Lab 08 Insecure Deserialization

Tomas Rosenqvist edited this page Nov 19, 2018 · 10 revisions

Challenge "Give a devastating zero-star feedback to the store"

  1. Attempt to submit a zero-star rating from the web UI
    • Go to the "Contact us" section.
    • Open the Developer tools (F12) in your browser.
    • Enter a comment and solve the CAPTCHA equation, but do not select any stars for your rating.
    • Notice how the submit button is disabled? Go to the Elements tab of the Developer tools and select the corresponding <button> tag.
    • Remove the disabled="disabled" attribute from the button.
    • Submit the review.
    • Go to the Network tab of the developer tools and inspect the request.
    • Do you think the rating was accepted by the system?
  2. Attempt to submit a three-star rating from the web UI
    • Click the stars to give a three-star rating.
    • Solve the CAPTCHA and submit as normal.
    • Inspect the corresponding request.
    • Notice any difference? Do you think this rating was accepted by the system?
    • Keep the request open in devtools for the next step!
  3. Forge a zero-star rating using Postman
    • Copy the request payload JSON from your previously created three-star rating.
    • Open Postman and create a new request (save it to your previous collection if you want).
    • Change the request type to POST.
    • Set the Body content type to Raw and change the mime type from Text to JSON(application/json).
    • Paste the request payload as the body, but change the rating to 0.
    • Copy the request URL from the developer tools into Postman.
    • Send the request from Postman.

Questions

  • How could the application be protected against this type of attack?
  • What do you think of the CAPTCHA implementation in this application?

Challenge "Upload a file that has no .pdf extension"

  1. Upload a valid PDF file using the web UI
    • Log in as any user.
    • Go to the complaints section.
    • Open the Developer tools (F12) and go to the Network tab.
    • Submit a valid complaint (i.e. use a PDF file smaller than 100 KB).
    • Inspect the corresponding request(s) in the network tab.
    • Keep the request open in devtools for the next part!
  2. Forge a complaint upload using Postman
    • Create a new request in Postman.
    • Set the type to POST.
    • Copy the request URL from the request in devtools.
    • Set the Body type to form-data.
    • Add a new row with the key file.
    • Set the row type to "File" and set it to a non-pdf file.
    • Send the request.

Questions

  • What is the risk posed to the application here?
  • How could the risk be mitigated?
  • If you have the time, try experimenting with the developer tools and the UI to see if you can upload a non-pdf file without using Postman.
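As a starting point for the protection questions in both challenges, the following is an added example (not Juice Shop's own code) of the server-side checks the lab shows to be missing: the rating and CAPTCHA are re-validated on the server, and the upload is checked by extension, size and content. The request field names, the CAPTCHA store and the function names are assumptions.

```javascript
// Added example: server-side validation for the two requests forged in this lab.
// Not Juice Shop's code; field names, the CAPTCHA store and function names are
// assumed. The browser's disabled button and the client's file picker are not
// controls, so every rule must be re-checked where the request is received.

// Hypothetical store of CAPTCHA answers the server issued, keyed by captchaId.
const issuedCaptchas = new Map([[7, 42]]);

// Validate a feedback body such as { comment, rating, captchaId, captcha }.
// Returns { ok: true, value } or { ok: false, error }.
function validateFeedback(body) {
  if (typeof body !== "object" || body === null) return { ok: false, error: "bad body" };
  const { comment, rating, captchaId, captcha } = body;
  if (typeof comment !== "string" || comment.trim().length === 0 || comment.length > 160) {
    return { ok: false, error: "comment missing or too long" };
  }
  // Reject 0, negatives, floats and strings alike: the one-to-five stars the UI
  // offers must be enforced here, not by a disabled submit button.
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    return { ok: false, error: "rating must be an integer from 1 to 5" };
  }
  // The answer is compared with what the server issued, then consumed so the
  // same solved CAPTCHA cannot be replayed from Postman.
  if (!issuedCaptchas.has(captchaId) || issuedCaptchas.get(captchaId) !== Number(captcha)) {
    return { ok: false, error: "captcha wrong" };
  }
  issuedCaptchas.delete(captchaId);
  return { ok: true, value: { comment: comment.trim(), rating } };
}

const MAX_UPLOAD_BYTES = 100 * 1024;

// Validate an uploaded complaint file by extension, size and magic bytes.
// A Postman form-data row can carry any file, so the content is inspected too:
// a PDF begins with the five bytes "%PDF-".
function validatePdfUpload(filename, data) {
  if (typeof filename !== "string" || !/\.pdf$/i.test(filename)) {
    return { ok: false, error: "only .pdf files are accepted" };
  }
  if (!Buffer.isBuffer(data) || data.length === 0 || data.length > MAX_UPLOAD_BYTES) {
    return { ok: false, error: "file empty or larger than 100 KB" };
  }
  if (data.subarray(0, 5).toString("latin1") !== "%PDF-") {
    return { ok: false, error: "content is not a PDF" };
  }
  return { ok: true };
}
```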

Recommended reading