Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Lab: Using application functionality to exploit insecure deserialization

PRACTITIONER

This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos's home directory.

You can log in to your own account using the following credentials: wiener:peter

You also have access to a backup account: gregg:rosebud

ACCESS THE LAB

Solution

  1. Log in to your own account. On the "My account" page, notice the option to delete your account by sending a POST request to /my-account/delete.
  2. Send a request containing a session cookie to Burp Repeater.
  3. In Burp Repeater, study the session cookie using the Inspector panel. Notice that the serialized object has an avatar_link attribute, which contains the file path to your avatar.

  4. Edit the serialized data so that the avatar_link points to /home/carlos/morale.txt. Remember to update the length indicator. The modified attribute should look like this:

    s:11:"avatar_link";s:23:"/home/carlos/morale.txt"
  5. Click "Apply changes". The modified object will automatically be re-encoded and updated in the request.
  6. Change the request line to POST /my-account/delete and send the request. Your account will be deleted, along with Carlos's morale.txt file.

Community solutions

Emanuele Picariello

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

  • Practise exploiting vulnerabilities on realistic targets.

  • Record your progression from Apprentice to Expert.

  • See where you rank in our Hall of Fame.

Already got an account? Login here

Try Burp Suite for Free

Find insecure deserialization vulnerabilities using Burp Suite

Try for free