Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. ItΒ collects links to all the places you might be looking at while hunting down a tough bug.
And, if youβre still stuck at the end, weβre happy to hop on a call to see how we can help out.
[β] Free deluxe membership (already existing vulnerability in juice-shop)
See original GitHub issueβ Challenge idea
Description
The rest/deluxe-membership route is vulnerable. Users can upgrade themselves to deluxe members by simply making a POST request to this path with the following parameters
UserId: your uid(which you can get by decoding your jwt)payUsingWallet: false
Though this can be easily fixed with minor refactoring, I propose that we make this into a challenge instead
Underlying vulnerability/ies
I guess this would fall under Security Misconfiguration or Miscellaneous
Expected difficulty
| βοΈ / β | Difficulty |
|---|---|
| βοΈ | ββ |
Possible attack flow
You can replicate the attack right now by making a POST request to localhost:3000/rest/deluxe-membership with the following params
UserId: your uid(which you can get by decoding your jwt)payUsingWallet: false- After that, logout and login again to refresh your JWT. You are now a deluxe-member and no amount has been deducted from your wallet
This vulnerability can be discovered by examining the requests made when one tries to pay for deluxe membership and then fu
Issue Analytics
- State:
- Created 4 years ago
- Comments:6 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Yeah well, it unfortunately doesnβt work as simple as currently implemented. Just try this:
demo/demoSimple βfixβ would be giving the
payUsingWallet=true|falseneeds an βupgradeβ into something likepayment=wallet|cardand when that parameter is empty youβd still get your membership. Then itβd be believable business logic flaw and sufficiently different from the password change challenge where the old-password parameter is supposed to be missing entirely to change anyones password.This thread has been automatically locked because it has not had recent activity after it was closed. π Please open a new issue for regressions or related bugs.