Name: Login Bjoern
Description: Log in with Bjoern’s Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account.
Difficulty: 4 star
Category: Broken Authentication
Expanded Description: https://pwning.owasp-juice.shop/part2/broken-authentication.html
Ok, there are enough references there to warrant a deeper look, so I dug into the code until I came across the login function.
While other code obfuscation in this file consists of one or two letters, “btoa” didn’t quite fit that mold, so I googled it.
If btoa() is just a base64 encoding function, and it is just encoding a reversed string consisting of the user’s email address, then let’s go ahead and do just that.
But it didn’t work. After all that sleuthing, the password didn’t work. I double and triple checked every character in the email address, made sure the reversing method was functioning properly, and finally tried to encode the string using Burp Suite’s Decoder.
What’s this? A different character at the end of the encoded string? Let’s give it a shot!
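An added example, not code from Juice Shop or from this write-up: the derivation described above (base64 of the reversed e-mail address) turned into an audit check that flags accounts whose stored password can be computed from the address alone, next to a random secret for OAuth-provisioned accounts. The function names, the scrypt-based account store and the example.com accounts are assumptions constructed for illustration.

```javascript
// Added example: function and field names are hypothetical, not Juice Shop's.
const crypto = require('node:crypto');

// Derivation the post describes: base64 of the reversed e-mail address.
// Buffer's base64 output matches btoa() for ASCII input.
function derivedPassword(email) {
  const reversed = email.split('').reverse().join('');
  return Buffer.from(reversed, 'latin1').toString('base64');
}

// Salted scrypt hash, standing in for whatever the account store uses.
function hashPassword(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

function makeAccount(email, password) {
  const salt = crypto.randomBytes(16);
  return { email, salt, hash: hashPassword(password, salt) };
}

// Audit: return the e-mails whose stored hash matches the derived password,
// i.e. accounts whose password carries no secret beyond the address itself.
function findDerivableAccounts(accounts) {
  return accounts
    .filter((a) => crypto.timingSafeEqual(
      hashPassword(derivedPassword(a.email), a.salt), a.hash))
    .map((a) => a.email);
}

// Mitigation: an OAuth-provisioned account gets a random secret that is never
// shown or reused; it authenticates through provider token verification only.
function provisionOAuthAccount(email) {
  return makeAccount(email, crypto.randomBytes(32).toString('base64'));
}

// Constructed sample data (example.com addresses, not real accounts).
const accounts = [
  makeAccount('alice@example.com', derivedPassword('alice@example.com')),
  makeAccount('bob@example.com', 'correct horse battery staple'),
  provisionOAuthAccount('carol@example.com'),
];

console.log(findDerivableAccounts(accounts)); // lists the flagged accounts
```

Only the first constructed account is flagged; the randomly provisioned one cannot be reproduced from its address.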
Prevention and Mitigation Strategies: