Pwning OWASP’s Juice Shop Pt. 14: Repetitive Registration

Challenge: 

Name: Repetitive Registration

Description: Follow the DRY principle while registering a user.

Difficulty: 1 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

None.

Methodology: 

A quick Google search revealed that the “DRY principle” means “Don’t repeat yourself.” So while registering a new user, I shouldn’t repeat myself. But I repeat myself…

In that case, let’s create a new user.

[Screenshot: the User Registration form filled in with the Email test2@test.com, a Password (the form notes “Password must be 5-20 characters long”), the Repeat Password, the Security Question “Your eldest siblings middle name?” (the form notes “This cannot be changed later”) and the Answer “Winston Eldrich, Esquire”, before clicking Register.]
I like to pretend my family’s more respectable than it actually is. Don’t judge me.

Now, let’s take a look at what’s being sent to the server by opening Burp and setting up FoxyProxy.

[Screenshot: the registration request intercepted in Burp, sent to the app at http://localhost:3000/. The JSON body contains email “test2@test.com”, password “test1234”, passwordRepeat “test1234”, a securityQuestion object (id, question “Your eldest siblings middle name?”, createdAt, updatedAt) and securityAnswer “Winston Eldrich, Esquire”.]
Don’t REPEAT yourself.

Let’s see what happens when we modify the contents of the password repeat field to “literally_nothing” and submit it.

[Screenshot: notification “You successfully solved a challenge: Repetitive Registration (Follow the DRY principle while registering a user.)”]

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

If your client-side forms validate that the passwords match, there isn’t really a reason to send both pieces of data to the server. It’s not useful for anything and just adds to your attack surface. And whatever the server does accept, it has to validate itself: as the Burp edit above shows, a check that only lives in the browser is no check at all.
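To make the mitigation concrete, here is an added example (my own code, not Juice Shop’s) of a registration validator that re-checks everything on the server and keeps only the fields it needs; the field names follow the intercepted request, while the rules, error strings and the security question id are assumptions modelled on the form.

```javascript
// Added example (not Juice Shop's code): server-side validation of the
// registration body. Field names follow the intercepted request; the rules
// are modelled on the form (5-20 character password, repeat must match).
const PASSWORD_MIN = 5;
const PASSWORD_MAX = 20;

// Vulnerable shape: trusts that the browser already compared password and
// passwordRepeat, so a proxied request with passwordRepeat edited to
// anything at all still creates the user.
function registerTrusting(body) {
  return { ok: true, user: { email: body.email, password: body.password } };
}

// Hardened shape: re-validate every field the server uses and keep only
// those fields (allow-list), so extra or tampered fields have no effect.
function validateRegistration(body) {
  const errors = [];
  if (typeof body.email !== 'string' || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(body.email)) {
    errors.push('invalid email');
  }
  const pw = body.password;
  if (typeof pw !== 'string' || pw.length < PASSWORD_MIN || pw.length > PASSWORD_MAX) {
    errors.push(`password must be ${PASSWORD_MIN}-${PASSWORD_MAX} characters`);
  }
  // Best fix is not to send passwordRepeat at all; if the API still accepts
  // it, the comparison has to happen here, not only in the browser.
  if (body.passwordRepeat !== undefined && body.passwordRepeat !== pw) {
    errors.push('passwords do not match');
  }
  if (typeof body.securityAnswer !== 'string' || body.securityAnswer.trim() === '') {
    errors.push('security answer required');
  }
  if (errors.length > 0) return { ok: false, errors };
  const questionId = body.securityQuestion ? body.securityQuestion.id : undefined;
  return {
    ok: true,
    user: { email: body.email, password: pw, securityQuestionId: questionId, securityAnswer: body.securityAnswer },
  };
}

// Constructed sample: the intercepted body with passwordRepeat tampered the
// way the write-up does. The question id is a placeholder value.
const tamperedBody = {
  email: 'test2@test.com',
  password: 'test1234',
  passwordRepeat: 'literally_nothing',
  securityQuestion: { id: 1, question: 'Your eldest siblings middle name?' },
  securityAnswer: 'Winston Eldrich, Esquire',
};
```

With the tampered body, `registerTrusting` happily returns a user while `validateRegistration` rejects it with “passwords do not match”; dropping `passwordRepeat` from the request altogether, as suggested above, makes that branch unnecessary.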

Lessons Learned and Things Worth Mentioning: 

  1. Not every piece of data needs to be sent to the server, especially if it’s not used for anything once it gets there.
  2. Dad jokes. I has them.
