Challenge:
Name: Forged Review
Description: Post a product review as another user or edit any user’s existing review.
Difficulty: 3 star
Category: Broken Access Control
Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html
Tools used:
Burp, FoxyProxy
Resources used:
None.
Methodology:
This is another instance of the server not comparing the logged-in user with the name it is handed in the JSON body: the `author` field of the review is trusted as sent. The first steps, as usual, are to log in as any user, open Burp Suite, and set up FoxyProxy to intercept the request. Then just fill out a review and inspect the intercepted request.

![Burp Suite intercept of the review submission: PUT /rest/products/6/reviews HTTP/1.1 to localhost:3000 with an Authorization: Bearer JWT header, Content-Type: application/json, and a JSON body containing a "message" field and an "author" field set to bender@juice-sh.op](https://curiositykillscolby.files.wordpress.com/2020/11/image-101.jpeg?w=1024)
Now all that needs to be done is to change the `author` field. Unfortunately Guenter doesn't have a user account, so Amy will have to do in a pinch.
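The root cause, shown as an added example that is not Juice Shop's own code: a minimal model of the review endpoint with the insecure handler beside a fixed one. It assumes that authentication middleware has already verified the Bearer JWT and set `req.user = { email }`, and that `store` is a constructed in-memory stand-in for the reviews collection.

```javascript
// Vulnerable: the author is whatever the client put in the JSON body, so any
// logged-in user can post as someone else by editing `author` in the request.
function createReviewVulnerable(req, store) {
  const { message, author } = req.body;
  const review = { id: store.length + 1, product: req.params.id, message, author };
  store.push(review);
  return { status: 201, body: review };
}

// Fixed: the author comes from the authenticated session, never from the body.
function createReviewFixed(req, store) {
  if (!req.user || !req.user.email) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  if (typeof req.body.message !== 'string' || req.body.message.trim() === '') {
    return { status: 400, body: { error: 'message is required' } };
  }
  const review = {
    id: store.length + 1,
    product: req.params.id,
    message: req.body.message,
    author: req.user.email, // body.author is ignored entirely
  };
  store.push(review);
  return { status: 201, body: review };
}

// Fixed update for the "edit any user's existing review" variant: ownership is
// checked against the session identity before the change is applied.
function updateReviewFixed(req, store) {
  if (!req.user || !req.user.email) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const review = store.find((r) => r.id === Number(req.params.reviewId));
  if (!review) return { status: 404, body: { error: 'review not found' } };
  if (review.author !== req.user.email) {
    return { status: 403, body: { error: 'not the author of this review' } };
  }
  if (typeof req.body.message !== 'string' || req.body.message.trim() === '') {
    return { status: 400, body: { error: 'message is required' } };
  }
  review.message = req.body.message;
  return { status: 200, body: review };
}
```

The same forged request that the vulnerable handler stores verbatim is stored under the session's own email by the fixed handler, which is what makes the `author` field in the body irrelevant.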
Prevention and Mitigation Strategies:
Lessons Learned and Things Worth Mentioning:
This is my first real interaction with the NoSQL database. I’ve never used one before, so future challenges pertaining to product reviews will likely require a little bit more effort than this one does.