Name: Product Tampering
Description: Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com
Difficulty: 3 star
Category: Broken Access Control
Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html
First, read the expanded description: it states the exact payload you are supposed to push into the product database.
With the payload in hand, the next step is to find out more about the product that is to be modified.
After making note of the product ID number, I fired up Burp Suite and set up FoxyProxy to start tinkering with packets. I knew, thanks to the expanded description, that this challenge would require direct modification of the database via the API. That pointed me in the direction of crafting a packet to use the PUT command, to send to that product’s URL. Thanks to all of the database information I collected in the Database Schema challenge, I even knew which field to update and how to accomplish that.
After sending that packet off, this was the response:
Prevention and Mitigation Strategies:
OWASP REST Security Cheat Sheet
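The core of the fix is that a catalogue update must be tied to a role, not just to a reachable URL. The following is an added example written for this writeup, not Juice Shop's own code: a request-level gate that allows reads for everyone, restricts PUT/PATCH/DELETE on products to administrators, rejects fields an update should never touch, and only accepts description links to an allowlisted host. The route shape `/api/Products/<id>`, the role names and the allowlisted hosts are assumptions.

```javascript
// Added example, not Juice Shop's own code. Assumed route shape: PUT /api/Products/<id>.
// Assumed roles: 'admin', 'customer', and 'anonymous' for unauthenticated callers.
const PRODUCT_ROUTE = /^\/api\/Products\/(\d+)$/;

// Read access for everyone, write access for administrators only.
const METHODS_BY_ROLE = {
  admin: new Set(['GET', 'PUT', 'PATCH', 'DELETE']),
  customer: new Set(['GET']),
  anonymous: new Set(['GET']),
};
// Fields an update may touch; anything else (id, createdAt, ...) is rejected.
const UPDATABLE_FIELDS = new Set(['name', 'description', 'price']);
// Hosts a product description is allowed to link to (assumed allowlist).
const ALLOWED_LINK_HOSTS = new Set(['owasp.org', 'www.owasp.org']);

// Returns every href value found in an HTML fragment such as the description text.
function extractHrefs(html) {
  return [...html.matchAll(/href\s*=\s*"([^"]*)"/gi)].map(m => m[1]);
}

// Every link in the description must point at an allowlisted host.
function descriptionLinksAllowed(description) {
  return extractHrefs(description).every(href => {
    try { return ALLOWED_LINK_HOSTS.has(new URL(href).hostname); }
    catch (e) { return false; } // relative or malformed URLs are rejected too
  });
}

// Decides whether a request may proceed: { allowed, status, reason | productId }.
function authorizeProductRequest(req) {
  const match = PRODUCT_ROUTE.exec(req.path);
  if (!match) return { allowed: false, status: 404, reason: 'unknown route' };
  const role = req.user ? req.user.role : 'anonymous';
  const methods = METHODS_BY_ROLE[role] || new Set();
  if (!methods.has(req.method)) {
    const status = role === 'anonymous' ? 401 : 403;
    return { allowed: false, status, reason: `${role} may not ${req.method} products` };
  }
  if (req.method === 'PUT' || req.method === 'PATCH') {
    const body = req.body || {};
    const extra = Object.keys(body).filter(k => !UPDATABLE_FIELDS.has(k));
    if (extra.length) return { allowed: false, status: 400, reason: `unexpected fields: ${extra.join(',')}` };
    if (typeof body.description === 'string' && !descriptionLinksAllowed(body.description)) {
      return { allowed: false, status: 400, reason: 'description links to a non-allowlisted host' };
    }
  }
  return { allowed: true, status: 200, productId: Number(match[1]) };
}
```

In a real Express app this logic would sit in middleware in front of the generated REST routes, so that the product endpoint is never reachable for writes by an unauthenticated or non-admin session.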
Lessons Learned and Things Worth Mentioning:
PUT commands are something I’ve only used a couple of times before, so I could certainly use more practice with them. Fortunately, what I already knew was sufficient for this challenge.