Hacking OWASP’s Juice Shop Pt. 60: Extra Language

Challenge: 

Name:  Extra Language

Description: Retrieve the language file that never made it into production.

Difficulty: 5 star

Category: Broken Anti-Automation

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-anti-automation.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

Solution Guide

Methodology: 

The expanded description for this challenge suggests first working out how the language changes take place, then either finding the correct language code by brute force (which is implied to take significant time) or investigating which languages are available in this format.

Fair enough. I began by changing the language from English to Spanish (because I’d like to use the three quarters of Spanish I took at some point) and intercepted the request to see both how the server received that update and how it applied it.

[Screenshot: Burp Suite Proxy intercept of the request to http://localhost:3000 sent when the language is switched: `/assets/i18n/es_ES.json HTTP/1.1`, `Host: localhost:3000`]

Then, to be thorough, I changed the language several more times to see if a pattern emerged in the language codes.

[Screenshot: Burp HTTP history after several language switches, showing requests for `/assets/i18n/de_DE.json`, `/assets/i18n/en.json`, `/assets/i18n/es_ES.json` and `/assets/i18n/et_EE.json`]

Sure enough, they were primarily in two formats: xx_XX.json or xx.json.

[Screenshot: server response `200 OK` with `Content-Type: application/json; charset=UTF-8`, `Content-Length: 30942`, `X-Content-Type-Options: nosniff`, `X-Frame-Options: SAMEORIGIN`, `Cache-Control: public, max-age=0`; the body is the Spanish translation map with keys such as `LANGUAGE` ("Español"), `NAV_SEARCH` ("Buscar"), `SEARCH_PLACEHOLDER`, `NAV_COMPLAIN` ("Queja"), `TITLE_LOGIN` ("Inicio de sesión"), `MANDATORY_EMAIL`, `MANDATORY_PASSWORD`, `LABEL_EMAIL` ("Dirección de correo"), `LABEL_PASSWORD` ("Contraseña"), `SHOW_PASSWORD_ADVICE`, `LOWER_CASE_CRITERIA_MSG` and `UPPER_CASE_CRITERIA_MSG`]

When the server responded to these requests, it sent back a large JSON object (roughly 30,000 characters, per the Content-Length header) containing the translated UI strings.

Knowing that my task was to find an unlisted language, I sought out a list of i18n formatted language file names, eventually finding a very long list of file names in a GitHub repository.

[Screenshot (https://curiositykillscolby.files.wordpress.com/2020/12/image-119.jpeg): GitHub search result for the ladjs/i18n-locales repository]

From there, I used Burp Suite’s Intruder tool to run a “Sniper” attack, sending the server a request for every language file name listed in the repository.

[Screenshot: Burp Intruder with attack type Sniper and the payload position on the locale code in the request path; the results table shows payloads such as th, el, hi_IN, SA, bg_BG, de, es and he_IL, response lengths between 30205 and 37155, the Error and Timeout columns all 0, and the comment “Contains a JWT” on each row]

Lots of languages returned properly, but since I wasn’t greeted with a green banner, I knew that the correct code hadn’t been requested yet. With over 300 language files tested (using Burp’s painfully throttled mechanism instead of my currently broken wfuzz application) and still no luck, I gave in and read the Solution Guide entry. It turned out I should have read the Companion Guide’s Translation page, which links to another page listing all of the available languages, one of which is Klingon, with the code “tlh_AA”. Boy am I glad I didn’t opt for brute force, because I still wouldn’t have found it.

[Screenshot: the project’s Crowdin page listing the translation languages and their completion percentages (Arabic 22%, Chinese Simplified 100%, Chinese Traditional 100%, Dutch 80%, German 100%, French 43%, plus Azerbaijani, Bulgarian, Burmese, Catalan, Czech, Danish, Estonian, Finnish, Georgian, German (Switzerland), Greek, Hebrew, Hindi, Hungarian, Indonesian, Italian, Japanese and Klingon), followed by the Juice Shop success banner, shown in Estonian: “Sa lahendasid edukalt väljakutse: Extra Language (Retrieve the language file that never made it into production.)”, i.e. “You successfully solved the challenge: Extra Language”]
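Since this challenge sits in the Broken Anti-Automation category, the defender-side counterpart to the Intruder run above is spotting that kind of locale enumeration in the web server’s access log. The script below is an added example, not part of the original post or of Juice Shop itself: the log lines are constructed (only the `/assets/i18n/<code>.json` path shape, the `tlh_AA` code and the 30942 content length come from the post), and the alert thresholds (time window, distinct codes, 404 ratio) are assumptions a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined-log style); not taken from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Dec/2020:14:02:10 +0000] "GET /assets/i18n/es_ES.json HTTP/1.1" 200 30942
10.0.0.5 - - [09/Dec/2020:14:05:31 +0000] "GET /assets/i18n/de_DE.json HTTP/1.1" 200 31418
10.0.0.9 - - [09/Dec/2020:14:10:00 +0000] "GET /assets/i18n/th.json HTTP/1.1" 404 142
10.0.0.9 - - [09/Dec/2020:14:10:01 +0000] "GET /assets/i18n/el.json HTTP/1.1" 404 142
10.0.0.9 - - [09/Dec/2020:14:10:01 +0000] "GET /assets/i18n/hi_IN.json HTTP/1.1" 200 31366
10.0.0.9 - - [09/Dec/2020:14:10:02 +0000] "GET /assets/i18n/bg_BG.json HTTP/1.1" 200 31257
10.0.0.9 - - [09/Dec/2020:14:10:02 +0000] "GET /assets/i18n/he_IL.json HTTP/1.1" 404 142
10.0.0.9 - - [09/Dec/2020:14:10:03 +0000] "GET /assets/i18n/zz_ZZ.json HTTP/1.1" 404 142
10.0.0.9 - - [09/Dec/2020:14:10:03 +0000] "GET /assets/i18n/tlh_AA.json HTTP/1.1" 200 29870
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
# Locale files follow the two shapes seen in the post: xx.json or xx_XX.json
# (the language part is 2 or 3 letters so that tlh_AA is accepted).
I18N_RE = re.compile(r'^/assets/i18n/(?P<code>[a-z]{2,3}(?:_[A-Z]{2})?)\.json$')

def parse_line(line):
    """Return ip, timestamp, path and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m['ip'], 'ts': ts, 'path': m['path'], 'status': int(m['status'])}

def find_locale_enumeration(log_text, window_s=60, min_distinct=5, min_404_ratio=0.3):
    """Flag clients that probe many distinct locale codes within window_s seconds,
    with a large share of 404s (a normal user switches one language at a time)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = I18N_RE.match(rec['path'])
        if m:
            per_ip[rec['ip']].append((rec['ts'], m['code'], rec['status']))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):  # sliding window over each start event
            win = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            codes = {c for _, c, _ in win}
            n404 = sum(1 for _, _, s in win if s == 404)
            if len(codes) >= min_distinct and n404 / len(win) >= min_404_ratio:
                alerts[ip] = {'distinct_codes': len(codes), 'not_found': n404, 'total': len(win)}
                break
    return alerts
```

Run against the sample, only 10.0.0.9 is flagged (seven distinct codes and four 404s within three seconds), while 10.0.0.5’s two ordinary language switches are left alone.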
