
Add new "Missing Encoding" challenge

bkimminich committed Nov 1, 2019
1 parent 38946db commit 11836cd1a283a278b9b20a542bba7c2721e374f3
Showing with 33 additions and 0 deletions.
  1. +8 −0 data/static/challenges.yml
  2. +2 −0 routes/verify.js
  3. +1 −0 server.js
  4. +5 −0 test/api/fileServingSpec.js
  5. +8 −0 test/e2e/directAccessSpec.js
  6. +9 −0 test/server/verifySpec.js
@@ -726,4 +726,12 @@
hint: 'Before you invest time bypassing the API, you might want to play around with the UI a bit.'
hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#give-a-devastating-zero-star-feedback-to-the-store'
key: zeroStarsChallenge
-
name: 'Missing Encoding'
category: 'Improper Input Validation'
description: 'Retrieve the photo of Bjoern''s cat in "melee combat-mode".'
difficulty: 1
hint: 'Check the Photo Wall for an image that could not be loaded correctly.'
hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#retrieve-the-photo-of-bjoerns-cat-in-melee-combat-mode'
key: missingEncodingChallenge

@@ -67,6 +67,8 @@ exports.accessControlChallenges = () => ({ url }, res, next) => {
utils.solve(challenges.retrieveBlueprintChallenge)
} else if (utils.notSolved(challenges.securityPolicyChallenge) && utils.endsWith(url, '/security.txt')) {
utils.solve(challenges.securityPolicyChallenge)
} else if (utils.notSolved(challenges.missingEncodingChallenge) && utils.endsWith(url, '/%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg')) {
utils.solve(challenges.missingEncodingChallenge)
} else if (utils.notSolved(challenges.accessLogDisclosureChallenge) && url.match(/access\.log(0-9-)*/)) {
utils.solve(challenges.accessLogDisclosureChallenge)
}
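Review bot: The new `endsWith` branch on L34 compares the raw `url`, which Express leaves percent-encoded, so the challenge is only marked solved for the exact byte spelling `%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-…`; a request using an equivalent lowercase-hex encoding (`%f0%9f%98%bc-%23…`) presumably still gets the same file from the static handler (which decodes before lookup) but never triggers `utils.solve`. Since this middleware only detects a solve and gates nothing, the impact is a false negative rather than an access-control issue, but it is an avoidable one: decode once, guard against `decodeURIComponent` throwing on malformed sequences, and compare against the decoded name (`%F0%9F%98%BC` is U+1F63C, written below as an escape to keep the source ASCII). `accessControlChallenges` starts before the hunk and its else-if chain continues past it, so the helper would go above the function.
```javascript
// req.url is still percent-encoded here; compare the decoded path so equivalent
// spellings (e.g. lowercase hex) also count. Malformed escapes fall back to the raw string.
const decodePath = (rawUrl) => {
  try {
    return decodeURIComponent(rawUrl)
  } catch (err) {
    return rawUrl
  }
}
// … unchanged: earlier else-if branches of accessControlChallenges …
} else if (utils.notSolved(challenges.missingEncodingChallenge) && utils.endsWith(decodePath(url), '/\u{1F63C}-#zatschi-#whoneedsfourlegs-1572600969477.jpg')) {
  utils.solve(challenges.missingEncodingChallenge)
```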
@@ -160,6 +160,7 @@ app.use(robots({ UserAgent: '*', Disallow: '/ftp' }))
/* Checks for challenges solved by retrieving a file implicitly or explicitly */
app.use('/assets/public/images/padding', verify.accessControlChallenges())
app.use('/assets/public/images/products', verify.accessControlChallenges())
app.use('/assets/public/images/uploads', verify.accessControlChallenges())
app.use('/assets/i18n', verify.accessControlChallenges())

/* Checks for challenges solved by abusing SSTi and SSRF bugs */
@@ -136,6 +136,11 @@ describe('Hidden URL', () => {
.expect('status', 200)
})

it('GET crazy cat photo for "Missing Encoding" challenge', () => {
return frisby.get(URL + '/assets/public/images/uploads/%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg')
.expect('status', 200)
})

it('GET folder containing access log files for "Access Log" challenge', () => {
return frisby.get(URL + '/support/logs/access.log.' + utils.toISO8601(new Date()))
.expect('status', 200)
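Review bot: The new spec on L51-L54 asserts only `status 200`, which would also pass if the server answered the path with a fallback page instead of the image (whether it does for unknown paths is not visible here). Pinning the response type makes the test actually prove the photo is served: add `.expect('header', 'content-type', /image\/jpeg/)` after the status expectation. The same percent-encoded literal now appears in this spec, `verify.js` and two other specs; hoisting it into one shared test constant would keep them from drifting apart if the upload is ever renamed.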
@@ -50,6 +50,14 @@ describe('/', () => {
protractor.expect.challengeSolved({ challenge: 'Retrieve Blueprint' })
})

describe('challenge "missingEncoding"', () => {
it('should be able to access the crazy cat photo', () => {
browser.driver.get(browser.baseUrl + '/assets/public/images/uploads/%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg')
})

protractor.expect.challengeSolved({ challenge: 'Missing Encoding' })
})

describe('challenge "securityPolicy"', () => {
it('should be able to access the security.txt file', () => {
browser.driver.get(browser.baseUrl + '/.well-known/security.txt')
@@ -115,6 +115,15 @@ describe('verify', () => {
expect(challenges.retrieveBlueprintChallenge.solved).to.equal(true)
})

it('"missingEncodingChallenge" is solved when the crazy cat photo is requested', () => {
challenges.missingEncodingChallenge = { solved: false, save: this.save }
this.req.url = 'http://juice-sh.op/public/images/uploads/%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg'

verify.accessControlChallenges()(this.req, this.res, this.next)

expect(challenges.missingEncodingChallenge.solved).to.equal(true)
})

it('"accessLogDisclosureChallenge" is solved when any server access log file is requested', () => {
challenges.accessLogDisclosureChallenge = { solved: false, save: this.save }
this.req.url = 'http://juice-sh.op/support/logs/access.log.2019-01-15'
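Review bot: The new case on L78-L85 only covers the positive path; nothing pins that another file under `public/images/uploads/` leaves `missingEncodingChallenge` unsolved, which is what guards the `endsWith` condition against being loosened later. A negative companion case, written in the same fixture style as the surrounding tests, closes that gap. The `describe('verify')` block starts and ends outside the hunk.
```javascript
it('"missingEncodingChallenge" is not solved when a different upload is requested', () => {
  challenges.missingEncodingChallenge = { solved: false, save: this.save }
  this.req.url = 'http://juice-sh.op/public/images/uploads/some-other-upload.jpg'

  verify.accessControlChallenges()(this.req, this.res, this.next)

  expect(challenges.missingEncodingChallenge.solved).to.equal(false)
})
```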
