Information Security

Pwning OWASP’s Juice Shop Pt. 14: Repetitive Registration

Posted on by codeblue04

Challenge: 

Name: Repetitive Registration

Description: Follow the DRY principle while registering a user.

Difficulty: 1 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

None.

Methodology: 

A quick google search revealed that the “DRY Principle” means Don’t repeat yourself. So while registering a new user, I shouldn’t repeat myself.  But I repeat myself…

In that case, let’s create a new user.

User Registration Email test2@test.com Password O Password must be 5-20 characters long. Repeat Password Show password advice Security Question Your eldest siblings middle name? O This cannot be changed later:' Ansner Winston Eldrich, Esquire +• Register 8/20 8/20
I like to pretend my family’s more respectable than it actually is. Don’t judge me.

Now, let’s take a look at what’s being sent to the server by opening Burp and setting up FoxyProxy.

Referer: http://localhost : 3000/ 12 Cookle: language=en; welcomebanner status=dismiss; 14 { email " "test2@test . com' , password " "test 1234" , passwordRepeat " "test1234" , securityQuestion" :{ "icl" : I question createdAt " 'updatedAt' 'Your eldest siblings 2020-11-OIT17: 31 26 S98Z" , 2020-11- OIT17: 31 26 598? securityAnswer' 'Rinston Eldrich, middle name? , Esqui re
Don’t REPEAT yourself.

Let’s see what happens when we modify the contents of the password repeat field to “literally_nothing” and submit it.

You successfully solved a challenge: Repetitive Registration (Follow the DRY principle while registering a user.) x

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

If your client-side forms validate that the passwords match, there isn’t really a reason to send both pieces of data to the server. It’s not useful for anything and just adds to your attack surface.

Lessons Learned and Things Worth Mentioning: 

  1. Not every piece of data needs to be sent to the server, especially if it’s not used for anything once it gets there.
  2. Dad jokes. I has them.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s