Exploitation

Welcome back to Broken Authentication session. In this second part, we will exploit several authentication flaws in our intentionally vulnerable application to get access as admin. We will jump straight to the hands-on exploitation. At the end, we will wrap up exploited issues, which we will discuss in more detail in the third and last part of this session. Let’s hack. Let’s start creating a regular user account.

Before submitting the request, let’s pop up Developer Tool so that we can monitor the network traffic.

This would be the sign-up requests, let’s have a look into the request details.

The request body includes our account details where we can see our weak passwords.

We can now log in.

Next, we will try to recover our one password.

Again, let’s first pop up Developer Tools.

While we were typing, several requests were made to the security security-question endpoint. Let’s inspect the last one, which has our complete email address.

Our email address was sent in the requests, and the server returned our security question.

How does the server response look for an email address which does not belong to a Juice Shop account?

This time, the response is empty. Based on these binary responses, we can check whether there’s an admin account.

Comparing this response with the one we’ve got with our own email address, we know that such account exists and we can try to log in.

We don’t know the password. But at least we can try to guess it.

Of course, it’s wrong, but we can do better. Let’s search for common web admin passwords.

Let’s try the first ones with at least five characters since we saw that this is the minimum required in the sign-up.

Doing this one-by one will take long, but this is exactly the type of task computers are great at doing.

The simple bash script does concurrent requests to the login endpoint based on a given email address and the list of passwords. It will stop on a successful log in attempt or at the end of the passwords list.

Let’s move the passwords list into a text file and do some cleanup.

It’s time to run our script with Juice Shop admin’s email address and our password list file.

Two seconds was the time needed to find a password on a simple workstation. Let’s now see whether it really works.

In fact, it does, and we are now logged in as admin.

We said it before, and now you have seen it in practice. Although there’s a password strength calculator in the sign-up form, strong password policies are not enforced, allowing five single-class-characters-long passwords. The recover password mechanism can be used as in Oracle to enumerate valid user accounts based on its response. And finally, the login does not implement a lockout feature based on failed login attempts, meaning that we can test as many passwords as we want for a single email address until we get the right one. In our next video, we will discuss what makes the application vulnerable and how to prevent it.