Pwning OWASP’s Juice Shop Pt. 23: Payback Time

Challenge: 

Name: Payback Time

Description: Place an order that makes you rich.

Difficulty: 3 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology: 

In this challenge, the expanded description isn’t of much use. Instead of taking suggestions from the description as I normally would, I opted to look at the packets being sent to the server during the purchase process. First I added the most expensive item in the store to my basket and checked what information was being passed.

Burp Project Intruder Repeater Window 
Dashboard Target 
Intruder 
Help Logger++ H IT P Request Smuggler 
Sequencer Decoder 
Repeater 
Comparer 
history Options 
Extende 
HIT P history WebSockets 
Request to http://localhost:3000 
Forward 
Params 
Drop 
Headers 
[127001] 
tercept o 
ISON web Tokens 
Action 
Open Browser 
Raw An I Actions 
Pretty 
1 POST /api/aasketltems/ H-rrp/l.l 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 
4 Accept 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
rv.78.o) 
Gecko,'20100101 Firefox,'78.o 
Authorization: Bearer eyJOeXAiOiJKVIQiLCJhbGciOiJSUzIINiJ9. eyJzdGFOdXMiOiJzdRNj Z.XI' 
Content -Type: application/ j son 
Content -Length: 44 
10 Origin: http://localhost : 3000 
Il Connection: close 
Referer: http://localhost : 3000/ 
IS Cookle: language=en; welcomebanner status=dismiss; 
"Product Idl 
' aasketld 
quantity 
cookleconsent 
status=dismiss,

The “quantity” field stood out like a sore thumb, so I decided to see what would happen if, instead of 1, I added -111 items to my basket.

Your Basket (test@test.com) 
Juice Shop "Permafrost" 2020 
Edition 
Checkout 
-111 
9999.99B 
Total Price: 
-1109998.89m 
You will gain -111000 Bonus Points from this order!

Well that looks promising.

My Payment Options 
O 
Add new card 
Pay using wallet 
Add a coupon 
Other payment options 
Back 
Alfred J. Goldman 
Add a credit or debit card 
Wallet Balance 
1386.00 
12/2094 
$ pay -1109997.90Ä 
Add a coupon code to receive discounts 
You can review this order before it is finalized. 
> Continue

At this point it was fairly clear that pressing “Pay -xxx.xx” would be the easiest way to transfer that money into my account. This method is much easier than, say, adding that money onto a credit card.

Delivery Address 
Alfred J. Goldman 
123 Mostly_Fake street, 
The moon, Washington, 
12345 
USA 
Phone Number 1234567890 
Payment 
Method 
Digital Wallet 
Order Summary 
Your Basket (test@test.com) 
Items 
Delivery 
Promotion 
Total Price 
-1109998.89Ä 
O. 99Ä 
o. ooz 
-1109997.90Ä 
Juice Shop 
" Permafrost" 
2020 Edition 
-111 
9999.9 
'place your order and pay 
You will gain -111000 Bonus Points from 
this order!
In hindsight, Alfred E. Newman would have been funnier. It’s getting harder to come up with fancy names.

After entering my user’s name and address, I placed the order and completed the challenge.

You successfully solved a challenge: Payback Time (Place an order that makes you rich.) 
x

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

  1. There is no reason to assume that a field which should be a positive value is enforced as such on the server side. While I couldn’t add -1 items from the user interface, using Burp Suite it was a trivial task to complete. One which was very lucrative in Juice Shop currency, which unfortunately has no exchange rate to USD.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s