Lab: Using application functionality to exploit insecure deserialization
This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the
morale.txt file from Carlos's home directory.
You can log in to your own account using the following credentials:
You also have access to a backup account:
Log in to your own account. On the "My account" page, notice the option to delete your account by sending a
- Send a request containing the session cookie to Burp Repeater, and send the cookie to Burp Decoder.
In Burp Decoder, notice that the serialized object has an
avatar_linkattribute, which contains the file path to your avatar.
Edit the serialized data so that the
/home/carlos/morale.txt. Remember to update the length indicator. The modified attribute should look like this:
- Re-encode the object and copy it to your clipboard.
In Burp Repeater, replace the session cookie with the modified one in your clipboard. Change the request line to
POST /my-account/deleteand send the request. Your account will be deleted, along with Carlos's