Ajax Security: Insecure Client Storage Attacks

Goal: 

Discover a valid coupon code and use it to receive a discount the shop never intended to grant. Then exploit the shop's reliance on client-side validation to submit an order with a total cost of zero. 

Note that input validation must always be done on the server side. Client-side checks are only a usability convenience: the attacker controls the browser and can read, modify or bypass any JavaScript sent to it. 

Method: 

Use Firebug or Firefox's built-in Inspect Element tool. Here we use the Firefox Developer Edition. 

Part one Coupon Discount 

Method One - Step by step Guide

1. Right-click the "Enter your coupon code" input field and choose Inspect Element (Firebug or the Firefox DevTools).

2. The following markup appears in the Inspector window: 

<script src="//WebGoat/plugin_extracted/plugin/ClientSideValidation/js/clientSideValidation.js" language="JavaScript"></script>

...

<input value="1" onkeyup="isValidCoupon(field1.value)" name="field1" type="TEXT">

3. Study the JavaScript by opening it directly in the browser: http://webgoatIP:8080/WebGoat/plugin_extracted/plugin/ClientSideValidation/js/clientSideValidation.js

The script below ships the encoded coupon list together with the decrypt function that decodes it, so anyone who loads the page can recover every valid coupon without guessing. 

// Encoded coupon list, sent to every browser that loads the lesson.
var coupons = ["nvojubmq",
               "emph",
               "sfwmjt",
               "faopsc",
               "fopttfsq",
               "pxuttfsq"];

// Runs on every keyup in the coupon field: decodes each entry and
// compares it with what the user typed. Note that "decrypted" is
// assigned without "var", so it leaks into global scope.
function isValidCoupon(coupon) {
    coupon = coupon.toUpperCase();
    for(var i=0; i<coupons.length; i++) {
        decrypted = decrypt(coupons[i]);
        if(coupon == decrypted){
            ajaxFunction(coupon);
            return true;
        }
    }
    return false;        
}

// Walks the code backwards (reversing it) and shifts every letter back
// by one position in the alphabet: a reversed Caesar cipher with shift -1.
// The loop starts at code.length, one past the last index; charAt() returns
// "" there, which matches nothing, so the extra iteration is harmless.
function decrypt(code){
    code = code.toUpperCase();
    alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    caesar = '';
    for (i = code.length ;i >= 0;i--){        
        for (j = 0;j<alpha.length;j++){        
            if(code.charAt(i) == alpha.charAt(j)){
                caesar = caesar + alpha.charAt((j+(alpha.length-1))%alpha.length);
            }                
        }
    }        
    return caesar;
}

4. Decrypt the coupon 

a) First enter a bogus code and submit it, so that the lesson page and its script are loaded.

b) In the DevTools Console, run 

decrypt("nvojubmq")

"nvojubmq" is copied from the encrypted coupons array defined in the js file; any of the six entries can be passed to decrypt() in the same way. 

Encoded value -> decrypted coupon:

nvojubmq -> PLATINUM

emph -> GOLD

sfwmjt -> SILVER

5. Enter the decrypted coupon (for example PLATINUM) in the coupon field and submit the order; the discount is applied. 

Method Two - Step by step Guide

Same procedure as Steps 1-3 above.

4. Decrypt all coupons at once 

a) First enter a bogus code and submit it.

b) In the DevTools Console, run 

coupons.forEach(function (c) { console.log(c + "=" + decrypt(c)); });

The global variable "decrypted" that isValidCoupon leaves behind holds only the last entry its loop decoded, so call decrypt() on each entry rather than reading that variable. Each line printed pairs an encoded entry with its decoded coupon, for example:

nvojubmq=PLATINUM

Part Two - Purchase for Free

Part two is straightforward. Use the Firefox DevTools to right-click each price on the order form, edit the HTML directly, and set every price to $0 before submitting the order. The attack only works because the server trusts the prices and total that the browser sends back; editing the displayed text changes nothing unless the edited value is what the form actually submits. The fix is the one noted at the start: recompute the price of every line item and the order total on the server from its own price list, and ignore any cost values arriving from the client.

This concludes this lab. 
