Name: Change Bender’s Password
Description: Change Bender’s password into slurmCl4ssic without using SQL Injection or Forgot Password.
Difficulty: 5 star
Category: Broken Authentication
Expanded Description: https://pwning.owasp-juice.shop/part2/broken-authentication.html
Tools: Burp Suite, FoxyProxy
With the expanded description being of very little obvious assistance, I opted to learn how the password changing mechanism worked using an account for which I already had the password.
I was a little surprised to see that the passwords were being passed in cleartext in the change-password request, but it being Juice Shop that wasn’t exactly shocking. Now that I knew roughly how the mechanism worked, I logged in as Bender using the SQL injection trick from the Login Bender challenge and started probing. I could have done this with the admin account, but on the off chance I got lucky on my first couple of attempts I didn’t want to waste that luck on the wrong account. After all, knowing that SQL injection was disallowed for this challenge, there were only a few possible weaknesses to test.
OK, so using the wrong current password yields a 401 response code. What about leaving the current password field empty?
Prevention and Mitigation Strategies:
Don’t transmit passwords in cleartext! Verify on the server side that the current password supplied by the user matches the one on record, treating a missing or empty current password as a failed check, before updating the password in the user database.
Lessons Learned and Things Worth Mentioning:
My strategy here was basically to poke the server with a stick until it let me do what I wanted to do. That appears to be a valid strategy!