Martian Defense NoteBook
PHP Security

Last updated 6 months ago

Decode the cookie for unserialize() flaw

View the cookies from the sample web application using your browser's built-in developer tools. For instance, in the developer console you can enter document.cookie.

We are interested in the value set for the applicable cookie, which determines which fields to display.

Our "columns" cookie has the following encoded value:

YTo1OntzOjQ6Im5hbWUiO2I6MTtzOjU6ImVtYWlsIjtiOjA7czo1OiJwaG9uZSI7YjowO3M6ODoic3VtbWFyeSI7YjoxO3M6NjoicGF5IjtiOjA7fTc%3D

Since the string ends with %3D (the URL-encoded form of =), there is a high chance it is Base64-encoded.

To decode this string, turn the trailing %3D back into = (base64 -d rejects the % character) and enter the following in your Terminal:

echo "YTo1OntzOjQ6Im5hbWUiO2I6MTtzOjU6ImVtYWlsIjtiOjA7czo1OiJwaG9uZSI7YjowO3M6ODoic3VtbWFyeSI7YjoxO3M6NjoicGF5IjtiOjA7fTc=" | base64 -d

Decoded, we can see that this is PHP serialized data. It describes an array of five elements, each with the column name as its key and a boolean flag as its value. Expanded, the array looks something like:

Array
(
    [name] => 1
    [email] => 0
    [phone] => 0
    [summary] => 1
    [pay] => 0
)

The boolean 1 or 0 values determine which fields are shown to the user. Optionally, see this article for more details on this serialized data structure.

We can modify the serialized string to show all the columns by changing the b:0 entries to b:1, re-encoding it in Base64, and replacing the value of the cookie. For instance, the following line at the Terminal will display a Base64-encoded string representing our serialized data with all the array values "on":

echo -n 'a:5:{s:4:"name";b:1;s:5:"email";b:1;s:5:"phone";b:1;s:8:"summary";b:1;s:6:"pay";b:1;}' | base64 -w0

We're now going to tamper with the existing cookie to use this value instead. This can be done using browser extensions and dedicated tools like Burp Suite, CyberChef, Postman, or even a web proxy. In this case, we can also just use curl at the Terminal by passing the -b option:

curl -H 'Origin: https://example.site' -X POST https://example.site -b "columns=YOUR_COOKIE_VALUE"

Replace "YOUR_COOKIE_VALUE" with your modified Base64-encoded string, through to the ending = sign, as created in the command above.

If the response now shows every column, this proves that, on the server side, an unserialize() call was made on the cookie and its contents were trusted to decide which sensitive backend data to fetch.