Pwning OWASP’s Juice Shop Pt. 17: View Basket

Challenge: 

Name: View Basket

Description: View another user’s shopping basket.

Difficulty: 2 star

Category: Broken Access Control

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

None.

Methodology: 

The access controls on this site have proven to be fairly poor, so this shouldn’t be terribly difficult. First, we need to see what information is being sent to the server when we click the “View Basket” link, so log in and fire up Burp and set up FoxyProxy accordingly. Then we click on the basket and wait for a JSON object.

Except it never comes. Curious, that. Let’s look at the destinations of these requests instead. If our user information isn’t being sent as a JSON object, then maybe it’s being passed in the URL itself.

/api/Quantitys/
/rest/basket/9
/rest/user/whoami

Hmm. I wonder if that ‘9’ (or whatever number is there for you) is an identifier. We know from the Admin Section challenge that there are more than nine users, but let’s set it up to make sure we’re actually viewing another user’s basket.

[Screenshot of the basket page for test@test.com: Eggfruit Juice (500ml), Apple Pomace and Juice Shop "Permafrost" 2020 Edition at quantity 1 each, with unit prices of 8.99 and 9999.99 visible; Total Price: 10009.869999999999]
Juice Shop tracks money with floating-point primitives, without so much as a round().

First, let’s add a few specific items to our own basket so we can identify it if we can successfully view basket 9 from another account. Then either create another account or log into another one you’ve got access to (any of the Login, Password Reset, or Geo Stalking challenges should have left you with persistent access to those accounts) and go to that user’s shopping basket. Now all that’s needed is to send that user’s initial request packet to Burp’s Repeater, change the number next to “basket/” to whatever number your user had, and send it off.

[Burp Repeater screenshot: GET /rest/basket/9 sent to localhost:3000 with the second account’s Authorization: Bearer JWT and token cookie (the tokens are not reproduced here). The response body is the first account’s basket as JSON, including the Apple Pomace product (ProductId 3, price 0.89, description "Finest pressings of apples", image apple_pressings.jpg) and the Juice Shop "Permafrost" 2020 Edition product, each with its BasketItem record (id, quantity, BasketId, ProductId and createdAt/updatedAt timestamps).]

You successfully solved a challenge: View Basket (View another user’s shopping basket.)

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

User 10 should never be able to access user 9’s basket. User 9’s cookie (the session token it carries) establishes their identity, so the server should authenticate the request from that cookie and release the basket only to the user it belongs to, never on the strength of the number in the URL alone. Anyone not in possession of that cookie should receive a 403 response code.

Lessons Learned and Things Worth Mentioning: 

It’s been a while since I initially solved this, and I had become dependent upon JSON data for my attacks. That probably didn’t cost me more than 30 seconds of confusion, but hopefully after this that delay will be significantly reduced.
