Name: Forged Review
Description: Post a product review as another user or edit any user’s existing review.
Difficulty: 3 star
Category: Broken Access Control
Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html
This is another instance of the server trusting the author name it is handed in the JSON body instead of using the identity of the logged-in user. The first steps, as usual, are to log in as any user, open Burp Suite, and set up FoxyProxy to intercept the request. Then fill out a review and inspect the captured request.
Now all that needs to be done is change the author field. Unfortunately Guenter doesn't have a user account, so Amy will have to do in a pinch.
Prevention and Mitigation Strategies:
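The following is an added example (not Juice Shop's own code) showing the root cause described above and its fix side by side: a review handler that copies `author` out of the request body, next to one that takes the author from the authenticated session and also enforces ownership on edits. The `req` objects, the `req.user` property (assumed to be set by an auth middleware that already verified the token), the in-memory `reviews` array standing in for the NoSQL collection, and the e-mail addresses are all constructed for the example.

```javascript
// Added example, not Juice Shop's own code. A tiny in-memory review store
// stands in for the NoSQL collection; "req" objects mimic what an Express
// handler receives, with req.user assumed to be set by an auth middleware
// that verified the session token before the handler runs.
const reviews = []; // constructed in-memory store

function resetReviews() { reviews.length = 0; }

function nextId() { return reviews.length + 1; }

// --- Vulnerable pattern: the author is whatever the client sent ----------
function postReviewVulnerable(req) {
  const { message, author } = req.body;
  const review = { id: nextId(), product: req.params.id, message, author };
  reviews.push(review);
  return { status: 201, body: review };
}

function patchReviewVulnerable(req) {
  // Looks the review up by id only; whoever knows the id can edit it.
  const review = reviews.find((r) => r.id === req.body.id);
  if (!review) return { status: 404, body: { error: 'not found' } };
  review.message = req.body.message;
  return { status: 200, body: review };
}

// --- Hardened pattern: identity comes only from the verified session -----
function postReviewSafe(req) {
  if (!req.user || typeof req.user.email !== 'string') {
    return { status: 401, body: { error: 'not authenticated' } };
  }
  if (typeof req.body.message !== 'string') {
    return { status: 400, body: { error: 'message required' } };
  }
  // Any client-supplied author is ignored outright, never merged or compared.
  const review = {
    id: nextId(), product: req.params.id, message: req.body.message, author: req.user.email,
  };
  reviews.push(review);
  return { status: 201, body: review };
}

function patchReviewSafe(req) {
  if (!req.user || typeof req.user.email !== 'string') {
    return { status: 401, body: { error: 'not authenticated' } };
  }
  const review = reviews.find((r) => r.id === req.body.id);
  // Ownership check: only the author may edit. Answering 404 rather than 403
  // avoids confirming that another user's review id exists.
  if (!review || review.author !== req.user.email) {
    return { status: 404, body: { error: 'not found' } };
  }
  if (typeof req.body.message !== 'string') {
    return { status: 400, body: { error: 'message required' } };
  }
  review.message = req.body.message;
  return { status: 200, body: review };
}

// --- Detection: a body author that differs from the session identity is the
// signature of a forgery attempt and is worth logging even once the fix is in.
function authorMismatch(req) {
  return typeof req.body.author === 'string' && !!req.user && req.body.author !== req.user.email;
}

// Constructed request: "amy" is logged in but the body claims "guenter".
function demo() {
  resetReviews();
  const forged = {
    params: { id: '1' },
    user: { email: 'amy@example.test' }, // set by auth middleware (assumed)
    body: { message: 'Great!', author: 'guenter@example.test' },
  };
  const vulnerableAuthor = postReviewVulnerable(forged).body.author; // 'guenter@example.test'
  resetReviews();
  const safeAuthor = postReviewSafe(forged).body.author; // 'amy@example.test'
  return { vulnerableAuthor, safeAuthor, flagged: authorMismatch(forged) };
}

console.log(demo());
```

The point of `postReviewSafe` is that the author field is not validated against the session, it is replaced by it: there is no client input to get wrong. The same principle drives `patchReviewSafe`, where the lookup is scoped to the caller's own identity before any write happens.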
Lessons Learned and Things Worth Mentioning:
This is my first real interaction with the NoSQL database. I’ve never used one before, so future challenges pertaining to product reviews will likely require a little bit more effort than this one does.