Name: Forged Feedback
Description: Post some feedback in another user’s name.
Difficulty: 3 star
Category: Broken Access Control
Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html
Because once more the expanded description points to intercepting the communication with the RESTful backend, I opened Burp and set up FoxyProxy, then navigated to the Customer Feedback form from Amy’s user account. After filling it in it was time to intercept a packet and figure out how to exploit it.
Since it’s been proven time and again that Juice Shop’s servers basically never validate anything they receive, I knew I’d just have to update the “UserId” field. Now I had to decide who I was going to pin this on.
Target selected, it was just a matter of updating the “UserId” field in the JSON object to make Bender look slightly more guilty than normal. Not a particularly tall order.
Now just send it in and…
The form also limits input to 140 characters, but that limit is only enforced on the client side. The server accepts whatever it is sent, meaning that with a sufficiently large text file you may be able to mangle the database.
Prevention and Mitigation Strategies:
Matching the identity behind the user’s session cookie to the JSON fields would go a long way toward solving this type of thing: if User A’s cookie is submitting feedback tagged as User B, simply reject it as unauthorized.
Second, actually enforce the text size limits on the server side. You don’t want someone uploading War and Peace into a field designed to hold a tweet.
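To show what both mitigations look like together, here is an added example that is not Juice Shop’s own code: a feedback handler that resolves the author from the session cookie, rejects a body whose UserId disagrees with that session, and re-checks the 140-character limit on the server. The session store, token names, user ids and request shape are all constructed assumptions for the demo.

```javascript
// Added example, not Juice Shop's own code. Server-side checks for a
// feedback endpoint: the author is derived from the session cookie,
// a client-supplied UserId that disagrees with it is rejected, and the
// 140-character limit from the form is enforced again here.

const MAX_COMMENT_LENGTH = 140;

// Constructed session store: cookie token -> authenticated user id.
// A real app would verify a signed token; this mapping is an assumption.
const SESSIONS = new Map([
  ['tok-amy', 1],
  ['tok-bender', 3],
]);

function userIdFromCookie(cookies) {
  const token = cookies && cookies.token;
  return SESSIONS.has(token) ? SESSIONS.get(token) : null;
}

// Returns { status, error } on rejection or { status: 201, record } on success.
function handleFeedbackRequest(req) {
  const sessionUserId = userIdFromCookie(req.cookies);
  if (sessionUserId === null) {
    return { status: 401, error: 'not authenticated' };
  }
  const body = req.body || {};
  // Forged feedback: the body names a UserId other than the session owner.
  if (body.UserId !== undefined && Number(body.UserId) !== sessionUserId) {
    return { status: 403, error: 'UserId does not match session' };
  }
  if (typeof body.comment !== 'string' || body.comment.trim() === '') {
    return { status: 400, error: 'comment is required' };
  }
  // Count code points so multi-unit characters are not undercounted.
  if ([...body.comment].length > MAX_COMMENT_LENGTH) {
    return { status: 400, error: `comment exceeds ${MAX_COMMENT_LENGTH} characters` };
  }
  // The stored UserId always comes from the session, never from the body.
  return { status: 201, record: { UserId: sessionUserId, comment: body.comment } };
}

// Constructed sample: Amy's session trying to post feedback as Bender.
const forged = handleFeedbackRequest({
  cookies: { token: 'tok-amy' },
  body: { UserId: 3, comment: 'Bender did it.' },
});
console.log(forged.status, forged.error); // 403 UserId does not match session
```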
Lessons Learned and Things Worth Mentioning:
All of those years of watching Futurama are really paying off for me. And my parents said I’d never get anywhere by watching cartoons…