Pwning OWASP’s Juice Shop Pt. 6: Admin Section

Challenge: 

Name: Admin Section

Description: Access the administration section of the store.

Difficulty: 2 star

Category: Broken Access Control

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html

Tools used:

Python’s json.tool module, Firefox Developer Tools, MousePad

Resources used:

None.

Prerequisite challenges for this methodology:

Login Admin

Methodology: 

As the expanded description states that this is an easily guessable url, I logged in as admin@juice-sh.op did just that and found it on the first try: http://localhost:3000/administration. Kind of anticlimactic as challenges go, but this is where the keys to the kingdom are held, so it’s a good idea to poke around and see what you can find.

The first thing that jumped out at me was that this page listed all of the registered users. That data had to get to my system somehow, and since it showed that I was logged in it had to contain more than just one piece of data about the users.

Somehow I think Bender would approve of everything we’re doing here, but would also be confused about this whole “white hat” concept.

 To see how much more I could find I decided to use Inspect Element to see what other user data I could find. While the HTML may not contain anything juicy (Get it? Get it?), the networking tab on this site almost certainly would.

Developer Tools - OWASP Juice Shop - http://IocaIhost:3000/#/admini5tration 
Inspector 
Filter URLs 
Method 
GET 
Console 
Domain 
D Debugger 
Style Editor Performance 
Network 
Memory Storage Accessibility What's New 
All HTML CSS JS XHR Fonts Images Media WS other 
Disable Cache 
Size 
No Throttling 
Status 
localhost.3000 
localhost:3000 
localhost.3000 
localhost:3000 
localhost.3000 
localhost:3000 
O cdnjs.cloudflare.com 
cdnjs.cloudffare.com 
O cdnjs.cloudflare.com 
cdnjs.cloudffare.com 
O cdnjs.cloudflare.com 
localhost:3000 
localhost.3000 
localhost:3000 
localhost.3000 
localhost:3000 
localhost.3000 
localhost:3000 
localhost.3000 
localhost:3000 
localhost:3000 
localhost:3000 
localhost:3000 
localhost:3000 
localhost.3000 
localhost:3000 
localhost.3000 
localhost:3000 
localhost:3000 
localhost:3000 
localhost:3000 
styles.css 
runtime-es2018.js 
polyfiIIs-es2018.js 
vendor-es2018.js 
main-es2018.js 
cookieconsent_min.css 
cookieconsent.min.js 
jquery.min.js 
cookieconsent.min.js 
jquery.min.js 
application-configuration 
enoson 
application-version 
application-configuration 
Board 
whoami 
languages 
applicationa•ersion 
application-configuration 
Board 
application-configuration 
JuiceShop_ Logo.png 
19px.png 
Irest/user/authentication-details/ 
lapi\Feedbacks/ 
nsport 
favicon_js.ico 
-NM11hWU 
NMI 
Initiator 
BrowserTabChiId.jsm•.98 
stylesheet 
script 
script 
script 
script 
stylesheet 
script 
script 
script 
script 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
vendor-es2018.js:I (img) 
vendor-es2018.js:I (img) 
polyfIIs-es2018.js:I (xhr) 
polyfIIs-es2018.js:I (xhr) 
vendor-es2018.js:I 
polyfIIs-es2018.js:I (xhr) 
FaviconLoader.jsm:165 (i. 
Type 
html 
Ison 
Ison 
plain 
Ison 
Ison 
Ison 
Ison 
Ison 
json 
'son 
json 
'son 
json 
png 
png 
Ison 
Ison 
plain 
plain 
I-icon 
Transferred 
cached 
cached 
cached 
cached 
cached 
cached 
39B 
39B 
39B 
39B 
39B 
cached 
cached 
cached 
cached 
cached 
cached 
cached 
353B 
16.75 KB 
463 B 
960 a 
16.75 KB 
cached 
cached 
cached 
cached 
39B 
242 B 
cached 
1.88 KB 
540.49 KB 
221 Ka 
56.88 Ka 
1.33 MB 
363.38 KB 
16.42 KB 
27.11 Ka 
103B 
16.42 KB 
597 a 
129B 
4.58 KB 
20 
16.42 KB 
129B 
597B 
16.42 KB 
7327 KB 
95B 
7.78 KB 
1.40 Ka 
14.73 KB 
34 
42 
45 
145 
421M 
25
There’s a lot to go through here.

Immediately I noticed “/rest/user/authentication-details/”, so I opened it up to take a look. Lo and behold, a JSON file with loads of user data! I quickly copy/pasted to a MousePad file, formatted it using Python’s json.tool module, and saved it for future use.

All that’s missing are the password hashes.

Next I saw “/api/feedback/” tab, so I did the same thing there. I wanted to have as much information as I could possibly get my hands on, because by knowing the format of these JSON objects I could use that formatting data to complete other challenges. I knew that there were challenges related to this file (deleting all of the 5 star reviews, leaving a 0 star review, leaving a review in another user’s name, etc) and this file would certainly make them easier to complete.

After doing the same one more time for the “application-configuration” response, I was satisfied that, at least as far as the things I knew to look for, I had captured the information I was after. The JavaScript scripts are definitely worth grabbing as well, but I already had those.

If you get to the administration page and can’t figure out how to complete “5-Star Feedback”, then you may be wasting your time with this walkthrough.

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

While I couldn’t log into the administration page with a non-admin user, that’s a fairly substantial single point of failure considering the amount of information available on this page. Even though the page itself is not linked to from anywhere else on the site, having such an easy to guess link isn’t a great idea. I’d suggest obfuscating it by changing the url to something much more secure. Heck, you could go nuts and use something like a base 64 encoded password just to find the page. Furthermore, enabling multi-factor authentication and using a very restrictive whitelist would offer additional protection

Lessons Learned: 

  1. The companion guide isn’t joking about “easily guessable”.
  2. There is a deep well of information on an administration page which can be used to craft much more sophisticated attacks on a site’s vulnerabilities. Knowing where the weaknesses are located is of tremendous value.
  3. “python -m json.tool [filename.json] > [output.json]” is a fantastic tool for formatting JSON files. That command is now included in my quick reference notes file.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s