The challenges we’re going to solve are the following:
Log into the application as test@bodgeitstore.com
Log into the application as user1@bodgeitstore.com
Log into the application as admin@bodgeitstore.com
Let’s begin.
Going to the application let’s go to the login page – screenshot:
Reviewing the objectives we have the username (email), but we don’t have the password… Meaning we can’t log into the application… well let’s see.
We already know the application is buggy (our favorite!) so it will not be hard to deduce that the application is not sanitizing our input. Meaning we can append certain characters in the username box and bypass entering a password to log into the application.
What possibly are these characters?
We know that for a valid login there has to be an back-end database that is used to test the username and password. We have the username, but what if we trick the database with a true statement and allow us to log into the application without entering a password.
The topic that I am talking about is SQL Injection. Doing a Google search you will see there are plenty websites dedicated to this topic.
Let’s imagine that the back-end database is the following:
SELECT valid_login FROM customers WHERE username=uname AND password=passwd;
Note: valid_login will return a boolean (TRUE/FALSE)
The username is the email that we have plus the appended characters –> test@bodgeitstore.com’ OR ‘1’=’1
Password is going to be blank.
So the above line will be:
SELECT valid_login FROM customers WHERE username=’test@bodgeitstore.com’ OR ‘1’=’1 AND password=<blank>;
The password is going to be blank.
Let’s break down the above statement
We’re closing the test@bodgeitstore.com expression, and then we’re going to include a new expression using the OR statement. The next expression is 1=1 which will ALWAYS evaluate to true (1 does equal 1).
Try it in the application and see what happens.
First, let’s configure our browser to listen through our Burp proxy.
Going to the login page, let’s add the username of test@bodgeitstore.com’ OR ‘1’=’1′, with no password, and press the Login button.
See screenshots:
We’ve successfully logged in without a valid password!
Let’s see if we can do this with the second username: user1@bodgeitstore.com
We were able to log into the application as user1, without supplying a valid password!
Let’s try username: admin@thebodgeitstore.com
Going back to the login page, let’s enter the username as admin@thebodgeitstore.com without supplying a password.
We were able to log into the application as an admin without supplying a valid password.
Hmm… we see with the admin login we have a new link – Comments. We’ll come back to this in another post.
Going back to the scoreboard we see:
All of the login challenges are now complete (green)!
In today’s challenge we will make the store owe us money.
Before continuing on, you will need an interception proxy.
Two of the most popular interception proxies are ZAP and Burp.
I am going to use the free version of Burp (Community Edition) which can be downloaded HERE.
After downloading and installing Burp we need to set our proxy to have Burp intercept the traffic.
Note: I am using Chrome, but the steps are VERY similar between browsers (IE, Chrome, and Firefox)
When opening Burp, and clicking on the Proxy –> Options tab we see that the Proxy Listener is listening on 127.0.0.1, port 8080.
Going to your browser, go to Options.
In Chrome, click the three dots, and select Settings
You should see the following screen:
In the search settings type in “proxy” which will show the following:
Clicking on the last option – Open proxy setting we see:
Clicking on the Connections tab, we see:
Clicking the LAN settings button, make the settings look like the following screenshot and press “OK”.
To summarize: We’re setting the proxy in Chrome (or IE, Firefox, depending on the browser) to send traffic through our Burp proxy which is listening on 127.0.0.1:8080.
Going back to Burp, make sure that the intercept is on – see screenshot:
Refreshing the BodgeIt page, we see:
Yay! our traffic is being trapped properly through Burp.
Click Forward until the Raw tab is blank, and turn the intercept off. Click the intercept is on box once and it will turn off the interception.
OK… now let’s earn some $$$!!!
Navigating to the home page, click on any of the items on the left side. I am going to click on Doodah’s (first item), and I see the following:
I am going to click on the most expensive item which in this case is Doo dah day, and I see:
OK, let’s turn on the interception back on. Click the intercept is off button once to turn the interception back on.
After the interception is on, click on the basket button. I see:
Changing the quantity to -10 (which is a negative value, and should not be permitted as you can’t purchase a NEGATIVE item) we see:
Going back to BodgeIt…
We have successfully made the store owe us money!!!
As the title says, we’re going to solve the vulnerability of finding hidden content as a non-admin user.
Let’s begin.
Going back to the Scoring Page (About Us –> Scoring Page Link) we see the following. Pay attention to our username, right now we’re logged in as a guest user.
Going to the home page we see the following:
What would happen if we view the HTML source of the page? Let’s try it.
Right clicking the page, and select View Page Source we see:
Hmm… we see a commented code on line 41 (green line) that shows a link to an admin page. What will happen if we navigated to this page?
Navigating to this page we see the following:
We found a hidden page! This page lists the different user, and their role. Along with their BasketId, ProductId, and Quantity.
Let’s bookmark this page because I am sure we will need this page later for the other vulnerabilities.
Going back to the scoring page we see:
The hidden content as a non admin user is now complete (green)!
This post will be a first in a series to solve the BodgeIt Store.
I am running the BodgeIt store from an ISO (disk image) on a virtual machine (I am using VM Workstation Player 12 which is free). I have a previous post that describes how to install ISO’s in virtual machines (VMs). Link here.
Now on to the hacking!
After installing the ISO, and powering on the VM, you will be presented with the login page:
Navigating to the IP you will see OWASP BWA (Broken Web Application) homepage:
Clicking on the BodgeIt link we’re presented with this homepage:
Going to the “About Us” we see there’s a scoring page.
Clicking on the scoring page, we see:
By the end of the series, these challenges will be green (completed).
Let’s get started!
I’m going to start with “Level 1: Display a popup using: alert(“XSS”)”
Note: I am using Google Chrome which has XSS auditor pre-installed in the application.
If you’re using Chrome you will need to temporarily disable this for the XSS vulnerability. Make sure to close ALL instances of Chrome before entering the below command.
To disable xss auditor, open a command prompt (run –> cmd.exe), and enter (or copy) the following: “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” –disable-xss-auditor
Once you press Enter, a new instance of Chrome will open.
OK, now a new instance of Chrome has opened, and we’ve navigated to the BodgeIt store.
Going to the Search link we see the following:
Entering the following line in the search input: alert(“XSS”)
And pressing the “Search” button we see:
We have successfully simulated a XSS attack!
Navigating back to the scoring page (About Us –> Scoring Page) we see:
You must be logged in to post a comment.