Burp Suite User Forum

Lab: Modifying serialized data types - Debug dumps tokens

Mike | Last updated: Aug 19, 2021 06:16PM UTC

Hey, not sure if this is a bug or a feature)

So if in the cookie you change the username to not much the token,
username: carlos
token: from peter

Here it is:
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6ImNhcmxvcyI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJwOWE1ZWkweDk5cWk3NHZlanNxMzZjenAwdG4xejNkNiI7fQo=

Response returns 500 and conveniently all registered tokens:

Internal Server Error
PHP Fatal error: Uncaught Exception: (DEBUG: $access_tokens[$user->username] = y6woegwraq17bq0drumffn0nfujbitmw, $user->access_token = p9a5ei0x99qi74vejsq36czp0tn1z3d6, $access_tokens = [y6woegwraq17bq0drumffn0nfujbitmw, p9a5ei0x99qi74vejsq36czp0tn1z3d6, xlbjcoe8ecul6sfmtdrt5cm8qqr6o7hx]) Invalid access token for user carlos in /var/www/index.php:7
Stack trace:
#0 {main}
thrown in /var/www/index.php on line 7

Mike | Last updated: Aug 19, 2021 06:34PM UTC

Typo on line 3, should be match instead of much.

Uthman, PortSwigger Agent | Last updated: Aug 20, 2021 02:25PM UTC

Hi Mike,

This looks like it could be expected behavior based on what the previous lab mentions in the learning materials (the 'Modifying object attributes' section here - https://portswigger.net/web-security/deserialization/exploiting):

"At no point is the authenticity of the serialized object checked. This data is then passed into the conditional statement and, in this case, would allow for an easy privilege escalation. This simple scenario is not common in the wild. However, editing an attribute value in this way demonstrates the first step towards accessing the massive amount of attack-surface exposed by insecure deserialization."

There is no validation logic on the access_token.
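For contrast with the behavior discussed in this thread, the following is an added example (not part of any post above and not PortSwigger's lab code) of a session cookie whose authenticity is checked before use and whose failure path never prints token values. The function names, `COOKIE_KEY` and the sample tokens are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: a server-side secret loaded from configuration (placeholder value).
const COOKIE_KEY = 'replace-with-random-32-byte-secret';

// Issue the cookie as JSON plus an HMAC tag instead of a bare serialize() string.
function issue_cookie(string $username, string $accessToken): string
{
    $payload = json_encode(['username' => $username, 'access_token' => $accessToken]);
    $tag = hash_hmac('sha256', $payload, COOKIE_KEY, true);
    return base64_encode($payload) . '.' . base64_encode($tag);
}

// Returns the username on success and null on any failure.
function verify_cookie(string $cookie, array $accessTokens): ?string
{
    $parts = explode('.', $cookie);
    $payload = base64_decode($parts[0], true);
    $tag = base64_decode($parts[1] ?? '', true);
    if (count($parts) !== 2 || $payload === false || $tag === false) {
        return null;
    }
    // Authenticity check first: a client-edited payload fails here.
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY, true), $tag)) {
        return null;
    }
    $data = json_decode($payload, true);
    // Type check: both fields must be strings, never integers, booleans or arrays.
    if (!is_array($data) || !is_string($data['username'] ?? null)
        || !is_string($data['access_token'] ?? null)) {
        return null;
    }
    $expected = $accessTokens[$data['username']] ?? null;
    if (!is_string($expected) || !hash_equals($expected, $data['access_token'])) {
        // Log the event server-side without any token values; the client sees nothing.
        error_log('invalid access token for user ' . $data['username']);
        return null;
    }
    return $data['username'];
}

// Constructed sample data, not values from the lab.
$tokens = ['peter' => 'tok-peter-constructed', 'carlos' => 'tok-carlos-constructed'];
$good = issue_cookie('peter', $tokens['peter']);
// Same mismatch as in the first post: carlos as username, peter's token, peter's old tag.
$edited = '{"username":"carlos","access_token":"tok-peter-constructed"}';
$forged = base64_encode($edited) . '.' . explode('.', $good)[1];
var_dump(verify_cookie($good, $tokens), verify_cookie($forged, $tokens));
```

In production, `display_errors` should also be off so that an uncaught exception cannot return a stack trace or debug string in the 500 response body.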
