Information Security

Hacking OWASP’s Juice Shop Pt. 52: Legacy Typosquatting

Posted on by codeblue04

Challenge: 

Name:  Legacy Typosquatting

Description: Inform the shop about a typosquatting trick it has been a victim of at least in v6.2.0-SNAPSHOT. (Mention the exact name of the culprit)

Difficulty: 4 star

Category: Vulnerable Components

Expanded Description: https://pwning.owasp-juice.shop/part2/vulnerable-components.html

Tools used:

None.

Resources used:

Poison Null Byte / Developer Backup

Blog post

Methodology: 

While the expanded description points you to a blog post about malicious packages, and that blog post lists vulnerable libraries to search for this error, I actually “solved” this long ago.

Malicious packages in npm. Here's what to do Here's all the information Pve found. Ivan Akulov August 2, 2017 n pm a_
I grep -E "babelclilcrossenvlcrosl Colbyökali Shop$ cat package.json s-env. js d3 .js fabric-js ffmepgl gruntclilhttp-proxy.js jquery.js Imariadb mongose Imssql.jslmssql-node mysqljslnodecaffelnodefabriclnode-fabriclnodeffmpeg nodemai ler-jslnodemailer.js nodemssqllnode-opencvlnode-opensl node-openssllnoderequestl nodesass nodesqlitel node-sqlitel node-tkinterl opencv.js openssl.js proxy. js shado wsockl smblsqlite.js sqliterlsqlserverl tkinter" Colbyakali :-/Hack/Juice Shop$
None of the libraries listed on the blog are used in Juice Shop.

The way I solved this challenge was by being thorough in the Vulnerable Library challenge, and taking a screen shot of the snyk.io description of the “epilogue-js” library found in the Developer Backup challenge.

status Epilogue THIS IS NOT THE MODULE YOU ARE LOOKING FOR! Please use https://github.com /dchester/epilogue! This repository exists only for security awareness and training purposes to demonstrate the issue of typosquatting! Please read https://github.com /bkimminich/juice-shop/issues/368 and https://iamakulov.com/notes/npm-malicious- packages/ for more information!
Handy, right?
Customer Feedback - Author — Comment epilogue-is O Max. 160 characters 11/160 Rating CAPTCHA: 40 What is 5*6+10 ? Submit
You successfully solved a challenge: Legacy Typosquatting (Inform the shop about a typosquatting trick it has been a victim of at least in v6.2.O-SNAPSHOT. (Mention the exact name of the culprit)) X

Prevention and Mitigation Strategies:

OWASP Vulnerability Dependence Management Cheat Sheet

Lessons Learned and Things Worth Mentioning: 

Proper Prior Planning Prevented Colby from having to tackle this challenge from scratch. Always gather every piece of information available to you in order to gain a potential advantage down the road.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s