Hacking OWASP’s Juice Shop Pt. 32: Upload Size + Upload Type

Challenge 1: 

Name: Upload Size

Description: Upload a file larger than 100 kB.

Difficulty: 3 star

Category: Improper Input Validation

Challenge 2: 

Name: Upload Type

Description: Upload a file that has no .pdf or .zip extension.

Difficulty: 3 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp, FoxyProxy, Mousepad

Resources used:

None.

Methodology: 

While the number of images in this walkthrough might suggest that this was a difficult challenge, in reality it was mostly just tedious. The first thing I did was log in (I used the admin account, but any account would work) and test out the Complaint form’s parameters. It would only allow two file types: PDF and ZIP. That’s easy enough to circumvent. Simply renaming a text file “filename.txt.zip” is enough to fool this form, but there’s also a 100 kB limit involved.

This file is clearly above that limit, so after copying the original to a safe location where it wouldn’t be at risk of destruction if I were to make a mistake, I opened the text file, created a second text file in another tab, and copied over the majority of “db_contents.txt” to that temporary file.

[Screenshot: file manager showing "db_contents.txt": 190.6 KiB (195,150 bytes) plain text document, alongside Mousepad with db_contents.txt and "Untitled 2" open. The file is the dumped Juice Shop SQLite database (tables such as Users, Products and sqlite_sequence).]

After saving db_contents.txt as a ZIP archive and ensuring that the contents of that file were below the 100 kB threshold, I set up Burp to intercept the packet and submitted it via the Complaint form.

[Screenshot: file manager showing "db_contents.txt.zip": 674 bytes Zip archive, and the Complaint form (Customer: admin@juice-sh.op, Message: "test", Invoice: db_contents.txt.zip) ready to submit.]

[Screenshot: Burp Proxy intercept of the POST request to http://localhost:3000, showing the multipart body with Content-Disposition: form-data for db_contents.txt.zip, Content-Type: application/zip, and the small sqlite_sequence table as the file content.]

Now it was just a case of adding back the original contents of db_contents.txt to the intercepted packet and removing the .zip suffix from the filename.

[Screenshot: the same intercepted request in Burp after editing, now with the filename ending in .txt while Content-Type still reads application/zip, and the full db_contents.txt dump (sqlite_sequence, Users with 19 entries, etc.) pasted in as the file body.]

Then hitting “Forward”.

You successfully solved a challenge: Upload Size (Upload a file larger than 100 kB.)

You successfully solved a challenge: Upload Type (Upload a file that has no .pdf or .zip extension.)

Prevention and Mitigation Strategies:

OWASP Mitigation Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

The first time I ever attended a CTF event, the very first flag I ever captured was simply because I knew enough to disregard filetype designators. Opening that .png as a text file gave me the flag, and I’ve never trusted filetypes since. The server here should have learned that lesson.
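As an added example (not the blog’s or Juice Shop’s own code), here is the kind of server-side check that would have stopped both bypasses above: it enforces the 100 kB limit on the server rather than in the browser, and it verifies the file’s leading bytes instead of trusting the name. The function names, the magic-byte table and the sample inputs are my own assumptions.

```javascript
// Added example (not Juice Shop's own code): server-side validation of a
// complaint-form upload that trusts neither the client-side size limit nor the
// filename. The 100 kB limit and the .pdf/.zip allow-list come from the
// challenge text; the signatures are the standard PDF and ZIP leading bytes.
const MAX_UPLOAD_BYTES = 100 * 1000; // "100 kB" as stated in the challenge

// Leading bytes a genuine file of each allowed type starts with.
// Assumption: only ZIPs with a local file header (non-empty archives) are accepted.
const MAGIC = {
  pdf: [0x25, 0x50, 0x44, 0x46, 0x2d], // "%PDF-"
  zip: [0x50, 0x4b, 0x03, 0x04],       // "PK\x03\x04"
};

// Return only the LAST extension, lower-cased ("db_contents.txt.zip" -> "zip").
function lastExtension(filename) {
  const base = filename.split(/[\\/]/).pop() || '';
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot + 1).toLowerCase() : '';
}

function startsWithBytes(bytes, prefix) {
  return prefix.every((b, i) => bytes[i] === b);
}

// Validate one upload; `bytes` is a Uint8Array holding the raw file body.
// Returns { ok: true, type } or { ok: false, reason }.
function validateUpload(filename, bytes) {
  if (bytes.length === 0) return { ok: false, reason: 'empty file' };
  if (bytes.length > MAX_UPLOAD_BYTES) {
    return { ok: false, reason: `file is ${bytes.length} bytes, limit is ${MAX_UPLOAD_BYTES}` };
  }
  const ext = lastExtension(filename);
  if (!(ext in MAGIC)) return { ok: false, reason: `extension .${ext || '(none)'} not allowed` };
  // The extension is only a hint: the content must actually be that type.
  if (!startsWithBytes(bytes, MAGIC[ext])) {
    return { ok: false, reason: `content does not look like a .${ext} file` };
  }
  return { ok: true, type: ext };
}

// Constructed sample inputs mirroring the walkthrough (not real captured data).
const enc = new TextEncoder();
const renamedText = enc.encode('Table: sqlite_sequence\n...');   // text dump named .zip
const realZipHeader = new Uint8Array([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00]);
const oversized = new Uint8Array(195150).fill(0x41);              // larger than 100 kB

console.log(validateUpload('db_contents.txt.zip', renamedText));   // rejected: not a ZIP
console.log(validateUpload('invoice.zip', realZipHeader));         // ok
console.log(validateUpload('db_contents.txt', oversized));         // rejected: too large
```

In a real Express/multer setup the same function would run on the buffered file after the framework’s own size limit, so the browser-side limit becomes a convenience rather than a control.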
