Pwning OWASP’s Juice Shop Pt. 11: Outdated Whitelist

Challenge: 

Name:  Outdated Whitelist

Description: Let us redirect you to one of our crypto currency addresses which are not promoted any longer.

Difficulty: 1 star

Category: Unvalidated Redirects

Expanded Description: https://pwning.owasp-juice.shop/part2/unvalidated-redirects.html

Tools used:

Firefox Developer Tools

Resources used:

None.

Methodology: 

As the category of this challenge is “Unvalidated Redirects”, and the word “redirect” also appears in the brief description, it’s a good bet that the site still accepts a redirect to a target its UI no longer links to, and that the old link survives somewhere in the client-side code. To analyze that code, right-click the page and choose “Inspect Element”, then head over to the “Debugger” tab, where all of the site’s .js files are listed.

[Firefox Developer Tools, Debugger tab: the Sources pane lists the localhost:3000 bundles (index), main-es2018.js, polyfills-es2018.js, runtime-es2018.js and vendor-es2018.js, plus cdnjs.cloudflare.com and resource://gre]

Anything with “main” in its name is probably important enough to warrant a glance, so open main-es2018.js, right-click on its tab, scroll to the bottom of that menu and select “Pretty print source”. This turns the minified one-line bundle into something you can actually read.

[Context menu on the main-es2018.js tab: Close tab, Close other tabs, Close tabs to the right, Close all tabs, Copy to clipboard, Copy source URI, Reveal in tree, Blackbox source, Pretty print source]

Since we know we’re looking for a redirect link involving crypto currency, save yourself a few hours of scrolling through 20k lines of JavaScript and type “redirect” into the search bar, then scan through the 20 or so results until you find a redirect to a crypto wallet.

Search hit for “redirect” in the pretty-printed main-es2018.js (around line 12524):

    showBitcoinQrCode() {
      this.dialog.open(Hn, {
        data: {
          data: 'bitcoin:1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
          url: './redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
          address: '1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
          title: 'TITLE_BITCOIN_ADDRESS'
        }
      })
    }

Now append that redirect path to the site address, i.e. http://localhost:3000/redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm, and hit enter. The server still accepts this target even though nothing in the shop links to it any more.

You successfully solved a challenge: Outdated Whitelist (Let us redirect you to one of our crypto currency addresses which are not promoted any longer.)
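The manual search above works, but a practitioner would script it so that every redirect target in a bundle is reviewed in one pass. The following is an added example, not code from the original post or from Juice Shop: it extracts every `./redirect?to=` target from bundle text and builds the URL to paste into the address bar for each one. The bundle text is a constructed stand-in for main-es2018.js and the base URL is assumed to be the local Juice Shop instance.

```javascript
// Added example (not from the original post or from Juice Shop): pull every
// "./redirect?to=" target out of a JavaScript bundle and build the probe URL
// for each, instead of scanning the search hits by hand.
// sampleBundle is a constructed stand-in for a minified main-es2018.js.
const sampleBundle = [
  'showBitcoinQrCode(){this.dialog.open(Hn,{data:{data:"bitcoin:1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm",',
  'url:"./redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm",',
  'address:"1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm",title:"TITLE_BITCOIN_ADDRESS"}})}',
  'function noise(){return "./redirect?to=https://github.com/juice-shop/juice-shop"}',
  'other(){return this.http.get("./redirect?to=https://github.com/juice-shop/juice-shop")}',
].join('\n');

// The redirect path followed by its target; the target ends where a JS string
// literal would (quote, backtick, whitespace or closing paren).
const REDIRECT_RE = /\.?\/redirect\?to=([^'"`\s)]+)/g;

function extractRedirectTargets(bundleText) {
  const targets = new Set(); // dedupe: the same link usually appears in several places
  for (const m of bundleText.matchAll(REDIRECT_RE)) {
    let target = m[1];
    try {
      target = decodeURIComponent(target); // bundles may carry the target percent-encoded
    } catch (err) {
      // malformed percent sequence: keep the raw string so it is still reviewed
    }
    targets.add(target);
  }
  return [...targets].sort();
}

// Build the URL you would paste into the address bar for one target.
// The base is assumed to be the local Juice Shop instance.
function buildProbeUrl(target, base = 'http://localhost:3000') {
  const u = new URL('/redirect', base);
  u.searchParams.set('to', target); // encodes the target for the query string
  return u.href;
}

for (const t of extractRedirectTargets(sampleBundle)) {
  console.log(buildProbeUrl(t));
}
```

Run it with `node`; each printed line is one candidate redirect to try against the running shop. Targets that no longer appear in the rendered UI but still redirect are exactly the stale allowlist entries this challenge is about.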

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

Clean up your code whenever you change things, and that includes the server side. Here the bitcoin link was dropped from the storefront, but its URL stayed in the list of targets the /redirect endpoint is willing to send users to, so the dead UI code left in the bundle is a map to a redirect that still works. When a link is removed, remove its allowlist entry in the same change; better still, build the allowlist from the same configuration that renders the links, so the two cannot drift apart, and compare incoming targets against it exactly. If you’ve got spaghetti code with unused lines somehow being necessary for things to work properly, maybe invest some time in reducing your technical debt before it gets even more out of hand.
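The following is an added example, not Juice Shop’s own code, modelling the flaw behind this challenge and one way to close it: a hand-maintained allowlist that kept an entry after its UI link was removed, beside an allowlist derived from the links the app still promotes, with exact comparison of normalised URLs. The lists, names and status codes are illustrative assumptions.

```javascript
// Added example, not Juice Shop's own code. Models an "outdated whitelist":
// the redirect endpoint checks "to" against a hand-maintained list, and one
// entry outlived the UI link that used it. The hardened version derives the
// list from the links the app still renders and compares normalised URLs
// exactly. All lists, names and status codes are constructed for illustration.

// Stale, hand-maintained allowlist (constructed). The blockchain.info entry is
// the one nobody removed when the bitcoin link left the UI.
const staleAllowlist = [
  'https://github.com/juice-shop/juice-shop',
  'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
];

function isAllowedStale(to) {
  return staleAllowlist.includes(to);
}

// Single source of truth (constructed): the outbound links the UI currently
// promotes. Removing a link here removes it from the allowlist as well.
const promotedLinks = {
  sourceCode: 'https://github.com/juice-shop/juice-shop',
};

function buildAllowlist(links) {
  // Normalise through the URL parser so later comparisons are like-for-like.
  return new Set(Object.values(links).map((u) => new URL(u).href));
}

const currentAllowlist = buildAllowlist(promotedLinks);

function isAllowedCurrent(to, allowlist = currentAllowlist) {
  let parsed;
  try {
    parsed = new URL(to); // relative paths and junk fail to parse
  } catch (err) {
    return false;
  }
  if (parsed.protocol !== 'https:') { // refuse javascript:, data:, http:, ...
    return false;
  }
  return allowlist.has(parsed.href); // exact match on the normalised URL
}

// Minimal handler: returns what the server would answer for a given check.
function handleRedirect(to, isAllowed) {
  return isAllowed(to)
    ? { status: 302, location: to }
    : { status: 400, location: null };
}

const staleTarget = 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm';
console.log('stale allowlist  :', handleRedirect(staleTarget, isAllowedStale));
console.log('current allowlist:', handleRedirect(staleTarget, isAllowedCurrent));
```

With the stale list the old wallet URL still gets a 302; with the allowlist built from `promotedLinks` it is refused, as are non-https schemes, relative paths and any URL that only resembles an allowed one (a `..` segment or a different host case is normalised away before the comparison).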

Lessons Learned and Things Worth Mentioning: 

  1. “Pretty print source” is super handy. Imagine reading 20 thousand lines of code on one line.

One comment

  1. ctag · 18 Days Ago

    Nice work with these. Bikes and code, this continues to be one of my favorite blogs.

