Burp Suite User Forum


Modifying serialized objects

Sondip | Last updated: Apr 02, 2021 06:48AM UTC

GET /my-account HTTP/1.1
Host: ac4b1f111f3a24d080a90e3a000d00c2.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac4b1f111f3a24d080a90e3a000d00c2.web-security-academy.net/login
Connection: close
Cookie: session=%54%7a%6f%30%4f%69%4a%56%63%32%56%79%49%6a%6f%79%4f%6e%74%7a%4f%6a%67%36%49%6e%56%7a%5a%58%4a%75%59%57%31%6c%49%6a%74%7a%4f%6a%59%36%49%6e%64%70%5a%57%35%6c%63%69%49%37%63%7a%6f%31%4f%69%4a%68%5a%47%31%70%62%69%49%37%59%6a%6f%78%54%7a%4d%77%4a%64%75%64%33%51%3d%3d
Upgrade-Insecure-Requests: 1

Then the server shows me this:

Internal Server Error
PHP Fatal error: Uncaught Exception: unserialize() failed in /var/www/index.php:4
Stack trace:
#0 {main}
thrown in /var/www/index.php on line 4

Michelle, PortSwigger Agent | Last updated: Apr 05, 2021 03:58PM UTC

Thanks for letting us know, we'll take a look.

Michelle, PortSwigger Agent | Last updated: Apr 06, 2021 03:24PM UTC

Thanks for your patience. We're currently looking into this, but it will work if in step 2 you URL-decode the cookie twice, so the steps would be:

In Burp Decoder, select "Decode as" > "URL". On the new string, select "Decode as" > "URL" again.
On the next new string select "Decode as" > "Base64" to reveal that the cookie is a serialized PHP object.
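As an added example (not code from this thread or from PortSwigger), the Python below applies the three Decoder steps from the reply above and then parses the result with a strict parser for the subset of PHP's serialization format the lab cookie uses, so a cookie can be checked locally for the exact reason unserialize() would reject it. POSTED_COOKIE is the session value from the request in the original post; VALID_COOKIE, encode_cookie and the class/member names inside php_unserialize's output are constructed for this example.

```python
import base64
import re
from urllib.parse import quote, unquote
# Session cookie copied verbatim from the request in the post above.
POSTED_COOKIE = "%54%7a%6f%30%4f%69%4a%56%63%32%56%79%49%6a%6f%79%4f%6e%74%7a%4f%6a%67%36%49%6e%56%7a%5a%58%4a%75%59%57%31%6c%49%6a%74%7a%4f%6a%59%36%49%6e%64%70%5a%57%35%6c%63%69%49%37%63%7a%6f%31%4f%69%4a%68%5a%47%31%70%62%69%49%37%59%6a%6f%78%54%7a%4d%77%4a%64%75%64%33%51%3d%3d"

def decode_cookie(cookie: str) -> bytes:
    """The three Decoder steps from the reply: URL-decode twice, then Base64-decode."""
    return base64.b64decode(unquote(unquote(cookie)))

def encode_cookie(serialized: bytes) -> str:  # inverse of decode_cookie, used only for the sample
    return quote(quote(base64.b64encode(serialized).decode(), safe=""), safe="")

# Constructed well-formed cookie carrying the lab's User object with admin left at b:0.
VALID_COOKIE = encode_cookie(b'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}')

def php_unserialize(data: bytes):
    """Strict parser for the PHP subset in the cookie (i, b, s, O); raises ValueError where unserialize() fails."""
    def parse(pos):
        tag = data[pos:pos + 1]
        if tag in (b"i", b"b"):
            m = re.match(rb"[ib]:(-?\d+);", data[pos:])
            if not m:
                raise ValueError(f"malformed {tag.decode()} value at offset {pos}")
            return (bool(int(m[1])) if tag == b"b" else int(m[1])), pos + m.end()
        if tag == b"s":
            m = re.match(rb's:(\d+):"', data[pos:])
            n, start = (int(m[1]), pos + m.end()) if m else (0, 0)
            if not m or data[start + n:start + n + 2] != b'";':
                raise ValueError(f"malformed or length-mismatched string at offset {pos}")
            return data[start:start + n].decode(), start + n + 2
        if tag == b"O":
            m = re.match(rb'O:(\d+):"([^"]*)":(\d+):\{', data[pos:])
            if not m or int(m[1]) != len(m[2]):
                raise ValueError(f"malformed object header at offset {pos}")
            obj, pos = {"__class": m[2].decode()}, pos + m.end()
            for _ in range(int(m[3])):  # each member is serialized as key then value
                key, pos = parse(pos)
                obj[key], pos = parse(pos)
            if data[pos:pos + 1] != b"}":
                raise ValueError(f"unterminated object at offset {pos}")
            return obj, pos + 1
        raise ValueError(f"unsupported or truncated data at offset {pos}")
    return parse(0)[0]  # trailing bytes after the first value are ignored, as PHP does

def check_session_cookie(cookie: str):
    try:  # (object, None) when the cookie would unserialize cleanly, else (None, reason)
        return php_unserialize(decode_cookie(cookie)), None
    except (ValueError, UnicodeDecodeError) as exc:
        return None, str(exc)
```

Running check_session_cookie on POSTED_COOKIE reports the offset of the first malformed byte, which lands just after the admin flag, matching the server's unserialize() failure.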
