What is the Juice Shop?
Finding public sites to practice hacking on can be difficult. Bug bounty programs are a good place to test your skills, but beginners will often be overwhelmed when faced with an enterprise-level application. That’s where applications like Juice Shop come into play. Juice Shop is an intentionally vulnerable, open source web application designed to help teach beginners how to exploit various vulnerabilities and conduct a comprehensive web application penetration test while keeping it totally safe and legal!
Downloading & Setting Up Your Juice Shop
The Juice Shop GitHub page has installation instructions included, but from personal experience, installing from sources has been the easiest to set up and get going. Start by downloading the repo using the git clone command:
git clone https://github.com/juice-shop/juice-shop.git
Next we need to install NPM so we can install and run Juice Shop. Luckily many Linux package managers make this nice and easy. In my Kali Linux distro, we can do so by executing the following commands:
sudo apt-get update
sudo apt-get install npm
Another option, if you don’t want to run things in a VM and you are on macOS, is to install Homebrew and use its package manager to install NPM:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
brew install npm
Once you’ve got everything set up, navigate to the path where you’ve installed Juice Shop and execute the following commands:
cd /Path/to/JuiceShop
npm install
npm start
Note: You will only need to run the npm install command once. After the initial install, you just need to navigate to the Juice Shop folder and run the npm start command.
After the npm start command is executed, the web application will start running and you can navigate to it in a browser of your choice at http://localhost:3000.
Level 1 – Nice & Easy
SCOREBOARD
Let’s knock out all the easy things first. But wait, where is all the easy stuff? Juice Shop has a scoreboard, but we need to find it first! This should be fairly simple. We can use the built-in inspect element controls within most modern browsers to find a hidden endpoint. Let’s search “score” in the main.js file under the Sources tab in the developer tools.

Navigate to the /score-board endpoint and boom! We’ve cracked our first challenge.
Note: You’ll see a challenge banner that appears up top. Don’t close it quite yet, we’ll need a couple for another challenge.

The score board contains a list of challenges, organized by difficulty, which we can complete to test our skills. Now that we’ve found the score-board we can sort to find all the 1-star challenges, which we’ll complete in this section.
Let’s Bully a Chatbot
Now we’re starting to take a look at the web app. First let’s pretend we’re an average customer and make an account. Nothing fancy, we can register with a fake email and name:

Logging into an account opens up some new side panel options. We can now speak with the support chat.

When entering the support chat, we are met with a friendly little juice bot.

Let’s try to swindle ourselves a free discount code. The key to getting the code is persistence. If we just keep asking, ol’ Juicy will crack.

Finding the Crypto
We can solve the next challenge with the same method we used to find the scoreboard. Navigate to the main.js file in the Sources tab of the browser’s dev tools, search for ‘sandbox’ and cycle through the discovered options until you find the /web3-sandbox endpoint.

Hidden Blockchain
Like the other challenges that have us searching through the main.js file in the Sources tab, we can search for a hidden crypto address that was not removed from the code. We don’t know exactly what to look for, so we should try a couple of keywords:
crypto, address, bitcoin, blockchain
Now all we have to do is search for these words in the main.js file and we’ve found a hidden crypto address!

We can navigate directly to this address, but the challenge states we must get the Juice Shop site to redirect us to it. We can do so by visiting the following address:
http://localhost:3000/redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm
And we’ve found the hidden blockchain address and solved the Outdated Allowlist challenge.
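The challenge name says what the real defect is: a redirect allowlist that was never pruned. As an added example (not Juice Shop’s own code), here is how a /redirect?to= check should validate its target, by parsed origin and path prefix rather than raw string matching, plus a helper that flags entries nothing on the site links to anymore. The allowlist entries and the linked-URL list are constructed.

```javascript
// Added example, not Juice Shop's code: validating a ?to= redirect target
// against an allowlist by parsed origin and path prefix. The entries are
// constructed; the blockchain.info one stands in for the stale entry the
// Outdated Allowlist challenge is about.
const REDIRECT_ALLOWLIST = [
  "https://github.com/juice-shop/juice-shop",
  "https://blockchain.info/address/",
];

function isAllowedRedirect(to, allowlist = REDIRECT_ALLOWLIST) {
  let target;
  try {
    target = new URL(to); // relative or malformed values never pass
  } catch {
    return false;
  }
  // Only plain web schemes; rules out javascript:, data:, file: and friends.
  if (target.protocol !== "https:" && target.protocol !== "http:") return false;
  return allowlist.some((entry) => {
    const allowed = new URL(entry);
    // Compare the parsed origin, never a substring of the raw string, and
    // require the path to be the allowed path or sit beneath it.
    const prefix = allowed.pathname.replace(/\/$/, "");
    return (
      target.origin === allowed.origin &&
      (target.pathname === prefix || target.pathname.startsWith(prefix + "/"))
    );
  });
}

// An allowlist is only as good as its upkeep: report entries that no URL
// the site still links to would need, so they can be removed.
function staleEntries(allowlist, linkedUrls) {
  return allowlist.filter(
    (entry) => !linkedUrls.some((u) => isAllowedRedirect(u, [entry]))
  );
}
```

With only the GitHub link still in use, staleEntries reports the blockchain.info entry, which is exactly the leftover the challenge has us exercise.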

Now We’re Scripting
Let’s do one more challenge before knocking out the ‘Mass Dispel’ challenge. We’re going to perform a Cross Site Scripting (XSS) attack on Juice Shop. Cross site scripting is an attack which exploits a flaw in web applications that allows a user to inject HTML code. The goal is to use the following payload to trigger an XSS vulnerability:
<iframe src="javascript:alert(`xss`)">
But now we need to traverse Juice Shop to determine what allows user input to be reflected on the site, and more importantly where it’s persisted. Looking around the site, there is a search function that allows users to search for products. We can provide a basic query to see what the query looks like in the HTML code. We’re going to send the query with <b> tags to test if we can inject HTML:
<b>TEST</b>

It looks like the application allows for HTML to be injected into the search field, which means we can drop our XSS payload here.
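What the <b>TEST</b> probe revealed is the search term being written into the page as markup. As an added example (not Juice Shop’s code), the snippet below shows that unsafe construction next to the escaped version that neutralises the walkthrough’s payload; the heading markup is constructed.

```javascript
// Added example, not Juice Shop's code: the reflected-search pattern above,
// as an unsafe HTML build next to an escaped one. The heading markup is
// constructed; the payload is the one used in the walkthrough.
const XSS_PAYLOAD = '<iframe src="javascript:alert(`xss`)">';

// Unsafe: the raw term is concatenated into markup, so tags in it are
// parsed as tags. This is the behaviour the <b>TEST</b> probe confirmed.
function renderSearchHeadingUnsafe(term) {
  return `<h2>Search Results - ${term}</h2>`;
}

// Encode the characters that can break out of HTML text or attribute
// context. In the browser, el.textContent = term does the same job.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchHeadingSafe(term) {
  return `<h2>Search Results - ${escapeHtml(term)}</h2>`;
}

// Small check suitable for a unit test: did a given element survive into
// the rendered output as real markup rather than as visible text?
function containsElement(html, tagName) {
  return new RegExp(`<${tagName}(\\s|>|/)`, "i").test(html);
}
```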

Bonus!
Let’s use the same search function to drop the following bonus payload:
<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>

Strictly Confidential
Let’s see if we can find some confidential information. We need to traverse the site to see if we can find other endpoints that may allow us to view other sensitive information. Let’s check the about us page.

There seems to be a link that takes us to a legal.md file.

This legal document seems to be located in a /ftp/ directory on the web server. Let’s try accessing that parent directory by going to:
http://localhost:3000/ftp/

We see some files here, one named acquisitions.md. Let’s see what’s in there. Oops! Looks like we found some confidential information:

❗️ Error ❗️
While we’re in this /ftp/ directory, let’s click some different file names. Let’s look at eastere.gg. Huh, that’s weird: we get a 403 error. And with that, we successfully get the web server to provoke an error!

Reading is Easy
One of the challenges is just to read the company’s privacy policy. To do this, you just need to be logged in as a user. Under the account drop-down there’s a Privacy & Security option. Under this submenu we can view the shop’s privacy policy.

Where is the Cat?
Seems like our next challenge has to do with a missing cat. Let’s navigate to the photo wall of the application and figure out which image isn’t loading correctly.

We can take a look at the code on the page by using inspect element.

We can see the src parameter path contains hashtags (#), or pound symbols for you fellow oldies out there. These characters need to be URL encoded in order to render properly in a URL. We can use a basic URL encoder to find what the value should be. You can also view W3Schools’ table of URL-encoded characters to find single characters such as our hashtag. Based on our quick search, it looks like the hashtag needs to be replaced with %23. We can modify this value right in inspect element.
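The reason the image fails is that a browser treats everything from the first literal # onward as a fragment and never sends it, so the server is asked for a truncated path. As an added example (not Juice Shop’s code), the snippet below resolves a src the way the browser does and shows why encodeURI is not enough while per-segment encodeURIComponent is; the file name is constructed.

```javascript
// Added example, not Juice Shop's code: what the browser requests when an
// image src contains a literal "#", and how per-segment encoding fixes it.
// The file name is constructed; the real one is on the photo wall.
const SITE = "http://localhost:3000";
const BROKEN_SRC = "assets/photo-wall/cat#1.jpg";

// Resolve a src value the way the browser does and split out the pieces.
// Everything from "#" on is a fragment and is never sent, so the server
// sees a path that does not exist.
function requestedPath(src) {
  const url = new URL(src, SITE);
  return { path: url.pathname, fragment: url.hash };
}

// encodeURI treats "#" as a reserved delimiter and leaves it alone, so it
// does not repair a file name that happens to contain one.
function encodeWholeUrl(path) {
  return encodeURI(path);
}

// Percent-encode each segment (turning "#" into "%23") but keep the "/"
// separators so the directory structure is preserved.
function encodePathSegments(path) {
  return path.split("/").map((segment) => encodeURIComponent(segment)).join("/");
}
```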

Closing the inspect element panel, we can see the properly loaded, ferocious cat image.

Worse than 1 ⭐️
Now let’s see how we can leave a review of 0 stars. In the side panel we can select the customer feedback option, which takes us to the following page.

We can leave a nasty comment, leave the rating at 1 star, and input the correct captcha.

However, now we need to employ a proxy tool. For this walkthrough, we’ll be using the community edition of Burp Suite, which is free. We need a proxy tool to capture the web request sent to the server so we can modify things at the request level that we otherwise can’t modify at the user interface (UI) level.
Burp Suite has a built-in web browser that we can use for this project, but you can also set up a proxy within your browser of choice, which will allow Burp to capture the traffic. Drop a comment below if you want to see how to do that in a few browsers, and we’ll make sure to include it in the next update of this article!
Below is the web request we captured using Burp Suite:

We see that there is a rating parameter which specifies how many stars. We can change this value to:
"rating":0
Note: Make sure to remove the parenthesis around 0.
We can forward the modified request and we’ve now left a devastating 0-star review!
Exposed Metrics
Our next challenge tasks us with looking for an exposed metrics endpoint. Within the challenge description we have a link which leads us to the GitHub page for the Prometheus tool.

We don’t see much here other than a possible endpoint where the tool could be located:
/prom/prometheus
We can again trial-and-error potential endpoints where the metrics page could be located. Let’s try the following:
/sitemonitor /sitemon /prom/prometheus /prometheus /metrics
Sure enough, we’re able to find the metrics page here:
http://localhost:3000/metrics

Follow the DRY Principle!
Now we need to register a user following the DRY principle. The DRY principle stands for “Don’t Repeat Yourself.” In programming this extends to only prompting for information once, and using abstraction when possible. Let’s walk through the user registration process and see where we might find some repetitive areas.

We can see there are two separate places where we can input a password. We can set the Repeat Password field to a different password than the one set in the Password field. This will successfully crack the DRY principle challenge.
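Both the 0-star review and the mismatched Repeat Password work because a rule the browser enforces was never re-checked on the server. As an added example (not Juice Shop’s code), the following server-side validators cover both cases; the field names, limits and response shape are assumptions.

```javascript
// Added example, not Juice Shop's code: server-side checks for two rules
// the UI enforces but the server must enforce too: the 1-5 star range
// (bypassed with the proxy above) and the matching Repeat Password field
// (the DRY challenge). Field names, limits and response shape are assumptions.
const MIN_RATING = 1;
const MAX_RATING = 5;
const MIN_PASSWORD_LENGTH = 8;

// Returns a list of problems; an empty list means the body is acceptable.
function validateFeedback(body) {
  const errors = [];
  // Number.isInteger rejects 0.5, NaN and strings such as "5" alike.
  if (!Number.isInteger(body.rating) || body.rating < MIN_RATING || body.rating > MAX_RATING) {
    errors.push(`rating must be an integer from ${MIN_RATING} to ${MAX_RATING}`);
  }
  if (typeof body.comment !== "string" || body.comment.trim() === "") {
    errors.push("comment is required");
  }
  return errors;
}

function validateRegistration(body) {
  const errors = [];
  if (typeof body.password !== "string" || body.password.length < MIN_PASSWORD_LENGTH) {
    errors.push(`password must be at least ${MIN_PASSWORD_LENGTH} characters`);
  }
  // The browser compared the two fields already; a proxied request may not have.
  if (body.password !== body.passwordRepeat) {
    errors.push("password and passwordRepeat do not match");
  }
  return errors;
}

// Handler shape: validate first, then act. Returns what an HTTP layer would send.
function handlePost(validate, body, onValid) {
  const errors = validate(body);
  if (errors.length > 0) return { status: 400, body: { errors } };
  return { status: 201, body: onValid(body) };
}
```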
Mass Dispel – Satisfaction!
By now you’ve probably racked up quite a few challenge notifications.

It would be tedious to close each one individually. Reading through the OWASP Juice Shop companion guide, we can find a note which states we can close multiple notifications by holding the Shift key when clicking the X. Doing so the first time will solve the Mass Dispel challenge and conclude all the 1-star challenges!
More to come, happy hacking!