Information Security

Hacking OWASP’s Juice Shop Pt. 17: View Basket

Posted on by codeblue04

Challenge: 

Name: View Basket

Description: View another user’s shopping basket.

Difficulty: 2 star

Category: Broken Access Control

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

None.

Methodology: 

The access controls on this site have proven to be fairly poor, so this shouldn’t be terribly difficult. First, we need to see what information is being sent to the server when we click the “View Basket” link, so log in and fire up Burp and set up FoxyProxy accordingly. Then we click on the basket and wait for a JSON object.

Except it never comes. Curious, that. Let’s look at the destinations for these packets. If it’s not a JSON object being sent, then maybe our user information is being passed to a unique link.

/api/Quantitys/ "rest/basket/9 /rest\user/nhoami

Hmm. I wonder if that ‘9’ (or whatever number is there for you) is an identifier. We know from the Admin Section challenge that there are more than nine users, but let’s set it up to make sure we’re actually viewing another user’s basket.

Your Basket (test@test.com) Eggfruit Juice (500ml) Apple Pomace Juice Shop "Permafrost" 2020 Edition 1 1 1 a a 8.99m 9999.99Ä Total Price: 10009.869999999999m
Juice Shop uses primitives to track money without so much as a round().

First, let’s add a few specific items to our own basket so we can identify it if we can successfully view basket 9 from another account. Then either create another account or log into another one you’ve got access to (any of the Login, Password Reset, or Geo Stalking challenges should have left you with persistent access to those accounts) and go to that user’s shopping basket. Now all that’s needed is to send that user’s initial request packet to Burp’s Repeater, change the number next to “basket/” to whatever number your user had, and send it off.

Request Params Pretty rv•78 Response Headers Actions GET HI-TP Host: local host 3000 User-Agent: MoziIIa/S.O (X ISON web Tokens Pretty 11; Linux x86 64; o) Gecko,'20100101 Firefox/78 application/ j son, text/ plain, * / 4 Accept S Accept -Language: en-US, Accept -Encoding: gzip, deflate Authorization: Bearer ey eyJzdGF0dXMi ZXNz1iwi sinVzZXJuYW11 Ij oiaj aoTmSS1iwiZA1haNwioiJqb2huQGp1a',NN1 LXNoLm9w1iwicGFzcsdvcmQioi1xNmQ ZGRhM2Fk0TNj UAE-3Mj Yl 0Td1 NCIs1nJvbGUi oiJj dXNob211 cils1mR1 b HV4ZVRva2Vu1j o iliwi usxAi oi Iwi_j AuMC4w1iwi szul t ywdl Ij oiYXNzZXRzL381YmxpYy9pbRFnZXM v dxasb2Fkcy9kz,NZh zxQi oi dG12ZS16dHJ1 zswiY3J1 YXRI ZEF 01j oiMj Ay McoxMsowMSAxNzozMToyNi 42Mj kgKz Awoj Awliwi dxakYXR1 ZEF01j oiMj Ay McoxMsowMSAyMTo 1 Nj ozMy 4SNj lgKzAwOj Awliwi ZGVsZXR1 ZEF01j pudnxsf9wi oxNj AOMj glNzM4LCJ1 eHAi oj E2MDQ zMDM3Mzh9. akwaPqqSV19G0 6V41YC6Gj sJEZFNrQqMJMvgn74ssbCMNUGAkmwX xoycpxxeESrj 4zd17KKS 8GgTkxnw-b4FTLisnkl_coczHEtYrTIKvDy 3GEFcn16Mj nJ0g2wV jAZt rDPib4kkTEvqcaJqs1pmf1a3r70 NVI VPEI RGn6NE Connection: close Referer: http // I Ocal host 3000/ 10 Cookie: language=en; welcomebanner status=dismiss; cookieconsent status=dismiss, cont inuecode=oot , LknnxJfKkRZF71 qNAAAj ; token= eyJzdGF0dXMi ZXNz1iwi ZGFOYS16eyJpZC16MTg slnVzZXJuYW11 Ij oiaj LXNoLm9w1iwicGFzcsdvcmQioi1xNmQ ZGRhM2Fk0TNj o,NE3Mj Yl 0Td1 NCIs1nJvbGUi oiJj dXNob211 cils1mR1 bHV4ZVRva2Vu1j o iliwi usxAi oi Iwi_j AuMC4w1iwi szul t ywdl Ij oiYXNzZXRzL381YmxpYy9pbh'FnZXM v dxasb2Fkcy9kzazh zxQi oi dG12ZS16dHJ1 YXRI ZEF Headers Rendeiö An *ctions Raw 'Productld" : 3 Apple Pomace" , 'name 'description" "Finest pressings of apples price" : O. 89, 'deluxeprice" : O. 89, 'apple _ pressings.jpg", " Image createdAt " " 2020-11-OIT17: 31 26 888Z" , 'updatedAt " 2020-11-OIT17: 31 26 888Z" , 'deletedAt' :null '8asketItem' "id" : 9, quantit createdAt " '2020-11-02T02: 45: 16. S36Z" , 'updatedAt' '2020-11-02T02: 45: 16. S36Z" , ' aasketld "Product Id "id" : 41 Allergy disclaimer: Might contain 'Juice Shop \ '"Permafrost\" 2020 Edition" , 'name 'description" "Exact version of href=\"https://github.com/bkimminich/juice
You successfully solved a challenge: View Basket (View another users shopping basket.) X

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

User 10 should never be able to access user 9’s basket. User 9’s cookie information should reflect their identity, so use that user’s cookie to authenticate and allow access to their private information. Anyone not in possession of that cookie should receive a 403 response code.

Lessons Learned and Things Worth Mentioning: 

It’s been a while since I initially solved this, and had become dependent upon JSON data for my attacks. That probably didn’t cost me more than 30 seconds of confusion, but hopefully after this that delay will be significantly reduced.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s