Name: Deprecated Interface
Description: Use a deprecated B2B interface that was not properly shut down.
Difficulty: 2 star
Category: Security Misconfiguration
Expanded Description: https://pwning.owasp-juice.shop/part2/security-misconfiguration.html
If there’s a deprecated interface with remnants still existing within the current code, then the challenge is simply to find something which isn’t in use anymore. Thus far, after 22 walkthroughs, the only file extensions I’ve seen have been .js and .json. That leaves an awful lot of code to look through for any of a dozen common file extensions. Grep to the rescue!
Step 2: Create a wordlist file containing common web file extensions (php, aspx, et cetera) and format it for grep (link in Resources).
Step 3: ???
Step 4: Profit!
Well that certainly looks incompletely deprecated to me, so let’s try to use it and see if we can’t complete this challenge. Go ahead and create an empty XML file (naming an empty text file test.xml works). Now we just need to find where we can submit this.
In the Complaint tab on the left side menu, there’s a place to upload files. Inspecting the code shows that it’s limited to PDF and ZIP files. Knowing that the input validation here is highly suspect, let’s see if we can’t find a workaround.
By renaming the file “test.xml.zip”, it’s now possible to upload into that box. Once that’s done, set up Burp and FoxyProxy to capture the packet for modification.
Delete the “.zip” from the file name and send it off to its fate.
Prevention and mitigation strategies:
Validate all inputs on both the client and server side, and treat the server-side check as the one that counts, since the client-side check is trivially bypassed with a proxy. Even with the Content-Type field set to ZIP, the upload went through without a hitch. Even a simple test to ensure the file name, the declared content type, and the actual file contents agreed with each other would have caught this.
Lessons Learned and Things Worth Mentioning:
- This is admittedly a challenge which stumped me the first time through. I couldn’t figure out what they meant by “interface”, and especially why B2B was relevant. Personally I’m much more comfortable doing back end development, and the front end is somewhere I’m still finding my bearings. That said, it’s been a couple of months since I first solved it and I didn’t remember the solution. This time I was able to work it out on my own fairly quickly, which was nice.
- While I obviously already knew this, computers are dumb. This empty file was clearly not a ZIP file, but as long as I write the correct extension on the end of a file, unless the programmers on the other end are validating inputs I can upload whatever I want. Whether I can execute an uploaded reverse shell is another issue, but pushing the wrong file type to a database which regularly accesses all of the files it contains would probably be a decent way to plant a logic bomb or something similar and take the system offline.