Lab 08 Insecure Deserialization
Tomas Rosenqvist edited this page Jan 31, 2019
The Juice Shop allows customers to give feedback in the form of comments and a 1-5 star "rating" of their experience. But would it be possible to deface the store by giving it less than one star?
- Go to the "Contact us" section.
- Open the Developer tools (F12) in your browser.
- Enter a comment and solve the CAPTCHA equation, but do not select any stars for your rating.
- Notice how the submit button is disabled? Go to the Elements tab of the Developer tools and select the corresponding `<button>` tag.
- Use Devtools to enable the button.
- Submit the review.
- Go to the Network tab of the developer tools and inspect the request.
- Do you think the rating was accepted by the system?
- Click the stars to give a three-star rating.
- Solve the CAPTCHA and submit as normal.
- Inspect the corresponding request.
- Notice any difference? Do you think this rating was accepted by the system?
- Keep the request open in devtools for the next step!
- Copy the request payload JSON from your previously created three-star rating.
- Open Postman and create a new request (save it to your previous collection if you want).
- Change the request type to POST.
- Set the Body content type to Raw and change the mime type from Text to JSON (application/json).
- Paste the request payload as the body, but change the rating to 0.
- Copy the request URL from the developer tools into Postman.
- Send the request from Postman.
- How could the application be protected against this type of attack?
- What do you think of the CAPTCHA implementation in this application?
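The disabled submit button and the CAPTCHA equation only exist in the browser, so a request built in Postman never sees them. The defence is to re-validate every field on the server. The following is an added example of such a check, written for this lab and not taken from Juice Shop's code base; the field names (`comment`, `rating`, `captchaId`, `captcha`), the comment length limit and the in-memory CAPTCHA store are assumptions made for the illustration.

```javascript
// Added example (not Juice Shop's own code): server-side validation of a
// feedback submission. The client hides the submit button when no star is
// selected, but the server must re-check every field because the request
// can be crafted directly with Postman, curl or the Developer tools.

const MAX_COMMENT_LENGTH = 500; // assumed limit for the illustration

// Hypothetical in-memory store of outstanding CAPTCHA challenges keyed by
// captchaId. A real deployment would keep this in a database or cache.
const pendingCaptchas = new Map();

// Called when the server renders a CAPTCHA equation for the client.
function issueCaptcha(captchaId, answer) {
  pendingCaptchas.set(captchaId, { answer: String(answer) });
}

// Consumes the challenge on first use, so the same captchaId/answer pair
// cannot be replayed with a different payload later.
function verifyCaptcha(captchaId, answer) {
  const challenge = pendingCaptchas.get(captchaId);
  if (!challenge) return false;
  pendingCaptchas.delete(captchaId);
  return challenge.answer === String(answer);
}

// Returns { ok, errors } for a parsed JSON body. Nothing here trusts the
// client: type, presence and range are all checked explicitly.
function validateFeedback(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const { comment, rating, captchaId, captcha } = body;

  if (typeof comment !== 'string' || comment.trim().length === 0) {
    errors.push('comment is required');
  } else if (comment.length > MAX_COMMENT_LENGTH) {
    errors.push('comment is too long');
  }

  // Rating must be present, an integer and within 1..5. This rejects a
  // missing rating, 0, negatives, floats and numeric strings alike, so the
  // "less than one star" payload from the lab is refused regardless of how
  // the request was built. No coercion is done on purpose.
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    errors.push('rating must be an integer from 1 to 5');
  }

  // The CAPTCHA answer is verified against what the server issued, never
  // against a value the client supplies as the expected answer.
  if (!verifyCaptcha(captchaId, captcha)) {
    errors.push('captcha check failed');
  }

  return { ok: errors.length === 0, errors };
}

// Minimal request handler in the shape an Express route would use; it takes
// plain objects here so the example runs without the framework installed.
function handleFeedback(req, res) {
  const result = validateFeedback(req.body);
  if (!result.ok) {
    res.status = 400;
    res.body = { errors: result.errors };
    return res;
  }
  res.status = 201;
  res.body = { stored: { comment: req.body.comment, rating: req.body.rating } };
  return res;
}

// Constructed sample requests mirroring the lab: the three-star submission
// and the Postman copy of it with the rating changed to 0.
issueCaptcha('demo-1', 7);
console.log(handleFeedback({ body: { comment: 'Great juice', rating: 3, captchaId: 'demo-1', captcha: 7 } }, {}));
issueCaptcha('demo-2', 7);
console.log(handleFeedback({ body: { comment: 'Great juice', rating: 0, captchaId: 'demo-2', captcha: 7 } }, {}));
```

The rating check is the part that answers the first question above: an integer range check on the server makes the client-side button state irrelevant. Consuming the CAPTCHA challenge on first use is what stops a solved equation from being reused across many requests.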
The Juice Shop also allows customers to send more formal complaints, requests for refunds, etc. through a form. To supplement their claim, customers are permitted to send PDF documents containing receipts etc. For security purposes, the files are limited to 100Kb in size and must be PDF documents. Let's see if there's a way around the format restriction.
- Log in as any user.
- Go to the complaints section.
- Open the Developer tools (F12) and go to the Network tab.
- Submit a valid complaint (i.e. use a PDF file smaller than 100Kb).
- Inspect the corresponding request(s) in the network tab.
- Keep the request open in devtools for the next part!
- Create a new request in Postman.
- Set the type to POST.
- Copy the request URL from the request in devtools.
- Set the Body type to form-data.
- Add a new row with the key `file`.
- Set the row type to "File" and set it to a non-pdf file.
- Send the request.
- What is the risk posed to the application here?
- How could the risk be mitigated?
- If you have the time, try experimenting with the developer tools and the UI to see if you can upload a non-pdf file without using Postman.
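The filename, its extension and the multipart Content-Type are all chosen by whoever builds the request, so a server that relies on them alone accepts whatever Postman sends. The mitigation is to inspect the bytes that actually arrived. The following is an added example of that check, written for this lab and not Juice Shop's own upload code; the `{ originalname, mimetype, buffer }` shape is the one multer-style middleware provides and is assumed here, and the sample files are constructed inline.

```javascript
// Added example (not Juice Shop's own code): server-side checks for a
// complaint attachment. Size and file type are verified from the received
// bytes; the client-supplied name and declared type are only cross-checked.

const MAX_UPLOAD_BYTES = 100 * 1024;            // the lab's 100Kb limit
const PDF_MAGIC = Buffer.from('%PDF-', 'ascii'); // every PDF starts with this header

// True when the first bytes carry the PDF header, regardless of filename.
function looksLikePdf(buffer) {
  return buffer.length >= PDF_MAGIC.length &&
    buffer.subarray(0, PDF_MAGIC.length).equals(PDF_MAGIC);
}

// file: { originalname, mimetype, buffer } (assumed multer-style shape).
// Returns { ok, errors } listing every failed check.
function validateUpload(file) {
  if (!file || !Buffer.isBuffer(file.buffer)) {
    return { ok: false, errors: ['no file received'] };
  }
  const errors = [];

  if (file.buffer.length === 0) errors.push('file is empty');
  if (file.buffer.length > MAX_UPLOAD_BYTES) {
    errors.push(`file exceeds ${MAX_UPLOAD_BYTES} bytes`);
  }

  // Content check: this is the one that a renamed .txt or .exe fails.
  if (!looksLikePdf(file.buffer)) errors.push('file content is not a PDF');

  // Extension and declared type are checked as a second opinion only: a
  // mismatch is rejected, but a match proves nothing by itself.
  if (typeof file.originalname !== 'string' || !/\.pdf$/i.test(file.originalname)) {
    errors.push('filename must end in .pdf');
  }
  if (file.mimetype !== 'application/pdf') {
    errors.push('declared type must be application/pdf');
  }

  return { ok: errors.length === 0, errors };
}

// The stored name is generated server-side from the user id and a counter
// so the original filename never becomes part of a path on disk.
let uploadCounter = 0;
function storageName(userId) {
  uploadCounter += 1;
  return `complaint-${String(userId).replace(/[^0-9a-z]/gi, '')}-${uploadCounter}.pdf`;
}

// Constructed sample uploads (not real documents):
const SAMPLE_PDF = Buffer.concat([
  Buffer.from('%PDF-1.4\n', 'ascii'),
  Buffer.from('1 0 obj << /Type /Catalog >> endobj\n%%EOF\n', 'ascii'),
]);
const SAMPLE_TEXT_RENAMED = Buffer.from('just a text file with a .pdf name\n', 'ascii');
const SAMPLE_OVERSIZED = Buffer.concat([PDF_MAGIC, Buffer.alloc(MAX_UPLOAD_BYTES, 0x20)]);

console.log(validateUpload({ originalname: 'receipt.pdf', mimetype: 'application/pdf', buffer: SAMPLE_PDF }));
console.log(validateUpload({ originalname: 'notes.pdf', mimetype: 'application/pdf', buffer: SAMPLE_TEXT_RENAMED }));
console.log(validateUpload({ originalname: 'big.pdf', mimetype: 'application/pdf', buffer: SAMPLE_OVERSIZED }));
```

The header check catches the Postman variant of the lab (a non-PDF sent under the `file` key) and the DevTools variant alike, because neither changes the bytes that arrive. For a stricter check the server can additionally parse the document with a PDF library and reject anything that does not parse, and it should serve stored attachments with a fixed `Content-Type: application/pdf` and a download disposition so the browser never interprets them as something else.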