Hacking OWASP’s Juice Shop Pt. 39: Christmas Special

Challenge: 

Name: Christmas Special

Description: Order the Christmas special offer of 2014.

Difficulty: 4 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

Burp, FoxyProxy

Resources used:

Database Schema

Methodology: 

Yet again the database dump I performed during the Database Schema challenge pays dividends. While the expanded description for this challenge makes it clear that this is intended to be a much more difficult task, being able to simply search the product table for the word “Christmas” means that it’s basically a 3 star challenge.

[41 entries] 
I id | 255 | name 
2020-11-02 
21 
2020-11-02 
21 
2020-11-02 
21 
: 00 
2020-11-02 
21 
2020-11-02 
21 
2020-11-02 
21 
2020-11-02 
21 
: 00 
2020-11-02 
21 
2020-11-02 
21 
2020-11-02 
21 
+00: 00 
2014-12-27 
2020-11-02 
21 
2019-02-01 
2020-11-02 
21 
2017-04-28 
2020-11-02 
Apple Juice (løøøml) 
Orange Juice (løøøml) 
Eggfruit Juice (5øøml) 
Raspberry Juice (løøøml) 
Lemon Juice (500ml) 
Banana Juice (løøøml) 
OWASP Juice Shop T-Shirt 
OWASP Juice Shop CTF Girlie-shirt 
OWASP SSL Advanced Forensic Tool (o-saft) 
Christmas Super-surprise-Box (2014 Edition) 
Rippertuer Special Juice 
OWASP Juice Shop sticker (2015/2016 design) 
OWASP Juice Shop Iron-ons (16pcs) 
image 
apple_juice. jpg 
orange_juice. jpg 
eggfruit_juice. jpg 
raspberry_juice. jpg 
lemon_juice. jpg 
banana_juice. jpg 
fan_shirt . jpg 
fan_girlie. jpg 
orange_juice. jpg 
undefined. jpg 
undefined . jpg 
sticker. png 
iron-on . jpg 
price 
1.99 
2 .99 
8.99 
4.99 
2.99 
1.99 
22 .49 
22 .49 
0.01 
29.99 
16.99 
999.99 
14.99 
createdAt 
1 
3 
4 
5 
6 
8 
9 
10 
11 
12 
13 
255 
255 
255 
255 
255 
255 
255 
255 
255 
255 
255 
255 
255 
I deletedAt 
NULL 
NULL 
NULL 
NULL 
NULL 
NULL 
NULL 
NULL 
NULL 
NULL

Once I found the product ID number from the database, I simply used Burp Suite and FoxyProxy to solve this. I merely logged into a user account, added a random product to that user’s basket, intercepted that packet, and updated the “ProductId” field to match the product ID number of the 2014 Christmas Super Surprise Box. With that done, I sent off the packet and crossed this challenge off the list.

Request 
Params 
Headers 
"SON web Tokens 
Pretty 
Raw Actions VI 
1 'POST /api/aasketltems/ HTTP/I.I 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, 1/ * 
4 Accept 
S Accept -Language: en-LlS, 
Accept -Encoding: gzip, deflate 
rv.7; 
Authorization: Bearer eyJOeXA101JKVIQiLCJhbGciOi 
Content -Type: application/ j son 
9 Content -Length: 43 
Origin: http 
// I Ocal host 3000 
LI Connection: close 
Referer: http://localhost : 3000/ 
LS Cookie: language=en; welcomebanner status=dismis: 
LSI{ 
'Product Id 
Basket Id 
quantity
Response 
Headers 
Render 
Pretty 
Raw 
200 0K 
1 *ctions v 
Access-Cont rol -Allow-Origin: 
S X-Content -Type-options: nosniff 
SAMEORIGIN 
Feature-policy: payment 
self' 
Content -Type: application/ j son; charset=utf- 
7 Content -Length: 158 
a-rag: R,' '9e-M8uaR7h1Ag1feSXsvoS9pYfZve1" 
Vary: Accept -Encoding 
10 Date: Thu, OS Nov 2020 23:21 Gl•rr 
Il Connection: 
13 { 
status 
data" 
"id" : 18, 
cl ose 
success , 
"Product Id 
' aasketld 
quantit 
'updatedAt' 
createdAt' 
'2020-11-OST2S: 21 21 817?' , 
2020-11- OST2S: 21 21 817?'
Your Basket (admin@juice-sh.op) 
Christmas 
Super- 
Christmas Super-Surprise-Box 
Surprise-Box 
(2014 Edition) 
(2014 
Edition) 
Checkout 
1 
Total Price: 29.99m 
You will gain 3 Bonus Points from this order!
You successfully solved a challenge: Christmas Special (Order the Christmas special offer of 2014.) 
Thank you for your purchase! 
Your order has been placed and is being processed. You can 
check for status updates on our Track Orders page. 
Your order will be delivered in 5 days. 
Delivery Address 
Administrator 
0815 Test street, Test, Test, 4711 
Test 
Phone Number 1234567890 
Order Summary 
x 
Product 
Christmas 
Super- 
Surprise-Box 
(2014 
Edition) 
Price 
29.99Ä 
Quantity 
1 
Items 
Delivery 
Promotion 
Total Price 
Total Price 
29.99Ä 
29.99Ä 
O. OOZ 
O. OOZ 
29.99Ä

Prevention and Mitigation Strategies:

OWASP SQL Injection Prevention Cheat Sheet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s