- Install Docker on your computer.
- On the command line run `sudo docker pull bkimminich/juice-shop` to download the latest image described above.
- Run `sudo docker run -d -p 127.0.0.1:3000:3000 bkimminich/juice-shop` to launch the container with that image.
- Browse to http://localhost:3000 in the Burp Suite browser.
So we need to find the score board?
Inspect:
Under Sources, numerous js files can be seen. Check out the main.js file. Ctrl+F to search for the keyword 'Score Board'. Read through.
Keep going!
Here you can see the resolved path, and that is the suffix you need to add to the url:
http://localhost:3000/#/score-board
Success!!!
Hints: This challenge is about nagging the support chatbot to hand out a coupon code that can subsequently be used to get a discount during the checkout process. The bot is reluctant to give you a coupon as it's coming up with various excuses for not giving you one. Asking over and over again like a little kid might actually help you succeed in this case.
While I was exploring, I had created an account with a non-existent email and password. Logging in is needed to access the chatbot. While adding stuff to the basket and going through the checkout process, there was a section to enter the coupon during checkout. (Obsolete)
From the side menu on the left, click on the support chat. Basically spam it with coupon requests. Here we go: `k#*Agg+yBo`
Another success!!!
Somewhere in the application you can find a file that contains sensitive information about some - potentially hostile - takeovers the Juice Shop top management has planned. Analyze and tamper with links in the application that deliver a file directly. The file you are looking for is not protected in any way. Once you have found it you can also access it.
--> Trying to solve this using Burp Suite. Is there a way to list files using Burp Suite? Can sending the request to Intruder help?
--> Searching for tools to crawl and list the documents on a website. [dirb, dirbuster, gobuster]
Let's use dirb.
lol! Let's come back to this later.
Let's check these files out. Inside ftp, there was an acquisitions file. It seemed to match the description. On going back to the shop we have the success notification.
Success!!!
--> Go to account, select privacy policy and the challenge is solved.
From the official Juice Shop documentation, we can discern that Shift + closing one notification closes all of them.
- Searched `website+security policy+standard path`. The result popped up with https://securitytxt.org/.
- So we can try the path `security.txt`.
- And the challenge is solved:
Authentication and access controls not properly implemented: an unauthorized user can access sensitive data, e.g. a customer can view documents meant for the admin.
- Add products to the basket.
- Inspect the page. Under Application you can see Session Storage.
Session key: an encryption and decryption key that is randomly generated to ensure the security of a communications session between a user and another computer or between two computers.
- Change the value of bid and refresh.
- You have successfully peeked into the basket of another user from your account.
- Open the customer feedback page. Send a normal feedback and analyze it with Burp Suite to understand the fields.
- The user_id field can be seen as one of the fields.
- Try manipulating that and send the request. The feedback was accepted when I changed it to 2.
- Challenge Solved.
- Logout and login with the admin creds.
- Found the admin email from the product review of the first juice. Gave that and started guessing just for fun: `admin123` was the first guess and it worked. sigh
Since it was an unsatisfying solve, let's try another approach.
- Intercept the login with Burp Suite.
- Right click and send to Intruder.
- Set payload options with any brute-forcing password list, e.g. rockyou.txt.
- Start attack.
`admin123` returned with a 200 HTTP status code and a response length of 1162.
- When solving the admin section challenge, there was a feedback section with delete options.
- On deleting the five-star feedback after navigating to Administration, the challenge is solved.
Stars: 3/6
- Created another account called test and went to the profile section from Account.
- There we have a username section and what we need to do is basically send a POST request from another site to the profile section to change the username.
- CSRF payload: this GitHub page had the payload to change the username:
No change in the username. In the official write-up, they suggest using an older Firefox or Chrome version. Revisit.
- Web3-Sandbox
- Inspect main.js.
- Search for web3 and you get a path like this:
- Open http://localhost:3000/#/web3-sandbox and the challenge is solved:
Searched for weak cryptographic algorithms. Got MD5 and DES as some answers. Gave MD5 in the comment section and the challenge was solved.
Submit and Success!!!
The popular monitoring system mentioned is Prometheus.
You can also verify that Prometheus is serving metrics about itself by navigating to its own metrics endpoint: http://localhost:9090/metrics. In our case: http://localhost:3000/metrics.
Challenge Solved!
- Searched the code with the keyword `nft` and saw a path related to nft.
- Traversed to the page by appending the path to the url: http://localhost:3000/#/juicy-nft.
- Got stuck for some time. Accidentally found an nft-related feedback in the Administration page from the admin section:
`purpose betray marriage blame crunch monitor spin slide donate sport lift clutch`. A Google search revealed that it might be a seed phrase for the nft account.
Seed phrases contain all the information required to retrieve an account.
- Searched how to convert a seed phrase to a private key and got a mnemonic code converter tool.
- On scrolling down, you can find a lot of private keys:
- But when entered it showed the error:
- So changed the coin to ETH and gave the first private key.
- Challenge Solved!!
Make sure that the Derivation Path is BIP44. As Ethereum (ETH): Standard BIP44: m/44'/60'/0'/0/0
Category: Sensitive Data Exposure
- Search online for MC SafeSearch.
- This brings the music video "Protect Ya' Passwordz" to your attention.
- Watch this video to learn that MC used the name of his dog "Mr. Noodles" as a password but changed "some vowels into zeroes".
- Visit http://localhost:3000/#/login and log in with Email [email protected] and Password Mr. N00dles to solve this challenge.
- Challenge solved!!
- From the metadata of images and hiking in the park, we can head to the Photo Wall.
- There we see this:
- Download the photo and use exiftool.
- The metadata that we got. Pay attention to the Latitude and Longitude that we got.
- Change those to the DD format: 36.958717N, 84.348217W.
- Search on Google and we get Daniel Boone National Forest.
- Logout and use Forgot Password. Enter John's email, [email protected], and the place in the security question field.
- The challenge is solved!!
- Go to the Photo Wall and search for the photo that has been posted by the user E=ma².
- Open the image so that you can zoom in on it.
- On the far left window on the middle floor, you can see the logo of a company. It can be seen that the logo shows the name ITsec.
- Go to the login page and click on Forgot your password?.
- Fill in [email protected] as the email and ITsec as the answer to the security question.
- Challenge Solved!!!
Inject malicious code through an application into another system. Attacks:
- SQL injection: inject malicious SQL queries to manipulate the db.
- Command injection: inject arbitrary commands into the system shell or OS command interpreter to make the system execute them unintendedly.
- NoSQL injection: similar to SQLi but targets NoSQL dbs like MongoDB.
- LDAP (Lightweight Directory Access Protocol) injection: inject malicious LDAP queries to manipulate directory service operations.
- XML injection: inject malicious XML content into an application that processes XML data, for info disclosure, denial of service or data manipulation. (Some others include: XPath injection, Code Injection, CRLF (Carriage Return and Line Feed) injection, Host header injection, Email Header injection.)
Any time an application uses an interpreter of any kind, there is a risk of introducing an injection vulnerability.
When a web application passes information from an HTTP request through as part of an external request, it must be carefully scrubbed.
Login with the administrator's user account.
To solve this we would have to manipulate the login page, as we need to login as admin.
- The first account in a database is often an administrative user; we can exploit this behavior to log in as the first user in the database.
- Here we use `' or 1=1 --` to manipulate the name field, access the first account and login.
This causes the application to perform the query: `SELECT * FROM users WHERE username = '' OR 1=1-- ' AND password = 'foo'`
Because the comment sequence (--) causes the remainder of the query to be ignored, this is equivalent to: `SELECT * FROM users WHERE username = '' OR 1=1`
Mitigation recommendation: restrict the access of the application, or introduce a filter to check the db queries.
- `<script>alert(xss)</script>`: we can see that the script tag is embedded in the js console but nothing much happens. But we now know that the site is vulnerable to XSS.
This was a DOM XSS attack, because your payload was handled and improperly embedded into the page by the application frontend code without even being sent to the server.
- Copy and paste the payload given in the description into the same search field in the DOM XSS challenge:
`<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>`
Category: Improper Input Validation. OWASP input validation cheat sheet
The customer feedback rating is from 1 star to 5 stars. Need to give a 0 star rating.
- Open the feedback form and inspect.
- Open the Elements tab and search for Submit. You can see the code for the Submit button:
- Remove the disabled = 'True' attribute under Edit as HTML and submit the form. Since there is no rating provided, it will be treated as null.
Challenge Solved!!
Mitigation:
- Enhance client-side scripts to prevent easy tampering from the developer console.
- Ensure that the datatype for rating doesn't accept `null` or any other datatypes as default.
Category: Improper input Validation
--> User registration has a repeat password section. The DRY (Don't Repeat Yourself) principle says that every piece of knowledge must have a single, unambiguous, authoritative representation within a system.
- Logout and register as a customer. Fill in all the sections and give the repeat password wrong on purpose.
- Inspect the tab. I was searching along the repeat password tab, but since the Register button is the one disabled, you need to manually change it there.
- Manually change disabled="true" through Edit as HTML and click the Register button.
Challenge Solved!!
Mitigation:
- Ensure that all input validations performed on the client side are also enforced on the server side. This includes matching password fields, input length restrictions, format requirements, and more.
- Forms should be designed to reject submissions where critical fields have been tampered with or do not meet the application's requirements.
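Both mitigations above, and the zero-star rating before them, come down to re-running the form's rules on the server. The Python below is an added example, not code from this write-up or from Juice Shop, of validating the feedback and registration JSON bodies server side so that a stripped disabled attribute in the browser changes nothing; the field names and the minimum password length are assumptions.

```python
# Server-side re-check of the rules the form enforces in the browser: a 1-5 star
# rating (the zero-star challenge) and matching passwords (the repeat-password challenge).

RATING_RANGE = range(1, 6)
MIN_PASSWORD_LEN = 5  # assumed policy, not Juice Shop's real one

def validate_feedback(body):
    """Return a list of error strings for a feedback JSON body; an empty list means accept."""
    errors = []
    rating = body.get("rating")
    # Reject a missing field (None), booleans, floats and numeric strings alike:
    # only an int in 1..5 passes, so a tampered 0 or a stripped field cannot be stored.
    if type(rating) is not int or rating not in RATING_RANGE:
        errors.append("rating must be an integer from 1 to 5")
    if not isinstance(body.get("comment"), str) or not body["comment"].strip():
        errors.append("comment is required")
    return errors

def validate_registration(body):
    """Return a list of error strings for a registration JSON body; an empty list means accept."""
    errors = []
    email = body.get("email")
    password = body.get("password")
    repeat = body.get("passwordRepeat")
    if not isinstance(email, str) or "@" not in email.strip():
        errors.append("email is required")
    if not isinstance(password, str) or len(password) < MIN_PASSWORD_LEN:
        errors.append(f"password must be at least {MIN_PASSWORD_LEN} characters")
    elif password != repeat:
        # The browser already compared these two fields; the server compares them again.
        errors.append("passwords do not match")
    return errors
```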
Category: improper input validation
- Access the Photo Wall and notice that the first image seems to be broken.
- On searching through the source with the keyword `zatschi` for the tag, you notice the src has the image url. There seems to be an encoding problem with this url, so use an online url encoder to encode the url properly.
- The url that I got is: `assets%2Fpublic%2Fimages%2Fuploads%2F%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg`
- Manually edit as HTML and add that encoded url to the src.
The photo shows up now but the challenge is not marked as solved.
Try 2
- Switch to Firefox and open localhost:3000.
- Inspect element and open the Network tab (refresh the page for all files to show up).
- You can see the cat emoji as the filename.
- Click on Edit and Resend and the page on the left shows up. We can try to replace the GET request with the encoded url http://localhost:3000/assets/public/images/uploads/%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg
(It seems that the hashes are the problem and those are the ones that needed encoding.)
Instead of using an online encoder, just replacing the # with `%23` solved the challenge.
Challenge solved!
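The reason only the `#` characters needed escaping is that `#` starts a URL fragment, which the browser strips before the request is sent, while non-ASCII bytes such as the cat emoji are percent-encoded automatically. The Python below is an added example, not from this write-up or from Juice Shop, that reproduces the encoded strings above with urllib; the file name is constructed to match the one on the photo wall.

```python
from urllib.parse import quote, unquote, urlsplit

BASE = "http://localhost:3000/assets/public/images/uploads/"
# Constructed file name in the shape of the broken photo-wall image: an emoji and two '#'s.
FILENAME = "😼-#zatschi-#whoneedsfourlegs-1572600969477.jpg"

def path_sent_to_server(url):
    """Everything after the first raw '#' is a fragment, which the browser never sends."""
    return urlsplit(url).path

def encode_segment(name):
    """Percent-encode one path segment: '#' -> %23, '/' -> %2F and the emoji's UTF-8
    bytes -> %F0%9F%98%BC, while letters, digits, '-' and '.' stay as they are.
    Applied to a whole relative path this is what the online encoder produced."""
    return quote(name, safe="")

def encode_path(path):
    """Percent-encode a path but keep the '/' separators, as a browser would."""
    return quote(path, safe="/")

def fix_only_hashes(name):
    """The minimal fix the write-up landed on: browsers encode the emoji themselves,
    but '#' must be escaped by hand because it is a URL delimiter."""
    return name.replace("#", "%23")

def filename_seen_by_server(url):
    """The file name a server decodes from the request path (last segment, unquoted)."""
    return unquote(path_sent_to_server(url).rsplit("/", 1)[-1])
```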
category: Improper Input Validation Stars: 2
- Logout and login with a random user account.
- Intercept that using Burp Suite. Change the email and password fields to the empty string `""`. Forward and turn off the interceptor.
- The challenge is solved.
category: Improper Input Validation
- Logout and try to set up a normal account.
- Use Burp Suite to intercept. This is the blocked request.
- Check the HTTP history and in the response you can see a `role: customer`.
- We can add a parameter `"role": "admin"` to the request to elevate the privileges.
- Forward and turn off the interceptor and the challenge is solved.
- Challenge solved!~
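The bid in session storage, the user_id in the feedback request and the role added to the registration request above are all values the server should never take from the client. The Python below is an added example, not code from this write-up or from Juice Shop, showing handlers that take identity and role from the session and build records from an allowlist of fields; the data, field names and handler shapes are assumptions.

```python
# Constructed in-memory data; not Juice Shop's real schema, accounts or handlers.
BASKETS = {1: {"owner": 1, "items": ["apple juice"]}, 2: {"owner": 2, "items": ["lemon juice"]}}
USERS = {}
FEEDBACK = []

class Forbidden(Exception):
    """Raised when the session user is not allowed to see the requested object."""

# The only registration fields a client may set. "role" is absent on purpose.
REGISTRATION_FIELDS = ("email", "password")

def register(body):
    """Build the user record from an allowlist instead of storing the whole JSON body."""
    user = {field: body.get(field) for field in REGISTRATION_FIELDS}
    user["role"] = "customer"  # assigned by the server; a "role": "admin" in the body is ignored
    user_id = len(USERS) + 1
    USERS[user_id] = user
    return user_id, user

def get_basket(session_user_id, bid):
    """The bid may still arrive from the client (session storage, a URL), but the basket
    is only returned when it belongs to the user the session authenticated."""
    basket = BASKETS.get(bid)
    if basket is None or basket["owner"] != session_user_id:
        raise Forbidden(f"basket {bid} is not owned by user {session_user_id}")
    return basket

def submit_feedback(session_user_id, body):
    """user_id is taken from the session, so a tampered user_id in the body changes nothing."""
    record = {"user_id": session_user_id, "comment": body.get("comment"), "rating": body.get("rating")}
    FEEDBACK.append(record)
    return record
```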
- From various tries, we can try guessing the email as [email protected] and craft the payload as `[email protected]'--`.
- Enter any password and the challenge is solved.
- Same procedure as above. Give the username as `[email protected]'--` and any password.
- The challenge is solved.
Alternatively, giving the username as `' or 1=1 and email like('%bender%');--` will also work.
Mitigation: User input should always be subject to a sanitizing or validation process on the server side before being processed. Because this case deals with an SQL injection, input data should be sanitized server side of interpretable SQL symbols and instructions.
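The `' or 1=1 --` login bypass earlier and the `...'--` email trick above work for the same reason: the submitted text is pasted into the SQL statement. The Python below is an added example, not code from this write-up or from Juice Shop, that rebuilds a minimal login check on an in-memory SQLite table and shows the concatenated query beside the parameterised one; the table layout, the constructed accounts and the plaintext passwords are assumptions.

```python
import sqlite3

# Constructed sample users; not Juice Shop's real schema, accounts or password storage.
USERS = [
    (1, "admin@example.test", "admin123", "admin"),
    (2, "bender@example.test", "s3cret", "customer"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", USERS)
    return conn

def rendered_sql(email, password):
    """The statement the vulnerable login actually sends to the database."""
    return f"SELECT id, email FROM Users WHERE email = '{email}' AND password = '{password}'"

def login_vulnerable(conn, email, password):
    """String concatenation: the submitted text becomes part of the SQL statement, so
    a quote closes the literal and '--' comments out the password check."""
    return conn.execute(rendered_sql(email, password)).fetchone()

def login_fixed(conn, email, password):
    """Parameterised query: the same text is bound as a value and can never change the
    statement, so the injected quote is just a character in an email that matches nobody."""
    sql = "SELECT id, email FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()
```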
Category: Unvalidated redirects
- Searched the bitcoin and eth keywords in the console. No result! While checking out main.js, the bitcoin keyword gave search results.
There seems to have been a QR code to accept bitcoin, and from the results we can see the redirect url.
- Need to redirect to another link in the outdated allowlist.
- Copy the section `/redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm` and add it to the original localhost:3000 url. And you are successfully redirected.
Challenge Solved
These are the issues that I found in the js console that might have triggered the success message for this challenge. (check up about this)
To trigger: keep intercept on and click on any product on the home page. The request will be captured by Burp Suite and you can modify this request to trigger an error.
After enabling this, forward the request. Success!! Challenge solved.
The error message is shown here (improper error handling), and by following this path attackers can find out file locations. Again edit the request and the files can be seen by causing an internal server error.
You can see some file locations here.
The 500 Internal Server Error in the js console.
Mitigation recommendation: error messages or debugging info should not reveal sensitive information.
Stars: 2
Hint: B2B is a Business-to-Business interface. The Juice Shop web UI is B2C (Business-to-Customer).
- Scoured the page for any fitting functionality, especially those with a file upload or similar feature.
- The Complaint field has the feature. Tried uploading a file; the error message that only PDF or ZIP are allowed came up.
- XML seems to be allowed. Create an empty file with the xml extension and upload that file.
Mitigation:
- Maintain and clean up the outdated code.
- Secure File Uploads: implement server-side validation for file uploads too. Ensure that MIME type checks are performed on the server side and not just client-side, and scan uploaded files for malware.