Juice Shop: Forging a Coupon with 80% discount

This is a writeup of one of the more challenging exercises in Juice Shop: forging a coupon code with a discount of more than 80%.

Category: cryptographic issues

Vulnerability: create coupons that give a discount of 80% or more.

Below I will show the steps for completing this challenge.


Find the list of dependencies in /ftp

The first step is to visit the FTP folder on the app by going to /ftp. Here you will see a few different files. When you try to open one of the .bak, .yml or .pyc files you get an error that only .md and .pdf files are allowed.

Juice shop: error when trying to download file

By adding %2500.md to the url you can actually access the files. This is a way to trick the application to think that you are opening a .md file. This works because of the null byte %00 which is url encoded as %2500.

Juice shop: downloading a file from /ftp

Open the file package.json.bak by changing the URL from /ftp/package.json.bak to /ftp/package.json.bak%2500.md


Dependencies

In this file you can find a list with dependencies (software ‘packets’ that Juice Shop makes use of).

Juice shop: dependencies list

When you look for these dependencies on Google you find a few that could be related to generating codes. Those are ‘hashids’ and ‘z85’.


Decoding Juice Shop coupons

Juice Shop has a Twitter account. Every month it posts coupons that give you a certain discount.

Juice shop: one of the coupons on Twitter

You can find out if Juice Shop uses one of the programs we found (hashids or z85) by using those programs to decode those coupon codes and looking at the result. If the result seems to have a kind of structure to it, we may use that structure to create coupons ourselves.

If you look up Hashids you will find that you can only generate codes with it using a number. Also the name Hashids suggests that the code will be hashed. Hashes only go one way, they can’t be decoded.

But z85 can be decoded. When you try this on the Juice Shop coupons you will find out this is the program that was used to create the coupons. We will look at this in the next step.


Installing z85

In order to use z85 you first need to install NodeJS from nodejs.org. Then you can install z85 as follows:

  • open a command prompt as administrator and navigate to nodejs/node_modules/npm
  • execute the following command: npm install –g z85-cli
Juice shop: install z85

With z85 -d [code] you can decode a coupon.

When we decode the coupon from October shown in the Twitter post above, we get OCT20-10.

Juice shop: decode a coupon

This is a pattern! OCT is for October, 20 is for 2020 and 10 is for 10% discount.


Generating a coupon code with z85

To generate a coupon with a discount of 80% we can see what we get when we encode OCT20-80. You can try to generate a coupon for the current year and month.

Juice shop: generate a coupon code

Result: pEw8pfFbmr


Trying the Coupon

Placing an order.

Juice shop: place an order

Enter the generated coupon: pEw8pfFbmr.

Juice Shop: enter the forged coupon

Continue.

Juice shop: the forged coupon with 80% discount worked

As you can see the total price went from 33 to 7.77. The coupon works!


Possible solutions

  1. You could perhaps limit the damage that can be done by rejecting coupons with a discount above 50%. But this is not a complete solution.
  2. Make sure that it’s not possible to find out which algorithm is used to generate the codes. Maybe it’s possible to deny access to the /ftp section by adding an access rule to the .htaccess file of the website.
  3. An option would be to generate coupons in such a way that’s hard to replicate or reverse engineer. For example you could hash the coupons instead of encoding them or use a unique algorithm that is not publicly available.
  4. Using phrases that are less predictable than OCT20-10 for generating the coupons.

Sources

  • https://medium.com/@briskinfosec/null-byte-sql-injection-4cc34ae4e7d7
  • https://twitter.com/owasp_juiceshop?lang=nl
  • https://github.com/niieani/hashids.js
  • https://hashids.org/
  • https://www.npmjs.com/package/z85-cli
  • https://github.com/bkimminich/z85-cli
  • https://stackoverflow.com/questions/11728976/how-to-deny-access-to-a-file-in-htaccess
  • https://serverfault.com/questions/952712/htaccess-rule-to-protect-against-malicious-post-requests-to-wordpress-index-php
  • https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/appendix/solutions.html

Leave a Comment

Your email address will not be published. Required fields are marked *