Hacking OWASP’s Juice Shop Pt. 56: Allowlist Bypass

Challenge: 

Name: Allowlist Bypass (formerly Whitelist Bypass)

Description: Enforce a redirect to a page you are not supposed to redirect to.

Difficulty: 4 star

Category: Unvalidated Redirects

Expanded Description: https://pwning.owasp-juice.shop/part2/unvalidated-redirects.html

Tools used:

None.

Resources used:

Solution Guide

Methodology: 

The last of the 4 star challenges!

In the expanded description, it is explained that this challenge involves tinkering with the redirect mechanism, and that there are a number of allowed websites to which the user may be redirected. To start out with, then, I grepped the main JavaScript file to see what redirects were incorporated into the code already.

cd Hack/Juice\ Shop/
Shop$ cat main.js | grep "redirect?to="

[Screenshot of the grep output; the capture is only partly legible. The matches are redirect?to= links to the following targets: https://blockchain.info/address/…, https://explorer.dash.org/address/…, https://etherscan.io/address/…, http://shop.spreadshirt.com/juiceshop, http://shop.spreadshirt.de/juiceshop, https://www.stickeryou.com/products/owasp-juice-shop/794, https://github.com/bkimminich/juice-shop (twice, in the "Go to OWASP Juice Shop GitHub page" links) and http://leanpub.com/juice-sho… (cut off in the capture).]

OK, so it looks like the format is “http://localhost:3000/redirect?to=”, then a website. First, I wanted to see what happened when I tried to redirect to nowhere.

localhost:3000/redirect?to=

406 Error: Unrecognized target URL for redirect:

[Screenshot of the browser showing the OWASP Juice Shop (Express 4.17.1) error page; the remainder of the capture is the Express/Node stack trace (Layer.handle, Route.dispatch, trim_prefix, logger, jsonParser in server.js) and the Kali browser bookmarks bar.]

Nothing special happened aside from the 406 error, so I tried redirecting to this blog.

Again, I received a 406 error. 

Being fairly inexperienced in web development, I was a little stumped as to what the challenge wanted me to do. I didn’t realize that it wanted me to route my redirect to one of the allowed websites through a disallowed site, which makes quite a bit of sense in retrospect.

In short, the solution I used was to navigate to “http://localhost:3000/redirect?to=http://kimminich.de?pwned=https://github.com/bkimminich/juice-shop”.

You successfully solved a challenge: Whitelist Bypass (Enforce a redirect to a page you are not supposed to redirect to.)

Now it’s on to the 5 star challenges, where I, for some reason, have been having much more luck than with the 4 star challenges.

Prevention and Mitigation Strategies:

OWASP Unvalidated Redirects and Forwards Cheat Sheet
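As an added example (not Juice Shop's own code; the allowlist is constructed from the targets visible in the grep output above, and the function names are my own), the redirect check is written two ways: as a substring test, which is the pattern the ?pwned= payload defeats, and as a version that parses the URL and matches scheme, host and path exactly, in the spirit of the cheat sheet.

```javascript
// Added example: a redirect allowlist check done wrong and done right.
// Constructed allowlist, taken from the redirect?to= targets seen in main.js.
const REDIRECT_ALLOWLIST = [
  'https://github.com/bkimminich/juice-shop',
  'http://leanpub.com/juice-shop',
  'http://shop.spreadshirt.com/juiceshop',
  'http://shop.spreadshirt.de/juiceshop',
];

// Weak check (assumed pattern, not copied from the project): "does the requested
// URL contain an allowed URL anywhere?" A disallowed host that carries an allowed
// URL in its query string passes, which is exactly what the challenge exploits.
function isRedirectAllowedWeak(target) {
  return REDIRECT_ALLOWLIST.some((allowed) => target.includes(allowed));
}

// Hardened check: parse the target, accept only absolute http(s) URLs without
// credentials, then require scheme + host + path to equal an allowlist entry.
// Query string and fragment are ignored, so "?pwned=<allowed URL>" cannot
// influence the decision.
function isRedirectAllowedStrict(target) {
  let url;
  try {
    url = new URL(target); // throws on relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.username || url.password) return false; // "https://github.com@evil.example/" style
  const canonical = `${url.protocol}//${url.host}${url.pathname}`;
  return REDIRECT_ALLOWLIST.some((allowed) => {
    const a = new URL(allowed);
    return canonical === `${a.protocol}//${a.host}${a.pathname}`;
  });
}

// The challenge payload: a disallowed host with an allowed URL in its query string.
const BYPASS = 'http://kimminich.de?pwned=https://github.com/bkimminich/juice-shop';

// Evaluate one target under both checks, for side-by-side comparison.
function compare(target) {
  return { weak: isRedirectAllowedWeak(target), strict: isRedirectAllowedStrict(target) };
}

console.log(compare(BYPASS)); // { weak: true, strict: false }
```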

Lessons Learned and Things Worth Mentioning: 

While I’m sure my lack of front-end experience has caused unnecessary consternation during the course of these challenges, this was the first time where I felt completely clueless from the very beginning. I’m going to need to spend more time studying and playing with front end code so that I can get more comfortable with how the mechanics of a web app truly work.
