Hacking OWASP’s Juice Shop Pt. 52: Legacy Typosquatting

Challenge: 

Name:  Legacy Typosquatting

Description: Inform the shop about a typosquatting trick it has been a victim of at least in v6.2.0-SNAPSHOT. (Mention the exact name of the culprit)

Difficulty: 4 star

Category: Vulnerable Components

Expanded Description: https://pwning.owasp-juice.shop/part2/vulnerable-components.html

Tools used:

None.

Resources used:

Poison Null Byte / Developer Backup

Blog post

Methodology: 

While the expanded description points you to a blog post about malicious packages, and that blog post lists vulnerable libraries to search for this error, I actually “solved” this long ago.

Malicious packages in npm. Here's 
what to do 
Here's all the information Pve found. 
Ivan Akulov 
August 2, 2017 
n pm 
a_
I grep -E "babelclilcrossenvlcrosl 
Colbyökali Shop$ cat package.json 
s-env. js d3 .js fabric-js ffmepgl gruntclilhttp-proxy.js jquery.js Imariadb mongose 
Imssql.jslmssql-node mysqljslnodecaffelnodefabriclnode-fabriclnodeffmpeg nodemai 
ler-jslnodemailer.js nodemssqllnode-opencvlnode-opensl node-openssllnoderequestl 
nodesass nodesqlitel node-sqlitel node-tkinterl opencv.js openssl.js proxy. js shado 
wsockl smblsqlite.js sqliterlsqlserverl tkinter" 
Colbyakali :-/Hack/Juice Shop$
None of the libraries listed on the blog are used in Juice Shop.

The way I solved this challenge was by being thorough in the Vulnerable Library challenge, and taking a screen shot of the snyk.io description of the “epilogue-js” library found in the Developer Backup challenge.

status 
Epilogue 
THIS IS NOT THE MODULE YOU ARE LOOKING FOR! Please use https://github.com 
/dchester/epilogue! This repository exists only for security awareness and training 
purposes to demonstrate the issue of typosquatting! Please read https://github.com 
/bkimminich/juice-shop/issues/368 and https://iamakulov.com/notes/npm-malicious- 
packages/ for more information!
Handy, right?
Customer Feedback 
- Author — 
Comment 
epilogue-is 
O Max. 160 characters 
11/160 
Rating 
CAPTCHA: 
40 
What is 
5*6+10 ? 
Submit
You successfully solved a challenge: Legacy Typosquatting (Inform the shop about a typosquatting 
trick it has been a victim of at least in v6.2.O-SNAPSHOT. (Mention the exact name of the culprit)) X

Prevention and Mitigation Strategies:

OWASP Vulnerability Dependence Management Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

Proper Prior Planning Prevented Colby from having to tackle this challenge from scratch. Always gather every piece of information available to you in order to gain a potential advantage down the road.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s