Hacking OWASP’s Juice Shop Pt. 40: Vulnerable Library

Challenge: 

Name:  Vulnerable Library

Description: Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment)

Difficulty: 4 star

Category: Vulnerable Components

Expanded Description: https://pwning.owasp-juice.shop/part2/vulnerable-components.html

Tools used:

None.

Resources used:

https://snyk.io/

Poison Null Byte && Developer Backup

Methodology: 

In the expanded description of this challenge, we are instructed to use the “Contact Us” form to inform the shop about a vulnerable library it is using. It is also recommended that we look for “… possible dependencies related to security in the package.json.bak you probably harvested earlier during the Access a developer’s forgotten backup file challenge.”

That’s easy enough. Let’s see how many dependencies we’re dealing with.

"dependencies" : 
"body-parser": " 1 18 
"colors • 
"config • 
"-1.28", 
"cookie-parser • 
"dottie": " 2 ø 
"js-yaml": "3 10 
"cors • 
"epilogue-)s • " 
"errorhandler 
"-1.4", 
"-1.5", 
"express • 
"—4.16", 
"express-jwt": "ø 1 3 
"fs-extra 
"glob • 
"grunt • " 
"grunt-angular-templates": " 1 1 
"grunt-contrib-clean • 
"-1.1", 
"grunt-contrib-compress • 
"grunt-contrib-concat • 
"grunt-contrib-uglify • 
"hashids": " 1 1 
"helmet • " 
-3.9", 
"html-entities • 
"jasmine • 
"A2.8.0", 
" jsonwebtoken 
"jssha • 
"libxmljs • " 
-0.18", 
"marsdb " 
"morgan": "—1.9" , 
"mutter 
"pdfkit": " 08 
"replace 
"request": " 
"sanitize-html": "1 4 2 
"sequelize • 
"serve-favicon": "—2.4" , 
"serve-index": "—1.9" , 
"socket .io" : 
"sqlite3 • " 
-3.1.13 
"Z85": -O.O"

While this next step might take more time than you want to spend, as always it’s best to gather as much information as you possibly can. That means iterating through this entire list and checking each library using snyk.io to find which libraries and/or versions have (gigantic) security issues.

Vulnerability DB fi npm marsdb 
Arbitrary Code Injection 
Affecting marsdb package, ALL versions 
Report new vulnerabilities 
Do your applications use this vulnerable package? 
Overview 
marsdbø is a MarsDB is a lightweight client-side database. 
Test your applications 
Affected versions of this package are vulnerable to Arbitrary Code Injection. In the DocumentMatcher class, selectors on 
$where clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the 
system when the function is executed. 
Remediation 
There is no fixed version for marsdb . 
References 
• NPM Security Advisory 
CVSS SCORE 
ATTACK VECTOR 
Network 
PRIVILEGES REQUIRED 
None 
SCOPE 
Unchanged 
INTEGRITY 
High 
HIGH SEVERITY 
ATTACK COMPLEXITY 
USER INTERACTION 
None 
CONFIDENTIALITY 
High 
AVAILABILITY 
High

Taking note of the CVSS score for each package, look for something with a score of 8+ (like this marsdb library). CVSS scores are intended to give a quick and dirty (1-10) idea of the severity of the issue, and 9.8 definitely qualifies as severe.

Now we just have to fill out the customer feedback form and hit submit!

Customer Feedback 
• Author — 
anonymous 
Comment 
marsdb—O.6, grunt —1.0, expressiwt O. 1.3, js-yaml 
3.10, sequelize —4, sanitize-html 1.4.2 
O Max. 160 characters 
89/160 
Rating 
CAPTCHA: 
Result 
160 
What is 
Submit
You successfully solved a challenge: Vulnerable Library (Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment)) X

Prevention and Mitigation Strategies:

OWASP Vulnerability Disclosure Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

  1. CVSS scores are a real time saver.
  2. There is at least one other library in the package.json.bak file that will help out in a later challenge, so be sure to check them all to save yourself some time down the road.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s