juice-shop: Offer Expired Challenge: Based on Clock

The flow of the challenge is like this:

  • Name: Clock Manipulation Challenge
  • Description: Order products on offer that expired in 2017
  • Tasks to be done: It would need the user to manipulate the clock of their machine
  • Flow: The user goes to Twitter and finds a tweet about the offer, which gives them the /#/offer/<festive> route. When they try to access it they are shown that the offer has expired, but when they manipulate the clock it works out for them. They are able to order a few products for free on this route.
  • Bug: After the offer expired, the route was never removed.


About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 16 (15 by maintainers)

Most upvoted comments

Yeah, that’s totally okay. We have like 4+ file access challenges. The important thing is to give each one a slightly different twist so they don’t solve both at the same time. The campaign discount challenge @agrawalarpit14 wrote with my review comments applied would make it possible to solve it via clock manipulation or code analysis/request tampering. The deal of the day could totally have one of both attack paths similar but should add a second one that is slightly different.

@agrawalarpit14, you can implement the same in a flash sale sort of thing too.

  • The user has very little time while ordering in flash sales, and the stocks are over after that.
  • The flash sales also start at a certain announced time.
  • So the user would try to place the order for the product before the announced time by manipulating the clock, and will also succeed since the stocks are still full.

This way the coupon area is not reused. And flash sales are common in retail sites for their esteemed products. What do you say, @bkimminich?
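
Both the expired-offer flow and the flash-sale variant discussed in this thread come down to a validity window that is judged against the client's clock. The sketch below is an added example, not Juice Shop code or part of any comment above: it puts a check that trusts a client-supplied timestamp beside one that uses only the server clock and flags the mismatch for logging. The campaign names, dates, and function names are hypothetical.

```javascript
// Added example: all names and campaign data are hypothetical and constructed.
const CAMPAIGNS = new Map([
  // Offer that ended in 2017 (the "expired offer" case).
  ['FESTIVE2017', { discount: 100, validFrom: Date.UTC(2017, 11, 1), validUntil: Date.UTC(2018, 0, 1) }],
  // Flash sale with an announced start time in the future (the "flash sale" case).
  ['FLASHSALE', { discount: 50, validFrom: Date.UTC(2030, 0, 1, 12), validUntil: Date.UTC(2030, 0, 1, 13) }]
]);

// True when timestamp t (ms since epoch) lies inside the campaign window.
const inWindow = (c, t) => Number.isFinite(t) && t >= c.validFrom && t < c.validUntil;

// Weak form: the window is judged against a timestamp the browser controls,
// so changing the local clock changes the outcome.
function discountTrustingClient(code, clientNow) {
  const c = CAMPAIGNS.get(code);
  return c && inWindow(c, clientNow) ? c.discount : 0;
}

// Hardened form: only the server clock decides. The client timestamp is kept
// solely as a detection signal: "client says valid, server says not".
function discountServerSide(code, clientNow, serverNow = Date.now()) {
  const c = CAMPAIGNS.get(code);
  if (!c) return { discount: 0, reason: 'unknown-campaign', suspicious: false };
  const valid = inWindow(c, serverNow);
  const reason = valid ? 'ok' : serverNow < c.validFrom ? 'not-started' : 'expired';
  return {
    discount: valid ? c.discount : 0,
    reason,
    suspicious: !valid && inWindow(c, clientNow) // worth logging with user and order id
  };
}

// Constructed demo: server time is fixed so the output is reproducible.
const demoServerNow = Date.UTC(2024, 0, 1);
const demoRequests = [
  ['FESTIVE2017', Date.UTC(2017, 11, 24)],      // client clock set back into the offer
  ['FLASHSALE', Date.UTC(2030, 0, 1, 12, 30)]   // client clock set forward into the sale
];
for (const [code, clientNow] of demoRequests) {
  console.log(code,
    'client-trusting:', discountTrustingClient(code, clientNow),
    'server-side:', JSON.stringify(discountServerSide(code, clientNow, demoServerNow)));
}
```

The same server-side window check also covers the stated bug of a route that stays reachable after the offer ends, since the order is rejected regardless of how the client arrived at it.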