OWASP JUICE SHOP

Setting up

  1. Install Docker on your computer.

  2. On the command line run sudo docker pull bkimminich/juice-shop to download the latest image described above.

  3. Run sudo docker run -d -p 127.0.0.1:3000:3000 bkimminich/juice-shop to launch the container with that image.

  4. Browse to http://localhost:3000 in the Burp Suite embedded browser.

Solutions

MISC

1. Scoreboard

image

So we need to find the score board?

Inspect the page: under Sources, numerous JS files can be seen. Open the main.js file and use Ctrl+F to search for the keyword 'Score Board'. Read through the matches.

image

Keep going!

image

Here you can see the resolved route, which is the path you need to append to the URL.

http://localhost:3000/#/score-board

image

Success!!!

2. Bully Chatbot

hints: This challenge is about nagging the support chatbot to hand out a coupon code that can subsequently be used to get a discount during the checkout process. The bot is reluctant to give you a coupon, as it comes up with various excuses for not giving you one. Asking over and over again like a little kid might actually help you succeed in this case.

While I was exploring, I had created an account with a non-existent email and password. Logging in is needed to access the chatbot. And while adding stuff to the basket and going through the checkout process, there was a section to enter the coupon during checkout. (Obsolete)

From the side menu on the left, click on the support chat. Basically, spam it with coupon requests. Here we go.

image

k#*Agg+yBo

image

Another success!!!

3. Access a confidential document

Somewhere in the application you can find a file that contains sensitive information about some - potentially hostile - takeovers the Juice Shop top management has planned. Analyze and tamper with links in the application that deliver a file directly. The file you are looking for is not protected in any way. Once you have found it, you can also access it.

--> Trying to solve this using Burp Suite. Is there a way to list files using Burp Suite? Would sending the request to Intruder help?

--> Searching for tools to crawl and list the documents on a website: [dirb, dirbuster, gobuster]

Let's use dirb.

While I was using dirb I accidentally got a solve: image

lol! Let's come back to this later.

image

Let's check these files out. Inside ftp, there was an acquisitions file. It seemed to match the description. On going back to the shop, we have the success notification.

image

Success!!!

4. Privacy Policy

--> Go to Account, select Privacy Policy, and the challenge is solved.

5. Mass Dispel

From the official Juice Shop documentation, we can discern that Shift + closing one notification closes all of them.

6. Security Policy

hint

  1. Searched for website + security policy + standard path. The result that popped up was: https://securitytxt.org/.
  2. So we can try the path security.txt.
  3. image The challenge is solved: image

OWASP top 10

A1. Broken Access Control

Authentication and access controls are not properly implemented, so an unauthorized user can access sensitive data. E.g.: a customer can view documents meant for the admin.

1. View Basket (Horizontal privilege escalation)

hint

image

  1. Add products into the basket.
  2. Inspect the page. Under Application you can see Session Storage.

Session key: an encryption and decryption key that is randomly generated to secure a communications session between a user and another computer, or between two computers.

  1. image

  2. Change the value of bid and refresh.

  3. You have successfully peeked into the basket of another user from your account. image

2. Forged Feedback

  1. Open the customer feedback page. Send a normal feedback and analyze it with Burp Suite to understand the fields.
  2. image

This user_id field can be seen as one of the fields.

  3. Try manipulating that and send the request. The feedback was accepted when I changed it to 2.
  4. image

Challenge Solved.

3. Password Strength

hint

  1. Log out and log in with the admin creds.

  2. Found the admin email in the product review of the first juice. Gave that and started guessing just for fun: admin123 was the first guess and it worked. Sigh.

  3. image

Since it was an unsatisfying solve, let's try another approach.

  1. Intercept the login with Burp Suite.
  2. Right click and send to Intruder.
  3. Set the payload options with any brute-forcing password list, e.g. rockyou.txt.
  4. Start the attack. admin123 returned a 200 HTTP status code and a response length of 1162.

4. Five-star Feedback

hint

  1. When solving the admin section challenge, there was a feedback section with delete options.
  2. On deleting the five-star feedback after navigating to Administration, the challenge is solved. image

5. CSRF

Stars: 3/6

hint

html editor

  1. Created another account called test and went to the profile section from Account.
  2. There we have a username section, and what we need to do is send a POST request from another site to the profile section to change the username.
  3. CSRF payload: this GitHub page had the payload to change the username:

```html
<script> document.getElementById("autosubmit").submit(); </script>
```

No change in the username. In the official write-up, they suggest using an older Firefox or Chrome version. Revisit.

6. Web3-Sandbox

hint

  1. Inspect main.js.
  2. Search for web3 and you get a path like this: image
  3. Navigate to http://localhost:3000/#/web3-sandbox and the challenge is solved: image

A2. Cryptographic Failures

1. Weird Crypto

hint

Searched for weak cryptographic algorithms. Got MD5 and DES as some of the answers. Gave MD5 in the comment section and the challenge was solved.

image

Submit and Success!!!

2. Exposed Metrics

The popular monitoring system mentioned is Prometheus.

hint

From the Prometheus manual:

You can also verify that Prometheus is serving metrics about itself by navigating to its own metrics endpoint: http://localhost:9090/metrics. In our case this is http://localhost:3000/metrics.

image

Challenge Solved!

3. NFT Takeover

hint

  1. Searched the code with the keyword nft and saw a path related to NFTs. image

  2. Navigated to the page by appending the path to the URL: http://localhost:3000/#/juicy-nft.

  3. Got stuck for some time. Accidentally found an NFT-related feedback entry in the Administration page from the Account section. image

  4. purpose betray marriage blame crunch monitor spin slide donate sport lift clutch. A Google search revealed that it might be a seed phrase for the NFT account.

Seed phrases contain all the information required to recover an account.

  1. Searched for how to convert a seed phrase to a private key and found a mnemonic code converter tool.
  2. image On scrolling down, you can find a lot of private keys: image
  3. But when entered, it showed the error: image
  4. So changed the coin to ETH and gave the first private key.
  5. image Challenge Solved!!

Make sure that the derivation path is BIP44. For Ethereum (ETH), the standard BIP44 path is m/44'/60'/0'/0/0.

4. Login MC SafeSearch

Category: Sensitive Data Exposure

  1. Search online for MC SafeSearch.
  2. This brings the music video "Protect Ya' Passwordz" to your attention.
  3. Watch the video to learn that MC used the name of his dog "Mr. Noodles" as a password but changed "some vowels into zeroes".
  4. Visit http://localhost:3000/#/login and log in with email [email protected] and password Mr. N00dles to solve this challenge.
  5. image Challenge solved!!

5. Meta Geo Stalking

hint

  1. From the hints "metadata of images" and "hiking in the park", we can head to the photo wall.
  2. There we see this: image
  3. Download the photo and use exiftool.
  4. image This is the metadata that we got. Pay attention to the latitude and longitude.
  5. Convert those to DD format: 36.958717N, 84.348217W.
  6. Search on Google and we get Daniel Boone National Forest.
  7. Log out and click Forgot Password. Enter John's email [email protected] and the place in the security question field. image
  8. image The challenge is solved!!

6. Visual Geo Stalking

hint

  1. Go to the photo wall and look for the photo posted by the user E=ma².
  2. Open the image so that you can zoom in on it.
  3. In the far-left window on the middle floor, you can see a company logo. The logo shows the name ITsec.
  4. Go to the login page and click on Forgot your password?.
  5. Fill in [email protected] as the email and ITsec as the answer to the security question.
  6. image Challenge Solved!!!

A3. Injection

Inject malicious code through an application into another system. Attacks:

  1. SQL injection: inject malicious SQL queries to manipulate the database.
  2. Command injection: inject arbitrary commands into the system shell or OS command interpreter to make the system execute them unintentionally.
  3. NoSQL injection: similar to SQLi but targets NoSQL databases like MongoDB.
  4. LDAP (Lightweight Directory Access Protocol) injection: inject malicious LDAP queries to manipulate directory service operations.
  5. XML injection: inject malicious XML content into an application that processes XML data, for information disclosure, denial of service or data manipulation. (Others include: XPath injection, code injection, CRLF (carriage return and line feed) injection, host header injection, email header injection.)

Reference

Any time an application uses an interpreter of any kind, there is a risk of introducing an injection vulnerability.

When a web application passes information from an HTTP request through as part of an external request, it must be carefully scrubbed.

1. Login Admin (SQL injection)

Login with administrator's user account.

hint

To solve this we have to manipulate the login form, since we need to log in as admin.

  1. Try ' in the name field to see how it reacts. Error: image

  2. The first account in a database is often an administrative user; we can exploit this behavior to log in as the first user in the database.

  3. Here we use ' or 1=1 -- in the name field to match the first account and log in.

This causes the application to perform the query: SELECT * FROM users WHERE username = '' OR 1=1-- ' AND password = 'foo'

Because the comment sequence (--) causes the remainder of the query to be ignored, this is equivalent to: SELECT * FROM users WHERE username = '' OR 1=1

  1. Yep, it's a success! image

Mitigation recommendation: restrict the application's database access, or introduce a filter that checks the queries sent to the database.
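To make the mechanism above concrete, here is an added example (not Juice Shop's code, and not from the original write-up) that builds a small SQLite users table and runs the login query both ways: concatenated, as in the vulnerable query above, and with bound parameters, which is the server-side fix the recommendation above is pointing at. The table, the e-mail addresses and the password strings are constructed for the example.

```python
import sqlite3

# Constructed sample data (not Juice Shop's real schema): the admin is the
# first row, which is why "' OR 1=1 --" ends up logged in as admin. The
# password column holds placeholder strings; a real application stores
# salted hashes, which is a separate topic from the injection shown here.
SAMPLE_USERS = [
    (1, "admin@example.test", "placeholder-admin-secret"),
    (2, "jim@example.test", "placeholder-jim-secret"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(email, password):
    """String concatenation: the user input becomes part of the SQL grammar."""
    return (
        "SELECT id, email FROM users WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, email, password):
    """Vulnerable login: a quote or a '--' in the input rewrites the query,
    so the password check is commented out and the first row is returned."""
    return conn.execute(build_vulnerable_query(email, password)).fetchone()


def login_safe(conn, email, password):
    """Hardened login: parameter binding sends the values separately from the
    statement, so a quote or '--' in them is matched literally, never parsed."""
    query = "SELECT id, email FROM users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("' OR 1=1 --", "foo"))
    print("vulnerable:", login_vulnerable(db, "' OR 1=1 --", "foo"))
    print("safe:      ", login_safe(db, "' OR 1=1 --", "foo"))
```

Running it prints the rewritten query and shows that the concatenated version returns the admin row while the parameterized version returns nothing for the same input; the Login Jim and Login Bender payloads further down the page (email'--) behave the same way against these two functions.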

2. DOM XSS(Document Object Model-based Cross-site Scripting)

hint

  1. <script>alert(xss)</script>: we can see that the script tag is embedded in the JS console, but nothing much happens. Still, we now know that the site is vulnerable to XSS.

  2. Try another payload: <iframe src="javascript:alert(xss)"> image

  3. Success!!! image

This was a DOM XSS attack, because the payload was handled and improperly embedded into the page by the application's frontend code, without even being sent to the server.

3. Bonus Payload(SQL injection)

hint

  1. Copy and paste the payload given in the description into the same search field as in the DOM XSS challenge.

<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>

  1. Submit and Success!!! image

4. Zero Stars

Category: Improper Input Validation. OWASP input validation cheat sheet

hint

The customer feedback rating goes from 1 star to 5 stars. We need to give a 0-star rating.

  1. Open the feedback form and inspect it.

  2. Open the Elements tab and search for Submit. You can see the code for the Submit button: image

  3. Remove the disabled = 'True' attribute via Edit as HTML and submit the form. Since no rating is provided, it is accepted as null.

  4. image

Challenge Solved!!

Mitigation:

  1. Harden client-side scripts to prevent easy tampering from the developer console.
  2. Ensure that the data type for rating does not accept null or any other data type as a default.

5. Repetitive Registration

Category: Improper input Validation

hint

--> User registration has a repeat-password field. The DRY (Don't Repeat Yourself) principle states that every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

  1. Log out and register as a customer. Fill in all the fields and enter the repeat password wrong on purpose.

  2. Inspect the tab. I was searching along the repeat password field, but since the Register button is the one that is disabled, you need to manually change it there. image

  3. disabled="true": manually change this via Edit as HTML and click the Register button.

  4. image

Challenge Solved!!

Mitigation:

  1. Ensure that all input validations performed on the client side are also enforced on the server side. This includes matching password fields, input length restrictions, format requirements, and more.
  2. Forms should be designed to reject submissions where critical fields have been tampered with or do not meet the application’s requirements.

6. Missing Encoding

Category: Improper Input Validation

hint

  1. Access the Photo Wall and notice that the first image seems to be broken.
  2. On searching through the source with the keyword zatschi for the tag, you notice the src has the image URL. There seems to be an encoding problem with this URL, so use an online URL encoder to encode it properly.
  3. The URL that I got is: assets%2Fpublic%2Fimages%2Fuploads%2F%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg
  4. Manually edit as HTML and put the encoded URL into the src.
  5. image

The photo shows up now but the challenge is not marked as solved.

Try 2

  1. Switch to Firefox and open localhost:3000.
  2. Inspect element and open the Network tab (refresh the page for all files to show up).
  3. image

You can see the cat emoji as the filename.

  4. image

Click on Edit and Resend and the panel on the left shows up. We can try to replace the GET request with the encoded URL http://localhost:3000/assets/public/images/uploads/%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg (it seems that the hashes are the problem and those are the characters that needed encoding).

Instead of using an online encoder, just replacing the # with %23 solved the challenge.

  1. image

Challenge solved!
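As an added example, not part of the original notes, the following Python uses only the standard library to show why the # characters broke the image: a browser treats the first # as the start of the fragment and never sends the rest of the path to the server. It also reproduces the over-encoded form from the online encoder (the %2F variant from the first attempt) next to the correct one. The only inputs are the filename from the page and the assumed host http://localhost:3000.

```python
from urllib.parse import quote, unquote, urlsplit

BASE = "http://localhost:3000"
# Constructed from the filename visible on the page: a cat emoji followed by
# two hashtags. The two '#' characters are the real problem for a browser.
RAW_PATH = "/assets/public/images/uploads/😼-#zatschi-#whoneedsfourlegs-1572600969477.jpg"


def browser_view(url):
    """Split a URL the way a browser does: everything after the first '#'
    is the fragment and is never sent to the server."""
    parts = urlsplit(url)
    return parts.path, parts.fragment


def encode_path(path):
    """Percent-encode a URL path. quote() leaves unreserved characters and
    '/' alone, turns '#' into %23 and the emoji into its UTF-8 bytes
    %F0%9F%98%BC, which is exactly the form that solved the challenge."""
    return quote(path, safe="/")


def over_encoded(path):
    """What a generic online encoder produces when it treats the whole string
    as one component: the '/' separators become %2F, which breaks routing."""
    return quote(path.lstrip("/"), safe="")


def image_url(path):
    """Full URL that reaches the server intact."""
    return BASE + encode_path(path)


def roundtrip(path):
    """The server decodes the encoded path back to the original filename."""
    return unquote(encode_path(path)) == path


if __name__ == "__main__":
    print("unencoded, as the browser sees it:", browser_view(BASE + RAW_PATH))
    print("correctly encoded:", image_url(RAW_PATH))
    print("over-encoded:", over_encoded(RAW_PATH))
```

The first print shows the path cut off right after the emoji, with zatschi-#whoneedsfourlegs-1572600969477.jpg left behind as a fragment, which is why the server could never find the file; the fix is to encode the filename as a path component, not the whole URL as one opaque string.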

7. Empty User Registration

Category: Improper Input Validation

Stars: 2

hint

  1. Log out and log in with a random user account.
  2. Intercept that using Burp Suite. Change the email and password fields to the empty string "". Forward and turn off the interceptor.
  3. image The challenge is solved.

8. Admin Registration

Category: Improper Input Validation

  1. Log out and try to set up a normal account.
  2. Use Burp Suite to intercept. image This is the blocked request.
  3. Check the HTTP history; in the response you can see role: customer. image
  4. We can add a parameter "role": "admin" to the request to elevate the privileges.
  5. image Forward and turn off the interceptor and the challenge is solved.
  6. image Challenge solved!
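The four input validation challenges above (Zero Stars, Repetitive Registration, Empty User Registration and Admin Registration) all come down to checks that exist only in the browser, plus a role field that the server accepts straight from the client. This added example, which is not Juice Shop's code, shows what the matching server-side check looks like in Python; the field names (email, password, passwordRepeat, securityQuestion, securityAnswer), the minimum password length and the email pattern are assumptions of the example.

```python
import re

# Field names are assumed for this example; they are not taken from Juice Shop.
ALLOWED_FIELDS = {"email", "password", "passwordRepeat", "securityQuestion", "securityAnswer"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_PASSWORD_LEN = 8


def validate_registration(payload):
    """Server-side checks for a registration request.

    Returns (errors, user). On success errors is empty and user is the record
    to store; the role is always assigned here and never read from the client.
    """
    errors = []
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"], None

    # Mass-assignment guard: any field the form does not define (e.g. "role")
    # marks a tampered request and is rejected outright.
    unknown = sorted(set(payload) - ALLOWED_FIELDS)
    if unknown:
        errors.append("unexpected fields: " + ", ".join(unknown))

    email = payload.get("email")
    password = payload.get("password")
    # Empty strings are the "Empty User Registration" case; a missing key or
    # a non-string value (null, a list) is rejected the same way.
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        errors.append("invalid email")
    if not isinstance(password, str) or len(password) < MIN_PASSWORD_LEN:
        errors.append("password too short")
    # The repeat-password comparison is enforced here, not only by the
    # disabled state of the Register button.
    if password != payload.get("passwordRepeat"):
        errors.append("passwords do not match")

    if errors:
        return errors, None
    return [], {"email": email, "password": password, "role": "customer"}


def valid_rating(rating):
    """Feedback rating must be an integer from 1 to 5. None (the Zero Stars
    trick), 0, floats and booleans (which Python counts as ints) are rejected."""
    return isinstance(rating, int) and not isinstance(rating, bool) and 1 <= rating <= 5


if __name__ == "__main__":
    # Constructed requests: a normal one and the tampered one with "role".
    print(validate_registration({"email": "new@example.test", "password": "longenough1",
                                 "passwordRepeat": "longenough1"}))
    print(validate_registration({"email": "new@example.test", "password": "longenough1",
                                 "passwordRepeat": "longenough1", "role": "admin"}))
    print(valid_rating(0), valid_rating(None), valid_rating(3))
```

Rejecting unknown fields rather than silently dropping them is a design choice: it turns a tampered request into a visible error that can be logged and alerted on, instead of a quiet no-op.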

9. Login Jim (SQL injection)

hint

  1. From various tries, we can guess the email as [email protected] and craft the payload as [email protected]'--.
  2. Enter any password and the challenge is solved.
  3. image

10. Login Bender

hint

  1. Same procedure as above. Give the username as [email protected]'-- and any password.
  2. The challenge is solved: image

Alternatively, giving the username as ' or 1=1 and email like('%bender%');-- will also work.

Mitigation: user input should always be subject to sanitization or validation on the server side before being processed. Because this case deals with SQL injection, the input should be checked server side for interpretable SQL symbols and instructions.

A4. Insecure design

A5. Security Misconfiguration

1. Outdated Allowlists

Category: Unvalidated redirects

hint

  1. Searched for the bitcoin and eth keywords in the console. No result! While checking out main.js, the bitcoin keyword gave search results.

  2. image

There seems to have been a QR code to accept bitcoin, and from the results we can see the redirect URL.

  1. We need to redirect to another link in the outdated allowlist.

  2. /redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm: copy this section and append it to the original localhost:3000 URL, and you are successfully redirected.

  3. image

Challenge Solved

2. Error handling

image

These are the issues that I found in the JS console that might have triggered the success message for this challenge. (Check up about this.)

To trigger: keep intercept on and click on any product on the home page. The request will be captured by Burp Suite and you can modify it to trigger an error.

From: image

to:image

image

After enabling this, forward the request. Success!! Challenge solved. image

image

The error message is shown here (improper error handling), and by following this path attackers can find out file locations. Edit the request again and the files can be seen by causing an internal server error.

image

You can see some file locations here.

image

The 500 Internal Server Error in the JS console.

Mitigation recommendation: error messages or debugging info should not reveal sensitive information.

3. Deprecated Interface

Stars: 2

hint

B2B: Business-to-Business interface. The Juice Shop web UI is B2C (Business-to-Customer).

  1. Scoured the page for any fitting functionality, especially anything with a file upload or similar feature.

  2. The Complaint form has the feature. Tried uploading a file; the error message said that only PDF or ZIP is allowed. image

  3. Inspect the code. Searched for the keywords PDF, ZIP, allowed. image

  4. XML seems to be allowed. Create an empty file with the .xml extension and upload it.

image

image The challenge is solved!!

Mitigation:

  1. Maintain and clean up outdated code.
  2. Secure file uploads: implement server-side validation for file uploads too. Ensure that MIME type checks are performed on the server side and not just client-side, and scan uploaded files for malware.
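For the second mitigation point, the following is an added example (not Juice Shop's upload handler) of a server-side allowlist check in Python that looks at the extension, the declared content type and the file's leading bytes together, so an empty .xml file or a renamed file is rejected regardless of what the browser allowed. The accepted types, magic bytes and size limit are this example's own choices.

```python
# Allowlist for the complaint upload: extension -> (accepted declared MIME
# types, magic bytes the file must start with). These values are this
# example's choice, not Juice Shop's configuration; note that .xml is absent.
ALLOWED_UPLOADS = {
    "pdf": ({"application/pdf"}, b"%PDF-"),
    "zip": ({"application/zip", "application/x-zip-compressed"}, b"PK\x03\x04"),
}
MAX_UPLOAD_BYTES = 100_000


def upload_allowed(filename, content_type, data):
    """Return (allowed, reason) for an uploaded file.

    Every check runs on the server: the extension alone is not trusted, the
    declared Content-Type alone is not trusted, and the file body must carry
    the header of the type it claims to be. An empty .xml file fails on the
    extension; a .pdf that really contains XML fails on the header."""
    if "." not in filename:
        return False, "no extension"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_UPLOADS:
        return False, "extension not allowed: " + ext
    mimes, magic = ALLOWED_UPLOADS[ext]
    if content_type not in mimes:
        return False, "content type mismatch"
    if not data.startswith(magic):
        return False, "file header does not match declared type"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    return True, "ok"


if __name__ == "__main__":
    # Constructed uploads: the empty XML file from the challenge, a genuine
    # PDF header, and an XML body renamed to .pdf.
    print(upload_allowed("complaint.xml", "application/xml", b""))
    print(upload_allowed("complaint.pdf", "application/pdf", b"%PDF-1.4 sample"))
    print(upload_allowed("complaint.pdf", "application/pdf", b"<?xml version='1.0'?>"))
```

Magic-byte checks are a minimum, not a full content scan: a ZIP header says nothing about what is inside the archive, which is why the note above also asks for malware scanning of the stored file.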

A6. Vulnerable and Outdated Components

A7. Identification and authentication failures

A8. Software and Data integrity failures

A9. Security Logging and Monitoring Failures

A10. Server Side Request Forgery