Name: Zero Stars
Description: Give a devastating zero-star feedback to the store.
Difficulty: 1 star
Category: Improper Input Validation
Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html
The first step to leaving nasty feedback is to find out where feedback is submitted. The top link on the drop down menu to the left of the banner, labeled “Customer Feedback” is the obvious choice. Upon entering the feedback screen (which does allow anonymous feedback, by the way), we’re met with a form, which we must fill out.
Now for the hack. Fire up Burp Suite, turn on the intercept, set up your proxy to route through Burp, hit “Submit”, and let’s capture a packet!
Now that we know what’s being sent out and only need to change that little ‘1’ to a ‘0’. Hit “Forward” and…
Prevention and mitigation strategies:
Input validation needs to be repeated on the server side before it ever reaches a database.
Lessons Learned and Things Worth Mentioning:
- Just because a form is set up to validate inputs, that doesn’t mean the server will reject information in modified packets. I even included the entirety of the Billy Madison quote in the packet and still completed the challenge. Neither field was validated on the server side.
- I still feel guilty being mean to inanimate objects. It’s “Bully Chatbot” all over again…