Pwning OWASP’s Juice Shop Pt. 10: Zero Stars

Challenge: 

Name: Zero Stars

Description: Give a devastating zero-star feedback to the store.

Difficulty: 1 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology: 

The first step to leaving nasty feedback is to find out where feedback is submitted. The top link on the drop down menu to the left of the banner, labeled “Customer Feedback” is the obvious choice. Upon entering the feedback screen (which does allow anonymous feedback, by the way), we’re met with a form, which we must fill out.

Customer Feedback 
v Author 
anonymous 
Comment 
Mr. Madison, what you've just said is one of the most 
insanely idiotic things I have ever heard. At no point in 
your rambling, incoherent response were you even 
O Max. 160 characters 
160/160 
Rating 
CAPTCHA: 
Result 
10 
What is 
7-1+4 ? 
Submit
If you’re going to make apps this insecure, then you deserve the Billy Madison quote.

Now for the hack. Fire up Burp Suite, turn on the intercept, set up your proxy to route through Burp, hit “Submit”, and let’s capture a packet!

Raw Actions V 
POST /api/Feedbacks/ 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, I/ * 
Accept 
Accept -Language: en-US, en; q=O.S 
Accept -Encoding: gzip, deflate 
Content -Type: application/ j son 
Content -Length: 226 
Origin: http://localhost : 3000 
Connection: close 
Referer: http://localhost : 3000/ 
rv.78.o) 
Gecko,'20100101 Firefox,'78.o 
12 
14 
Cookie: language=en; welcomebanner status=dismiss; 
cookieconsent 
status=dismiss, 
cont 6QPD38L_oe7t Kxkh'Z2; 
10=PTFywAET4p, 
'captchald" : O, 
'captcha 
'comment " "Mr. 
'rating" : I 
Madison, 
what 
you've just 
said is one of the most 
insanely idiotic things I have ever heard 
At 
no point 
In your 
rambling, 
incoherent 
response were you

Now that we know what’s being sent out and only need to change that little ‘1’ to a ‘0’. Hit “Forward” and…

You successfully solved a challenge: Zero Stars (Give a devastating zero-star feedback to the store.) X

Prevention and mitigation strategies:

Input validation needs to be repeated on the server side before it ever reaches a database.

Lessons Learned and Things Worth Mentioning: 

  1. Just because a form is set up to validate inputs, that doesn’t mean the server will reject information in modified packets. I even included the entirety of the Billy Madison quote in the packet and still completed the challenge. Neither field was validated on the server side.
  2. I still feel guilty being mean to inanimate objects. It’s “Bully Chatbot” all over again…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s