Hacking OWASP’s Juice Shop Pt. 55: GDPR Data Theft

Challenge: 

Name: GDPR Data Theft

Description: Steal someone else’s personal data without using Injection.

Difficulty: 4 star

Category: Sensitive Data Exposure

Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

Solution Guide

Methodology: 

To start this challenge I first went to the expanded description, where I noticed a few curious notes:

  1. I need to steal the data of a user who has previously placed an order.
  2. HTTP request fiddling would be insufficient.
  3. The server responses will be key to solving the challenge.

The first thing I did was log into an account which I knew had placed orders and requested an export of personal data from the Account -> Privacy & Security menu and tracked the packets using Burp Suite. The export gave me a JSON object with a few data fields filled in concerning the user and past orders, but there was nothing worth mentioning in the packets or browser’s developer tool tabs.

Intercept HIT P history WebSockets history Options 
Filter: Hiding CSS. image and general binary content 
Host 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
http://IocaIhost:3000 
Method 
URL 
'rest/admin/application-configura 
'rest/admin/application-version 
'rest/admin/application-version 
'rest/user/whoami 
'rest/admin/application-configura 
/restnanguages 
'rest/user/whoami 
'rest,'admin/application-configura 
/restftrack-order/5267-51dfccf8c 
Params 
Edited 
Status 
Length 
17151 
17151 
254 
MIME type 
ISON 
ISON 
"SON 
"SON 
"SON 
"SON 
Extension 
Title 
Comment 
Contains 
Contains 
Contains 
Contains 
Contains 
Contains 
Contains 
Contains 
Contains 
Contains 
Contains 
Contains 
Contains 
Request 
Params 
Pretty 
Headers 
Actions v 
"SON web Tokens 
GET /rest/t rack-order,'S267-S1dfccf8ce6c927S 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; 
application/ j son, text/ plain, I/ * 
4 Accept 
-Language: en-US, en; q=O.S 
Accept -Encoding: gzip, deflate 
Authorization: Bearer 
HTTP/I.I 
rv.78.o) 
Gecko,'20100101 
Firefox/78 
Response 
Headers 
Render 
Pretty 
Rave 
Actions 
304 Not Modified 
Access-Cont rol -Allow-Origin: 
X-Content -Type-options: nosniff 
IX-Frame-options: SAMEORIGIN 
Feature-policy: payment 
self' 
a-rag: n,' '26a-wDgpcsdUog697+GRycgDY3Ze6EQ 
Date: Mon, SO Nov 2020 Gl•rr 
Connection: close 
ey ey oiJzdRNj ZXNz1iwi dXN1 cm shbnuio 
iliLCJ1 bh'FpbC161mFkbh'1 u QGp1ah'N1 LXNoLm9w1iwi oi MDUxNmYwNj 1 kzj E-4Yj U 
lwMC1s1nJvbGUi bHV4ZVRva2Vu1j oiliwibGFzdExvZ21 usxAioi lwLj AuMC4w1iwicHJvZm1 szul Y'Ad11 
j j oiYXNzZXRzL381YmxpYy9pbRFnZXMv zxQi oi d Gl 2ZS16dHJ 
1 Z9wiY3J1 YXRI ZEF01j oi Mj Ay McoxMsozMCAx0ToxNDo 0My 4xMz1gKz Awoj Awl iwi dxakYXR1 ZEF01j oi Mj Ay MCOxMSOzMCAxO 
ToxND00My 4xMz1gKzAwOj Awliwi ZGVsZXR1 ZEF01j pud',Nxsf9wi oxNj A2NzY00TISLCJ1 eHAi oj E2MDY30DISMj 19 DI 
EOSUXi 7hEUH3EISILKSe6H6i 7DZ,NGphPj 1 LPP8yN- oryLg2992- zj 1 -FP b9Gd9gnrJP- 73yed1 zxM6gG Fb2L1p84svh'Nhwu4 
gwsgXy0YseHfsK1 t10FcUkR4Kqo 
81Connection: close 
Referer: http://localhost : 3000/ 
10 Cookle: language=en; welcomebanner status=dismiss; 
cookieconsent status=dismiss, 
continueCode= 
Z8uqh1tk1esvi 71JyH0uohnt Klj TMCIFviNfns1 HNuktwsoi 7fbS8Ruooh1at r McZN106CQNiY4f r k sq KLIQxu37hbkt zLIE7s10 
U07HKZhLyca1s3eFQ2fobSZLU6XH1ztb7cDvTj xcn7sgyFRvfKES7vHbL; io=01srqsmuLoczWAOAAA8; 
token= 
ZXNz1iwi dXN1 cm shbnuio 
i lil_c-n u QGp1ah'N1 LXNoLm9w1iwi oi MDUxNmYwNj 1 kzj E-4Yj U 
I wMC1s1nJvbGUioiJhZG1pbi1s1mR1 bHV4ZVRva2Vu1j oiliwibGFzdExvZ21 usxAioi Iwi_j AuMC4w1iwicHJvZm1 szul 1 
j oiYXNzZXRzLsa1YmxpYy9p zxQi oi d Gl 2ZS16dHJ 
1 Z9wiY3J1 YXRI ZEF01j oi Mj Ay McoxMsozMCAx0ToxNDo 0My 4xMz1gKz Awoj Awl iwi dxakYXR1 ZEF01j oi Mj Ay MCOxMSOzMCAxO 
ToxND00My 4xMz1gKzAwOj Awliwi ZGVsZXR1 ZEF01j pud',Nxsf9wi oxNj A2NzY00TISLCJ1 eHAi oj E2MDY30DISMj 19 DI 
EOSUXi 7hEUH3EISILKSe6H6i 7DZAGphPj 1 LPP8yN- oryLg2992- zj 1 -FP b9Gd9gnrJP- 73yed1 zxM6gG Fb2L1p84svRNhwu4 
gwsgXy0YseHfsK1 t10FcUkR4Kqo 
If -None -Match: 
" 26a -wDgpcsdUog697+GRycgDY3Ze6EQ'

Then, I decided to try making an order and seeing what changed about a user’s account when an order was created. What I found was that that there was an order number created, allowing the system to track that order.

C) @ 2; localhost 
letHunter •is Exploit-DB 
GHDB MSFU 
uice Shop 
Search Results 
- 5267- la2b35d6407d8ed5

From here, I checked Firefox’s Developer Tools Network tab to see what data was being sent to me.

Headers Cookies 
Filter properties 
JSON 
status: "success" 
data: 
Request 
Response 
Cache 
Timings 
Stack Trace 
• O: Object {promotionaLAmount: O, paymentld: "wallet", addressld: . 
promotionalAmount: O 
paymentld: "wallet" 
addressld: "5" 
orderld: "ad9b-495340b719b4308d" 
delivered: false 
email: 
totalprice: 11.97 
products: 
O: Object { quantity: 2, id: 4, name: •Raspberry Juice (1000mI)", 
quantity: 2 
idl 4 
name: "Raspberry Juice (1000m]" 
price: 4.99 
total: 988 
bonus: O

Taking special note of the format of the “email” field (and the Solution Guide), I opted to make a new user with an email with all consonants and vowels in the same positions, but with vowels replaced with different characters. If those asterisks acted as wildcard characters, then creating a nearly-identical user might trick the server into sending me the wrong user’s data.

User Registration 
Email 
jam@juice-sh.op 
Password 
O Password must be 5-20 characters long. 
Repeat Password 
Show password advice 
Security Question 
Your eldest siblings middle name? 
O This cannot be changed later:' 
Answer 
Gabrielle 
+• Register 
Already a customer? 
8/20 
8/20

Then, I went back to the “Request Data Export” form.

e Account Your Basket 
e 
6 
+2 
Q 
Privacy Policy 
Request Dat8Export 
Request Data Erasure 
Change Password 
2FA Configuration 
Last Login IP 
e 
jam@juice-sh.op 
Orders & Payment 
Privacy & Security 
Logout
C) @ localhost 
:3000 
{ "username": "email": "jam@juice-sh.op", "orders": [ { 
"orderld": "ad9b-495340b719b4308d", "totalPrice": 11.97, 
"products": [ { "quantity": 2, 'lid": 4, "name": "Raspberry 
Juice (1000ml)", "price": 4.99, "total": 9.98, "bonus": 0 { 
"quantity": 1, "id": 6, "name": "BananaJuice (1000ml)", 
"price": 1.99, "total": 1.99, "bonus": O } ], "bonus": 0, "eta": 
"5" } ], "reviews": [l, "memories": [ ] }

And from an entirely new user (jam@juice-sh.op), with no order history, I received the data from a long-time customer (jim@juice-sh.op).

You successfully solved a challenge: GDPR Data Theft (Steal someone else's personal data without using Injection.) 
x

Prevention and Mitigation Strategies:

OWASP Privacy Protection Cheat Sheet

Lessons Learned and Things Worth Mentioning:

Honestly I’m not sure what I was supposed to learn from this. That the email address was slightly obfuscated doesn’t necessarily imply that the asterisks are wildcard characters, nor that a second email account with those wildcard characters filled in differently would or should lead to the exploitation of a vulnerability. I try to look for every possible lesson in the challenges where I use the Solution Guide, but in this case I just don’t see what the intended lesson is.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s