Hacking OWASP’s Juice Shop Pt. 37: Manipulate Basket

The last of the 3 star challenges!

Challenge: 

Name: Manipulate Basket

Description: Put an additional product into another user’s shopping basket

Difficulty: 3 star

Category: Broken Access Control

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-access-control.html

Tools used:

Burp, FoxyProxy

Resources used:

Solutions Guide

Methodology: 

“This challenge requires a bit more sophisticated tampering than others of the same ilk” is not what I expected to see when I read the expanded description to this challenge.

[Screenshot: Burp request for POST /api/BasketItems/ (Host: localhost:3000, Content-Type: application/json, Content-Length: 44) with a JSON body containing ProductId, BasketId and quantity fields.]

When my normal trick didn’t work, I started charting out the packet traffic both for adding and removing items from baskets. I assumed this would have something to do with the URLs involved rather than the JSON fields, so I dug into the packet sequences more than I normally do.

[Screenshot: text-editor notes charting the request sequences. Add sequence (user 1, product 24): GET /rest/basket/1, POST /api/BasketItems/ with a JSON body of ProductId, BasketId and quantity, then further GETs ending with GET /rest/basket/1. Delete sequence (user 1, product 24): DELETE /api/BasketItems/…, then GET /rest/basket/1 twice. Add sequence (user 3): GET /rest/basket/3, POST /api/BasketItems/, then further GETs ending with GET /rest/basket/3.]

But that rabbit hole led nowhere. None of the URL changes I made, the PUT/POST changes I made, or the JSON changes I made did anything.

After an hour of beating my head against the wall, and in no small part because this was my last 3 star challenge, I checked the Solutions Guide and found that I could update multiple database entries in the same JSON object, so that’s what I did. Adding a second “BasketId” field and populating it with Bender’s User ID, then forwarding the packet finally solved the challenge.

[Screenshot: the modified Burp request, POST /api/BasketItems/ with Content-Length: 58 and a JSON body containing ProductId, BasketId, quantity and a second BasketId field.]

[Screenshot: Your Basket (bender@juice-sh.op) showing Raspberry Juice (1000ml) at 4.99 and Apple Pomace at 0.89, Total Price: 5.88.]

[Screenshot: Your Basket (admin@juice-sh.op) showing Apple Pomace at 0.89, Total Price: 0.89.]

Prevention and Mitigation Strategies:

OWASP Access Control Cheat Sheet
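
To make the mitigation concrete, here is an added example (not from the original post and not Juice Shop's own code) of why a repeated JSON key can get past an ownership check, next to a stricter handler. The function names, the session basket id parameter and the sample body are assumptions made for illustration; the weak handler assumes the check reads the first occurrence of the key while the stored value comes from JSON.parse, which keeps the last one.

```javascript
// Added illustration, not Juice Shop source. All names and values are constructed.
// Caller owns basket 1; the repeated key names basket 3.
const SAMPLE_BODY = '{"ProductId":24,"BasketId":"1","quantity":1,"BasketId":"3"}';

// Keys of the top-level object in source order, duplicates included.
function topLevelKeys(text) {
  const keys = [];
  let depth = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (c === '{' || c === '[') depth++;
    else if (c === '}' || c === ']') depth--;
    else if (c === '"') {
      let j = i + 1; // walk to the closing quote, skipping escaped characters
      while (j < text.length && text[j] !== '"') j += text[j] === '\\' ? 2 : 1;
      const isKey = /^\s*:/.test(text.slice(j + 1));
      if (depth === 1 && isKey) keys.push(JSON.parse(text.slice(i, j + 1)));
      i = j;
    }
  }
  return keys;
}

// Weak pattern: ownership is checked on the first BasketId in the raw text,
// but the stored value comes from JSON.parse, which keeps the last duplicate.
function weakAdd(rawBody, sessionBasketId) {
  const first = /"BasketId"\s*:\s*"?(\d+)/.exec(rawBody);
  if (first && Number(first[1]) !== sessionBasketId) return { status: 401 };
  const item = JSON.parse(rawBody);
  return { status: 200, storedBasketId: Number(item.BasketId) };
}

// Stricter handler: reject repeated keys, check the same parsed value that
// would be used, and store the basket id from the server-side session only.
function strictAdd(rawBody, sessionBasketId) {
  let item;
  try { item = JSON.parse(rawBody); } catch { return { status: 400 }; }
  if (item === null || typeof item !== 'object' || Array.isArray(item)) return { status: 400 };
  const keys = topLevelKeys(rawBody);
  if (new Set(keys).size !== keys.length) return { status: 400 };
  if (item.BasketId !== undefined && Number(item.BasketId) !== sessionBasketId) return { status: 403 };
  return { status: 200, storedBasketId: sessionBasketId };
}

console.log(weakAdd(SAMPLE_BODY, 1), strictAdd(SAMPLE_BODY, 1));
```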

Lessons Learned and Things Worth Mentioning: 

You can update multiple database entries with the same packet. I had no idea this was possible, and am not sure why it never occurred to me.
