Modifying serialised objects
Description
This lab uses a serialization-based session mechanism and is vulnerable to privilege escalation as a result.
Reproduction
1. Log in using wiener:peter. Notice that the post-login GET /my-account request contains a session cookie that appears to be URL- and Base64-encoded.
2. Use Burp's Inspector panel to study the request in its decoded form. The cookie is a serialised PHP object. The admin attribute contains b:0, indicating the boolean value false. Send this request to Burp Repeater.
3. In Burp Repeater, use the Inspector to examine the cookie again and change the value of the admin attribute to b:1. Click "Apply changes". The modified object is automatically re-encoded and updated in the request.
4. Send the request. The response now contains a link to the admin panel at /admin, indicating that the page was accessed with admin privileges.
5. Change the path of the request to /admin and resend it. The /admin page contains links to delete specific user accounts.
6. Change the path of the request to /admin/delete?username=carlos and send the request to solve the lab.
PoC
Exploitability
To exploit this vulnerability an attacker needs only a valid low-privilege login: after logging in, they edit the serialised object in the session cookie to gain administrative privileges, and can then delete Carlos's account.
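The root cause is that the server treats the cookie as authoritative session state and hands it straight to unserialize(). The following PHP is an added illustration, not the lab's own source code: the trusting pattern on the left of the bug, and a hardened variant that authenticates the cookie with an HMAC before unserialize() ever sees the bytes and restricts which classes may be instantiated. The class name User, the username attribute, the SESSION_KEY constant and all function names are assumptions made for this example; only the admin attribute and its b:0/b:1 encoding come from the write-up.

```php
<?php
// Added example (not the lab's code). Class/attribute/function names are assumed.

class User {
    public $username;
    public $admin = false;   // serialises as s:5:"admin";b:0;
}

// --- Vulnerable: the cookie IS the session state and the server believes it.
function loadSessionVulnerable(string $cookie): User {
    // PHP URL-decodes $_COOKIE values for us; only the Base64 layer is undone here.
    // Whatever the client put in "admin" (b:0 or b:1) is taken at face value.
    return unserialize(base64_decode($cookie));
}

// --- Hardened: sign the serialised payload with a server-side secret and verify
// it before deserialising; reject unknown classes so the payload cannot
// instantiate arbitrary objects.
const SESSION_KEY = 'PLACEHOLDER-load-a-random-secret-from-config';

function issueSession(User $user): string {
    $payload = base64_encode(serialize($user));
    $mac     = hash_hmac('sha256', $payload, SESSION_KEY);
    return $payload . '.' . $mac;
}

function loadSessionHardened(string $cookie): ?User {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                          // malformed: treat as logged out
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, SESSION_KEY);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return null;                          // edited or forged cookie: reject (and log)
    }
    $data = unserialize(base64_decode($payload), ['allowed_classes' => [User::class]]);
    return $data instanceof User ? $data : null;
}

// --- Demonstration with a constructed user and the b:0 -> b:1 edit from the write-up.
$wiener = new User();
$wiener->username = 'wiener';
$cookie = issueSession($wiener);

// Flip the admin flag in the serialised object without knowing SESSION_KEY.
$forged       = str_replace('b:0;', 'b:1;', serialize($wiener));
$forgedB64    = base64_encode($forged);
$oldMac       = explode('.', $cookie, 2)[1];
$tampered     = $forgedB64 . '.' . $oldMac;   // payload changed, signature stale

// Vulnerable server: the edited flag is honoured.
var_dump(loadSessionVulnerable($forgedB64)->admin);   // bool(true)

// Hardened server: the signature no longer matches, so the cookie is refused.
var_dump(loadSessionHardened($tampered));             // NULL
var_dump(loadSessionHardened($cookie)->admin);        // bool(false)
```

Signing only closes the tampering route shown in the lab; it still deserialises client-controlled bytes once the MAC checks out, which is why allowed_classes is set. The cleaner design is to keep the session object server-side (PHP's native session handling does this) and give the client nothing but an opaque session identifier, so that there is no serialised privilege flag in the cookie to edit in the first place.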