Information Security

Hacking OWASP’s Juice Shop Pt 45: Expired Coupon

Posted on by codeblue04

Challenge: 

Name: Expired Coupon

Description: Successfully redeem an expired campaign coupon code.

Difficulty: 4 star

Category: Improper Input Validation

Expanded Description: https://pwning.owasp-juice.shop/part2/improper-input-validation.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

Solution Guide

Methodology: 

The expanded description notes two important items: there are clues concerning a past campaign in the application itself, and also that time travel is not actually necessary. That’s kind of a curious thing to throw in, but like many other things on this application I chalked it up to this being a fun-loving project.

Anyhow, let’s start by finding the discount code in the main-es18.js file.

pr(t, function If (18t 88 (i.Tb(o, " span" , t = i.ec(2); const i. " translateparams" , i. gr(t, e) { function If (1 8 t (i.Tb( " 0, t = i.ec(); const i. "expanded", 54) pc(l, , i.Hc( 1, "OFFICIAL MERCHANDISE STORES CUSTOMIZED" Ir, t.applicationName)) coupon discount "C7sn" "C7SS" mat-expansion-panel " , t. paymentpanelExpanded) , 33), i.Tb( 1, "mat-expansion-panel-header" i. Bb(3), fr(t, e) { function 18 t (i.Tb(o Sr(t, e) { function t (i.Tb(o 1 "span", "span", m. e, 8) 8) W, a, i.Hc( 1, HC(I, i. " REVIEW_ALERT" ) , " REVIEW_WALLET" ) , u.b.add(m.d, m.r, m.w, d.g, class constructor(t , . location = t m.db, m.P, m.u, m.h, m.X, this.cookieservice = e i.Jc(" i.gc( 4 10, i.Sb()) i.sb()) d. j), u.a.watch(); s.userserwice = a "OTHER PA this.deli WNSDY2019: { validOn : 15519996e5 , discount: 75 discount NNSDY202ø: Next Previous Highlight All Match Case

It looks like we have Women’s Day coupon codes listed out for us. Let’s give the 2020 one a shot.

My Payment Options O O Add new card Pay using wallet Add a coupon Co upon WMNSDY20201 8108 Administrator Administrator Add a credit or debit card Wallet Balance 0.00 Add a coupon code to receive discounts 2/2081 4/2086 Need a coupon code? Follow us on Twitter or Facebook for monthly coupons and other spam! 10/10 Redee

No dice.

If the coupon code’s acceptance criteria is time-bound, then the only way for this challenge to be possible is for the time and date calculations to be completed on the client side. Were they authenticated by the server, then time travel might actually be necessary. In that case, it’s time to do some research on past Women’s Days.

women's day 2019 Q All Images @ News @ Vide About results (0.70 seconds) Friday, March 8 International Women's Day 2019

With March 8, 2019 as our target date, it’s time to update our operating system’s date using timedatectl’s set-time function.

timedatectl Local time : wed 2020-11-18 EST Universal time : wed 2020-11-18 UTC RTC time: wed 2020-11-18 _ york (EST, -0500) Time zone: America/New System clock synchronized: no NTP service: n/a RTC in local Tz: no Colbyakali:-$ sudo timedatectl set-time '2019-03-08' timedatectl Local time: Fri 2019-03-08 EST Universal time: Fri 2019-03-08 05 UTC RTC time: Fri 2019-03-08 . America/New_york (EST, -0500) Time zone• System clock synchronized: no NTP service: n/a RTC in local Tz: no

Now, just copy/paste the coupon code from Women’s Day 2019 into the coupon redemption field and click “Redeem”.

My Payment Options O O Add new card Pay using wallet Add a coupon 8108 Administrator Administrator Add a credit or debit card Wallet Balance 0.00 Add a coupon code to receive discounts 2/2081 4/2086 Your discount of 75% will be applied during checkout. Coupon Need a coupon code? Follow us on Twitter or Facebook for monthly coupons and other spam! 0/10 Redeem
You successfully solved a challenge: Expired Coupon (Successfully redeem an expired campaign coupon code.) X

**Don’t forget to reset your operating system’s date once you’re done.**

Prevention and Mitigation Strategies:

Server-side authentication of coupon codes would have rendered this attack vector useless. Client-side authentication works for certain things, but over and over in this application it has proven to be insufficient to prevent abuse.

Lessons Learned and Things Worth Mentioning: 

I knew on some level that updating my system’s date was possible, as I remember doing it on my Macintosh Performa 550 back in 1999 to see if my computer would spontaneously combust because of Y2K (yes, I’m old), but it never occurred to me that the authentication for coupon codes would be done on the client side. Having seen the URL endpoint for coupon codes using Burp Suite, I incorrectly assumed that the server was authenticating the code. I should have paid closer attention to when the packet was sent versus when the redemption success/failure appeared on my browser.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s