Deserialisation Lab 3 - Auth Bypass via Deserialised Token


Persistent Login Portal

This site uses a serialized RememberMeToken cookie for persistent logins.

Token loaded — user: user_42, authenticated: false, role: viewer

Fresh token issued. Refresh the page to load it.

Hint

Decode the remember_token cookie from base64. Modify the serialized object:
— Set isAuthenticated to b:1
— Set role to admin
Re-encode to base64 and replace the cookie.

Target payload example:
O:15:"RememberMeToken":4:{s:6:"userId";s:7:"user_42";s:4:"role";s:5:"admin";s:15:"isAuthenticated";b:1;s:7:"expires";s:10:"2025-12-31";}
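
Why the edit above works, and one way to close it, as an added example that is not the lab's own code: the cookie carries role and isAuthenticated with no integrity check, so the server believes whatever the client sends back. The sketch below signs a JSON token with HMAC-SHA256, verifies it before parsing, and keeps role and login state out of the cookie entirely. SECRET_KEY, issueToken and verifyToken are hypothetical names, and the dates are constructed sample values.

```php
<?php
// Added example, not the lab's code. SECRET_KEY is a placeholder (assumption):
// in practice load a random server-side key from configuration.
const SECRET_KEY = 'placeholder-load-random-key-from-server-config';

// Issue a cookie value: base64(JSON claims) . '.' . base64(HMAC-SHA256 tag).
function issueToken(string $userId, string $expires): string
{
    // Only identity and expiry are stored; role and login state stay server-side.
    $payload = json_encode(['userId' => $userId, 'expires' => $expires]);
    $tag = hash_hmac('sha256', $payload, SECRET_KEY, true);
    return base64_encode($payload) . '.' . base64_encode($tag);
}

// Return the claims, or null if the cookie is malformed, tampered with or expired.
function verifyToken(string $cookie, string $today): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    $tag = base64_decode($parts[1], true);
    if ($payload === false || $tag === false) {
        return null;
    }
    // Verify the MAC before parsing; hash_equals compares in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET_KEY, true), $tag)) {
        return null;
    }
    $claims = json_decode($payload, true);
    if (!is_array($claims) || !is_string($claims['userId'] ?? null)
        || !is_string($claims['expires'] ?? null)) {
        return null;
    }
    // ISO dates (YYYY-MM-DD) order correctly under string comparison.
    return strcmp($claims['expires'], $today) >= 0 ? $claims : null;
}

// Constructed demo: a genuine cookie verifies, an edited payload with the old tag does not.
$cookie = issueToken('user_42', '2025-12-31');
[, $oldTag] = explode('.', $cookie);
$edited = base64_encode(json_encode(
    ['userId' => 'user_42', 'role' => 'admin', 'isAuthenticated' => true, 'expires' => '2025-12-31']
)) . '.' . $oldTag;
var_dump(verifyToken($cookie, '2025-06-01') !== null);
var_dump(verifyToken($edited, '2025-06-01') === null);
```

Because the payload is JSON and is parsed only after the MAC check, no PHP object is ever instantiated from client-supplied bytes, and any role or isAuthenticated field a client adds is never consulted.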