Challenge:
Name: Allowlist Bypass (formerly Whitelist Bypass)
Description: Enforce a redirect to a page you are not supposed to redirect to.
Difficulty: 4 star
Category: Unvalidated Redirects
Expanded Description: https://pwning.owasp-juice.shop/part2/unvalidated-redirects.html
Tools used:
None.
Resources used:
Methodology:
The last of the 4 star challenges!
In the expanded description, it is explained that this challenge involves tinkering with the redirect mechanism, and that there are a number of allowed websites to which the user may be redirected. To start out with, then, I grepped the main JavaScript file to see what redirects were incorporated into the code already.
![Screenshot: terminal output of `cat main.js | grep "redirect?to="` in the Juice Shop directory, listing the redirect targets embedded in the front-end code: blockchain.info, explorer.dash.org and etherscan.io address pages, shop.spreadshirt.com, shop.spreadshirt.de, stickeryou.com, leanpub.com/juice-shop and github.com/bkimminich/juice-shop (the "Go to OWASP Juice Shop GitHub page" links)](https://curiositykillscolby.files.wordpress.com/2020/12/image-100.jpeg?w=642)
OK, so it looks like the format is "http://localhost:3000/redirect?to=", followed by a website. First, I wanted to see what happened when I tried to redirect to nowhere.
![Screenshot: browser at localhost:3000/redirect?to= (empty target) showing "406 Error: Unrecognized target URL for redirect:" followed by an Express stack trace from the Juice Shop server (Express 4.17.1)](https://curiositykillscolby.files.wordpress.com/2020/12/image-101.jpeg?w=932)
Nothing special happened aside from the 406 error, so I tried redirecting to this blog.

Again, I received a 406 error.
Being fairly inexperienced in web development, I was a little stumped as to what the challenge wanted me to do. I didn’t realize that it wanted me to route my redirect to one of the allowed websites through a disallowed site, which makes quite a bit of sense in retrospect.
In short, the solution I used was to navigate to "http://localhost:3000/redirect?to=http://kimminich.de?pwned=https://github.com/bkimminich/juice-shop".
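Why the query-string trick works, and what a defender does about it, as an added example that is not Juice Shop's own code: the allowlist entries and the shape of the weak check are assumptions modelled on the behaviour observed above (a redirect succeeds whenever an allowed URL appears somewhere in `to`, and an unrecognized target gets a 406). The hardened variant parses the target and compares origin and path prefix, so anything in the query string or fragment cannot smuggle in an allowed-looking string.

```javascript
// Added example, not Juice Shop's source. The allowlist below is a
// constructed subset of the targets seen in the grep output above.
const REDIRECT_ALLOWLIST = [
  'https://github.com/bkimminich/juice-shop',
  'https://blockchain.info/address/',
  'https://etherscan.io/address/',
];

// Weak check (assumed shape): "does the target contain an allowed URL
// anywhere?" Any URL that merely mentions an allowed one passes, which
// is exactly what the ?pwned=<allowed URL> payload exploits.
function isAllowedSubstring(target) {
  return REDIRECT_ALLOWLIST.some((allowed) => target.includes(allowed));
}

// Hardened check: parse the target, require http(s), and require that the
// target's origin equals an allowed origin and its path starts with the
// allowed path. Query string and fragment are ignored for matching.
function isAllowedStrict(target) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return false; // empty, relative or malformed targets are rejected
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return REDIRECT_ALLOWLIST.some((allowed) => {
    const a = new URL(allowed);
    return url.origin === a.origin && url.pathname.startsWith(a.pathname);
  });
}

// Minimal stand-in for a /redirect?to= handler: returns the status and
// Location a server would send, modelled on the 406 observed in the post.
function handleRedirect(target, check) {
  if (target && check(target)) {
    return { status: 302, location: target };
  }
  return { status: 406, error: 'Unrecognized target URL for redirect: ' + target };
}

// Constructed cases, all taken from the walkthrough above.
const CASES = [
  'https://github.com/bkimminich/juice-shop',                           // legitimate target
  'http://kimminich.de?pwned=https://github.com/bkimminich/juice-shop', // the bypass used above
  'https://curiositykillscolby.wordpress.com/',                         // this blog, not allowed
  '',                                                                   // the empty target
];

// Compare both checks over the cases; returns the table for inspection.
function demo() {
  return CASES.map((t) => ({
    target: t,
    substring: handleRedirect(t, isAllowedSubstring).status,
    strict: handleRedirect(t, isAllowedStrict).status,
  }));
}

for (const row of demo()) console.log(JSON.stringify(row));
```

Running it shows the substring check answering 302 for the bypass payload while the strict check answers 406 for everything except the genuine GitHub link. The detection angle is the same parse-and-compare logic applied to request logs: any `to=` value whose parsed origin is not on the allowlist but whose raw string contains an allowlisted URL is a bypass attempt worth alerting on.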

Now it’s on to the 5 star challenges, where I, for some reason, have been having much more luck than with the 4 star challenges.
Prevention and Mitigation Strategies:
OWASP Unvalidated Redirects and Forwards Cheat Sheet
Lessons Learned and Things Worth Mentioning:
While I’m sure my lack of front-end experience has caused unnecessary consternation during the course of these challenges, this was the first time where I felt completely clueless from the very beginning. I’m going to need to spend more time studying and playing with front end code so that I can get more comfortable with how the mechanics of a web app truly work.