Name: Leaked Access Logs
Description: Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)
Difficulty: 5 star
Category: Sensitive Data Exposure
Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html
Tools: Burp Suite, FoxyProxy
The expanded description for this challenge is borderline explicit about where to begin. It mentions “a very popular help platform for developers”, which can only mean Stack Overflow. After (checking the first solution guide bullet point to get the correct tag and…) a brief search, a pair of questions stood out. From spending so much time with the Developer Backup challenge, I knew that “morgan” (the Express request logger) was part of Juice Shop.
The Pastebin link lined up perfectly with another part of the expanded description, which mentioned “a platform often used to share data quickly”.
Knowing that I was searching for a password, and also that the password reset link contains the word “current”, I searched the paste file and found both the current and new passwords for an unknown user.
Then it was a matter of setting up a Burp Suite Intruder Sniper attack to spray the recovered password across the user table’s email addresses.
No luck. OK, back to the paste to see if something’s wrong there.
The “new” and “repeat” fields had been filled in with different values, so the password change would have been rejected, meaning the “current” password was almost certainly still the current password.
And yet it was not. The percent signs, however, indicated that the passwords I had scraped from the paste file were URL encoded, so I used Burp Suite’s Decoder to turn the password back into plain text.
Of course, one of the characters that had been encoded turned out to be Burp Intruder’s payload-position delimiter. With Burp off the table, I cycled manually through the user table’s email addresses in the login form until I found the right one.
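The decoding step above, as an added example that is not part of the original write-up: a leaked password-change request body is form-encoded, so any special character in a password arrives percent-encoded and is useless until decoded. The sample body below is constructed for illustration (it is not the real paste), and the field names `current`, `new` and `repeat` are assumed from the write-up's description of the form.

```python
from urllib.parse import parse_qs

# Constructed sample of a leaked, form-encoded password-change request body.
# Special characters are percent-encoded ($ -> %24, & -> %26, + -> %2B).
SAMPLE_PASTE = "current=Pa%24%24w0rd%26Co&new=n3w%2Bpass&repeat=n3w%2Bpas"


def decode_form_body(body):
    """Return {field: decoded value} for a URL-encoded form body.

    parse_qs handles both the '&'-splitting and the percent-decoding, which is
    why the '%26' inside the current password does not break the field split.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def pick_candidate_password(fields):
    """Decide which leaked value is most likely the account's live password.

    If 'new' and 'repeat' disagree, the change request would have been
    rejected, so 'current' is still the live password. If they agree, the
    change probably succeeded and 'new' is the live one.
    """
    if fields.get("new") != fields.get("repeat"):
        return fields["current"]
    return fields["new"]


def has_percent_encoding(value):
    """True when a scraped string still carries %XX escapes and needs decoding."""
    return "%" in value and any(
        value[i + 1:i + 3].isalnum() and len(value[i + 1:i + 3]) == 2
        for i, ch in enumerate(value) if ch == "%"
    )


if __name__ == "__main__":
    decoded = decode_form_body(SAMPLE_PASTE)
    print(decoded)                              # plain-text field values
    print(pick_candidate_password(decoded))     # Pa$$w0rd&Co
```

The raw value `Pa%24%24w0rd%26Co` would never match the stored password; only the decoded `Pa$$w0rd&Co` can. The same check applies to anything scraped from a paste or a log: if it contains `%XX` sequences, decode before use.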
Prevention and Mitigation Strategies:
OWASP Credential Stuffing Prevention Cheat Sheet
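As an added example of the mitigations the cheat sheet describes, not code from the write-up or from Juice Shop: a sliding-window throttle that counts failed logins per account and per source IP, and flags the pattern this challenge relied on (one source trying the same credentials against many different accounts), plus a check of candidate passwords against a breach corpus. The breached-password set and window limits are constructed for illustration; a real deployment would query a breach service instead of embedding a list.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed breach corpus, stored as SHA-1 hex like the HIBP dataset.
# Assumed values for illustration only.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "Pa$$w0rd&Co")
}


def is_breached(password):
    """True if the password appears in the (constructed) breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


class LoginThrottle:
    """Sliding-window counters over failed logins, keyed by account and by IP."""

    def __init__(self, window_s=300, per_account_limit=5,
                 per_ip_limit=20, distinct_accounts_limit=10):
        self.window_s = window_s
        self.per_account_limit = per_account_limit
        self.per_ip_limit = per_ip_limit
        self.distinct_accounts_limit = distinct_accounts_limit
        self._by_ip = defaultdict(deque)       # ip -> deque of (ts, account)
        self._by_account = defaultdict(deque)  # account -> deque of ts

    def _expire(self, dq, now, ts_of):
        # Drop events older than the window from the front of the deque.
        while dq and ts_of(dq[0]) < now - self.window_s:
            dq.popleft()

    def record_failure(self, ip, account, now=None):
        now = time.time() if now is None else now
        self._by_ip[ip].append((now, account))
        self._by_account[account].append(now)

    def block_reason(self, ip, account, now=None):
        """Return a reason string if this attempt should be refused, else None."""
        now = time.time() if now is None else now
        ip_events = self._by_ip[ip]
        self._expire(ip_events, now, ts_of=lambda e: e[0])
        acct_events = self._by_account[account]
        self._expire(acct_events, now, ts_of=lambda t: t)

        if len(acct_events) >= self.per_account_limit:
            return "account: too many failures"
        if len(ip_events) >= self.per_ip_limit:
            return "ip: too many failures"
        # One source failing against many distinct accounts is the signature
        # of credential stuffing / password spraying, even if each account
        # individually stays under its limit.
        if len({acct for _, acct in ip_events}) >= self.distinct_accounts_limit:
            return "ip: failures spread across many accounts"
        return None


if __name__ == "__main__":
    throttle = LoginThrottle()
    base = time.time()
    for i in range(10):   # constructed spray: one IP, ten different accounts
        throttle.record_failure("10.0.0.1", f"user{i}@example.com", now=base + i)
    print(throttle.block_reason("10.0.0.1", "victim@example.com", now=base + 11))
    print(is_breached("Pa$$w0rd&Co"))
```

Either signal alone is weak: per-account lockout is trivially evaded by spreading attempts across accounts, and per-IP counting is evaded by spreading attempts across sources, which is why the distinct-account check and a breach-corpus check at password-set time belong alongside them.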
Lessons Learned and Things Worth Mentioning:
- Always check for URL encoding.
- Sometimes all it takes is a small hint above the expanded description to make the rest of the challenge come together.