Hacking OWASP’s Juice Shop Pt. 50: Leaked Unsafe Product

Challenge: 

Name: Leaked Unsafe Product

Description: Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous.

Difficulty: 4 star

Category: Sensitive Data Exposure

Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html

Tools used:

None.

Resources used:

Database Schema

Methodology: 

Obviously the first step in this challenge is to determine what the unsafe product is/was. The extracted contents of the site database’s Product table (specifically the deletedAt column) ensured that this step required only a trivial amount of time to complete.

id | name                                        | image               | price  | createdAt (truncated) | deletedAt
 1 | Apple Juice (1000ml)                        | apple_juice.jpg     |   1.99 | 2020-11-02 21:…       | NULL
 2 | Orange Juice (1000ml)                       | orange_juice.jpg    |   2.99 | 2020-11-02 21:…       | NULL
 3 | Eggfruit Juice (500ml)                      | eggfruit_juice.jpg  |   8.99 | 2020-11-02 21:…       | NULL
 4 | Raspberry Juice (1000ml)                    | raspberry_juice.jpg |   4.99 | 2020-11-02 21:…       | NULL
 5 | Lemon Juice (500ml)                         | lemon_juice.jpg     |   2.99 | 2020-11-02 21:…       | NULL
 6 | Banana Juice (1000ml)                       | banana_juice.jpg    |   1.99 | 2020-11-02 21:…       | NULL
 7 | OWASP Juice Shop T-Shirt                    | fan_shirt.jpg       |  22.49 | 2020-11-02 21:…       | NULL
 8 | OWASP Juice Shop CTF Girlie-Shirt           | fan_girlie.jpg      |  22.49 | 2020-11-02 21:…       | NULL
 9 | OWASP SSL Advanced Forensic Tool (O-Saft)   | orange_juice.jpg    |   0.01 | 2020-11-02 21:…       | NULL
10 | Christmas Super-Surprise-Box (2014 Edition) | undefined.jpg       |  29.99 | 2020-11-02 21:…       | 2014-12-27
11 | Rippertuer Special Juice                    | undefined.jpg       |  16.99 | 2020-11-02 21:…       | 2019-02-01
12 | OWASP Juice Shop Sticker (2015/2016 design) | sticker.png         | 999.99 | 2020-11-02 21:…       | 2017-04-28
13 | OWASP Juice Shop Iron-Ons (16pcs)           | iron-on.jpg         |  14.99 | 2020-11-02 21:…       | NULL
14 | OWASP Juice Shop Magnets (16pcs)            | magnets.jpg         |  15.99 | 2020-11-02 21:…       | NULL
15 | OWASP Juice Shop Sticker Page               | sticker_page.jpg    |   9.99 | 2020-11-02 21:…       | NULL
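As an added example, not code from the original post or from the Juice Shop project, the following Python script rebuilds the columns of the Product dump above in an in-memory SQLite database (the rows and most descriptions are constructed; only product 11's description follows the text quoted later in the post). It shows why a soft-deleted row is still sensitive data: the storefront query that hides rows carrying a deletedAt timestamp returns nothing for them, while a raw dump of the same table returns them together with the description that admits the product is unsafe. The purge_soft_deleted function is an assumed retention control, not something Juice Shop does.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows modelled on the dumped Products table
# (id, name, image, price, description, deletedAt). Descriptions other than
# product 11's are assumed filler; the real Juice Shop rows differ.
SAMPLE_ROWS = [
    (1, "Apple Juice (1000ml)", "apple_juice.jpg", 1.99,
     "The all-time classic.", None),
    (10, "Christmas Super-Surprise-Box (2014 Edition)", "undefined.jpg", 29.99,
     "Seasonal surprise box.", "2014-12-27"),
    (11, "Rippertuer Special Juice", "undefined.jpg", 16.99,
     "Contains a magical collection of the rarest fruits ... "
     "This item has been made unavailable because of lack of safety standards. "
     "(This product is unsafe! We plan to remove it from the stock!)", "2019-02-01"),
    (12, "OWASP Juice Shop Sticker (2015/2016 design)", "sticker.png", 999.99,
     "Die-cut sticker.", "2017-04-28"),
    (13, "OWASP Juice Shop Iron-Ons (16pcs)", "iron-on.jpg", 14.99,
     "Iron-on patches.", None),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory Products table with a Sequelize-style deletedAt column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE Products (
               id INTEGER PRIMARY KEY, name TEXT NOT NULL, image TEXT,
               price REAL, description TEXT,
               createdAt TEXT NOT NULL, deletedAt TEXT)"""
    )
    conn.executemany(
        "INSERT INTO Products (id, name, image, price, description, createdAt, deletedAt) "
        "VALUES (?, ?, ?, ?, ?, '2020-11-02 21:00:00+00:00', ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def storefront_products(conn: sqlite3.Connection) -> List[str]:
    """What a 'paranoid' ORM scope shows the shop UI: soft-deleted rows are filtered out."""
    rows = conn.execute(
        "SELECT name FROM Products WHERE deletedAt IS NULL ORDER BY id"
    ).fetchall()
    return [name for (name,) in rows]


def soft_deleted_products(conn: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    """What a raw table dump still returns: every soft-deleted row, data intact."""
    return conn.execute(
        "SELECT id, name, deletedAt FROM Products "
        "WHERE deletedAt IS NOT NULL ORDER BY id"
    ).fetchall()


def flagged_unsafe(conn: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    """Soft-deleted rows whose own description admits a safety problem."""
    return conn.execute(
        "SELECT id, name, deletedAt FROM Products "
        "WHERE deletedAt IS NOT NULL AND lower(description) LIKE '%unsafe%' "
        "ORDER BY id"
    ).fetchall()


def purge_soft_deleted(conn: sqlite3.Connection, older_than: str) -> int:
    """Assumed mitigation: hard-delete rows soft-deleted before `older_than`
    (ISO date string, compared lexically). Returns the number of rows removed."""
    cur = conn.execute(
        "DELETE FROM Products WHERE deletedAt IS NOT NULL AND deletedAt < ?",
        (older_than,),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("storefront sees:", storefront_products(db))
    print("raw dump also exposes:", soft_deleted_products(db))
    print("self-described unsafe:", flagged_unsafe(db))
    print("purged:", purge_soft_deleted(db, "2020-01-01"))
```

The point of the last function is that a soft delete is a UI decision, not a data-minimisation control: anything that reads the table directly, an injection, a backup, a misconfigured replica, sees the row until it is actually purged or its sensitive fields are scrubbed.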

The product description for the Rippertuer Special Juice reads “Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos… and others, at an unbelievable price! <br />This item has been made unavailable because of lack of safety standards. (This product is unsafe! We plan to remove it from the stock!) “. By googling the listed fruit names, I was sent to a Pastebin page which contained descriptions of each ingredient, including the hazards posed by two of the fruits.

Pastebin: Rippertuer Special Juice Ingredients (posted by a guest, Jan 30th, 2019)

"type": "Sugar Apple Annona squamosa",
"description": "Sugar Apples or Sweetsop, is native to the tropical Americas, but is also widely grown in Pakistan, India and the Philippines. The fruit looks a bit like a pine cone, and are about 10 cm in diameter. Under the hard, lumpy skin is the fragrant, whitish flesh of the fruit, which covers several seeds inside, and has a slight taste of custard."

"type": "Cherymoya Annona cherimola",
"description": "Cherymoya, or custard apple, is a deciduous plant found in the high lying mountainous areas of South America. The fruit is vaguely round and is found with 3 types of skin — Impressa (indented), Tuberculate (covered in nodules) or intermediate (a combination of the first two). The flesh inside the skin is very fragrant, white, juicy and has a custard like consistency. It is said that the fruit tastes like a combination of banana, passion fruit, papaya and pineapple. Mark Twain said in 1866 "the most delicious fruit known to men, cherimoya""

"type": "Cocona Solanum sessiliflorum",
"description": "Cocona fruit is another tropical fruit found in the mountainous regions of South America. It grows on a small shrub, and can miraculously grow from seed to fruit in less than 9 months, after which the fruit will take another 2 months to ripen. The fruit is a berry and comes in red, orange or yellow. It has a similar appearance to tomatoes, and is said to taste like a mixture between tomatoes and lemons."

With the OSINT research completed, it was simply a matter of informing the store of the hazard posed by their admittedly unsafe and recalled product.

Customer Feedback
Author: —
Comment: Rippertuer Special Juice contains Hueteroneel and Eurogium Edule (64/160 characters)
Rating
CAPTCHA: What is 5-6+3 ?
Submit

You successfully solved a challenge: Leaked Unsafe Product (Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous.)

Lessons Learned and Things Worth Mentioning: 

Extracting the contents of the database using sqlmap was, by a wide margin, the most useful thing I could have done during the Database Schema challenge. It has been useful in a huge number of challenges, and tackling this challenge without completing and expanding on that one would have been a nightmare.
