Check the page source first; you will find:
<td>Enter your coupon code:</td>
<td>
    <input type="TEXT" name="field1" onkeyup="isValidCoupon(field1.value)" value="">
</td>
Use Firebug to locate the JS file "clientSideValidation.js", which contains the function isValidCoupon() and the coupon list:
var coupons = ["nvojubmq",
               "emph",
               "sfwmjt",
               "faopsc",
               "fopttfsq",
               "pxuttfsq"];
However, the coupon codes are stored encrypted, so we can't use them directly. Keep reading:
function isValidCoupon(coupon) {
    coupon = coupon.toUpperCase();
    // Decrypt each stored coupon and compare it with the user's input
    for (var i = 0; i < coupons.length; i++) {
        var decrypted = decrypt(coupons[i]);
        if (coupon == decrypted) {
            ajaxFunction(coupon);   // submit the accepted coupon to the server
            return true;
        }
    }
    return false;
}
As we can see, there is a decryption function called "decrypt()". Here is its code:
function decrypt(code) {
    code = code.toUpperCase();
    var alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    var caesar = '';
    // Walk the code backwards (reversing it) and shift every letter back by one
    // position in the alphabet: (j + 25) % 26 is the same as (j - 1) mod 26
    for (var i = code.length - 1; i >= 0; i--) {
        for (var j = 0; j < alpha.length; j++) {
            if (code.charAt(i) == alpha.charAt(j)) {
                caesar = caesar + alpha.charAt((j + (alpha.length - 1)) % alpha.length);
            }
        }
    }
    return caesar;
}
This is the old Caesar cipher; we could easily find a decryption tool or write one ourselves, but here we simply reuse the page's own decrypt() function.
The working process:
1. The client enters a coupon code.
2. The client-side validation script checks the code immediately (it decrypts each stored coupon code and compares it with the input).
3. If a code matches, the input is accepted.
Attacking process:
Because the coupon codes are stored on the client side (in the JS file) and the decryption also runs on the client side, we just need to find the coupon codes and decrypt them.
Type the following in Firefox's URL bar or in the Firebug console:
alert(decrypt("nvojubmq")); // for example, the first coupon code
Then we get the plain-text coupon code:
PLATINUM
Stage two:
Solution one:
Use Firebug to inspect the source; you will find that the final price box has the attribute readonly="". Delete this attribute and the final price can be edited.
Solution two:
Use WebScarab or Burp Proxy to intercept the request, find the final price, and change it to "0.00".