1. Web Security Academy
  2. Insecure deserialization
  3. Exploiting
  4. Lab

Lab: Using application functionality to exploit insecure deserialization


This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos's home directory.

You can access your own account using the following credentials: wiener:peter

You also have access to a backup account: gregg:rosebud