Challenge:
Name: Payback Time
Description: Place an order that makes you rich.
Difficulty: 3 star
Category: Improper Input Validation
Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html
Tools used:
Burp, FoxyProxy
Resources used:
None.
Methodology:
In this challenge, the expanded description isn’t of much use. Instead of taking suggestions from the description as I normally would, I opted to look at the requests being sent to the server during the purchase process. First I added the most expensive item in the store to my basket and checked what information was being passed.
![Burp Suite Proxy intercept of the POST /api/BasketItems/ request to http://localhost:3000, sent with a Bearer token and a JSON body containing ProductId, BasketId and quantity](https://curiositykillscolby.files.wordpress.com/2020/11/image-69.jpeg?w=595)
The “quantity” field stood out like a sore thumb, so I decided to see what would happen if, instead of 1, I changed it to -111 before forwarding the request.

Well that looks promising.

At this point the checkout showed a negative total, and it was fairly clear that pressing “Pay -xxx.xx” would be the easiest way to transfer that money into my account. This method is much easier than, say, adding that money onto a credit card.

After entering my user’s name and address, I placed the order and completed the challenge.

Prevention and mitigation strategies:
Lessons Learned and Things Worth Mentioning:
- There is no reason to assume that a field which should be a positive value is enforced as such on the server side. While I couldn’t add -1 items from the user interface, using Burp Suite it was a trivial task to complete, and one which was very lucrative in Juice Shop currency, which unfortunately has no exchange rate to USD.