Pwning OWASP’s Juice Shop Pt. 18: Deprecated Interface

Challenge: 

Name: Deprecated Interface

Description: Use a deprecated B2B interface that was not properly shut down.

Difficulty: 2 star

Category: Security Misconfiguration

Expanded Description: https://pwning.owasp-juice.shop/part2/security-misconfiguration.html

Tools used:

Grep, jsbeautifier

Resources used:

Grep formatting

Methodology: 

If there’s a deprecated interface with remnants still existing within the current code, then the challenge is simply to find something which isn’t in use anymore. Thus far, after 22 walkthroughs, the only file extensions I’ve seen have been .js and .json. That leaves an awful lot of code to look through for any of a dozen common file extensions. Grep to the rescue!

Step 1: Download a copy of “main-es2018.js” from Firefox’s Developer Tools window along with a JavaScript beautifier (I’m using a pip package called jsbeautifier) for easy formatting. Without this, grep is basically useless as everything is on the same line.

Step 2: Create a wordlist file containing common web file extensions (php, aspx, et cetera) and format it for grep (link in Resources).

Step 3: ???

Step 4: Profit!

[Terminal screenshot; the recoverable content is:]

Shop$ js-beautify main-es2018.js > main.js
Shop$ grep ... main.js

(The exact grep pattern is not legible in the screenshot. Most of the matches are SVG markup attributes such as "xmlns", "http://www.w3.org/2000/svg" and "viewBox", but one line stands out:)

allowedMimeType: ["application/pdf", "application/xml", "text/xml", "application/zip", "application/x-zip-compressed", "multipart/x-zip"]

Well that certainly looks incompletely deprecated to me, so let’s try to use it and see if we can’t complete this challenge. Go ahead and create an empty XML file (naming an empty text file test.xml works). Now we just need to find where we can submit this.

[Screenshot of the OWASP Juice Shop Contact menu: Customer Feedback, Complaint, Support Chat]

In the Complaint tab on the left side menu, there’s a place to upload files. But after inspecting the code, it’s limited to PDF and ZIP files. Knowing that the input validation here is highly suspect, let’s see if we can’t find a workaround.

By renaming the file “test.xml.zip”, it’s now possible to upload into that box. Once that’s done, set up Burp and FoxyProxy to capture the packet for modification.

[Captured multipart request body in Burp:]

------48134477738668905444170103525
Content-Disposition: form-data; name="file"; filename="test.xml.zip"
Content-Type: application/zip

Delete the “.zip” from the file name and send it off to its fate.

You successfully solved a challenge: Deprecated Interface (Use a deprecated B2B interface that was not properly shut down.)

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

Validate all inputs on both the client and server side. Even with the Content-Type header set to application/zip, the upload of an empty file named test.xml went through without a hitch. Even a simple server-side check that the file name's extension matched the declared content type would have caught this.

Lessons Learned and Things Worth Mentioning: 

  1. This is admittedly a challenge which stumped me the first time through. I couldn’t figure out what they meant by “interface”, and especially why B2B was relevant. Personally I’m much more comfortable doing back end development, and the front end is somewhere I’m still finding my bearings. That said, it’s been a couple of months since I first solved it and I didn’t remember the solution. This time I was able to work it out on my own fairly quickly, which was nice.
  2. While I obviously already knew this, computers are dumb. This empty file was clearly not a ZIP file, but as long as I write the correct extension on the end of a file, unless the programmers on the other end are validating inputs I can upload whatever I want. Whether I can execute an uploaded reverse shell is another issue, but pushing the wrong file type to a database which regularly accesses all of the files it contains would probably be a decent way to plant a logic bomb or something similar and take the system offline.
