Hacking OWASP’s Juice Shop Pt. 14: Repetitive Registration


Name: Repetitive Registration

Description: Follow the DRY principle while registering a user.

Difficulty: 1 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp Suite, FoxyProxy

Resources used:



A quick Google search revealed that the "DRY principle" means Don't Repeat Yourself. So while registering a new user, I shouldn't repeat myself. But I repeat myself...

In that case, let’s create a new user.

[Screenshot: the User Registration form, showing the hint "Password must be 5-20 characters long", the Password and Repeat Password fields, a "Show password advice" toggle, the Security Question "Your eldest siblings middle name?" (marked "This cannot be changed later"), the answer "Winston Eldrich, Esquire", and the Register button]
I like to pretend my family’s more respectable than it actually is. Don’t judge me.

Now, let's take a look at what's being sent to the server by opening Burp and pointing the browser at its proxy listener with FoxyProxy.

[Screenshot: the registration POST request intercepted in Burp (Referer http://localhost:3000/, cookies language=en and welcomebanner_status=dismiss). The JSON body contains the email test2@test.com, the password test1234, the repeated password test1234 (both are sent to the server), the securityQuestion object with its id, the question "Your eldest siblings middle name?" and createdAt/updatedAt timestamps from 2020-11-01, and the security answer "Winston Eldrich, Esquire"]
Don’t REPEAT yourself.

Let's see what happens when we modify the contents of the password repeat field to "literally_nothing" in the intercepted request and forward it.

You successfully solved a challenge: Repetitive Registration (Follow the DRY principle while registering a user.) 

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

If your client-side form already validates that the passwords match, there isn't really a reason to send both pieces of data to the server. It's not useful for anything there and just adds to your attack surface. The deeper problem is that the server trusted the browser's check: anything the browser enforces can be stripped or rewritten in transit, as the Burp edit above shows. So either drop the repeat field from the request, or, if the server does receive it, have the server re-run the comparison itself and reject the registration when the two values differ.
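The server-side check that closes this hole, as an added example written for this post (it is not Juice Shop's own code, and the field names password, passwordRepeat and securityAnswer, the handler names, and the request bodies are assumptions modelled on the capture above). The vulnerable variant does what the challenge relies on, reading password and ignoring passwordRepeat; the hardened variant re-runs every rule the form shows in the browser.

```javascript
// Added example, not Juice Shop's code. Field names (password, passwordRepeat,
// securityAnswer) and handler names are assumptions based on the intercepted
// request shown in the post.

const MIN_PASSWORD = 5;   // form hint: "Password must be 5-20 characters long"
const MAX_PASSWORD = 20;

// Vulnerable: trusts that the browser already compared the two password fields,
// so a tampered passwordRepeat never gets looked at.
function registerVulnerable(body) {
  return { ok: true, status: 201, user: { email: body.email } };
}

// Hardened: every client-side rule is enforced again on the server.
// Returns a list of validation errors; an empty list means the body is acceptable.
function validateRegistration(body) {
  const errors = [];

  if (typeof body.email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email)) {
    errors.push('email: must be a valid address');
  }

  const pw = body.password;
  if (typeof pw !== 'string') {
    errors.push('password: required');
  } else {
    // Count code points, not UTF-16 units, so multi-byte characters count once.
    const len = [...pw].length;
    if (len < MIN_PASSWORD || len > MAX_PASSWORD) {
      errors.push(`password: must be ${MIN_PASSWORD}-${MAX_PASSWORD} characters long`);
    }
  }

  // The check the challenge exploits: the server must compare the two values itself.
  if (typeof body.passwordRepeat !== 'string' || body.passwordRepeat !== pw) {
    errors.push('passwordRepeat: does not match password');
  }

  if (typeof body.securityAnswer !== 'string' || body.securityAnswer.trim() === '') {
    errors.push('securityAnswer: required');
  }

  return errors;
}

function registerHardened(body) {
  const errors = validateRegistration(body);
  if (errors.length > 0) {
    return { ok: false, status: 400, errors };
  }
  // Persist the user here; passwordRepeat is never stored or used beyond the check.
  return { ok: true, status: 201, user: { email: body.email } };
}

// Constructed request bodies: the legitimate one from the Burp capture, and the
// tampered one with passwordRepeat changed to "literally_nothing".
const legitimate = {
  email: 'test2@test.com',
  password: 'test1234',
  passwordRepeat: 'test1234',
  securityQuestion: { id: 1, question: 'Your eldest siblings middle name?' },
  securityAnswer: 'Winston Eldrich, Esquire',
};
const tampered = { ...legitimate, passwordRepeat: 'literally_nothing' };

console.log('vulnerable, tampered body :', registerVulnerable(tampered));
console.log('hardened, tampered body   :', registerHardened(tampered));
console.log('hardened, legitimate body :', registerHardened(legitimate));
```

Run it with node and compare the two results for the tampered body: the vulnerable handler creates the account, the hardened one answers 400 with the mismatch error. The same validator also rejects an out-of-range password or an empty security answer, which the browser-side form would normally block but a proxied request can skip.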

Lessons Learned and Things Worth Mentioning: 

  1. Not every piece of data needs to be sent to the server, especially if it's not used for anything once it gets there. And whatever the server does use, it has to validate itself rather than trusting that the browser already did.
  2. Dad jokes. I has them.
