Solution one (Trick):
Submit the information "From: BOS To: SEA" and the page changes.
Check the web page source code; you will find the form and the JavaScript function check():
<form onsubmit="return check();" enctype="" action="attack?Screen=77&menu=400" name="form" method="POST" accept-charset="UNKNOWN">
...
<div id="priceID0" name="priceID0">$600</div>
...
<input id="price2Submit" type="HIDDEN" name="price2Submit" value="">
function check(){
    if ( document.getElementById('radio0').checked )
    { document.getElementById('price2Submit').value = document.getElementById('priceID0').innerHTML; return true;}
    else if ( document.getElementById('radio1').checked )
    { document.getElementById('price2Submit').value = document.getElementById('priceID1').innerHTML; return true;}
    else
    { alert('Please choose one flight'); return false;}
}
Now all we need to do is change the price (using Firebug) from $600 to any price we want (such as $0).
Submit the request, and well done.
Solution two:
Before we type any input, check the source code:
<input id="travelFrom" type="TEXT" name="travelFrom" value="" onkeyup="getFlights();">
function getFlights() {
    ...
    var url = 'attack?Screen=77&menu=400&from=ajax&travelFrom=' + encodeURIComponent(fromField.value) +'&travelTo=' + encodeURIComponent(toField.value);
    ...
    req.open('GET', url, true);
    req.onreadystatechange = callback;
    req.send(null);
}
function callback() {
    ...
    var card = eval('(' + req.responseText + ')');
    ...
    for(var i=0; i<card.flights.length; i++){
        var node = card.flights[i];
        strHTML = strHTML + '<tr><td><input name="radio'+i+'" type="radio" id="radio'+i+'"></td><td>';
        strHTML = strHTML + card.flights[i].stops + '</td><td>';
        strHTML = strHTML + card.flights[i].transit + '</td><td>';
        strHTML = strHTML + '<div name="priceID'+i+'" id="priceID'+i+'">' + card.flights[i].price + '</div></td></tr>';
    }
    strHTML = '<table border="1">' + strHTML + '</table>';
    flightsDiv.innerHTML = strHTML;
}}}
This gives us the working process:
1. The client enters BOS and SEA.
2. AJAX sends a request to the web server and waits for the response.
3. The web page is changed dynamically according to the response.
Attacking process:
1. Use Burp Proxy to intercept and tamper with the response from the web server.
3. Submit the tampered value.
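Both solutions succeed because the server accepts the price the browser posts back in price2Submit. A server-side check that removes that trust, as an added example (not WebGoat's code or the author's; FARES, quoteFlights and confirmBooking are hypothetical names and the fare table is constructed sample data):

```javascript
// Added example, not WebGoat code. FARES is constructed sample data standing
// in for the server's own price source; all names here are hypothetical.
const FARES = new Map([
  ['BOS>SEA', [
    { stops: 0, transit: 'N/A', priceCents: 60000 },
    { stops: 2, transit: 'Newark,Chicago', priceCents: 30000 },
  ]],
]);

const formatPrice = (cents) => '$' + Math.round(cents / 100);

// AJAX endpoint: the JSON it returns is display data only.
function quoteFlights(from, to) {
  const flights = (FARES.get(`${from}>${to}`) || []).map((f) => ({
    stops: f.stops, transit: f.transit, price: formatPrice(f.priceCents),
  }));
  return JSON.stringify({ flights });
}

// Form handler: takes the POSTed fields as an object. The fare is looked up
// again from the route and the selected radio button; price2Submit is only
// compared against it to flag tampering and is never used as the charge.
function confirmBooking(fields) {
  const list = FARES.get(`${fields.travelFrom}>${fields.travelTo}`);
  if (!list) return { ok: false, reason: 'unknown route' };
  const chosen = list.map((_, i) => i).filter((i) => fields[`radio${i}`] !== undefined);
  if (chosen.length !== 1) return { ok: false, reason: 'choose exactly one flight' };
  const fare = list[chosen[0]];
  return {
    ok: true,
    chargeCents: fare.priceCents,
    tampered: fields.price2Submit !== formatPrice(fare.priceCents),
  };
}

// The same selection with the displayed price and with a price edited to $0.
const base = { travelFrom: 'BOS', travelTo: 'SEA', radio0: 'on' };
console.log(confirmBooking({ ...base, price2Submit: '$600' }));
console.log(confirmBooking({ ...base, price2Submit: '$0' }));
```

The tampered flag is worth logging: a mismatch between price2Submit and the server's fare means the form or the AJAX response was modified on the way.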