Oct 10, 2024
Hi Ashwini,
This is a nice writeup. I was learning insecure deserialization and came across your blog.
I had a query about the approach you took.
On Step 3 under 'Modification in serialization object', you change the data type from string to integer since we need to replace access_token with a blank value.
What if we keep the data type as string, with a blank value supplied, like the example below:
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:0:"";}
Can we say that this is also a valid approach?
Would this payload work?
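An added Python example, not the commenter's or the blog author's code: a minimal parser for the PHP serialize() format that reads the blank-string payload from the comment and an assumed integer form of the Step 3 change, followed by the kind of server-side check that rejects both. The expected token value and the integer payload are assumptions for illustration.

```python
import hmac

# Constructed payloads: the first is the one quoted in the comment, the second is an
# assumed rendering of the Step 3 change (string swapped for an integer).
BLANK_STRING_PAYLOAD = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";s:0:"";}'
INTEGER_PAYLOAD = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}'

def parse_php_serialized(data: str):
    """Parse one PHP serialize() value; returns (python_value, unparsed_remainder).
    Supports s, i, a and O. PHP string lengths are byte counts; this ASCII-only
    parser slices by character, which matches for the payloads above."""
    kind = data[0]
    if kind == "s":                              # s:<len>:"<bytes>";
        length, rest = data[2:].split(":", 1)
        n = int(length)
        return rest[1:1 + n], rest[1 + n + 2:]  # skip both quotes and the ';'
    if kind == "i":                              # i:<int>;
        num, rest = data[2:].split(";", 1)
        return int(num), rest
    if kind in ("a", "O"):                       # a:<n>:{...} / O:<len>:"<class>":<n>:{...}
        body, cls = data[2:], None
        if kind == "O":
            clen, body = body.split(":", 1)
            cls = body[1:1 + int(clen)]
            body = body[1 + int(clen) + 2:]      # skip closing quote and ':'
        count, body = body.split(":", 1)
        body = body[1:]                          # skip '{'
        obj = {}
        for _ in range(int(count)):
            key, body = parse_php_serialized(body)
            val, body = parse_php_serialized(body)
            obj[key] = val
        if cls is not None:
            obj["__class__"] = cls
        return obj, body[1:]                     # skip '}'
    raise ValueError(f"unsupported token {kind!r}")

def token_is_valid(session: dict, expected_token: str) -> bool:
    """Server-side check: accept only a non-empty string, then compare in constant
    time, so a blank string and a type-juggled integer are both rejected."""
    token = session.get("access_token")
    if not isinstance(token, str) or not token:
        return False
    return hmac.compare_digest(token, expected_token)

if __name__ == "__main__":
    for payload in (BLANK_STRING_PAYLOAD, INTEGER_PAYLOAD):
        session, _ = parse_php_serialized(payload)
        print(repr(session["access_token"]), token_is_valid(session, "expected-token"))
```

The parser shows the two payloads deserialize to different Python types (an empty str versus the int 0), which is exactly the distinction a strict type check on the server side has to make before any comparison.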