Baby WAFfles Order: A Fun Dive into a Secure Ordering System API

Introduction:

In the realm of cybersecurity, new challenges surface every day, much like the 'specials' at an eatery. Recently, we had the opportunity to explore an online WAFfles house with a 'super secure ordering system API,' appropriately named "Baby WAFfles Order." The task was to find a way to navigate this 'delicious' challenge.

Machine name: baby WAFfles order

Difficulty: Easy

Category: Web

DESCRIPTION:

Our WAFfles and ice scream are out of this world, come to our online WAFfles house and check out our super secure ordering system API!

The Starting Line:

We fired up the Baby WAFfles Order machine and navigated to the given IP address in a browser on our Kali box.

Stirring the Source:

Along with the IP, we were provided with the source code files, which included a deceptive flag file harboring a fake flag. The initial structure of the source code looked promising and was worth inspecting further.

Intercepting Orders:

We decided to take a look at the traffic between the browser and the server using Burp Suite. It revealed a POST request being sent to /api/order with parameters specifying the table number and the food item (in our case, WAFfles).

Deciphering the Menu:

The next obvious step was to delve into the source code, specifically orderController.php. The controller accepted two request body types, 'application/json' and 'application/xml'. The latter caught our interest, and we decided to probe it for XML injection, specifically XML External Entity (XXE) processing.

Injecting the Right Ingredients:

Guided by OWASP's documentation on XML External Entity (XXE) Processing vulnerabilities, we proceeded to craft an XML document that, when processed, would return the contents of the /etc/passwd file from the server. Here's what the payload looked like:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<order>
<food>&xxe;</food>
</order>
```

This XML document declares an entity called 'xxe' whose value is the content of the /etc/passwd file. When the XML processor encounters the '&xxe;' entity reference in the 'food' element, it replaces the reference with the contents of /etc/passwd, which the application then echoes back in its response.

Note: We had to change the Content-Type from 'application/json' to 'application/xml' in Burp Suite to accommodate our new XML document.
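The fix on the server side is not to validate the entity reference but to refuse the DTD that declares it. The following is an added example written for this writeup, not the challenge's orderController.php, showing a hypothetical order handler in Python that accepts the same two content types the controller did, logs DTD markers for detection, and rejects any XML body carrying a DOCTYPE before it reaches a parser. The sample bodies (one mirroring the payload above, two legitimate orders) are constructed for the example.

```python
import json
import re
import xml.etree.ElementTree as ET

# Markers that only occur in DTD markup. Used for detection logging;
# a legitimate order has no reason to carry any of them.
_DTD_MARKERS = {
    "DOCTYPE": re.compile(rb"<!DOCTYPE", re.IGNORECASE),
    "ENTITY": re.compile(rb"<!ENTITY", re.IGNORECASE),
    "SYSTEM": re.compile(rb"\bSYSTEM\s*[\"']", re.IGNORECASE),
    "PUBLIC": re.compile(rb"\bPUBLIC\s*[\"']", re.IGNORECASE),
}


class RejectedOrder(ValueError):
    """Raised when a request body fails validation; the message is safe to log."""


def dtd_indicators(body: bytes) -> list:
    """Names of DTD markers present in a raw body, for alerting/logging."""
    return [name for name, rx in _DTD_MARKERS.items() if rx.search(body)]


def _table_number(value):
    """Accept a positive integer given as int or digit string; else None."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value if value > 0 else None
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip()) or None
    return None


def parse_order(content_type: str, body: bytes) -> dict:
    """Return {'table': int, 'food': str} from a JSON or XML order body.

    XML bodies are refused outright if they carry a DOCTYPE: entity
    declarations can only live inside one, so no DTD means there is no
    &xxe; to expand, whatever the parser's defaults happen to be.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()

    if media_type == "application/json":
        try:
            data = json.loads(body)
        except ValueError as exc:
            raise RejectedOrder(f"malformed JSON: {exc}") from None
        if not isinstance(data, dict):
            raise RejectedOrder("JSON body must be an object")
        raw_table, raw_food = data.get("table"), data.get("food")

    elif media_type == "application/xml":
        if _DTD_MARKERS["DOCTYPE"].search(body):
            raise RejectedOrder("DTD declarations are not accepted")
        try:
            root = ET.fromstring(body)
        except ET.ParseError as exc:
            raise RejectedOrder(f"malformed XML: {exc}") from None
        if root.tag != "order":
            raise RejectedOrder("root element must be <order>")
        raw_table, raw_food = root.findtext("table"), root.findtext("food")

    else:
        raise RejectedOrder(f"unsupported Content-Type: {media_type!r}")

    table = _table_number(raw_table)
    if table is None:
        raise RejectedOrder("table must be a positive integer")
    if not isinstance(raw_food, str) or not raw_food.strip():
        raise RejectedOrder("food must be a non-empty string")
    return {"table": table, "food": raw_food.strip()}


# Constructed sample bodies: XXE_BODY mirrors the payload from the writeup,
# the other two are what a legitimate client would send.
XXE_BODY = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b'<!DOCTYPE foo [\n<!ELEMENT foo ANY >\n'
    b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
    b'<order>\n<food>&xxe;</food>\n</order>\n'
)
GOOD_XML = b"<order><table>3</table><food>WAFfles</food></order>"
GOOD_JSON = b'{"table": "3", "food": "WAFfles"}'

if __name__ == "__main__":
    samples = [
        ("application/xml", XXE_BODY),
        ("application/xml", GOOD_XML),
        ("application/json; charset=utf-8", GOOD_JSON),
    ]
    for ctype, body in samples:
        try:
            print("accepted:", parse_order(ctype, body))
        except RejectedOrder as exc:
            print("rejected:", exc, "| DTD indicators:", dtd_indicators(body))
```

Refusing the DOCTYPE is deliberately done on the raw bytes rather than by configuring the parser, so the check holds regardless of which XML library sits behind it; the indicator list is what you would attach to the rejection log line so that a SIEM rule can count DOCTYPE-bearing bodies hitting /api/order.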

Tasting Success:

As expected, our XML injection was successful, and we were rewarded with the content of the /etc/passwd file.

The Main Course:

With the success of the initial XML injection, we aimed higher. We attempted to fetch the actual flag using the location of /flag, which we already knew from the source folder structure.

Savoring the Victory:

We altered our XML document to reference the /flag file, and just as we had anticipated, we were served with the flag!

Conclusion:

The "Baby WAFfles Order" challenge serves as an entertaining reminder of the critical importance of input validation in web applications. XML External Entity (XXE) attacks, such as the one we demonstrated, can lead to serious data breaches if not mitigated, typically by disabling DTD processing and external entity resolution in the XML parser. As we relish our victory with virtual WAFfles, we can't help but admire the vast world of cybersecurity, replete with exciting challenges that continually push us to learn more.