Information Security

Hacking OWASP’s Juice Shop Pt. 60: Extra Language

Posted on by codeblue04

Challenge: 

Name:  Extra Language

Description: Retrieve the language file that never made it into production.

Difficulty: 5 star

Category: Broken Anti-Automation

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-anti-automation.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

Solution Guide

Methodology: 

In the expanded description for this challenge it is suggested that I figure out how the language changes take place, then either find the correct language code via either brute force (which is implied to take significant time), or to investigate what languages are available in this format.

Fair enough. I began by changing the language from English to Spanish (because I’d like to use the three quarters of Spanish I took at some point) and intercepted the packet to see how the server both received that update, and how it applied that update.

Dashboard Target Intruder Repea HIT P history WebSockets history Request to http://localhost:3000 [12700 ntercept Param s Headers Actions ISON web Tok pretty 'assets/i18n/es ES.json HIT P/ 1.1 Host: local host 3000 User-Agent: MoziIIa/S.O (X 11; Linux x86

Then, to be thorough, I changed the language several more times to see if a pattern emerged in the language codes.

'assets/i18n/de Däjson 'assets,'i18n/emJson 'assets/i18n/emJson 'assets/i18n/es ES json 'assets/i18n/et Eäjson

Sure enough, they were primarily in two formats: xx_XX.json or xx.json.

Response Headers Pretty Raw Render 200 0K Actions 12 14 16 : Access-Cont rol -Allow-Origin: X-Content -Type-options: nosniff X-Frame-options: SAMEORIGIN Feature-policy: payment 'self' Accept -Ranges: bytes Cache-Cont rot: public, max-age=O Last -Modified: Mon, 14 sep 2020 Gl•rr a-rag: 78de-1748baa3998 Content -Type: application/ j son; charset=UTF-8 Vary: Accept -Encoding Date: wed, 09 Dec 2020 GI•TT Connection: close Content -Length: 30942 " LANGUAGE" 'NAV SEARCH " Espafiol_ " "Buscar' , SEARCH PLACEHOLDER " "auscar. Queja , 'NAV COMPLAIN' ' : "Inicio de sesiön' , "TITLE LOGIN' "Por favor, indique una direcciön de correo 'MANDATORY EMAIL "MANDATORY PASS,NORD" "Por favor, indique una cont rasefia. " LABEL " LABEL " LONER " UPPER "Direcciön de correo" , EMAIL" Cont rasefia" , PASS,NORD' " "Most rar ayuda para cont raseria PASSAORD ADVICE CASE CRITERIA MSG CASE CRITERIA MSG 'contiene al menos un carécter 'contiene al menos un caråcter minüscula mayüscula

When the server responded to these requests, it sent a large JSON object back containing 30k+ bits of text.

Knowing that my task was to find an unlisted language, I sought out a list of i18n formatted language file names, eventually finding a very long list of file names in a GitHub repository.

From there, I used Burp Suite’s Intruder tool to execute a “Sniper” attack, spamming the server with requests for every language file listed within the repository.

Dashboard Target Target Repeater Sequencer Decoder Comparer Extender Payloads Options O Payload Positions Configure the positions where payloads will be inserted into the base request The attacktype determines Attack type Sniper HTTP/I.I Host: local host 3000 User-Agent: MoziIIa/S.O (X 11; Linux x86 64; application/ j son, text/ plain, 4 Accept S Accept -Language: en-lJS, Accept -Encoding: gzip, deflate rv.78.o) Gecko,'20100101 Firefox,'78.o
Attac k Save Columns Target Positions Filter: Showing all items Requ est Payload th el hi IN SA bg_8G de es de he IL Payloads Options Status Error o o o o o o o o o o o o o o Timeout o o o o o o o o o o o o o o Lengt 37155 36614 35078 34521 33423 32834 31465 31418 31366 31366 31257 30375 30268 30205 o Comment Contains a JWT Contains a JWT Contains a JWT Contains a JWT Contains a JWT Contains a JWT Contains a JWT Contains a JWT Contains a Jw-r Contains a JWT Contains a JWT Contains a JWT Contains a JWT Contains

Lots of languages returned properly, but judging by the fact that I wasn’t greeted with a green banner, I knew that the correct code hadn’t been requested. With over 300 language files tested (using Burp’s painfully throttled mechanism instead of my currently broken wfuzz application), and still no luck, I gave in and read the Solution Guide entry, learning that I should have read the Companion Guide’s Translation page, where I could have linked to another page listing all of the available languages, one of which was Klingon using the code “tlh_AA”. Boy am I glad I didn’t opt for brute force, because I still wouldn’t have found it.

Projects Arabic 22% 22% Chinese Simplified 100% 100% Dutch 80% German 100% 100% Hungarian About Crowdin Azerbaijani Chinese Traditional 100% Estonian German, Switzerland Indonesian Bulgarian Chinese Traditional, Hong Kong Finnish G reek Italian Burmese Czech French 43% Hebrew Japanese Catalan Danish Georgian Hindi Lkling6H
Sa lahendasid edukalt väljakutse: Extra Language (Retrieve the language file that never made it into production.) X

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s