Hacking OWASP Juice Shop: Part 2 — Exposing Critical Vulnerabilities in the Payment Flow


In the Name of Allah, the Most Beneficent, the Most Merciful.
All the praises and thanks be to Allah, the Lord of the ‘Alamin (mankind, jinns and all that exists).

callgh0st

InfoSec Write-ups

I hope you enjoyed Part 1. Here, I’m starting Part 2, which focuses on the logic vulnerabilities in the payment flow of OWASP Juice Shop.

NOTE: I’ll add an important narrative at the end.

I found two vulnerabilities in the payment flow.

First, if I place an order and proceed to check out at POST /rest/basket/6/checkout, the body contains:

{"couponData":"bnVsbA==","orderDetails":{"paymentId":"8","addressId":"7","deliveryMethodId":"2"}}

However, if I remove the paymentId, I can still check out without paying:

{"couponData":"bnVsbA==","orderDetails":{"paymentId":"","addressId":"7","deliveryMethodId":"2"}}

Ninth vulnerability: Ability to check out without payment due to improper validation of the payment ID.

I discovered another vulnerability in adding money to my wallet. The website restricts adding more than 1000¤, but by intercepting the request and changing the amount to a larger value, the transaction succeeds.

I’m rich :)

Twelfth vulnerability: Bypassing wallet deposit limit by modifying the request payload.
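
Both findings come down to the server trusting values the client controls. The sketch below is an added example, not part of the original write-up and not Juice Shop's own code, showing server-side checks that reject both requests; the function names, the in-memory store, the numeric amount and the rule that every order needs a stored card owned by the caller are assumptions.

```javascript
// Hypothetical server-side validation for the two requests in this write-up.
const MAX_DEPOSIT = 1000; // limit the article says the site applies to deposits

// Constructed sample data: stored cards and addresses, each tied to an owner.
const store = {
  cards: { 8: { userId: 21 }, 9: { userId: 22 } },
  addresses: { 7: { userId: 21 } },
};

// Accept only canonical positive integer ids ("8"); reject "", "08", "8x", null.
function parseId(value) {
  const s = value == null ? '' : String(value);
  return /^[1-9]\d*$/.test(s) ? Number(s) : null;
}

// True only when the id is well formed, exists, and belongs to this user.
function ownedBy(table, rawId, userId) {
  const id = parseId(rawId);
  return id !== null && table[id] !== undefined && table[id].userId === userId;
}

// Fail closed: without a valid payment method owned by the caller, no order.
function validateCheckout(userId, orderDetails, db = store) {
  const d = orderDetails || {};
  if (!ownedBy(db.cards, d.paymentId, userId)) {
    return { ok: false, error: 'invalid paymentId' };
  }
  if (!ownedBy(db.addresses, d.addressId, userId)) {
    return { ok: false, error: 'invalid addressId' };
  }
  return { ok: true };
}

// The limit is checked on the server, so editing the request changes nothing.
function validateDeposit(amount) {
  if (typeof amount !== 'number' || !Number.isFinite(amount) || amount <= 0) {
    return { ok: false, error: 'invalid amount' };
  }
  if (amount > MAX_DEPOSIT) {
    return { ok: false, error: 'amount exceeds limit' };
  }
  return { ok: true };
}

// The second checkout body from the article (empty paymentId) is rejected.
const tampered = { paymentId: '', addressId: '7', deliveryMethodId: '2' };
console.log(validateCheckout(21, tampered), validateDeposit(5000));
```
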

That’s all for now. Thanks for reading! Don’t forget to drop a like. You can sign up to get the next write-up delivered straight to your inbox.

Look-up Part 1:

For any suggestions or corrections, kindly reach out to me:

Twitter — callgh0st

أَخْبَرَنَا عَمْرُو بْنُ عَلِيٍّ، عَنْ يَحْيَى، قَالَ حَدَّثَنَا شُعْبَةُ، قَالَ حَدَّثَنِي قَتَادَةُ، عَنْ أَبِي الْخَلِيلِ، عَنْ عَبْدِ اللَّهِ بْنِ الْحَارِثِ، عَنْ حَكِيمِ بْنِ حِزَامٍ، قَالَ قَالَ رَسُولُ اللَّهِ صلى الله عليه وسلم ‏ “‏ الْبَيِّعَانِ بِالْخِيَارِ مَا لَمْ يَفْتَرِقَا فَإِنْ صَدَقَا وَبَيَّنَا بُورِكَ فِي بَيْعِهِمَا وَإِنْ كَذَبَا وَكَتَمَا مُحِقَ بَرَكَةُ بَيْعِهِمَا ‏”‏ ‏.‏

It was narrated that Hakim bin Hizam said: “The Messenger of Allah said: ‘The two parties to a transaction have the choice so long as they have not separated. If they are honest and open, their transaction will be blessed, but if they tell lies and conceal anything, the blessing of their transaction will be lost.’”

Sunan an-Nasa’i 4457
https://sunnah.com/nasai:4457
