1. Web Security Academy
  2. Insecure deserialization
  3. Exploiting
  4. Lab

Lab: Using application functionality to exploit insecure deserialization


This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos's home directory.

You can access your own account using the following credentials: wiener:peter

You also have access to a backup account: gregg:rosebud

Try Burp Suite for Free

Find insecure deserialization vulnerabilities using Burp Suite

Try for free