Juice-shop: Configurable Product Tampering Challenge URL

Created on 21 Sep 2018  路  6Comments  路  Source: bkimminich/juice-shop

Make the redirect target URL for "Redirect" challenge configureable and replace current http://kimminich.de with OWASP sign-up URL for Slack.

challenge

Most helpful comment

@bkimminich, I read the code of the challenge - according to my interpretation and tests, it can be solved for any URL which contains the whitelisted URL and does not start with one of the whitelisted URLs. For instance, I was able to solve the challenge by entering the URL "http://localhost:3000/redirect?to=https://www.google.com?pwned=https://github.com/bkimminich/juice-shop".

Please correct me if I have interpreted the issue differently. :)

All 6 comments

@bkimminich Could you elaborate how exactly should it be configurable? Thanks

Currently the challenge asks to redirect to the fixed target URL http://kimminich.de. This should become a configuration value, e.g. redirectChallengeTargetUrl: "http://kimminich.de" in the default.yml and could then be overwritten in individual customized setups. The challenge check and all tests then of course also need to use this configured value instead of the static one.

@bkimminich, I read the code of the challenge - according to my interpretation and tests, it can be solved for any URL which contains the whitelisted URL and does not start with one of the whitelisted URLs. For instance, I was able to solve the challenge by entering the URL "http://localhost:3000/redirect?to=https://www.google.com?pwned=https://github.com/bkimminich/juice-shop".

Please correct me if I have interpreted the issue differently. :)

You are totally right, for _Redirect Tier 2_ the target page correctly triggers for all non-whitelisted targets! I mixed it up with the _Product Tampering_ challenge...

There currently only the _original_ URL is configurable (see urlForProductTamperingChallenge in products list of default.yml) but the URL _to overwrite_ that one with is static (http://kimminich.de) at the moment. It would be nice to have that configurable as well via e.g. challenges.overwriteUrlForProductTamperingChallenge. Also the current tests need a bit refactoring to use both configured values as well.

@bkimminich I have submitted a PR for this issue :+1:

This thread has been automatically locked because it has not had recent activity after it was closed. :lock: Please open a new issue for regressions or related bugs.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

junathanadi picture junathanadi  路  3Comments

GraoMelo picture GraoMelo  路  7Comments

azqa picture azqa  路  7Comments

teodor440 picture teodor440  路  6Comments

bkimminich picture bkimminich  路  8Comments