Name: Kill Chatbot
Description: Permanently disable the support chatbot so that it can no longer answer customer queries.
Difficulty: 5 star
Category: Vulnerable Components
Expanded Description: https://pwning.owasp-juice.shop/part2/vulnerable-components.html
Solution Guide: https://pwning.owasp-juice.shop/appendix/solutions.html
The expanded description for this challenge heavily suggests that the vulnerability to exploit has something to do with the code which runs the bot. First things first, I found the package which runs the bot in the application-configuration file: "juicy-chat-bot".
Here I found that there’s a GitHub repository for the package, so I went there and downloaded the package.
Next, I checked out what the dependencies were, thinking there may be a library here which has a known vulnerability to exploit.
So I went to the Solution Guide and found this string: admin"); process=null; users.addUser("1337", "test
This string inserts JS code into the “username” field which kills the bot, something I’m still trying to wrap my head around.
Prevention and Mitigation Strategies:
OWASP Vulnerable Dependency Management Cheat Sheet
Lessons Learned and Things Worth Mentioning: