Hacking OWASP’s Juice Shop Pt 45: Expired Coupon

Challenge: 

Name: Expired Coupon

Description: Successfully redeem an expired campaign coupon code.

Difficulty: 4 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

Solution Guide

Methodology: 

The expanded description notes two important items: there are clues concerning a past campaign in the application itself, and also that time travel is not actually necessary. That’s kind of a curious thing to throw in, but like many other things on this application I chalked it up to this being a fun-loving project.

Anyhow, let’s start by finding the discount code in the main-es18.js file.

pr(t, 
function 
If (18t 
88 (i.Tb(o, " 
span" , 
t = i.ec(2); 
const 
i. " translateparams" , 
i. 
gr(t, e) { 
function 
If (1 8 t (i.Tb( " 
0, 
t = i.ec(); 
const 
i. "expanded", 
54) 
pc(l, 
, i.Hc( 
1, 
"OFFICIAL MERCHANDISE STORES CUSTOMIZED" 
Ir, t.applicationName)) 
coupon 
discount 
"C7sn" 
"C7SS" 
mat-expansion-panel " , 
t. paymentpanelExpanded) , 
33), i.Tb( 
1, "mat-expansion-panel-header" 
i. Bb(3), 
fr(t, e) { 
function 
18 t (i.Tb(o 
Sr(t, e) { 
function 
t (i.Tb(o 
1 
"span", 
"span", 
m. 
e, 
8) 
8) 
W, 
a, 
i.Hc( 
1, 
HC(I, 
i. 
" REVIEW_ALERT" ) , 
" REVIEW_WALLET" ) , 
u.b.add(m.d, m.r, m.w, d.g, 
class 
constructor(t , 
. location = t 
m.db, m.P, m.u, m.h, m.X, 
this.cookieservice = e 
i.Jc(" i.gc( 
4 10, 
i.Sb()) 
i.sb()) 
d. j), u.a.watch(); 
s.userserwice = a 
"OTHER PA 
this.deli 
WNSDY2019: { 
validOn : 
15519996e5 , 
discount: 75 
discount 
NNSDY202ø: 
Next 
Previous 
Highlight All 
Match Case

It looks like we have Women’s Day coupon codes listed out for us. Let’s give the 2020 one a shot.

My Payment Options 
O 
O 
Add new card 
Pay using wallet 
Add a coupon 
Co upon 
WMNSDY20201 
8108 
Administrator 
Administrator 
Add a credit or debit card 
Wallet Balance 
0.00 
Add a coupon code to receive discounts 
2/2081 
4/2086 
Need a coupon code? Follow us on Twitter or Facebook for monthly coupons and other spam! 
10/10 
Redee

No dice.

If the coupon code’s acceptance criteria is time-bound, then the only way for this challenge to be possible is for the time and date calculations to be completed on the client side. Were they authenticated by the server, then time travel might actually be necessary. In that case, it’s time to do some research on past Women’s Days.

women's day 2019 
Q All Images @ News @ Vide 
About results (0.70 seconds) 
Friday, March 8 
International Women's Day 2019

With March 8, 2019 as our target date, it’s time to update our operating system’s date using timedatectl’s set-time function.

timedatectl 
Local time 
: wed 2020-11-18 EST 
Universal time 
: wed 2020-11-18 UTC 
RTC time: wed 2020-11-18 
_ york (EST, -0500) 
Time zone: America/New 
System clock synchronized: 
no 
NTP service: 
n/a 
RTC in local Tz: 
no 
Colbyakali:-$ sudo timedatectl set-time '2019-03-08' 
timedatectl 
Local time: 
Fri 2019-03-08 EST 
Universal time: 
Fri 2019-03-08 05 UTC 
RTC time: Fri 2019-03-08 
. America/New_york (EST, -0500) 
Time zone• 
System clock synchronized: 
no 
NTP service: 
n/a 
RTC in local Tz: 
no

Now, just copy/paste the coupon code from Women’s Day 2019 into the coupon redemption field and click “Redeem”.

My Payment Options 
O 
O 
Add new card 
Pay using wallet 
Add a coupon 
8108 
Administrator 
Administrator 
Add a credit or debit card 
Wallet Balance 
0.00 
Add a coupon code to receive discounts 
2/2081 
4/2086 
Your discount of 75% will be applied during checkout. 
Coupon 
Need a coupon code? Follow us on Twitter or Facebook for monthly coupons and other spam! 
0/10 
Redeem
You successfully solved a challenge: Expired Coupon (Successfully redeem an expired campaign coupon code.) X

**Don’t forget to reset your operating system’s date once you’re done.**

Prevention and Mitigation Strategies:

Server-side authentication of coupon codes would have rendered this attack vector useless. Client-side authentication works for certain things, but over and over in this application it has proven to be insufficient to prevent abuse.

Lessons Learned and Things Worth Mentioning: 

I knew on some level that updating my system’s date was possible, as I remember doing it on my Macintosh Performa 550 back in 1999 to see if my computer would spontaneously combust because of Y2K (yes, I’m old), but it never occurred to me that the authentication for coupon codes would be done on the client side. Having seen the URL endpoint for coupon codes using Burp Suite, I incorrectly assumed that the server was authenticating the code. I should have paid closer attention to when the packet was sent versus when the redemption success/failure appeared on my browser.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s