Hacking OWASP’s Juice Shop Pt. 40: Vulnerable Library

Challenge:

Name: Vulnerable Library

Description: Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment)

Difficulty: 4 star

Category: Vulnerable Components

Expanded Description: https://pwning.owasp-juice.shop/part2/vulnerable-components.html

Tools used:

None.

Resources used:

https://snyk.io/

Poison Null Byte && Developer Backup

Methodology:

In the expanded description of this challenge, we are instructed to use the “Contact Us” form to inform the shop about a vulnerable library it is using. It is also recommended that we look for “… possible dependencies related to security in the package.json.bak you probably harvested earlier during the Access a developer’s forgotten backup file challenge.”

That’s easy enough. Let’s see how many dependencies we’re dealing with.

"dependencies" :
"body-parser": " 1 18
"colors •
"config •
"-1.28",
"cookie-parser •
"dottie": " 2 ø
"js-yaml": "3 10
"cors •
"epilogue-)s • "
"errorhandler
"-1.4",
"-1.5",
"express •
"—4.16",
"express-jwt": "ø 1 3
"fs-extra
"glob •
"grunt • "
"grunt-angular-templates": " 1 1
"grunt-contrib-clean •
"-1.1",
"grunt-contrib-compress •
"grunt-contrib-concat •
"grunt-contrib-uglify •
"hashids": " 1 1
"helmet • "
-3.9",
"html-entities •
"jasmine •
"A2.8.0",
" jsonwebtoken
"jssha •
"libxmljs • "
-0.18",
"marsdb "
"morgan": "—1.9" ,
"mutter
"pdfkit": " 08
"replace
"request": "
"sanitize-html": "1 4 2
"sequelize •
"serve-favicon": "—2.4" ,
"serve-index": "—1.9" ,
"socket .io" :
"sqlite3 • "
-3.1.13
"Z85": -O.O"

While this next step might take more time than you want to spend, as always it’s best to gather as much information as you possibly can. That means iterating through this entire list and checking each library using snyk.io to find which libraries and/or versions have (gigantic) security issues.

Vulnerability DB fi npm marsdb
Arbitrary Code Injection
Affecting marsdb package, ALL versions
Report new vulnerabilities
Do your applications use this vulnerable package?
Overview
marsdbø is a MarsDB is a lightweight client-side database.
Test your applications
Affected versions of this package are vulnerable to Arbitrary Code Injection. In the DocumentMatcher class, selectors on
$where clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the
system when the function is executed.
Remediation
There is no fixed version for marsdb .
References
• NPM Security Advisory
CVSS SCORE
ATTACK VECTOR
Network
PRIVILEGES REQUIRED
None
SCOPE
Unchanged
INTEGRITY
High
HIGH SEVERITY
ATTACK COMPLEXITY
USER INTERACTION
None
CONFIDENTIALITY
High
AVAILABILITY
High

Taking note of the CVSS score for each package, look for something with a score of 8+ (like this marsdb library). CVSS scores are intended to give a quick and dirty (1-10) idea of the severity of the issue, and 9.8 definitely qualifies as severe.

Now we just have to fill out the customer feedback form and hit submit!

Customer Feedback
• Author —
anonymous
Comment
marsdb—O.6, grunt —1.0, expressiwt O. 1.3, js-yaml
3.10, sequelize —4, sanitize-html 1.4.2
O Max. 160 characters
89/160
Rating
CAPTCHA:
Result
160
What is
Submit

You successfully solved a challenge: Vulnerable Library (Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment)) X

Prevention and Mitigation Strategies:

OWASP Vulnerability Disclosure Cheat Sheet

Lessons Learned and Things Worth Mentioning:

CVSS scores are a real time saver.
There is at least one other library in the package.json.bak file that will help out in a later challenge, so be sure to check them all to save yourself some time down the road.

Curiosity Kills Colby

Northwestern Misadventures

Hacking OWASP’s Juice Shop Pt. 40: Vulnerable Library

Leave a Reply Cancel reply

Share this:

Like this:

Related

Leave a Reply Cancel reply