OWASP Jucie Shop. Broken Access Control • secjedi.io Explore Broken Access Control Mechanisms.  <meta name="google-site-verification" content="dlmaryRAagFswA-YxipBiuF9yWB1N45VF-FCf2bft9k"> <meta name="title" content="OWASP Jucie Shop. Broken Access Control • secjedi.io"> <meta name="description" content="Explore Broken Access Control Mechanisms."> <meta name="author" content="Evidence Monday">  <meta property="og:type" content="article"> <meta property="og:url" content="https://secjedi.github.io/post/3_broken_access/"> <meta property="og:title" content="OWASP Jucie Shop. Broken Access Control"> <meta property="og:description" content="Explore Broken Access Control Mechanisms."> <meta property="og:image" content="https://secjedi.github.io/_astro/door.vd9vVeQV.png"> <meta property="article:author" content="Evidence Monday"> <meta property="article:published_time" content="2025-03-16T23:00:00.000Z">  <meta property="linkedin:card" content="summary_large_image"> <meta property="linkedin:url" content="https://secjedi.github.io/post/3_broken_access/"> <meta property="linkedin:title" content="OWASP Jucie Shop. Broken Access Control"> <meta property="linkedin:description" content="Explore Broken Access Control Mechanisms."> <meta property="linkedin:image" content="https://secjedi.github.io/_astro/door.vd9vVeQV.png">  <meta property="medium:card" content="summary_large_image"> <meta property="medium:url" content="https://secjedi.github.io/post/3_broken_access/"> <meta property="medium:title" content="OWASP Jucie Shop. Broken Access Control"> <meta property="medium:description" content="Explore Broken Access Control Mechanisms."> <meta property="medium:image" content="https://secjedi.github.io/_astro/door.vd9vVeQV.png">  <link rel="alternate" type="application/rss+xml" title="secjedi.io" href="/rss.xml">

This blog explains a breakdown of the Broken Access Control in the OWASP juice shop website.

Manipulate Basket

Put another product in another user’s shopping Basket

Go to Account > Login > register new user
Now login with new user
Go to basket. See that it’s empty
Go to Home page and add Banana Juice to basket
Go to burp and check request
See the productId, BascketId and quantity
Send request again, we see a product id validation error
Change productid and try again Noe we get a success reponse
Let’s check our basket for the added product
We see a T-Shirt
Now, that we understand the functionality, let’s see if we can add something to another basket that we shouldn’t have access to
Change basketid to 6, we et 401 unauthorized error. Now, what can we do to circumvent this control
There are fairly various mechanisms to bypass access control

We could try to send the request with the parameter twice

So, what we’re trying to do here is parameter pollution.
After lots of maniputlation, we get a successful addition
We see that using the actual basketid first before the target basket leads us to add items to a basket we originally should not have contorl over.