Information Security

Hacking OWASP’s Juice Shop Pt. 10: Zero Stars

Posted on by codeblue04

Challenge: 

Name: Zero Stars

Description: Give a devastating zero-star feedback to the store.

Difficulty: 1 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology: 

The first step to leaving nasty feedback is to find out where feedback is submitted. The top link on the drop down menu to the left of the banner, labeled “Customer Feedback” is the obvious choice. Upon entering the feedback screen (which does allow anonymous feedback, by the way), we’re met with a form, which we must fill out.

Customer Feedback v Author anonymous Comment Mr. Madison, what you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even O Max. 160 characters 160/160 Rating CAPTCHA: Result 10 What is 7-1+4 ? Submit
If you’re going to make apps this insecure, then you deserve the Billy Madison quote.

Now for the hack. Fire up Burp Suite, turn on the intercept, set up your proxy to route through Burp, hit “Submit”, and let’s capture a packet!

Raw Actions V POST /api/Feedbacks/ Host: local host 3000 User-Agent: MoziIIa/S.O (X 11; Linux x86 64; application/ j son, text/ plain, I/ * Accept Accept -Language: en-US, en; q=O.S Accept -Encoding: gzip, deflate Content -Type: application/ j son Content -Length: 226 Origin: http://localhost : 3000 Connection: close Referer: http://localhost : 3000/ rv.78.o) Gecko,'20100101 Firefox,'78.o 12 14 Cookie: language=en; welcomebanner status=dismiss; cookieconsent status=dismiss, cont 6QPD38L_oe7t Kxkh'Z2; 10=PTFywAET4p, 'captchald" : O, 'captcha 'comment " "Mr. 'rating" : I Madison, what you've just said is one of the most insanely idiotic things I have ever heard At no point In your rambling, incoherent response were you

Now that we know what’s being sent out and only need to change that little ‘1’ to a ‘0’. Hit “Forward” and…

You successfully solved a challenge: Zero Stars (Give a devastating zero-star feedback to the store.) X

Prevention and mitigation strategies:

Input validation needs to be repeated on the server side before it ever reaches a database.

Lessons Learned and Things Worth Mentioning: 

  1. Just because a form is set up to validate inputs, that doesn’t mean the server will reject information in modified packets. I even included the entirety of the Billy Madison quote in the packet and still completed the challenge. Neither field was validated on the server side.
  2. I still feel guilty being mean to inanimate objects. It’s “Bully Chatbot” all over again…

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s