Token Deserialization
PHP tokens
PHP tokens look like:
O:4:"User":2:{s:8:"username";s:6:"user";s:12:"access_token";s:32:"dxirusitse16p7j5615qj7zot5l7dqom";}
How to inject a payload:
- Break the token and try to guess the PHP framework from the error message.
- Check whether /cgi-bin/phpinfo.php exists and whether any secret can be found there.
- Run the phpggc tool for the correct framework.
Java tokens
- Look for "Java", "Commons" or "Collections" in the decoded token.
- Run Burp Deserialization Scanner.
- If it doesn't find anything, run the Burp Scanner.
- If you need to go blind, try different payloads for the different Java CommonsCollections libraries with the Deserialization Scanner extension.
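From the defender's side, the PHP and Java token formats described above can be recognised in request logs or at a gateway before they reach a deserializer. The following is an added example, not part of the original notes; the function names and the sample Java header are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

JAVA_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream header; "rO0AB" in base64
# PHP serialized object or Serializable class: O:<len>:"<Class>":<count>:{
PHP_OBJECT = re.compile(rb'[OC]:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
JAVA_HINTS = (b"java", b"commons", b"collections")

# Constructed samples: the PHP token shown above and a truncated Java stream header.
SAMPLE_PHP = ('O:4:"User":2:{s:8:"username";s:6:"user";s:12:"access_token";'
              's:32:"dxirusitse16p7j5615qj7zot5l7dqom";}')
SAMPLE_JAVA = base64.b64encode(JAVA_MAGIC + b"sr\x00\x11java.util.HashMap").decode()


def candidate_decodings(token):
    """Yield the URL-decoded token, then its base64 and URL-safe base64 decodings."""
    raw = unquote_to_bytes(token)
    yield raw
    padded = raw + b"=" * (-len(raw) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded)
        except (binascii.Error, ValueError):
            continue  # not valid in this alphabet, try the next decoding


def classify_token(token):
    """Return the serialization format found in a token value, if any."""
    for data in candidate_decodings(token):
        if data.startswith(JAVA_MAGIC):
            lowered = data.lower()
            hints = [h.decode() for h in JAVA_HINTS if h in lowered]
            return {"format": "java-serialized", "hints": hints}
        classes = PHP_OBJECT.findall(data)
        if classes:
            names = sorted({c.decode() for c in classes})
            return {"format": "php-serialized-object", "classes": names}
    return {"format": "unknown"}


if __name__ == "__main__":
    for name, tok in (("php", SAMPLE_PHP), ("java", SAMPLE_JAVA)):
        print(name, classify_token(tok))
```

A hit marks a token that carries a native serialized object, which is the place to replace it with a signed, data-only format.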