Challenge: 

Name: Missing Encoding

Description: Retrieve the photo of Bjoern’s cat in “melee combat-mode”.

Difficulty: 1 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

None.

Resources used:

URL Encoding table: https://www.eso.org/~ndelmott/url_encode.html

Emoji use in filename: https://www.howtogeek.com/682868/%E2%9C%A8-you-can-use-emoji-in-file-names-on-windows-10/#:~:text=This%20is%20easy%20thanks%20to,file%20to%20open%20the%20picker.

Methodology: 

First thing’s first, I went to the site’s Photo Wall to see what was there.

It looks like all but one photo are loading properly, obviously leaving the photo of kitty combat. Since the challenge is named “Missing Encoding”, it’s now time to inspect the page’s code to see what makes this photo different than the others.

After comparing the filenames of the missing photo with the four which loaded as intended, there were two things which stood out to me: 1. Who uses emojis in filenames? Is that even a thing? 2. Those hashes should probably be URL encoded.

While I knew there would be a way to figure out the emoji encoding, I also knew that the hashes were low hanging fruit. After finding a URL encoding table and finding the code for ‘#’, I swapped out the two hashes in the code to see if that was enough. I really didn’t want to have to dig into encoding an emoji, since that was definitely going to take more legwork.

Now to check the page…

Prevention and mitigation strategies:

Validate inputs. They only work if they are properly URL encoded.

Lessons Learned: 

1. Emojis are encodable for filenames and URLs.