Challenge:
Name: Outdated Whitelist
Description: Let us redirect you to one of our crypto currency addresses which are not promoted any longer.
Difficulty: 1 star
Category: Unvalidated Redirects
Expanded Description: https://pwning.owasp-juice.shop/part2/unvalidated-redirects.html
Tools used:
Firefox Developer Tools
Resources used:
None.
Methodology:
As the category of this challenge is “Unvalidated Redirects”, and the word “redirect” also appears in the brief description, it’s a good bet that there’s an unused redirect target somewhere in the client-side code for this site. To analyze that code, click “Inspect Element”, then head over to the “Debugger” tab, where all of the site’s .js files are listed.

Anything with the word “main” in it is probably important enough to warrant a glance, so open that, right click on the “main-es2018.js” tab, scroll to the bottom of that menu and select “Pretty print source”. This will make the code infinitely easier to read.

Since we know we’re looking for a redirect link involving cryptocurrency, save yourself a few hours of scrolling through 20k lines of JavaScript and type “redirect” into the search bar, then scan through the 20 or so results until you find a redirect to a crypto wallet.

Now append that redirect path to the site’s address in the URL bar and hit Enter.


Prevention and mitigation strategies:
Clean up your code whenever you change things. A redirect allowlist only protects you while every entry on it is a destination you still intend to send users to, so retire the allowlist entry at the same time you retire the link. If you’ve got spaghetti code where unused lines are somehow necessary for things to work properly, invest some time in reducing that technical debt before it gets even more out of hand.
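As an added illustration of that advice (example code, not Juice Shop’s own), here is an exact-match redirect allowlist together with an audit that flags entries no page still links to, so a retired destination does not linger in the shipped bundle. The URLs, the `?to=` parameter name and the list of currently linked pages are constructed assumptions.

```javascript
// Added example (not Juice Shop's own code): an exact-match redirect allowlist
// plus an audit that flags entries no page still links to. All URLs are
// constructed placeholders.

// Allowlist as deployed: one destination is no longer promoted anywhere on
// the site but was never removed, which is the "outdated whitelist" smell.
const DEPLOYED_ALLOWLIST = new Map([
  ['https://example.org/donate/btc', 'BTC donations'],
  ['https://example.org/donate/eth', 'ETH donations'],
  ['https://legacy.example.org/old-wallet', 'retired campaign'],
]);

// Destinations actually linked from the current pages (constructed).
const CURRENTLY_LINKED = [
  'https://example.org/donate/btc',
  'https://example.org/donate/eth',
];

// Returns the canonical destination if `target` (e.g. a hypothetical
// ?to= query value) exactly matches an allowlisted URL, otherwise null.
// Comparing origin + path of the parsed URL, rather than a substring
// check on the raw string, rejects look-alike hosts and dot-segment tricks.
function resolveRedirect(target, allowlist = DEPLOYED_ALLOWLIST) {
  let parsed;
  try {
    parsed = new URL(target);
  } catch {
    return null; // relative or malformed input: refuse rather than guess
  }
  if (parsed.protocol !== 'https:') return null;
  const canonical = `${parsed.origin}${parsed.pathname}`;
  return allowlist.has(canonical) ? canonical : null;
}

// Audit: allowlist entries that no page links to any more. Each hit is a
// removal candidate; shipping it keeps a redirect target alive for no reason.
function unusedAllowlistEntries(allowlist, linked) {
  const stillLinked = new Set(linked);
  return [...allowlist.keys()].filter((url) => !stillLinked.has(url));
}

// Pruned allowlist: what should be deployed after the audit.
function pruneAllowlist(allowlist, linked) {
  const stale = new Set(unusedAllowlistEntries(allowlist, linked));
  return new Map([...allowlist].filter(([url]) => !stale.has(url)));
}
```

Run the audit in CI against the destinations your pages actually render, and fail the build when it reports anything.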
Lessons Learned and Things Worth Mentioning:
- “Pretty print source” is super handy. Imagine reading 20 thousand lines of code on one line.
Nice work with these. Bikes and code, this continues to be one of my favorite blogs.