Hacking OWASP’s Juice Shop Pt. 29: Login Bender

Challenge: 

Name: Login Bender

Description: Log in with Bender’s user account.

Difficulty: 3 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

None.

Resources used:

Login Admin

Methodology: 

The expanded description for this challenge takes care to point out that this is an “injection” challenge. The last time I logged in using injection it was to access the administrator’s account, because I correctly assumed it would be the account with the lowest user ID number. In this case, I would have to log into a specific user’s account in order to complete the challenge. Knowing how the data is sent from the login screen to the server, and knowing the Email field is vulnerable to SQL injection, it was a fairly simple process of deduction to work out that all that was necessary to complete this challenge would be to identify Bender as the user account I wanted to log into and apply the same SQL injection pattern which had worked for the admin account.

Login 
Email 
bender@juice-sh.op'-- 
Password 
Forgot your password? 
Log in
You successfully solved a challenge: Login Bender (Log in with Bender's user account.) 
x

Prevention and Mitigation Strategies:

OWASP SQL Injection Mitigation Cheat Sheet 

Lessons Learned and Things Worth Mentioning: 

Nothing special. It’s cool to see that the SQL injection trick doesn’t only work for one user, but any user whose email address I know. Since I’ve got a complete list of users from both the Admin Section and Database Schema challenges, that means I can gather everything from addresses to credit card numbers from any user. Not ideal.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s