Cracking the “Extra Language” Challenge
OWASP JUICE SHOP CHALLENGE
|Extra Language||⭐️⭐️⭐️⭐️⭐️||Retrieve the language file that never made it into production.||Broken Anti Automation||Brute Force|
The Juice Shop has a language switcher on the top right corner.
Possibly only 38 languages made it to production of the i18n module.
Requesting for the i18n file for a specific language is via this endpoint :
Discovering the Extra Language
I gather many sources of language codes including the following:
Made a script in Go to request for the files.
But every time I add a language, it just keeps responding with 200 OK and that the challenge banner does not appear (indicating we found the extra language).
So I thought to just wing it and see if a fictional language may work. I am a trekker 🖖 and noticed a lot of computer geeks are too. So why not add Klingon to the mix!
The language code for Klingon on the Minecraft is
tlh_aa which means that we may need to request it from Juice Shop as
And sure enough, we also get a 200 OK.
Let’s use BurpSuite to intercept the switching of language from the user perspective, modify the request to the specific language code tlh_AA, and send it to the server hoping it changes the language of the website to Klingon.
To be honest, I wouldn’t have found the flag if it wasn’t for the track Data & Picard by Pogo and remembered Star Trek. I’m not sure if I would have found it if at all not for this. Probably will take me more time from the list of language codes available.
I believe if the attack was to be brute force, the web app will benefit from rate limiting requests. But for this case, we emulate the user behavior effectively bypassing some of the known anti-automation security techniques.
- OWASP Juice Shop https://github.com/juice-shop/juice-shop
🐋 hello there! If you enjoy this, a
Or you can also ...Buy me a tea