Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Lab: Exploiting PHP deserialization with a pre-built gadget chain

Nayan | Last updated: Nov 12, 2020 06:13PM UTC

After modifying the cookie, I am not getting the Symfony internal server error. I am getting a blank screen in Response section. Also after replacing my session cookie with the malicious one created by me, my lab is not getting solved after sending the request. I have performed all the steps multiple times and not missed out on anything, still these problems are not getting solved.

Ben, PortSwigger Agent | Last updated: Nov 13, 2020 10:26AM UTC

Hi, Which request are you using to modify the cookie and how are you modifying it? One of our users, Michael Sommer, has created video solutions for a number of these lab exercises. Sometimes it is easier to follow along to a visual solution so have you checked the following solution on YouTube: https://www.youtube.com/watch?v=WmO8Kad0M7Y

Andreas | Last updated: Sep 01, 2021 12:43AM UTC

Hi, I have a similar issue. Posting the following request - GET /my-account HTTP/1.1 Host: ac451fdc1f8956ef803006e200db00d2.web-security-academy.net Cookie: session=%7B%22token%22%3A%22Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJocTR0cW4waGxhcnpmbmJmc2RibDVvNnl2amJubWZzayI7fQ%3D%3D%22%2C%22sig_hmac_sha1%22%3A%22d0e6e9063b666dfe339a5f9696090b0f39fb150f%22% User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://ac451fdc1f8956ef803006e200db00d2.web-security-academy.net/login Upgrade-Insecure-Requests: 1 Sec-Gpc: 1 Cache-Control: max-age=0 Te: trailers Connection: close I receive this error message - HTTP/1.1 400 Bad Request Content-Type: text/html; charset=utf-8 Connection: close Content-Length: 164 <html><head><title>Client Error: Too Nosy</title></head><body><h1>Client Error: Tampering with the _lab cookie is not required to solve this lab.</h1></body></html> When looking at the phpinfo.php file I see the Zend framework mentioned instead....has there been a change to what is suggested in the official solution? Thanks, Andreas

Ben, PortSwigger Agent | Last updated: Sep 01, 2021 05:28PM UTC