Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Lab : Modifying serialized data types. Bug Decoder?

Alberto | Last updated: Mar 15, 2021 10:58AM UTC

Hello, I was doing these lab exercises and I noticed some weird Burp behaviors. I had the same problem with Lab : Modifying object attributes. In my specific case : Cookie: session= Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJtMzZiM2YzNHBocmd2eDl0aDVvczhranEzanBudWQwcyI7fQ%253d%253d If I select this cookie, the inspector say : Decode from Url, Decode from Base64 and that is the result : O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"m36b3f34phrgvx9th5os8kjq3jpnud0s";} If I select the cookie, right click and then "Send to decoder" the result should be the same but It's not. That's the result i get O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"m36b3f34phrgvx9th5os8kjq3jpnud0s";fQ%3d%3d In this lab, after some try without any success I decided to watch the video solution : https://www.youtube.com/watch?v=l7KCL7vY98k Then I realized I was doing the right thing but getting a different result. Even if I repeat the exact same steps of the video I get this error : PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www/index.php:4 Stack trace: #0 {main} thrown in /var/www/index.php on line 4 I understand that probably I'm replacing the value of the "Cookie: session= value..." with the wrong one. PS : I even tried to encode directly the right value to solve this lab {s:8:"username";s:13:"administrator";s:12:"access_token";i:"0";} encoded base64 = e3M6ODoidXNlcm5hbWUiO3M6MTM6ImFkbWluaXN0cmF0b3IiO3M6MTI6ImFjY2Vzc190b2tlbiI7aToiMCI7fQ== encoded url = %65%33%4d%36%4f%44%6f%69%64%58%4e%6c%63%6d%35%68%62%57%55%69%4f%33%4d%36%4d%54%4d%36%49%6d%46%6b%62%57%6c%75%61%58%4e%30%63%6d%46%30%62%33%49%69%4f%33%4d%36%4d%54%49%36%49%6d%46%6a%59%32%56%7a%63%31%39%30%62%32%74%6c%62%69%49%37%61%54%6f%69%4d%43%49%37%66%51%3d%3d Am I getting the wrong translation from the Decoder/Encoder? TY, have a nice day

Uthman, PortSwigger Agent | Last updated: Mar 15, 2021 11:36AM UTC

Hi Alberto, Thanks for the feedback. The difference between the Inspector's result and the Decoder is that the Inspector detects that there is double-URL encoding present and so decodes it. In the video you have linked, it looks like we were only expecting single-URL decoding (i.e. just %3d%3d to be decoded). It looks like the video is quite old and the lab has since been changed (along with the introduction of the Inspector) and expects you to perform double-URL decoding. If you send the Cookie to the Decoder, select Decode as > URL, then select Decode as > URL again, you should see the same base64 result. You can then decode that to get the expected cookie. In your example, you are only encoding this: {s:8:"username";s:13:"administrator";s:12:"access_token";i:"0";} However, you need to encode (base64 followed by URL) this: O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;} The expected result should be: %54%7a%6f%30%4f%69%4a%56%63%32%56%79%49%6a%6f%79%4f%6e%74%7a%4f%6a%67%36%49%6e%56%7a%5a%58%4a%75%59%57%31%6c%49%6a%74%7a%4f%6a%45%7a%4f%69%4a%68%5a%47%31%70%62%6d%6c%7a%64%48%4a%68%64%47%39%79%49%6a%74%7a%4f%6a%45%79%4f%69%4a%68%59%32%4e%6c%63%33%4e%66%64%47%39%72%5a%57%34%69%4f%32%6b%36%4d%44%74%39%43%67%3d%3d Can you please give this a try?

Alberto | Last updated: Mar 15, 2021 01:16PM UTC

Ty, Now It's working and I understood my error. Have a nice day :)

Uthman, PortSwigger Agent | Last updated: Mar 15, 2021 01:46PM UTC

Great! Have a nice day too! :)

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.