From 99d7aa5228c146aa4928e7192882755de72b1d60 Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Fri, 29 Jul 2022 17:37:01 +0500 Subject: [PATCH] Create Lab 2.md --- Portswigger/Insecure Deserialization/Lab 2.md | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 Portswigger/Insecure Deserialization/Lab 2.md diff --git a/Portswigger/Insecure Deserialization/Lab 2.md b/Portswigger/Insecure Deserialization/Lab 2.md new file mode 100644 index 0000000..c2f0611 --- /dev/null +++ b/Portswigger/Insecure Deserialization/Lab 2.md 
@@ -0,0 +1,52 @@ +# Portswigger Insecure Deserialization - Lab 2 + +## Modifying serialized data types + +In this lab we need to modify the serlialized session which is vulnerable to authentication bypass through which we can get access to administrator account + + + +We can login as `wiener` with the given password `peter` + + + + + +The session cookie can be accessed from developer tools which is base64 encoded + + + + + +``` +O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"x64caqpmvk2jtz6vgxrit5eotzkg2h30";} +``` + +To understand what's happening in serialized cookie here, + +- `O:4` represents the object `user` which is length of `4` and has two attirbutes `2` which are `username` and `acces_token` +-`s:8` represents the username attirbute of string type having length of `8` which has the key value `winener` of string data type having length of `6` +- `s:12` represents the `acess_token` of string type having length of 12 which has key value of string data type of lenght `32` + +We can try replacing the session cookie with the username `admnistrator` also we should edit the length of string also we can try performing php loose comparision which is comparing string with an integer value `0` + +https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf + + + +On replacing the token we'll see an error message which will reveal some access tokens + + + +We can try using these tokens from which only `vxdtpdwjbj8mhrubuejx0b2dqi8o1ky8` token worked for administrator + + + +Now we can delete the carlos user and complete this lab + + + + +## References + +- https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf
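Review bot: the actual bypass payload is never written out in the "We can try replacing the session cookie" paragraph, so a reader cannot reproduce the step; the paragraph mentions changing the username to administrator, fixing the string length and comparing the token with integer `0`, but the only serialized object shown is the original `wiener` one. Add the modified object next to the original, e.g. `O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}`, and say that it has to be base64-encoded again before being sent as the cookie, since the earlier line states the cookie is base64 encoded; it would also help to state that the `i:0` trick relies on PHP's loose `==` comparison (the behaviour described in the linked Type Juggling PDF) rather than on any property of the token itself. The explanation of the format also mixes up keys and values: `s:8:"username"` is the property name (8 characters) and `s:6:"wiener"` is its value, and likewise `s:12:"access_token"` is the name while `s:32:"..."` is the 32-character value; in `O:4:"User":2:` the `4` is the length of the class name and `2` is the property count. Finally, please fix the spelling throughout (`serlialized`, `attirbutes`, `acces_token`/`acess_token`, `winener`, `lenght`, `admnistrator`, `comparision`, `administrator account`), add the missing space after the `-` on the second list item, and drop the duplicated OWASP link since it already appears under References.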