Juice-shop: HPP Challenge?

Created on 22 Feb 2017  路  4Comments  路  Source: bkimminich/juice-shop

Thought I'd suggest that you add an HTTP Parameter Pollution challenge.

Interestingly while I was poking around the heroku instance I found the following:
1) Search is somewhat impacted, if you specify two q params and values the search result page doesn't render properly. i.e.: http://juice-shop.herokuapp.com/#/search?q=hoodie&q=lemon
2) Contact form does seem vulnerable, though tampering POST/JSON may not be everyone's cup of tea... It's also a kind of weak example and doesn't really get the "attacker" anything useful in the end.

Example:
Request:

POST /api/Feedbacks/ HTTP/1.1
Host: juice-shop.herokuapp.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://juice-shop.herokuapp.com/
Content-Type: application/json;charset=utf-8
Content-Length: 63
Cookie: io=63cDkUKnjTNXRqYLAAAj
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

{"comment":"james was here","rating":2,"comment":"so was fred"}

Response:

HTTP/1.1 200 OK
Server: Cowboy
Connection: keep-alive
X-Powered-By: Express
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: application/json; charset=utf-8
Content-Length: 150
Etag: W/"96-XqpXSFISEgqoVwW7hYfcjw"
Date: Wed, 22 Feb 2017 13:18:50 GMT
Via: 1.1 vegur

{"status":"success","data":{"comment":"so was fred","rating":2,"id":12,"updatedAt":"2017-02-22T13:18:50.000Z","createdAt":"2017-02-22T13:18:50.000Z"}}

I ran out of time to play and see what might be possible. I was hoping to come across a GET request where I could tamper something from view or add to delete or remove, but in the 20mins I had to poke around couldn't fine one.....

There might be other more simple or slick ways to implement. Anyawy, there's some food for thought.

Refs:
https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_%28OTG-INPVAL-004%29
http://blog.mindedsecurity.com/2009/05/client-side-http-parameter-pollution.html
https://www.youtube.com/watch?v=Tosp-JyWVS4


Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

challenge

Most helpful comment

So i found a Bug which allows adding products to somebody else's basket and is not listed in challenges. The following challenge can be designed around it.

hpp

All 4 comments

So i found a Bug which allows adding products to somebody else's basket and is not listed in challenges. The following challenge can be designed around it.

hpp

Yes, sir! 鈽戯笍

This thread has been automatically locked because it has not had recent activity after it was closed. :lock: Please open a new issue for regressions or related bugs.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

bkimminich picture bkimminich  路  6Comments

junathanadi picture junathanadi  路  3Comments

bkimminich picture bkimminich  路  6Comments

bkimminich picture bkimminich  路  8Comments

RezaRahmati picture RezaRahmati  路  4Comments