Faking Feedback and Reviews
2h 6m

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us the opportunity to practice what we have learned so far, and also to learn about new techniques and new vulnerabilities, such as XX vulnerabilities.


Hi, within this lecture, we're going to continue solving some other challenges from this list. So, as you can see, there are a couple of challenges that are very similar, like post some feedback in another user's name, or post a product review as another user, or edit any user's existing review. So, this is all like in the section of broken access control. So, we're going to see how it works. Now let's open the 'Customer Feedback' tab and see how it works. So, as you can see, we cannot change the author from here.

So, we're going to try and see if we can change it from the Burp Suite as you might guess. So, I'm going to give this captcha and before we submit this, of course, I'm going to intercept this on Burp Suite and try to change this author email and see if that works or not. So, I'm going to come over here and just 'Submit' this, and here you go. We see the request. So, request seems a little bit different like it seems kind of an encrypted or something like that.

As you can see, we cannot see the whole email over there. So, maybe we can just try to change this from here. Maybe we can just delete this. And just write whatever we want, like test2. So, we are logged in as, not logged in as test2. If I forward this and see what happens. Let me just turn the intercept off. And I believe we managed to submit that feedback or not because right now, we're not getting that "you solved that challenge" thingy. If we come over here to the scoreboard, let's see if we solved that thing. As you can see, it's not even solved. Maybe we actually submit the feedback button in our own user account, but maybe we didn't even submit the feedback.

So, what we can do, we can try this one more time. I'm going to do this. I believe it's -77. And before we do that, of course, I'm going to intercept this one more time. So, let me come over here to intercept this request and this time, I'm going to send this to repeater because it's taking some time. I'm going to come over here and rather than if you just send this, first of all, we get the response as success. But if we change this over here, let's see if we get the success or not. If we send this, we get nothing. So, it didn't get submitted at all. So, we cannot change this.

Yeah, it got submitted actually. So, it says that the comment is test2@testcom. But we don't see it over here, or we don't see the solved notification as well. Most probably, it just sends it with the same user ID and we have to change the user ID.

So, we can change the user ID from Burp Suite, but I also found this thing, which is pretty commonly used in web development. It's kind of a misconfiguration or not safe to do so, but I'm going to show you because developers tend to do it most of the time. So, I'm going to come over here and write something. And as you can see, we cannot change the author, which is perfectly fine. But if we come over here to the HTML code, if you find this div, if you find this, hover over here until you find what you're looking for. I'm looking for that customer feedback form. So, I'm going to find it. So, a little bit down, a little bit down, and here you go. We have this thing.

So, if we come over here, we see a div, which is good. So, under this div, we have the email, but we have also something that hasn't been enabled over here. So, as you can see, we have an input ID, user ID thingy. So, it contains the current user ID, but it's hidden from us. So, as you can see, type is text and it says that hidden. So, maybe we can just say, false over here or maybe we can just delete this hidden attribute, and it will be visible for us. So, if we hit enter, as you can see, we see the ID over there. So, maybe we can change this from the Burp Suite and try like that. But I will just try it from here, which is much easier for me to do because I made it visible. I just changed it to 16. I don't even know if there's a user 16, but I will try it. And as you can see, it says that you solved that challenge.

Again, you can try to do it from the Burp Suite as well. It will work fine, I believe. And you can try to find this kind of a thing as well. I just wanted to show you explicitly because again, this is not a thing that the developer should do, but they do it every time. So, if they hide something that you shouldn't see, you can discover that by looking at the HTML code and searching for the attribute hidden. So, so far so good for the feedback. Now let's try to focus on reviews as well.

So, if I want to write a review, I can just come over here on any product, and I can just 'Submit' a review. It will submit it in my current user atil@test.com over here. But if I want to forge this as well, I can still test Burp Suite first of all. I'm going to say test2 over here, and I'm going to turn the intercept on. I'm going to just 'Submit' this, and here you go. I believe this is much easier. So, rather than atil, I'm going to send this to repeater. And in the repeater, I have the message, I have the author. Let's try to see if we can change this directly from here. For example, rather than atil, I'm going to just write admin. So, it will look like it's coming from admin, and here we go. We have the status of success. Now I'm going to turn the intercept off, and here you go. We have the admin making this comment over here and apparently, we solved this challenge as well.

So, this should be enough to solve these two problems. Now we managed to take down these challenges as well. Now we are proceeding in these three stars. We're going to stop here and continue solving a couple of those in the next lecture as well.
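Both challenges in this lecture work because the server takes the author identity from a client-controlled field (the hidden user ID input for feedback, the author value for reviews). The following is an added example, not part of the lecture and not Juice Shop's own code, contrasting that pattern with a handler that binds the record to the server-side session; all function names, the session object and its values are hypothetical.

```javascript
// Added illustration; function and field names are hypothetical, not Juice Shop's code.
// Constructed sample: the identity the server resolved from the login token.
const session = { userId: 21, email: 'atil@test.com' };

// Vulnerable pattern: identity fields are copied straight from the request body,
// so a hidden form input or an edited request decides who the author is.
function buildFeedbackVulnerable(body) {
  return { UserId: body.UserId, comment: body.comment, rating: body.rating };
}
function buildReviewVulnerable(body) {
  return { author: body.author, message: body.message };
}

// Hardened pattern: accept only content fields from the client and take the
// identity from the session. A client-supplied identity that disagrees with the
// session is rejected and returned as an audit event so tampering is visible.
function bindToSession(body, sess, identityField, sessionKey, contentFields) {
  if (!sess) return { status: 401, error: 'authentication required' };
  const claimed = body[identityField];
  const actual = sess[sessionKey];
  if (claimed !== undefined && claimed !== actual) {
    return {
      status: 403,
      error: `${identityField} does not match session`,
      audit: { event: 'identity_mismatch', field: identityField, claimed, actual },
    };
  }
  const record = { [identityField]: actual };
  for (const f of contentFields) {
    if (body[f] !== undefined) record[f] = body[f]; // allow-list of content fields
  }
  return { status: 201, record };
}

const buildFeedback = (body, sess) =>
  bindToSession(body, sess, 'UserId', 'userId', ['comment', 'rating']);
const buildReview = (body, sess) =>
  bindToSession(body, sess, 'author', 'email', ['message']);
```

The `audit` object is what a real handler would write to its security log; a burst of `identity_mismatch` events from one account is a useful detection signal for this class of tampering.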


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.