├── Challenge
    ├── log.txt
    ├── images
    │   ├── image1.jpg
    │   ├── image2.jpeg
    │   ├── image3.jpg
    │   ├── image4.jpeg
    │   └── image5.jpg
    ├── serialize.php
    ├── unserialize.php
    ├── download.php
    └── index.php
├── Insecure Deserialization Presentation.pdf
└── README.md


/Challenge/log.txt:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/Challenge/images/image1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/raadfhaddad/Insecure-Deserialization/HEAD/Challenge/images/image1.jpg


--------------------------------------------------------------------------------
/Challenge/images/image2.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/raadfhaddad/Insecure-Deserialization/HEAD/Challenge/images/image2.jpeg


--------------------------------------------------------------------------------
/Challenge/images/image3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/raadfhaddad/Insecure-Deserialization/HEAD/Challenge/images/image3.jpg


--------------------------------------------------------------------------------
/Challenge/images/image4.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/raadfhaddad/Insecure-Deserialization/HEAD/Challenge/images/image4.jpeg


--------------------------------------------------------------------------------
/Challenge/images/image5.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/raadfhaddad/Insecure-Deserialization/HEAD/Challenge/images/image5.jpg


--------------------------------------------------------------------------------
/Insecure Deserialization Presentation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/raadfhaddad/Insecure-Deserialization/HEAD/Insecure Deserialization Presentation.pdf


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Insecure-Deserialization
2 | Insecure Deserialization is a critical bug, that based on the application behavior with the object.
3 | 
4 | You can find here:
5 |   - The Lab (the challenge, written in PHP) 
6 |   - Presentation was represented in OWASP Amman Chapter 2nd meetup (in PDF format).
7 | 


--------------------------------------------------------------------------------
/Challenge/serialize.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /*
 3 | Code by: Raad Haddad (@raadfhaddad)
 4 | */
 5 | class Car {
 6 | 	public $price;
 7 | 	public $color;
 8 | 	public $name;
 9 | 	public function __construct($pricex,$colorx,$namex){
10 | 		$this->price = $pricex;
11 | 		$this->color = $colorx;
12 | 		$this->name = $namex;
13 | 	}
14 | 	
15 | }
16 | 
17 | $obj = new Car(14000,"black","Mercedes");
18 | echo serialize($obj);
19 | ?>


--------------------------------------------------------------------------------
/Challenge/unserialize.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /*
 3 | Code by: Raad Haddad (@raadfhaddad)
 4 | */
 5 | class Car {
 6 | 	public $price;
 7 | 	public $color;
 8 | 	public $name;
 9 | 	public function __construct($pricex,$colorx,$namex){
10 | 		$this->price = $pricex;
11 | 		$this->color = $colorx;
12 | 		$this->name = $namex;
13 | 	}
14 | 	
15 | }
16 | 
17 | $ready_serialized_object=unserialize($_GET['obj']);
18 | echo var_dump($ready_serialized_object);
19 | ?>


--------------------------------------------------------------------------------
/Challenge/download.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | /*
 3 | Code by: Raad Haddad (@raadfhaddad)
 4 | */
 5 | class Download_Image {
 6 |     public $path;
 7 |     public $operation;
 8 |     public $logfile;
 9 |     function __wakeup() {
10 |         $image_path=base64_decode($this->path);
11 |         if(file_exists($image_path) && $this->operation == "Download") {
12 |             header('Content-Description: File Transfer');
13 |             header('Content-Type: image/jpeg');
14 |             header('Content-Disposition: attachment; filename="'.basename($image_path).'"');
15 |             header('Expires: 0');
16 |             header('Cache-Control: must-revalidate');
17 |             header('Pragma: public');
18 |             header('Content-Length: ' . filesize($image_path));
19 |             flush();
20 |             readfile($image_path);
21 |             file_put_contents(__DIR__.'/'.$this->logfile,"image :".base64_decode($this->path)." has been downloaded by ".$_SERVER['REMOTE_ADDR']." and is comming from ".$_SERVER['HTTP_REFERER']."\r\n",FILE_APPEND);
22 |         }
23 |     }
24 | }
25 | 
26 | $obj_image=base64_decode($_POST['image_path']);
27 | $get_image=unserialize($obj_image);
28 | ?>
29 | 


--------------------------------------------------------------------------------
/Challenge/index.php:
--------------------------------------------------------------------------------
 1 | <!--
 2 | Code by: Raad Haddad (@raadfhaddad)
 3 | -->
 4 | <html>
 5 | 	<h1>Welcome to our new website!</h1>
 6 | 
 7 | 	<h3>Check out new Collection of images:</h3><br/><br/>
 8 | 	<form action="download.php" method="POST">
 9 | 		<center>
10 | 		<table border="1px solid">
11 | 			<tr style="background:black;color:white">
12 | 				<td>Image
13 | 				</td>
14 | 				<td>Select
15 | 				</td>
16 | 
17 | 			</tr>
18 | 			<tr>
19 | 				<td><img src="images/image1.jpg" height="200px" width="auto"/></td>
20 | 				<td><input type="radio" name="image_path" value="TzoxNDoiRG93bmxvYWRfSW1hZ2UiOjM6e3M6NDoicGF0aCI7czoyNDoiYVcxaFoyVnpMMmx0WVdkbE1TNXFjR2M9IjtzOjk6Im9wZXJhdGlvbiI7czo4OiJEb3dubG9hZCI7czo3OiJsb2dmaWxlIjtzOjc6ImxvZy50eHQiO30="/></td>
21 | 			</tr>
22 | 			<tr>
23 | 				<td><img src="images/image2.jpeg" height="200px" width="auto"/></td>
24 | 				<td><input type="radio" name="image_path" value="TzoxNDoiRG93bmxvYWRfSW1hZ2UiOjM6e3M6NDoicGF0aCI7czoyNDoiYVcxaFoyVnpMMmx0WVdkbE1pNXFaWEJuIjtzOjk6Im9wZXJhdGlvbiI7czo4OiJEb3dubG9hZCI7czo3OiJsb2dmaWxlIjtzOjc6ImxvZy50eHQiO30="/></td>
25 | 			</tr>
26 | 			<tr>
27 | 				<td><img src="images/image3.jpg" height="200px" width="auto"/></td>
28 | 				<td><input type="radio" name="image_path" value="TzoxNDoiRG93bmxvYWRfSW1hZ2UiOjM6e3M6NDoicGF0aCI7czoyNDoiYVcxaFoyVnpMMmx0WVdkbE15NXFjR2M9IjtzOjk6Im9wZXJhdGlvbiI7czo4OiJEb3dubG9hZCI7czo3OiJsb2dmaWxlIjtzOjc6ImxvZy50eHQiO30="/></td>
29 | 			</tr>
30 | 			<tr>
31 | 				<td><img src="images/image4.jpeg" height="200px" width="auto"/></td>
32 | 				<td><input type="radio" name="image_path" value="TzoxNDoiRG93bmxvYWRfSW1hZ2UiOjM6e3M6NDoicGF0aCI7czoyNDoiYVcxaFoyVnpMMmx0WVdkbE5DNXFjR1ZuIjtzOjk6Im9wZXJhdGlvbiI7czo4OiJEb3dubG9hZCI7czo3OiJsb2dmaWxlIjtzOjc6ImxvZy50eHQiO30="/></td>
33 | 			</tr>
34 | 			<tr>
35 | 				<td><img src="images/image5.jpg" height="200px" width="auto"/></td>
36 | 				<td><input type="radio" name="image_path" value="TzoxNDoiRG93bmxvYWRfSW1hZ2UiOjM6e3M6NDoicGF0aCI7czoyNDoiYVcxaFoyVnpMMmx0WVdkbE5TNXFjR2M9IjtzOjk6Im9wZXJhdGlvbiI7czo4OiJEb3dubG9hZCI7czo3OiJsb2dmaWxlIjtzOjc6ImxvZy50eHQiO30="/></td>
37 | 			</tr>
38 | 			<tr><td><center><button>Download</button></center></td></tr>
39 | 		</table>
40 | 	</center>
41 | 	</form>
42 | </html>


--------------------------------------------------------------------------------