InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Hacking OWASP Juice Shop: Part 4 — Exploiting Payment and Input Validation Loopholes

In the Name of Allah, the Most Beneficent, the Most Merciful.
All the praises and thanks be to Allah, the Lord of the ‘Alamin (mankind, jinns and all that exists).

callgh0st
Published in InfoSec Write-ups
4 min read · Aug 4, 2024

I hope you enjoyed Part 1, Part 2 and Part 3. Part 4 covers further vulnerabilities in OWASP Juice Shop: bypassing payment restrictions, exploiting missing input validation, and abusing weak authorization controls. Every finding below has the same shape: the frontend enforces a rule that the backend never re-checks, so anyone who can edit a request in an intercepting proxy can do what the UI refuses to do.

NOTE: I’ll add an important narrative at the end.

I tried to create an account with blank credentials, but the UI would not allow it. So I registered a dummy account, intercepted the registration request in Burp Suite, and sent it to Repeater. I then removed the email and password fields and resent the request. It succeeded, and I was able to log in with empty credentials.

Sixteenth vulnerability: Account creation with blank credentials by modifying the request payload.

I also obtained a Deluxe Membership without paying for it. I intercepted the checkout request, whose body was originally:

{"paymentMode":"card","paymentId":7}

I changed it to:

{"paymentMode":"","paymentId":0}

I sent the modified request and the account was upgraded to Deluxe without any payment. The server accepts a paymentMode it does not recognise and still grants the upgrade without confirming that a charge was made. This is a business-logic flaw in the payment step, not something that stricter checks in the frontend could fix.

Seventeenth vulnerability: Obtaining a Deluxe Membership without payment by modifying the checkout request payload.
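The following is an added example written for this write-up; it is not code from the write-up itself or from OWASP Juice Shop. It models the logic flaw behind the seventeenth finding: an upgrade handler that branches on paymentMode and, when the value matches no branch, falls through to granting Deluxe status without charging anything. A hardened version sits beside it. The wallet, the card table, the price of 49, the status codes and all function names are constructed for the example.

```javascript
// Added example, not code from the write-up or from OWASP Juice Shop.
// Models the Deluxe Membership bypass: the vulnerable handler grants the
// upgrade for any paymentMode it does not explicitly handle; the hardened
// one fails closed. Wallet, card table, price and names are all constructed.

const DELUXE_PRICE = 49;

// Constructed in-memory state standing in for the user's database row.
function makeState() {
  return {
    wallet: { balance: 100 },
    cards: new Map([[7, { id: 7, last4: '4242' }]]),
    charges: [],
    deluxe: false,
  };
}

// Vulnerable: only "wallet" and "card" are handled, but the upgrade after the
// if/else chain runs for every other value too. {"paymentMode":"","paymentId":0}
// takes neither branch, records no charge, and still sets deluxe = true.
function upgradeDeluxeVulnerable(state, body) {
  if (body.paymentMode === 'wallet') {
    if (state.wallet.balance < DELUXE_PRICE) {
      return { status: 402, error: 'insufficient funds' };
    }
    state.wallet.balance -= DELUXE_PRICE;
  } else if (body.paymentMode === 'card') {
    const card = state.cards.get(body.paymentId);
    if (!card) return { status: 400, error: 'unknown card' };
    state.charges.push({ via: 'card', cardId: card.id, amount: DELUXE_PRICE });
  }
  state.deluxe = true;
  return { status: 200, deluxe: true };
}

// Hardened: the mode is checked against an allow-list up front, every accepted
// mode produces a receipt, and the flag is set only once a receipt exists. An
// unexpected mode is a rejected request, not a free upgrade.
const PAYMENT_MODES = new Set(['wallet', 'card']);

function upgradeDeluxeHardened(state, body) {
  const src = body !== null && typeof body === 'object' ? body : {};
  if (state.deluxe) return { status: 409, error: 'already a deluxe member' };
  if (!PAYMENT_MODES.has(src.paymentMode)) {
    return { status: 400, error: 'unsupported payment mode' };
  }

  let receipt;
  if (src.paymentMode === 'wallet') {
    if (state.wallet.balance < DELUXE_PRICE) {
      return { status: 402, error: 'insufficient funds' };
    }
    state.wallet.balance -= DELUXE_PRICE;
    receipt = { via: 'wallet', amount: DELUXE_PRICE };
  } else {
    // paymentId must be an integer naming one of this user's cards; a string
    // "7" or a 0 is rejected rather than coerced.
    const id = Number.isInteger(src.paymentId) ? src.paymentId : NaN;
    const card = state.cards.get(id);
    if (!card) return { status: 400, error: 'unknown card' };
    receipt = { via: 'card', cardId: card.id, amount: DELUXE_PRICE };
  }

  // Defensive: never flip the flag unless a full-price receipt exists.
  if (!receipt || receipt.amount !== DELUXE_PRICE) {
    return { status: 500, error: 'no charge recorded' };
  }
  state.charges.push(receipt);
  state.deluxe = true;
  return { status: 200, deluxe: true, receipt };
}
```

The difference that matters is where the upgrade sits relative to the branches: in the vulnerable version it is unconditional after the chain, so any value that is not "wallet" or "card" is effectively a free tier; in the hardened version the allow-list check and the receipt requirement make the default path a rejection.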

The UI does not allow a zero-star rating, so I intercepted the feedback request, changed the rating from 1 to 0, and submitted it successfully.

Eighteenth vulnerability: Bypassing frontend rating restrictions by modifying the request payload to allow zero-star ratings.

Bully Chatbot: Receiving a coupon code from the support chatbot

I tried various prompts, but the chatbot did not initially give up a coupon code. I noticed that when I repeatedly sent “need coupon code”, the responses varied. After persisting, I eventually received a coupon code.

Nineteenth vulnerability: Manipulating the support chatbot to receive a coupon code through repeated prompts.

I found an XSS vulnerability in the search bar. Entering the following payload in the search field:

><iframe src="javascript:alert(`hubb`)">

triggers an alert box with the message “hubb”. The search term is reflected into the page unescaped, so the injected iframe is parsed as markup and its javascript: URL executes.

Twentieth vulnerability: Cross-site scripting (XSS) in the search bar through injection of an iframe with a javascript: src. The search term is rendered into the page by the client-side code, so this is a DOM-based XSS.
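The following is an added example written for this write-up; it is not code from the write-up itself or from OWASP Juice Shop. It reproduces the sink behind the twentieth finding in miniature: a search term taken from the URL is interpolated into markup unescaped, so the write-up's payload becomes a real iframe element, while the safe version HTML-escapes the term so it stays text. The sample URL, the heading markup and the helper names are constructed for the example.

```javascript
// Added example, not code from the write-up or from OWASP Juice Shop.
// Shows an unescaped search-term sink next to its escaped replacement, using
// the write-up's own payload as input. URL, markup and names are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape for an HTML text or double-quoted attribute context. Note that a
// javascript: URL placed into an href/src is a different context; that needs
// URL scheme validation, not character escaping.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Pull the search term out of the page URL, as a search component typically
// does with the query string.
function extractQuery(pageUrl) {
  return new URL(pageUrl).searchParams.get('q') ?? '';
}

// Vulnerable: the term is dropped into the HTML string as-is. Assigning this
// to innerHTML (or marking it trusted with Angular's bypassSecurityTrustHtml)
// makes the browser parse the iframe and run its javascript: src.
function renderSearchHeadingVulnerable(query) {
  return `<h3>Search results for ${query}</h3>`;
}

// Safe: same markup, escaped term. The browser shows the literal text
// ><iframe ...> and creates no element.
function renderSearchHeadingSafe(query) {
  return `<h3>Search results for ${escapeHtml(query)}</h3>`;
}

// Minimal check: is there any tag inside the <h3> other than the wrapper
// itself? Not an HTML parser, just enough to tell the two renderings apart.
function containsInjectedTag(html) {
  const inner = html.replace(/^<h3>/, '').replace(/<\/h3>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// The write-up's payload, as it would arrive in a (constructed) query string.
const PAYLOAD = '><iframe src="javascript:alert(`hubb`)">';
const SAMPLE_URL = 'https://juice.example/search?q=' + encodeURIComponent(PAYLOAD);

// Stand-alone run: print both renderings for the sample URL.
const q = extractQuery(SAMPLE_URL);
console.log('vulnerable:', renderSearchHeadingVulnerable(q));
console.log('safe      :', renderSearchHeadingSafe(q));
```

Escaping at the sink is the fix for the text context shown here; if the application also builds URLs or attributes from the search term, each of those contexts needs its own encoder, and a Content-Security-Policy that forbids inline script and javascript: URLs limits the impact if one is missed.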

You can’t submit a blank review through the UI, but I was able to do so by intercepting the request in Burp Suite Repeater and clearing the review text before sending it.

Twenty-first vulnerability: Bypassing frontend restrictions to submit a blank review by modifying the request payload.
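The following is an added example written for this write-up; it is not code from the write-up itself or from OWASP Juice Shop. It shows the server-side checks whose absence lets the sixteenth, eighteenth and twenty-first findings through in one place: a registration endpoint that accepts blank or missing credentials, a feedback endpoint that accepts a zero-star rating, and a review endpoint that accepts an empty message. The field names (email, password, rating, message), the length limits and the status codes are assumptions for illustration.

```javascript
// Added example, not code from the write-up or from OWASP Juice Shop.
// Server-side validators for the three payloads the write-up bypassed by
// editing requests in Burp Repeater. Field names and limits are assumptions.
//
// Each validator takes the parsed JSON body and returns
//   { ok: true, value: {...} }   or   { ok: false, errors: [...] }.
// Nothing here relies on the browser having enforced anything: a missing key,
// the wrong JSON type and an empty or whitespace-only string are all rejected.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function asObject(body) {
  return body !== null && typeof body === 'object' && !Array.isArray(body) ? body : {};
}

// Require a string field of length min..max. `trim` controls whether
// surrounding whitespace is stripped first; passwords are deliberately not
// trimmed, since a leading space is part of the secret.
function requireString(src, name, errors, { min = 1, max = 1000, trim = true } = {}) {
  const raw = src[name];
  if (typeof raw !== 'string') {
    errors.push(`${name}: required string field is missing or not a string`);
    return undefined;
  }
  const value = trim ? raw.trim() : raw;
  if (value.length === 0) {
    errors.push(`${name}: must not be blank`);
    return undefined;
  }
  if (value.length < min) {
    errors.push(`${name}: shorter than ${min} characters`);
    return undefined;
  }
  if (value.length > max) {
    errors.push(`${name}: longer than ${max} characters`);
    return undefined;
  }
  return value;
}

// Sixteenth finding: registration with empty (or absent) email and password.
function validateRegistration(body) {
  const src = asObject(body);
  const errors = [];
  const email = requireString(src, 'email', errors, { max: 254 });
  if (email !== undefined && !EMAIL_RE.test(email)) {
    errors.push('email: not a valid address');
  }
  const password = requireString(src, 'password', errors, { min: 12, max: 128, trim: false });
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { email: email.toLowerCase(), password } };
}

// Eighteenth finding: a rating of 0. The UI offers 1 to 5 stars; the server
// must insist on an integer in that range, not a numeric-looking string.
function validateRating(body) {
  const src = asObject(body);
  const r = src.rating;
  if (typeof r !== 'number' || !Number.isInteger(r) || r < 1 || r > 5) {
    return { ok: false, errors: ['rating: must be an integer between 1 and 5'] };
  }
  return { ok: true, value: { rating: r } };
}

// Twenty-first finding: a blank review. Whitespace-only text counts as blank.
function validateReview(body) {
  const src = asObject(body);
  const errors = [];
  const message = requireString(src, 'message', errors, { max: 500 });
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { message } };
}

// What an Express-style handler would do with a result: 400 with the error
// list, otherwise continue with the cleaned value. Returned rather than sent
// so the example has no framework dependency.
function toResponse(result) {
  return result.ok
    ? { status: 200, body: result.value }
    : { status: 400, body: { errors: result.errors } };
}
```

The point of routing every field through one helper is that "present", "a string", "non-blank after trimming" and "within bounds" are checked in that order for every endpoint, so a request with the key deleted outright (as in the registration bypass) fails the same way as one with an empty string.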

That’s all for now. Thanks for reading! Don’t forget to drop a like. You can subscribe to get the next write-up delivered straight to your inbox.

Look up Parts 1, 2 & 3:

For any suggestions or corrections, kindly reach out to me:

Twitter — callgh0st

(Bukhari) “He who deceives us shall not belong with us.” (Muslim) “The signs of a hypocrite are three: Whenever he speaks, he tells a lie; and whenever he promises, he breaks his promise; and whenever he is entrusted, he betrays that trust.” (Bukhari & Muslim)
