Using application functionality to exploit insecure deserialisation
This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object.
Log in with the credentials wiener:peter. On the My account page, there is an option to delete the account by sending a
Intercept the request.
Study the session cookie using the Inspector panel. The serialised object has an avatar_link attribute, which contains the file path to your avatar.
Edit the serialised data so that the avatar_link attribute points to /home/carlos/morale.txt. Update the length indicator. The modified attribute looks like this:
Click Apply changes. The modified object will automatically be re-encoded and updated in the request.
Forward the request. Your account will be deleted, along with Carlos’s
An attacker will need to log in with the credentials wiener:peter, edit the serialised object in the session cookie, and use it to delete the morale.txt file from Carlos's home directory.
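The lab works because the server trusts a client-editable session object and deletes whatever path its avatar_link attribute names. The following is an added example, not part of the lab or its application, showing the two server-side checks that close this gap: an HMAC tag over the session payload and a containment check on the path before any file operation. The key, the avatar directory, the payload layout and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SECRET_KEY = b"constructed-demo-key"   # assumption: server-side secret, never sent to the client
AVATAR_DIR = "/var/www/avatars"        # assumption: the only directory avatars are stored in

def _tag(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()

def sign_session(payload: bytes) -> str:
    """Build the cookie value: base64(payload) + "." + hex HMAC-SHA256 tag."""
    return base64.b64encode(payload).decode() + "." + _tag(payload).decode()

def verify_session(cookie: str) -> Optional[bytes]:
    """Return the payload only if its tag verifies; None for any tampered cookie."""
    try:
        encoded, tag = cookie.rsplit(".", 1)
        payload = base64.b64decode(encoded, validate=True)
    except ValueError:  # missing separator or invalid base64
        return None
    if not hmac.compare_digest(tag.encode(), _tag(payload)):
        return None
    return payload

def safe_avatar_path(candidate: str) -> Optional[str]:
    """Resolve candidate under AVATAR_DIR; None if it escapes that directory."""
    base = os.path.realpath(AVATAR_DIR)
    resolved = os.path.realpath(os.path.join(base, candidate))
    if resolved == base or os.path.commonpath([base, resolved]) != base:
        return None
    return resolved

# Constructed sample payload (not the lab's actual cookie format).
SAMPLE = b"username=wiener;avatar_link=users/wiener/avatar"

if __name__ == "__main__":
    cookie = sign_session(SAMPLE)
    edited = SAMPLE.replace(b"users/wiener/avatar", b"/home/carlos/morale.txt")
    forged = base64.b64encode(edited).decode() + "." + cookie.rsplit(".", 1)[1]
    print(verify_session(cookie))    # untouched cookie verifies
    print(verify_session(forged))    # edited payload with the old tag is rejected
    print(safe_avatar_path("/home/carlos/morale.txt"))  # path outside AVATAR_DIR is rejected
```

Either check alone stops the deletion described in the steps above; applying both means a leaked key or a parsing bug does not immediately become arbitrary file deletion.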