Juice-shop: [猸怾 Edit another user's review

Created on 26 Oct 2020  路  5Comments  路  Source: bkimminich/juice-shop

:star: Challenge idea

Description

When editing our review, it generates a PATCH request with the review ID and its new content. IDs aren't easy to guess but we get them from the reviews list API response

Underlying vulnerability/ies

Broken access control / IDOR in comment ID

Similar to "forged feedback" and "forged review" but different.

Expected difficulty

| :heavy_check_mark: / :x: | Difficulty |
|:------------------------:|:-------------------------------------|
| :grey_question: | :star: |
| :grey_question: | :star::star: |
| :heavy_check_mark: | :star::star::star: |
| :grey_question: | :star::star::star::star: |
| :grey_question: | :star::star::star::star::star: |
| :grey_question: | :star::star::star::star::star::star: |

Possible attack flow

Attacker can use a different review ID and edit another user's review
The vulnerability already exists, but the challenge not.

challenge duplicate

All 5 comments

I was thinking of solving this, by checking the user ID for that review is same as the user ID of the requester. Please let me know if it can work

I think that would work yes 馃檪

This is already covered by the "NoSQL Manipulation" challenge, which is about editing multiple reviews at once using a NoSQLi payload on the mentioned PATCH request.

See https://pwning.owasp-juice.shop/appendix/solutions.html#update-multiple-product-reviews-at-the-same-time

Oh indeed! I was looking for simple broken access control that's why!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

GraoMelo picture GraoMelo  路  7Comments

sushi2k picture sushi2k  路  5Comments

bkimminich picture bkimminich  路  6Comments

bkimminich picture bkimminich  路  6Comments

bkimminich picture bkimminich  路  6Comments