{% extends "base.html" %}

{% block title %}
<title>Insecure Deserialization Lab</title>
{% endblock %}

{% block content %}

<div class="content">
    <h3>Insecure Deserialization</h3>
    <div class="box">
        <h4>What is Insecure Deserialization</h4>
        <p class="bp">
            Exploitation of deserialization is somewhat difficult, as off the shelf exploits rarely work without changes or
            tweaks to the underlying exploit code.
            This issue is included in the Top 10 based on an industry survey and not on quantifiable data.
            Some tools can discover deserialization flaws, but human assistance is frequently needed to validate the problem.
            It is expected that prevalence data for deserialization flaws will increase as tooling is developed to help
            identify and address it.
            The impact of deserialization flaws cannot be overstated. These flaws can lead to remote code execution attacks,
            one of the most serious attacks possible.
            The business impact depends on the protection needs of the application and data.
        </p>

        <div class="lab">
            <p class="bp">
                This Lab consists of a Page that has some content only available to for the admin to see. How can we access that
                page as admin? How is our role defined?
            </p>
            <p class="bp">If we check the cookie we see that it is base64 encoded, on decoding we realise it is pickle
                serialised and we can see some attributes, can you change the attributes to make the page readable?
            </p>
            <p class="bp">Hint: try to flip the bit of the admin from ...admin\x94K\x00... to ...admin\x94K\x01...
            </p>
        </div>

        <h4>Types of Attacks</h4>
        <p class="bp">
            Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker.
            This can result in two primary types of attacks:
        </p>
        <ul>
            <li>Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary
                remote code execution if there are classes available to the application that can change behavior during or after
                deserialization.</li>
            <li>Typical data tampering attacks such as access-control-related attacks where existing data structures are used
                but the content is changed.</li>
        </ul>

        <h4>Common Uses of Serialization</h4>
        <ul>
            <li>Remote- and inter-process communication (RPC/IPC)</li>
            <li>Wire protocols, web services, message brokers</li>
            <li>Caching/Persistence</li>
            <li>Databases, cache servers, file systems</li>
            <li>HTTP cookies, HTML form parameters, API authentication tokens</li>
        </ul>

        <div class="section">
            <h2>Create User</h2>
            <form action="/serialize" method="POST">
                <input type="text" name="username" placeholder="Enter username" required>
                <button type="submit">Create User</button>
            </form>
        </div>
        
        <div class="section">
            <h2>View Admin Content</h2>
            <form action="/deserialize" method="POST">
                <textarea name="serialized_data" placeholder="Enter base64-encoded serialized data" required></textarea>
                <button type="submit">View Content</button>
            </form>
        </div>

        <div class="info">
            <h4>How to Prevent</h4>
            <p>The only safe architectural pattern is not to accept serialized objects from untrusted sources or to use serialization mediums that only permit primitive data types. If that is not possible, consider:</p>
            <ul>
                <li>Implementing integrity checks such as digital signatures on any serialized objects</li>
                <li>Enforcing strict type constraints during deserialization before object creation</li>
                <li>Isolating and running code that deserializes in low privilege environments</li>
                <li>Logging deserialization exceptions and failures</li>
                <li>Restricting or monitoring incoming and outgoing network connectivity from containers or servers that deserialize</li>
                <li>Monitoring deserialization, alerting if a user deserializes constantly</li>
            </ul>
        </div>
    </div>
</div>
{% endblock %}