Hacking OWASP’s Juice Shop Pt. 37: Manipulate Basket

The last of the 3 star challenges!

Challenge: 

Name: Manipulate Basket

Description: Put an additional product into another user’s shopping basket

Difficulty: 3 star

Category: Broken Access Control

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html

Tools used:

Burp, FoxyProxy

Resources used:

Solutions Guide

Methodology: 

“This challenge requires a bit more sophisticated tampering than others of the same ilk” is not what I expected to see when I read the expanded description to this challenge.

Request 
Params 
Pretty 
Headers 
Actions 
ISON web Tokens 
1 POST /api/aasketltems/ HI-rp/l.l 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, I/ * 
4 Accept 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
rv.78.o) 
Gecko,'20100_ 
Authorization: Bearer eyJOeXA101JKVIQiLCJhbGciOiJSUzIINiJ9. eyJzd( 
Content -Type: application/ j son 
Content -Length: 44 
10 Origin: http://localhost : 3000 
Il Connection: close 
Referer: http• 
// I Ocal host 3000/ 
IS Cookle: language=en; welcomebanner status=dismiss; 
cookieconsent 
ISI{ 
"Product Id 
Basket Id 
quantity 
•24,

When my normal trick didn’t work, I started charting out the packet traffic both for adding and removing items from baskets. I assumed this would have something to do with the URLs involved rather than the JSON fields, so I dug into the packet sequences more than I normally do.

db_contents.txt 
Untitled 
add sequence - 
user 1 product 24 
GET /rest/basket/l HTTP/I.I 
POST /api/Basket1tems/ HTTP/I.I {"Productid" :24, "Basketld" " 
GET HTTP/I.I 
GET /rest/basket/l HTTP/I.I 
delete sequence - 
user 1 product 24 
DELETE /api/Basket1tems/1ø HTTP/I.I 
GET /rest/basket/l HTTP/I.I 
GET /rest/basket/l HTTP/I.I 
add sequence - 
user 3 
GET /rest/basket/3 HTTP/I.I 
POST /api/Basket1tems/ HTTP/I.I 
ET 
GET /rest/basket/3 HTTP/I.I 
: "1 , "quantity" :1} 
"quantity" 
HTTP/I.I

But that rabbit hole led nowhere. None of the URL changes I made, the PUT/POST changes I made, or the JSON changes I made did anything.

After an hour of beating my head against the wall, and in no small part because this was my last 3 star challenge, I checked the Solutions Guide and found that I could update multiple database entries in the same JSON object, so that’s what I did. Adding a second “BasketId” field and populating it with Bender’s User ID, then forwarding the packet finally solved the challenge.

Request 
Params 
Pretty 
Raw 
Headers 
•Actions 
ISON web Tokens 
1 'POST ,'api/aasketltems/ HI-rp/l.l 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 
4 Accept 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
Authorization: Bearer eyJOeXAiOiJKVIQiLCJhbGciOi: 
Content -Type: application/ j son 
9 Content -Length: 58 
Origin: http://localhost : 3000 
Il Connection: close 
Referer: http• 
// I Ocal host 3000/ 
IS Cookle: language=en; welcomebanner status=dismiss 
ISI{ 
"Product Id 
Basket Id 
quantit 
Basket Id
hop 
Your Basket (bender@juice-sh.op) 
Raspberry Juice (1000ml) 
Apple Pomace 
4.99m 
0.89m 
Q 
Total Price: 5.88m 
e Account Your Basket 
e 
bender@juice-sh.op 
Orders & Payment 
Privacy & Security 
Logout
Shop 
Your Basket (admin@juice-sh.op) 
Apple Pomace 
0.89m 
Q 
Total Price: 0.89m 
e Account Your Basket 
admin@juice-sh.op 
Orders & Payment 
Privacy & Security 
Logout 
Checkout 
You will gain O Bonus Points from this order!

Prevention and Mitigation Strategies:

OWASP Access Control Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

You can update multiple database entries with the same packet. I had no idea this was possible, and am not sure why it never occurred to me.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s