OWASP juice-shop project #1
Welcome to my first project: my write-up/workflow for OWASP juice-shop. While I write, some might be written in jest, and some was written without assuming an audience, so some may be difficult to read. But this is for fun!
TdaShadow
6/17/2026
3 min read


Tutorial mentions Score Board? In all honesty, this one was pretty simple. I remember it from URL guessing, but I wanted to find another way and this time document it. The Tip Message also mentioned you can find it in the sources within the developer options (F12).
1 >> Pressed F12.


Where can I find the score board? I clicked on ‘Debugger’ and saw a handful of .js files. From here I spent some time reviewing the list of .js files for any clues. Then I saw the search function! Let's use that!
2 >> Clicked Debugger
3 >> “Search” score


Immediately, I saw ‘SCORE_BOARD_HACKING_INSTRUCTOR’. There has to be something here. Scrolled through and found ‘"routerLink","/score-board’. RouterLink? /score-board. Looks like the end of a site URL. Let's try it.
3 >> Entered https://localhost:3000/score-board
It didn’t work. Did they change it? Is my docker not working properly? Okay. Let's fire up Burp and see if something else works before revisiting the score-board challenge.
4 >> Opened Burp Suite Community
Now, I want to see everything in Burp Suite, so I am not going to set a scope, since I want to see everything coming from localhost.
5 >> Open Burp Browser
Let's do some simple recon. Let's start by just visiting sites within juice-shop. Add some Apple juice to the Basket. Visit the basket, remove Apple juice. Use the ‘Trash’.
6 >> Site-testing
Next, let's see some of the output within Burp. Hmm.. ‘/api/Products/1?..’. Let's try /api/Products/2. That works! But it only shows another product. What if I remove the number entirely? Displays the entire list of products. No secrets in here. Believe me, I checked. You think we can change Products to Users? Not Authorized! Let's change it to a POST. Created status”...success
id: 25. Does any of that mean anything? Let's go back to the HTTP history output.
Anything here? GET /rest/user/whoami?fields=email HTTP/1.1 — not really? What about GET /rest/products/1/reviews HTTP/1.1? admin@juice-sh.op? I can work with that!


Let's go back home and see what we can do with this. “You successfully solved a challenge: Error Handling (Provoke an error that is neither very gracefully nor consistently handled.)”
That's right, I created an Internal Server Error when attempting to access /api/Users and /api/Admins.
7 >> Visit localhost:3000/api/Users, Visit localhost:3000/api/Admin
Next, I visited the account sign-in page and tried to log in with admin@juice-sh.op. Password? Password123, password, password123. Let's see what happens when I enter ‘ at the end of an email.


Okay, we received an error. SQL injection maybe? Entered as email: admin@juice-sh.op' OR 1==1; and entered as password: Password123
8 >> Visit Account link
9 >> Username: admin@juice-sh.op' OR 1==1;
10 >> Password: Password123


Solved! Two Challenges.
Provoked Error
Login Admin