Day 8: Insecure deserialization

@rrietwrites
Jun 13, 2022

Please note: This is part eight of a 10-part series on the TryHackMe OWASP Top 10 room.

Serialization is the process of converting objects into byte streams so they can be stored or transmitted to memory or a database. The reverse process is deserialization.

Insecure deserialization occurs when an attacker leverages the serialization process to pass malicious data or code to the application. The vulnerability arises when an application accepts data without any validation checks. It can allow an attacker to gain remote access to the web application servers, which is known as Remote Code Execution (RCE).

I found this blog informative on serialization and insecure deserialization.

LAB 1: INSECURE DESERIALIZATION — COOKIES PRACTICAL

Websites use cookies to store user-specific information. Sometimes the cookie value is stored in an encoded form.

This lab requires that we access and modify the cookie values in order to get privileged access.

First Flag (Cookie Value)

Logging in to the app directs you to the profile page, which shows information including your user access level.

The challenge gives us the hint that the first flag is in one of the cookies.

Right-click the page and choose Inspect Element.

Click the Application tab, then Storage.

On the Cookies tab, you can see that the cookie values are stored either in plaintext or encoded in base64 (e.g. sessionid).

Since all the other cookies are in plaintext, we can tell that none of them contains the flag. However, the sessionid cookie value is encoded.

Decode the cookie value (I used base64decode.org online) to get the flag.

Second Flag (Admin Dashboard)

The second challenge requires that we modify the cookie values in order to get admin access.

On login, the myprofile page shows the user access level. This information is reflected in the cookies table with the name “userType” and value “user”. This shows that the userType field represents the user access level, i.e. what a user can do in the system.

The cookie can therefore be modified to admin to give you admin rights. This is done simply by double-clicking on the field value and changing it to admin.

Having changed the access rights to admin, you can navigate to the app’s admin page using url/admin.

As long as the browser tab is still open, you will be immediately redirected to the admin dashboard (url/admin) on every login.

When you change the value back to “user” and attempt to log in again, you’ll be redirected to the user home page url/myprofile.

LAB 2: INSECURE DESERIALIZATION — CODE EXECUTION

In this lab, we are expected to pass an encoded payload to the web server to get a remote shell and find the flag in the flag.txt file.

First, change the userType cookie from “admin” to “user” and navigate back to the myprofile page.

On the left side of the myprofile page, left-click on “Exchange your vim”. When you do this, a cookie is encoded and stored in the browser.

After this, left-click on “Provide your feedback!”. You should be redirected to the feedback page. When you visit this page, the cookie that was created is obtained, decoded and deserialized. This process can be exploited using the Python pickleme payload. The payload is attached in the TryHackMe room.

Run netcat on your Kali machine to listen on port 4444. Ensure that netcat is running throughout the entire lab.

Copy the content of the pickelme.py payload, paste it into a file and save it as rce.py (or whichever name you may choose).

Replace the IP in the Python file with the IP of your VPN.

On running the Python script, you will obtain a cookie value. Replace the value of the encodedPayload cookie in the web application with this value.

After this step, refresh the browser to get a reverse shell into the web server.

After spawning a reverse shell, the task is to find the flag in the flag.txt file. So first, we list the directories in the current folder.

Since there is no flag.txt in this folder, check the current directory.

Switch directory to /home/cmnatic.

In this folder, we find flag.txt.

Open the file to view the content and find the flag.
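
The defensive counterpart to both labs, as an added example that is not from the TryHackMe room or the original post: the decode-then-unpickle pattern Lab 2 describes, next to a cookie codec that uses JSON plus an HMAC tag so that an edited userType or a pickle blob is rejected before anything is parsed. The key, function names and sample cookie values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import pickle

# Assumption: constructed demo key; a real app loads this from a secret store.
SECRET_KEY = b"constructed-demo-key"

def load_cookie_vulnerable(value):
    """Lab 2 pattern: decode then unpickle. pickle.loads() can run code chosen
    by whoever produced the bytes. Kept for contrast; never called here."""
    return pickle.loads(base64.b64decode(value))

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def dump_cookie(data):
    """Serialize to JSON (data only) and append an HMAC-SHA256 tag."""
    body = json.dumps(data, sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def load_cookie(value):
    """Return the dict if the tag verifies, else None. Nothing is parsed
    until the signature has been checked."""
    try:
        body_b64, tag_b64 = value.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(body)
    return data if isinstance(data, dict) else None

def demo():
    """Constructed inputs: a genuine cookie, a Lab 1 style edit, a pickle blob."""
    good = dump_cookie({"sessionid": "constructed-id", "userType": "user"})
    forged = _b64(json.dumps({"sessionid": "constructed-id", "userType": "admin"}).encode())
    tampered = forged + "." + good.split(".")[1]  # new body, old tag
    pickled = base64.b64encode(pickle.dumps({"userType": "admin"})).decode()
    return load_cookie(good), load_cookie(tampered), load_cookie(pickled)

if __name__ == "__main__":
    print(demo())
```

Signing only prevents tampering; the cookie body is still readable by the user, and the access level is better looked up server-side from the session than trusted from any cookie.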

@rrietwrites is a cybersecurity researcher who also enjoys conversations on personal finance, lifestyle, mental health and human psychology