Pwning OWASP’s Juice Shop Pt 3: Bully Chatbot

Challenge: 

Name: Bully Chatbot

Description: Receive a coupon code from the support chatbot.

Difficulty: 1 star

Category: Miscellaneous

Expanded Description: None available.

Tools used:

Burp Suite Community Edition, FoxyProxy

Resources used:

None

Methodology: 

After a brief glance at the difficulty and description, I immediately came to the conclusion that I could solve this by just asking the chatbot for a coupon, but there's very little learning involved in that, so I opted to work harder and get a better idea of how the chatbot works.

Because there is no chatbot available without being logged in, I created a new bare-bones user account and logged in. Then I clicked on the drop-down menu on the header bar and selected "Support Chat".

I was greeted by the chatbot, who immediately wanted to know my name. Because I wanted to know what was happening "under the hood", I fired up Burp Suite Community Edition using default settings, changed my FoxyProxy settings to match Burp's proxy settings, went to the Proxy tab, then the Intercept tab, and finally returned to the chatbot to start the internet version of poking it with a stick.

After submitting a name, I switched to the HTTP history view under Burp's Proxy tab to analyze both the data I sent and the response from the server. I noted that my submission consisted of "action" and "query" fields, with the current action being set to "setname". This made me wonder how many other actions were available, and which sequence of actions and queries would be sufficient to elicit a coupon code. The response from the server consisted of "action", "body" and "token" fields, with the current action being "response".

Now it was time to start bullying. The second message I sent was a fairly simple request for a discount, with the action field on my end now set to "query". The chatbot responded by suggesting that I buy a Deluxe membership.

I again requested a discount. This response was new and interesting, but not what I wanted, so I requested a discount again. And again. And again.

I made no such promise.

Finally, the poor chatbot gave up its secrets and I got a 10% discount code.

OK, now I can go back to being nice.

Prevention and mitigation strategies:

Don't program the chatbot to acquiesce to customers' repeated requests for discounts. You may not even want people like that as customers.
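To make the exchange above and the mitigation concrete, here is an added example (my own code, not Juice Shop's and not the project's chatbot implementation). It models the request/response shape seen in Burp ("action"/"query" in, "action"/"body"/"token" out), puts a handler that gives in to repeated discount requests next to a hardened one whose answer never changes with persistence, and runs a detection check over constructed chat-log lines that flags a session nagging for a discount. The threshold at which the naive bot gives in, the session/timestamp fields in the log, and the coupon value are all assumptions; the post shows none of them.

```python
"""Added example (not Juice Shop's code): models the support-chat exchange
from the write-up, shows a naive handler beside a hardened one, and flags
repeated discount requests in a constructed chat log."""
import json
import re
from collections import defaultdict

# Assumed threshold: number of discount requests after which the naive bot
# gives in. The post only says "again. And again.", so this is a guess.
GIVE_IN_AFTER = 5
# Constructed placeholder; the real coupon value is not shown in the post.
COUPON_PLACEHOLDER = "PLACEHOLDER-10PCT"

DISCOUNT_RE = re.compile(r"\b(discount|coupon|cheaper)\b", re.IGNORECASE)


def _reply(body, token=None):
    """Response shape observed in Burp: action, body, token."""
    return {"action": "response", "body": body, "token": token}


def naive_handler(session, message):
    """Bot behaviour as described: each repeated discount query moves it
    closer to handing out a coupon. `session` is a mutable dict per user."""
    action, query = message["action"], message["query"]
    if action == "setname":
        session["name"] = query
        return _reply(f"Nice to meet you, {query}!")
    if action != "query":
        return _reply("I don't understand.")
    if DISCOUNT_RE.search(query):
        session["asks"] = session.get("asks", 0) + 1
        if session["asks"] >= GIVE_IN_AFTER:
            return _reply("Fine, here you go.", COUPON_PLACEHOLDER)
        return _reply("Have you considered a Deluxe membership?")
    return _reply("Anything else?")


def hardened_handler(session, message):
    """Same protocol, but a discount request always gets the same policy
    answer: persistence never changes the outcome, and the chat channel has
    no code path that issues a coupon at all."""
    action, query = message["action"], message["query"]
    if action == "setname":
        session["name"] = query
        return _reply(f"Nice to meet you, {query}!")
    if action == "query" and DISCOUNT_RE.search(query):
        return _reply("Current promotions are on the Deals page; I can't issue codes.")
    return _reply("Anything else?")


def run_conversation(handler, messages):
    """Feed client messages through a handler; return the tokens it handed out."""
    session = {}
    return [t for t in (handler(session, m)["token"] for m in messages) if t]


# Constructed chat-log lines in the shape of the request seen in Burp, with
# an assumed session id and epoch timestamp so the check below can group them.
SAMPLE_LOG = """\
{"sid": "s1", "ts": 100, "action": "setname", "query": "bully"}
{"sid": "s1", "ts": 105, "action": "query", "query": "can I get a discount?"}
{"sid": "s1", "ts": 110, "action": "query", "query": "can I get a discount?"}
{"sid": "s1", "ts": 115, "action": "query", "query": "can I get a discount?"}
{"sid": "s1", "ts": 120, "action": "query", "query": "can I get a discount?"}
{"sid": "s1", "ts": 125, "action": "query", "query": "can I get a discount?"}
{"sid": "s2", "ts": 100, "action": "setname", "query": "polite"}
{"sid": "s2", "ts": 130, "action": "query", "query": "do you have a discount?"}
{"sid": "s2", "ts": 900, "action": "query", "query": "any discount today?"}
"""


def session_messages(log_text, sid):
    """Parse the log and return the messages belonging to one session."""
    recs = (json.loads(line) for line in log_text.splitlines())
    return [{"action": r["action"], "query": r["query"]} for r in recs if r["sid"] == sid]


def flag_nagging_sessions(log_text, threshold=3, window=60):
    """Return session ids that sent `threshold` or more discount-type queries
    within any `window`-second span: the pattern a rate limit or alert keys on."""
    per_session = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["action"] == "query" and DISCOUNT_RE.search(rec["query"]):
            per_session[rec["sid"]].append(rec["ts"])
    flagged = []
    for sid, times in per_session.items():
        times.sort()
        # sliding window over sorted timestamps
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(sid)
    return sorted(flagged)


if __name__ == "__main__":
    msgs = session_messages(SAMPLE_LOG, "s1")
    print("naive:", run_conversation(naive_handler, msgs))
    print("hardened:", run_conversation(hardened_handler, msgs))
    print("flagged:", flag_nagging_sessions(SAMPLE_LOG))
```

Running it shows the naive handler releasing the placeholder coupon on the fifth ask while the hardened one never does, and the log check flagging only the session that repeated the request within the window. The point of the hardened version is structural rather than a tuned threshold: a discount-granting path simply should not exist behind a conversational counter.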

Lessons Learned and Things Worth Mentioning: 

  1. Chatbot won’t stand up for itself.
  2. I feel bad for bullying code.
