[⭐] Infinite free wallet funds (already existing vulnerability in juice-shop)
See original GitHub issue
⭐ Challenge idea
Description
The route rest/wallet/balance
with the HTTP method PUT
is used to add new funds to the digital wallet. If done through the GUI, the user needs to have a saved credit card and, also, the amount of money added into the wallet is restricted between 10 and 1000.
If you send the PUT
request with the header Authorization
and the body {"balance": 2000000}
you can add funds to the wallet without a credit card saved and bypassing the limit.
I have checked that then you can buy products in the shop using the wallet, and it is possible.
I guess in real life this bug would not be possible, as the transaction from a real bank account and the digital wallet needs to be performed to get the money. However, it is strange to be able to do this in the Juice Shop without it being a challenge. Plus, for beginners (like me) it is quite an accessible and interesting challenge.
Underlying vulnerability/ies
The vulnerability would be both Improper Input Validation
and something else (regarding the free funds) but I do not know how to name it.
Expected difficulty
| ☑️ / ⬜ | Difficulty |
|---|---|
| ☑️ | ⭐ |
| ☑️ | ⭐⭐ |
| ⬜ | ⭐⭐⭐ |
| ⬜ | ⭐⭐⭐⭐ |
| ⬜ | ⭐⭐⭐⭐⭐ |
| ⬜ | ⭐⭐⭐⭐⭐⭐ |
Possible attack flow
- Log in as a user.
- Add either less than 10 dollars (not allowed by the GUI) or add money from no apparent credit card origin.
- Spend this money on Juices.
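The fix the maintainers hint at is server-side validation of the top-up request, independent of what the GUI enforces. The following is an added example, not code from the issue or from the Juice Shop code base (which is a Node.js application, hence JavaScript here): a weak handler that reproduces the reported behaviour next to a hardened one that requires an authenticated user, an integer amount within the 10 to 1000 range the issue describes, a saved card owned by that user, and a successful charge before any funds are credited. The function names, the card/charge shape, the `paymentId` field and the error codes are assumptions for illustration.

```javascript
// Added example (not Juice Shop's own code): server-side validation for a
// wallet top-up, modelled on the PUT rest/wallet/balance flow in the issue.
// Function names, the card/charge shape and the error codes are assumptions;
// the 10..1000 range mirrors the limit the issue says the GUI enforces.

const MIN_TOPUP = 10;
const MAX_TOPUP = 1000;

// Weak handler: credits whatever "balance" the client sends and never asks
// whether the user has a card on file. This reproduces the reported behaviour.
function weakTopUp(wallet, body) {
  wallet.balance += body.balance;
  return { status: 200, balance: wallet.balance };
}

// Hardened handler: the caller must be authenticated, the amount must be an
// integer inside the allowed range, the user must own the referenced saved card,
// and funds are credited only after the charge against that card succeeds.
function hardenedTopUp(wallet, body, ctx) {
  if (!ctx.user) {
    return { status: 401, error: 'authentication required' };
  }
  const amount = body.balance;
  // typeof/isInteger together reject strings, NaN, Infinity and fractions.
  if (typeof amount !== 'number' || !Number.isInteger(amount)) {
    return { status: 400, error: 'balance must be an integer amount' };
  }
  if (amount < MIN_TOPUP || amount > MAX_TOPUP) {
    return { status: 400, error: `amount must be between ${MIN_TOPUP} and ${MAX_TOPUP}` };
  }
  // Only a card that belongs to the authenticated user may be charged.
  const card = ctx.cards.find((c) => c.userId === ctx.user.id && c.id === body.paymentId);
  if (!card) {
    return { status: 402, error: 'no saved payment card found for this user' };
  }
  const charge = ctx.chargeCard(card, amount);
  if (!charge.ok) {
    return { status: 402, error: 'charge declined' };
  }
  wallet.balance += amount;
  return { status: 200, balance: wallet.balance };
}

// Constructed request context: one logged-in user with one saved card and a
// stub payment processor that approves every charge.
function demoContext() {
  return {
    user: { id: 1 },
    cards: [{ id: 'card-1', userId: 1 }],
    chargeCard: (card, amount) => ({ ok: true, card: card.id, amount }),
  };
}

// Runs the request from the issue and a few other malformed inputs against both
// handlers and returns the HTTP status each one would answer with.
function runScenarios() {
  const ctx = demoContext();
  const weakWallet = { balance: 0 };
  const hardWallet = { balance: 0 };
  return {
    weakAcceptsHugeAmount: weakTopUp(weakWallet, { balance: 2000000 }).status,
    hardRejectsHugeAmount: hardenedTopUp(hardWallet, { balance: 2000000, paymentId: 'card-1' }, ctx).status,
    hardRejectsBelowMinimum: hardenedTopUp(hardWallet, { balance: 5, paymentId: 'card-1' }, ctx).status,
    hardRejectsNegative: hardenedTopUp(hardWallet, { balance: -50, paymentId: 'card-1' }, ctx).status,
    hardRejectsString: hardenedTopUp(hardWallet, { balance: '100', paymentId: 'card-1' }, ctx).status,
    hardRejectsNoCard: hardenedTopUp(hardWallet, { balance: 100 }, ctx).status,
    hardRejectsAnonymous: hardenedTopUp(hardWallet, { balance: 100, paymentId: 'card-1' }, { ...ctx, user: null }).status,
    hardAcceptsValid: hardenedTopUp(hardWallet, { balance: 100, paymentId: 'card-1' }, ctx).status,
    weakBalance: weakWallet.balance,
    hardBalance: hardWallet.balance,
  };
}

console.log(runScenarios());
```

The ordering of the checks matters for detection as much as for correctness: rejecting unauthenticated and out-of-range requests before touching the card store keeps those attempts cheap to log and impossible to turn into a balance change, and the charge step ties every credited amount to a payment record, which is the property the reporter notes a real wallet would have.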
Issue Analytics
- State:
- Created 4 years ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments
Closed as this will rather be “fixed” than converted into a challenge to avoid duplications.
Hm, personally I’d rather see the wallet funds increase flow to be actually secured in some way. Can be broken still, but it shouldn’t be this trivial to get unlimited 💰 in the wallet. We kind of have a similar challenge with the negative quantities being put in the shopping basket anyway.
So the challenge idea is great, it just should be made more difficult imo.