18.2 Modifying Serialized Data Types


Karthikeyan Nagaraj
2 min read · Jun 30, 2024

Description

This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete the user carlos.

You can log in to your own account using the following credentials: wiener:peter

Solution

  1. Log in using your own credentials. In Burp, open the post-login GET /my-account request and examine the session cookie using the Inspector to reveal a serialized PHP object. Send this request to Burp Repeater.
  2. In Burp Repeater, use the Inspector panel to modify the session cookie as follows:
  3. Update the length of the username attribute to 13, change the username to administrator, and change the access token to the integer 0. As this value is no longer a string, you also need to remove the double quotes surrounding it.
  4. Update the data type label for the access token by replacing s with i.
  5. The result should look like this:
    O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}
  6. Click “Apply changes”. The modified object will automatically be re-encoded and updated in the request.
  7. Send the request. Notice that the response now contains a link to the admin panel at /admin, indicating that you have successfully accessed the page as the administrator user.
  8. Change the path of your request to /admin and resend it. Notice that the /admin page contains links to delete specific user accounts.
  9. Change the path of your request to /admin/delete?username=carlos and send the request to solve the lab.
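Why the `i:0` edit in step 5 is accepted, and how a defender closes the hole, as an added PHP example that is not the lab's or the post's code. The `User` class, the token and key constants, and the HMAC-signed JSON session format are assumptions.

```php
<?php
// Added example (not the lab's source). Models a server that stores the session
// as a PHP-serialized object and checks the token with a loose comparison.
class User {
    public $username;
    public $access_token;
}

// Constructed placeholders: the real administrator token and a server-side key.
const ADMIN_TOKEN = 'f3a9c2d1e8b7a6c5d4e3f2a1b0c9d8e7';
const SESSION_KEY = 'server-side-secret-key';

// The cookie after the walkthrough's edit (base64 layer omitted for clarity).
$cookie = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}';

// VULNERABLE: unserialize() of attacker-controlled data, then a loose (==) check.
// The attacker chooses the field's type, so access_token arrives as int 0.
// In PHP 7.x, 0 == "f3a9c2..." is TRUE: the non-numeric string is cast to 0.
// PHP 8 changed this rule (the int is compared as a string instead), which is
// why this class of bypass is version dependent rather than gone.
function vulnerableIsValid(string $cookie): bool {
    $user = unserialize($cookie);
    return $user->access_token == ADMIN_TOKEN;
}

// HARDENED: never unserialize user input. Verify an HMAC over the payload first,
// parse plain JSON data (no object instantiation), enforce the expected type,
// and compare tokens with a strict, constant-time check.
function hardenedIsValid(string $signedCookie): bool {
    [$payload, $mac] = explode('.', $signedCookie, 2) + [null, null];
    if ($payload === null || $mac === null) {
        return false;
    }
    $expected = hash_hmac('sha256', $payload, SESSION_KEY);
    if (!hash_equals($expected, $mac)) {
        return false;                      // tampered or unsigned: reject before parsing
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !is_string($data['access_token'] ?? null)) {
        return false;                      // wrong shape or wrong type: reject
    }
    return hash_equals(ADMIN_TOKEN, $data['access_token']);
}

var_dump(vulnerableIsValid($cookie));
var_dump(hardenedIsValid($cookie));
```

Running this under PHP 7.x shows the loose check accepting the forged cookie while the signed variant rejects it before any parsing happens; a detection rule for the original design is a session cookie whose decoded `access_token` field is not a string.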
