This project involved security testing of a vulnerable web application (OWASP Juice Shop) using Burp Suite, an HTTP request interception tool. The aim was to detect and analyze security vulnerabilities, including business logic flaws, SQL injection, cross-site scripting, and more.
patricnilackshan/HTTP-Request-Interception-Proxy
HTTP Request Interception using Burp Suite

Project Overview

This project involved testing the security of the OWASP Juice Shop web application using Burp Suite, an HTTP request interception tool. The objective was to identify and analyze potential security vulnerabilities such as business logic flaws, SQL injection, cross-site scripting (XSS), and other threats that could compromise the integrity of the application.

Tools Used

  • Burp Suite Community Edition: Used to intercept and manipulate HTTP requests.
  • OWASP Juice Shop: A vulnerable web application designed for security testing.

Results and Observations

1. Business Logic: Wallet

The application allowed the addition of infinite money through the wallet balance endpoint, posing a financial risk. Attackers could manipulate requests to add negative quantities of items to the cart, reducing the total cost. Furthermore, users were able to view and manipulate other users' carts, indicating a major flaw in business logic.

2. Business Logic: Customer Feedback

The Customer Feedback form restricted ratings from 1 to 5, but attackers could bypass this by modifying the POST request. Parameters such as UserId, captchaId, and rating could be manipulated to submit arbitrary feedback. The captcha endpoint returned both the captcha and its answer, making it possible to bypass verification.
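The two business-logic findings above share one root cause: the server trusted values the client chose (basket id, quantity, UserId, rating, captcha answer). The following is an added example, not Juice Shop's own code, of the server-side checks that close both gaps: ownership and bounds checks on basket items, a captcha whose answer never leaves the server, and feedback attributed to the session rather than to a body parameter. Express handlers are modelled as plain functions over a request object so it runs offline; the ids, products, policy limits and basket layout are constructed sample data.

```javascript
// Added example (not Juice Shop code): server-side validation and authorization
// for basket items and customer feedback. All data below is constructed.

const MAX_QUANTITY = 100;   // assumed policy limit, not taken from the page
const baskets = new Map([
  [11, { ownerId: 1, items: [] }],
  [22, { ownerId: 2, items: [] }],
]);
const products = new Map([[5, { id: 5, price: 2.5 }]]);

function basketTotal(basket) {
  return basket.items.reduce(
    (sum, it) => sum + products.get(it.ProductId).price * it.quantity, 0);
}

// The acting user comes from the verified session (req.session.userId),
// never from the request body, so one user cannot touch another's basket.
function addBasketItem(req) {
  const { BasketId, ProductId, quantity } = req.body;
  const basket = baskets.get(BasketId);
  if (!basket) return { status: 404, error: 'basket not found' };
  if (basket.ownerId !== req.session.userId) return { status: 403, error: 'not your basket' };
  // Negative or fractional quantities would reduce the total; reject them outright.
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > MAX_QUANTITY) {
    return { status: 400, error: `quantity must be an integer in [1, ${MAX_QUANTITY}]` };
  }
  if (!products.has(ProductId)) return { status: 400, error: 'unknown product' };
  basket.items.push({ ProductId, quantity });
  return { status: 201, total: basketTotal(basket) };
}

// Captcha: the answer is stored server-side under the captcha id and is
// consumed on first use. The response carries only the id and the question.
const captchas = new Map();
let nextCaptchaId = 1;
function issueCaptcha(a, b) {          // operands are injected so tests are deterministic
  const captchaId = nextCaptchaId++;
  captchas.set(captchaId, String(a + b));
  return { captchaId, captcha: `${a}+${b}` };   // deliberately no "answer" field
}

function submitFeedback(req) {
  const { captchaId, captcha, rating, comment } = req.body;
  // Validate the rating before spending the captcha, so a bad rating does not burn it.
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    return { status: 400, error: 'rating must be an integer from 1 to 5' };
  }
  const expected = captchas.get(captchaId);
  if (expected === undefined || String(captcha) !== expected) {
    return { status: 401, error: 'captcha missing, wrong, or already used' };
  }
  captchas.delete(captchaId);            // single use
  // Any UserId in the body is ignored; attribution comes from the session.
  const userId = req.session.userId ?? null;
  return { status: 201, feedback: { userId, rating, comment: String(comment ?? '').slice(0, 500) } };
}
```

The ownership check in `addBasketItem` is the same pattern that belongs on every object-scoped endpoint (basket, order, address): look the object up, then compare its owner with the authenticated principal before doing anything else.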

3. SQL Injection

The login functionality was vulnerable to SQL injection. A malicious payload like 'a OR 1=1 -- in the username field allowed attackers to log in as administrators. By injecting SQL code, sensitive information like the admin’s email and JWT tokens could be exposed, leading to potential account takeover.

Remediation:

  • Use parameterized queries or prepared statements.
  • Limit database user privileges to reduce the impact of successful attacks.
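To show why the first remediation works, here is an added example (not Juice Shop's code, which goes through Sequelize) placing a string-built login query beside a parameterized one. A tiny in-memory executor stands in for the database driver so the block runs offline; the user records are constructed sample data.

```javascript
// Added example (not Juice Shop code): string-built vs parameterized login query.
// Constructed sample users; "password" holds a stand-in for a stored hash.
const users = [
  { id: 1, email: 'admin@example.test', password: 'hash-of-admin-pw', role: 'admin' },
  { id: 2, email: 'user@example.test',  password: 'hash-of-user-pw',  role: 'customer' },
];

// VULNERABLE: the username is spliced into the SQL text. A single quote closes
// the string literal, "OR 1=1" rewrites the WHERE clause, and "--" comments out
// the password check, so the first row (typically the admin) is returned.
function buildLoginQueryVulnerable(email, passwordHash) {
  return `SELECT * FROM Users WHERE email = '${email}' AND password = '${passwordHash}'`;
}

// FIXED: placeholders keep the SQL text constant regardless of input; the
// values travel separately as parameters and are only ever compared as data.
function buildLoginQueryParameterized(email, passwordHash) {
  return {
    sql: 'SELECT * FROM Users WHERE email = ? AND password = ?',
    params: [email, passwordHash],
  };
}

// Minimal executor for the parameterized form: binds parameters by position
// and compares them as literal values, which is what a real driver does.
function runLogin(query) {
  const [email, passwordHash] = query.params;
  return users.find(u => u.email === email && u.password === passwordHash) || null;
}

function loginParameterized(email, passwordHash) {
  return runLogin(buildLoginQueryParameterized(email, passwordHash));
}

// Second remediation from the page, as configuration rather than code: the DB
// account used by the application should have SELECT/INSERT/UPDATE on its own
// tables only, so even a successful injection cannot read other schemas or
// alter structure.
```

The parameterized query's `sql` string is identical for every input, which is the property to look for when reviewing data-access code: if any user-controlled value can change the text of the statement, it is injectable.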

4. Information Disclosure

Accessing the FTP endpoint exposed files that should have been restricted. Exploiting a null byte injection (e.g., %2500.pdf) allowed attackers to bypass file type restrictions. Analysis revealed the use of outdated libraries such as express-jwt and sanitize-html, further exposing the application to risk.

Remediation:

  • Update insecure libraries.
  • Implement strict file type handling and error management.
  • Restrict access to sensitive directories like /ftp.

5. Cross-Site Scripting (XSS)

The application was vulnerable to reflected XSS through its search functionality. By injecting a script like <img src=x onerror='alert("YOU HAVE BEEN HACKED")' />, an attacker could execute arbitrary JavaScript in the victim’s browser.

Remediation:

  • Validate and sanitize user inputs.
  • Use AngularJS's Sanitize module to prevent XSS.
  • Regularly update dependencies.

6. Cookies Missing HttpOnly Flag

Cookies were not marked with the HttpOnly flag, making them vulnerable to theft via XSS attacks. Injecting a script like <img src=x onerror='alert(document.cookie)' /> allowed attackers to access the document's cookies, leading to session hijacking.

Remediation:

  • Set the HttpOnly flag on cookies to prevent access via JavaScript.
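A practitioner wants two things here: a way to emit the cookie with the right attributes and a way to spot, in captured responses, which cookies lack them. The following added example (not Juice Shop's code) provides both as plain functions over Set-Cookie header strings; the cookie name, value and lifetime are constructed. In Express the same result is obtained with `res.cookie(name, value, { httpOnly: true, secure: true, sameSite: 'strict' })`.

```javascript
// Added example (not Juice Shop code): build and audit Set-Cookie headers.

// Builds a Set-Cookie value with safe defaults: HttpOnly (no document.cookie
// access), Secure (HTTPS only) and SameSite=Strict (not sent cross-site).
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Strict', maxAgeSeconds, path = '/' } = opts;
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAgeSeconds !== undefined) parts.push(`Max-Age=${maxAgeSeconds}`);
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parses one Set-Cookie header (attribute names are case-insensitive per
// RFC 6265) and lists the protections it is missing. Useful over a Burp
// export or a HAR file to triage every cookie the application issues.
function auditSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
  const name = nameValue.split('=')[0];
  const flags = new Map(attrs.map(a => {
    const [k, v = ''] = a.split('=');
    return [k.toLowerCase(), v];
  }));
  const findings = [];
  if (!flags.has('httponly')) findings.push('missing HttpOnly: readable via document.cookie');
  if (!flags.has('secure')) findings.push('missing Secure: may be sent over plain HTTP');
  const sameSite = (flags.get('samesite') || '').toLowerCase();
  if (sameSite === '' || sameSite === 'none') findings.push('SameSite absent or None');
  return { name, findings };
}

// Audits every Set-Cookie header in a captured response and returns only the weak ones.
function auditResponseCookies(setCookieHeaders) {
  return setCookieHeaders.map(auditSetCookie).filter(r => r.findings.length > 0);
}
```

HttpOnly stops the `document.cookie` read shown above but does nothing against the XSS itself; a script running in the victim's origin can still issue authenticated requests, so the flag is a containment measure that belongs alongside, not instead of, the XSS fix.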

7. Client-Side Validation Vulnerability

The "Repeat Password" field validation was flawed: the match was checked only in the browser, so an attacker could enter matching values and then change the password field again, submitting a request that the server accepted without re-checking.

Remediation:

  • Follow the DRY (Don’t Repeat Yourself) principle in validation to ensure consistent behavior.

8. Frontend Route Management

Sensitive routes (like payment or authentication) were exposed in the front-end code, allowing attackers to discover and bypass certain security controls.

Remediation:

  • Manage sensitive routes on the backend, as front-end code can be easily accessed and manipulated.

9. Persistent XSS via HTTP Header

The application was vulnerable to persistent XSS through improper sanitization of the True-Client-IP HTTP header, which could be manipulated to inject scripts.

Remediation:

  • Properly sanitize and validate all HTTP headers.
  • Implement strict input validation and output encoding.

Conclusion

The project highlights the critical importance of security testing with tools like Burp Suite. By intercepting and analyzing HTTP traffic, multiple vulnerabilities were identified in OWASP Juice Shop, including business logic flaws, SQL injection, and XSS. Remediation strategies such as input sanitization, proper backend management, and regular updates can help improve the security of web applications.

Steps to Install OWASP Juice Shop

1. From Source Code

  1. Install Node.js: First, you need to install Node.js (compatible versions like v20.x).
  2. Clone the repository: Run the following command to clone the Juice Shop GitHub repository:
    git clone https://github.com/juice-shop/juice-shop.git --depth 1
  3. Navigate to the Juice Shop directory:
    cd juice-shop
  4. Install dependencies: Install the necessary dependencies using npm:
    npm install
  5. Start the application: Once installed, you can start Juice Shop with:
    npm start
  6. Access the application: Open a browser and navigate to http://localhost:3000.

2. Using Packaged Distributions

  1. Download a distribution: Visit the Juice Shop release page and download the packaged distribution for your OS (e.g., Windows, macOS, Linux).
  2. Extract the package: Unzip the downloaded package and navigate to the folder.
  3. Install Node.js: Ensure that Node.js is installed on your system.
  4. Start Juice Shop: Run the following command in the extracted folder:
    npm start
  5. Access the application: Open a browser and navigate to http://localhost:3000.

3. Running Juice Shop in Docker

  1. Install Docker: You need Docker installed on your machine. Follow the instructions on Docker's official site.
  2. Pull the Juice Shop Docker image:
    docker pull bkimminich/juice-shop
  3. Run Juice Shop in Docker:
    docker run --rm -p 3000:3000 bkimminich/juice-shop
  4. Access the application: Open http://localhost:3000 in your browser.
