Name: Ephemeral Accountant
Description: Log in with the (non-existing) accountant firstname.lastname@example.org without ever registering that user.
Difficulty: 4 star
Expanded Description: https://pwning.owasp-juice.shop/part2/injection.html
Burp Suite, FoxyProxy
For the first time in this project, I found a challenge where the expanded description provided me with no ideas about a path forward. With a prohibition on adding the “email@example.com” account to the user database table, I was completely stumped. I tried the few injection tricks I knew to no avail. At that point, I allowed myself to read the first bullet point in the challenge solution, which was ” Go to http://localhost:3000/#/login and try logging in with Email ‘ and any Password while observing the Browser DevTools network tab”
While I could have used the browser tools. I opted instead to use Burp Suite and FoxyProxy.
An md5 hashed space character wasn’t going to provide me with a means of ingress, so remembering that I’m here to learn new things, I grudgingly read the rest of the solution. In that solution, it was revealed that a nested UNION SELECT attack would be required to complete the challenge. Essentially the attack required the creation of an entirely new database table entry, but in a temporary capacity using “UNION SELECT * FROM (<entire fabricated User table entry>)–” as the syntax. So, if I’m correct, the UNION SELECT attack I crafted would create a temporary (some might say ephemeral) table entry without ever interacting with the User table, allowing me to log in a whoever I wanted to be.
Prevention and Mitigation Strategies:
Lessons Learned and Things Worth Mentioning:
I’m glad that my first post in this project included the disclaimer that I was going to wind up using the Solution Guide. My inexperience and desire to learn all of this stuff is admittedly tied to my ego, and I don’t like having to admit defeat. It is imperative, however, that I do just that. Failing to suppress that desire would impose significant limitations on my ability to both learn this material and complete this series of walkthroughs. I think this post will be the last time I’ll mention that I’m trying to learn new concepts as opposed to demonstrating mastery. As I clear up the last few four star challenges over the next week and move into the five star category, any further mentioning of my desire to complete challenges without assistance will be detrimental to the quality of the posts, as nearly all of them will require reference to the Solution Guide..
In order to maintain consistency, I’ll still list the Solution Guide in the list of resources used, lest my walkthroughs be mistaken for entirely organic content.