| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Insecure Deserialization — Serialized Object Modification, Privilege Escalation |
| Difficulty | Apprentice |
| Objective | Edit the serialized object in the session cookie to gain administrative privileges, then delete the user carlos |
## Modifying Serialized Objects
I logged in as wiener:peter and intercepted a request to /my-account:
```http
GET /my-account?id=wiener HTTP/2
Host: 0a490082030045b080a6c6f800ef007f.web-security-academy.net
Cookie: session=Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30%3d
```
Decoding the session cookie from base64 (after URL-decoding the trailing `%3d` padding):

```php
O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}
```
This is the PHP serialized object format: a `User` class with two properties, `username` (string `wiener`) and `admin` (boolean false, `b:0`). The authorization state lives client-side in this cookie, and the server deserializes whatever `admin` value it receives without checking it against anything server-side. PHP serialization is also human-readable: `O:4:"User":2:{...}` spells out the class name, the property count, and each property's type, length, and value in plain text, so the object is trivially editable.
Changing b:0 to b:1, re-encoding to base64, and replacing the session cookie:
The admin panel link appeared. Switching the request to GET /admin:
The response contained <a href="/admin/delete?username=carlos">. Requesting that path returned 302, following the redirect:
carlos deleted and lab solved o.o
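As an added example (my own code, not part of the lab or the write-up): a small Python parser for the PHP serialize format decoded above, plus the server-side check the lab application lacks. The admin flag is taken from a user store, never from the cookie, and a cookie whose admin claim disagrees with the store is reported as tampered, which is the log line a defender wants. `USER_DB` and `TAMPERED_COOKIE` are constructed for the demo.

```python
import base64
from urllib.parse import unquote

# Constructed inputs: the cookie quoted in the write-up, and the same object with admin flipped to b:1.
LAB_COOKIE = "Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30%3d"
TAMPERED_COOKIE = "Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjoxO30%3d"
# Hypothetical server-side user store: the only trustworthy source of the admin flag.
USER_DB = {"wiener": {"admin": False}, "administrator": {"admin": True}}

def parse_php(data, pos=0):
    """Parse one PHP-serialized value at pos (data is latin-1, so str lengths equal byte lengths); returns (value, next_pos)."""
    kind = data[pos]
    if kind in "bi":                                        # b:0;  i:42;
        end = data.index(";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if kind == "b" else num), end + 1
    if kind == "s":                                         # s:6:"wiener";  (length is in bytes)
        colon = data.index(":", pos + 2)
        length, start = int(data[pos + 2:colon]), colon + 2
        if data[start + length:start + length + 2] != '";':
            raise ValueError("string length does not match payload")
        return data[start:start + length].encode("latin-1").decode("utf-8"), start + length + 2
    if kind == "O":                                         # O:4:"User":2:{...}
        colon = data.index(":", pos + 2)
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len]
        p = colon + 2 + name_len + 2                         # skip the closing quote and ':'
        colon2 = data.index(":", p)
        count, p, props = int(data[p:colon2]), colon2 + 2, {}
        for _ in range(count):                               # properties are key/value pairs
            key, p = parse_php(data, p)
            props[key], p = parse_php(data, p)
        if data[p] != "}":
            raise ValueError("unterminated object")
        return {"class": name, "props": props}, p + 1
    raise ValueError(f"unsupported type {kind!r} at offset {pos}")

def decode_session(cookie):
    """URL-decode and base64-decode the cookie, parse it, and reject anything but a single User object."""
    raw = base64.b64decode(unquote(cookie), validate=True).decode("latin-1")
    obj, end = parse_php(raw)
    if end != len(raw) or obj["class"] != "User":
        raise ValueError("unexpected session payload")
    return obj["props"]

def authorize(cookie):
    """The fix: username from the cookie, admin flag from USER_DB. Returns (is_admin, tampered); alert when tampered is True."""
    props = decode_session(cookie)
    record = USER_DB[props["username"]]                     # KeyError for an unknown user: deny
    return record["admin"], bool(props.get("admin")) != record["admin"]
```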