Remove CISO login challenge

(resolves #1491)
juice-shop · Apr 28, 2021 · 2c3c498 · 2c3c498
1 parent 7a0b1d3
commit 2c3c498
Show file tree

Hide file tree

Showing 6 changed files with 1 addition and 76 deletions.
diff --git a/config.schema.yml b/config.schema.yml
@@ -381,11 +381,6 @@ ctf:
         type: string
       code:
         type: string
-    loginCisoChallenge:
-      name:
-        type: string
-      code:
-        type: string
     loginSupportChallenge:
       name:
         type: string

diff --git a/config/fbctf.yml b/config/fbctf.yml
@@ -132,9 +132,6 @@ ctf:
     oauthUserPasswordChallenge:
       name: South Sudan
       code: SS
-    loginCisoChallenge:
-      name: Angola
-      code: AO
     loginSupportChallenge:
       name: Croatia
       code: HR

diff --git a/data/static/challenges.yml b/data/static/challenges.yml
@@ -470,17 +470,6 @@
   hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#log-in-with-bjoerns-gmail-account'
   mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
   key: oauthUserPasswordChallenge
--
-  name: 'Login CISO'
-  category: 'Broken Authentication'
-  tags:
-    - Code Analysis
-  description: 'Exploit OAuth 2.0 to log in with the Chief Information Security Officer''s user account.'
-  difficulty: 5
-  hint: 'Don''t try to beat Google''s OAuth 2.0 service. Rather investigate implementation flaws on OWASP Juice Shop''s end.'
-  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#exploit-oauth-20-to-log-in-with-the-cisos-user-account'
-  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
-  key: loginCisoChallenge
 -
   name: 'Login Jim'
   category: 'Injection'

diff --git a/routes/login.ts b/routes/login.ts
@@ -30,14 +30,7 @@ module.exports = function login () {
     models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: models.User, plain: true }) // vuln-code-snippet vuln-line loginAdminChallenge loginBenderChallenge loginJimChallenge
       .then((authenticatedUser) => {
         let user = utils.queryResultToJson(authenticatedUser)
-        const rememberedEmail = security.userEmailFrom(req)
-        if (rememberedEmail && req.body.oauth) {
-          models.User.findOne({ where: { email: rememberedEmail } }).then(rememberedUser => {
-            user = utils.queryResultToJson(rememberedUser)
-            utils.solveIf(challenges.loginCisoChallenge, () => { return user.data.id === users.ciso.id }) // vuln-code-snippet hide-line
-            afterLogin(user, res, next)
-          })
-        } else if (user.data?.id && user.data.totpSecret !== '') {
+        if (user.data?.id && user.data.totpSecret !== '') {
           res.status(401).json({
             status: 'totp_token_required',
             data: {

diff --git a/test/api/loginApiSpec.ts b/test/api/loginApiSpec.ts
@@ -11,11 +11,6 @@ const config = require('config')
 const API_URL = 'http://localhost:3000/api'
 const REST_URL = 'http://localhost:3000/rest'
 
-const customHeader = {
-  'X-User-Email': 'ciso@' + config.get('application.domain'),
-  Authorization: 'Bearer ' + security.authorize(),
-  'content-type': 'application/json'
-}
 const jsonHeader = { 'content-type': 'application/json' }
 
 describe('/rest/user/login', () => {
@@ -240,20 +235,6 @@ describe('/rest/user/login', () => {
     })
       .expect('status', 401)
   })
-
-  it('POST OAuth login as admin@juice-sh.op with "Remember me" exploit to log in as ciso@' + config.get('application.domain'), () => {
-    return frisby.post(REST_URL + '/user/login', {
-      headers: customHeader,
-      body: {
-        email: 'admin@' + config.get('application.domain'),
-        password: 'admin123',
-        oauth: true
-      }
-    })
-      .expect('status', 200)
-      .expect('header', 'content-type', /application\/json/)
-      .expect('json', 'authentication', { umail: 'ciso@' + config.get('application.domain') })
-  })
 })
 
 describe('/rest/saveLoginIp', () => {

diff --git a/test/e2e/loginSpec.ts b/test/e2e/loginSpec.ts
@@ -139,36 +139,6 @@ describe('/#/login', () => {
     protractor.expect.challengeSolved({ challenge: 'Login Bjoern' })
   })
 
-  describe('challenge "loginCiso"', () => {
-    it('should be able to log in as ciso@juice-sh.op by using "Remember me" in combination with (fake) OAuth login with another user', () => {
-      email.sendKeys(`ciso@${config.get('application.domain')}`)
-      password.sendKeys('wrong')
-      browser.executeScript('document.getElementById("rememberMe-input").removeAttribute("class");')
-      rememberMeCheckbox.click()
-      loginButton.click()
-
-      browser.executeScript(baseUrl => {
-        const xhttp = new XMLHttpRequest()
-        xhttp.onreadystatechange = function () {
-          if (this.status === 200) {
-            console.log('Success')
-          }
-        }
-        xhttp.open('POST', `${baseUrl}/rest/user/login`, true)
-        xhttp.setRequestHeader('Content-type', 'application/json')
-        xhttp.setRequestHeader('Authorization', `Bearer ${localStorage.getItem('token')}`)
-        xhttp.setRequestHeader('X-User-Email', localStorage.getItem('email'))
-        xhttp.send(JSON.stringify({ email: 'admin@juice-sh.op', password: 'admin123', oauth: true }))
-      }, browser.baseUrl)
-
-      // Deselect to clear email field for subsequent tests
-      rememberMeCheckbox.click()
-      loginButton.click()
-    })
-
-    protractor.expect.challengeSolved({ challenge: 'Login CISO' })
-  })
-
   describe('challenge "ghostLogin"', () => {
     it('should be able to log in as chris.pike@juice-sh.op by using `\' or deletedAt IS NOT NULL --`', () => {
       email.sendKeys('\' or deletedAt IS NOT NULL--')