OWASP Juice Shop Extra Language
Dec 25, 2021
Aldrin Navarro
2 minute read

Cracking the “Extra Language” Challenge

OWASP JUICE SHOP CHALLENGE

Name: Extra Language
Difficulty: ⭐️⭐️⭐️⭐️⭐️
Description: Retrieve the language file that never made it into production.
Category: Broken Anti Automation
Tags: Brute Force

Reconnaissance

The Juice Shop has a language switcher on the top right corner.

Image: Language switcher

Possibly only 38 languages of the i18n module made it to production.

Image: Devtools getting the available languages in prod

The i18n file for a specific language is requested via this endpoint: http://localhost/assets/i18n/<language(_locale)>.json

Discovering the Extra Language

I gathered language codes from many sources, including the following:

  1. https://raw.githubusercontent.com/citation-style-language/locales/master/locales.json
  2. https://raw.githubusercontent.com/richardevcom/JSON-Locales/master/locales.json

I made a script in Go to request the files.

But every time I added a language, it just kept responding with 200 OK, and the challenge banner (which would indicate that we found the extra language) did not appear.

So I thought I would just wing it and see if a fictional language might work. I am a trekker 🖖 and have noticed that a lot of computer geeks are too. So why not add Klingon to the mix!

The language code for Klingon in Minecraft is tlh_aa, which means that we may need to request it from Juice Shop as tlh_AA.

And sure enough, we also get a 200 OK.

Image: Klingon is found on the server

Let’s use Burp Suite to intercept the language switch from the user’s perspective, modify the request to the specific language code tlh_AA, and send it to the server, hoping it changes the language of the website to Klingon.

Image: Klingon is found on the server

Conclusion

To be honest, I wouldn’t have found the flag if it weren’t for the track Data & Picard by Pogo, which reminded me of Star Trek. I’m not sure I would have found it at all otherwise. It would probably have taken me more time going through the list of available language codes.

I believe that if the attack were a brute force, the web app would benefit from rate limiting requests. But in this case, we emulated the user behaviour, effectively bypassing some of the known anti-automation security techniques.
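As an added example of the rate limiting mentioned above (not Juice Shop’s own code; it uses only the Go standard library, and the window, the limit and the client address are assumptions), here is a per-client sliding-window limiter applied only to the translation-file path, with a small harness showing the fourth request from the same address being refused with 429 while other paths are untouched:

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// limiter keeps, per client key, the timestamps of recent requests (sliding window).
type limiter struct {
	mu     sync.Mutex
	window time.Duration
	max    int
	hits   map[string][]time.Time
	now    func() time.Time // injectable clock
}

func newLimiter(window time.Duration, max int) *limiter {
	return &limiter{window: window, max: max, hits: map[string][]time.Time{}, now: time.Now}
}

// allow records a request for key and reports whether it is within the limit.
func (l *limiter) allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	// drop timestamps that have aged out of the window (filter in place)
	kept := l.hits[key][:0]
	for _, t := range l.hits[key] {
		if now.Sub(t) < l.window {
			kept = append(kept, t)
		}
	}
	if len(kept) >= l.max {
		l.hits[key] = kept
		return false
	}
	l.hits[key] = append(kept, now)
	return true
}

// LimitI18n lets at most l.max requests per l.window per client IP reach the
// translation files under /assets/i18n/; every other path passes straight through.
func LimitI18n(next http.Handler, l *limiter) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/assets/i18n/") {
			ip, _, err := net.SplitHostPort(r.RemoteAddr)
			if err != nil {
				ip = r.RemoteAddr
			}
			if !l.allow(ip) {
				w.Header().Set("Retry-After", "60")
				http.Error(w, "too many requests", http.StatusTooManyRequests)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// StatusSequence sends n requests for path from one (constructed) client
// address through the limiter and returns the status code of each.
func StatusSequence(path string, n, max int) []int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.Write([]byte("{}")) // stands in for the real translation file
	})
	h := LimitI18n(backend, newLimiter(time.Minute, max))
	codes := make([]int, 0, n)
	for i := 0; i < n; i++ {
		req := httptest.NewRequest("GET", path, nil)
		req.RemoteAddr = "10.0.0.9:51234" // constructed client address
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		codes = append(codes, rec.Code)
	}
	return codes
}

func main() {
	fmt.Println("i18n path: ", StatusSequence("/assets/i18n/tlh_AA.json", 5, 3)) // [200 200 200 429 429]
	fmt.Println("other path:", StatusSequence("/rest/products/search", 5, 3))    // [200 200 200 200 200]
}
```

A limit like this bounds a script that walks a locale list, which is the brute-force case the paragraph above describes. It does little against a single hand-crafted request sent through an intercepting proxy, so it belongs alongside a detection rule rather than in place of one, and behind a reverse proxy the client key should come from the trusted forwarded-for header rather than RemoteAddr.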

References

  1. OWASP Juice Shop https://github.com/juice-shop/juice-shop
