Rating:
Shop V.2
========
Task description
----------------
> Fixed some things http://shop2.q.2019.volgactf.ru
Solution
--------
TL;DR: Mass assignment vulnerability through ModelAttribute in Spring Boot
(using an array and a different setter name).
This tasks involves nearly the same shop application as in the shop task. The
only difference is, that the `buy` method was disabled. We therefore only
describe the differences in the exploit here and recommend to read the write-up
for shop first.
In the robots.txt you will find `Disallow: /shop-1.0.1.war`, which gives your
nearly the same source code, except for the `buy` method, which no longer can
be used to buy products.
However, we are still left with the `profile` method:
@Controller
public class ShopController {
// [...]
@RequestMapping({"/profile"})
public String profile(@ModelAttribute("user") User user, Model templateModel, HttpServletRequest request) {
HttpSession session = request.getSession();
if (session.getAttribute("user_id") == null) {
return "redirect:index";
} else {
List<Product> cart = new ArrayList();
user.getCartItems().forEach((p) -> {
cart.add(this.productDao.geProduct(p.getId()));
});
templateModel.addAttribute("cart", cart);
return "profile";
}
}
We find the same ModelAttribute annotation on the user variable. However,
while we can change the `balance` attribute, is has only an effect on the
rendered template, since the changes on user are not written to the database.
Additionally, we cannot buy anything, so having many monetary units provides
not benefit. However, there is another interesting attribute: `cart`. We could
put the flag product in our cart and display it on the profile (without
actually posessing it). The methods reads all products in our cart from the
database again, so we will receive the flag once we have a product in our cart
with a `productId` of 4.
The `cart` attribute is of type `List[Product]`, so it is not only a scalar
value, but a more complex structure. After some search on how Spring Boot
handles such values in form data, we found the correct way of encoding lists
with objects: `cart[0].id`, `cart[0].title`, and so on. So we appended those
field names to the URL, setting `cart[0].id = 4`. This resulted in an “HTTP 400
Bad Request”. Turns out that the browser does not encode them properly when
you just append them to the URL in the URL bar. So we create a simple HTML form
to craft the request. While the request was processed correctly, we did not
find the flag in our cart. Taking a closer look, you will find that the user
models defines a setter `setCartItems` instead of `setCart`. So changing the
field names to `cartItems[0].id`, `cartItems[0].title` etc., results in the
flag `VolgaCTF{e86007271413cc1ac563c6eca0e12b62}` being shown on the profile.
