Jeffrey Winn's Blog

Assorted thoughts and information of nominal value


(WARNING: ongoing and many outright spoilers!)

As you well know, The Open Web Application Security Project® (OWASP) is the place to go for web-based security info. They are also the keeper of the very important (and must-know) OWASP Top Ten.

Even better, they make some tools and a collection of resources to help us learn the trade. One of those is Juice Shop.

You can find an excellent reference and exploitation guide here to get you started. This resource, like many I keep, is really just a working document/reminder set of notes for my own use.

In these notes, I go section by section in an order I prefer. Again, these are solutions, which I do not encourage you to use as is. Find out for yourself with some of the links I’ve provided here. You will learn that way, not by reading my notes.

In these notes, kessel is my Juice Shop server (in my case, a Docker instance under CentOS).

To find the score board

This is really the place to start. So far as I know, the Score Board is the jumping off point for every other challenge in this resource.

http://kessel:3000/#/score-board

DOM XSS. Enter this into the search bar at the top:

<iframe src="javascript:alert(`xss`)">
<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>

Privacy Policy

Find this in the area of your Account.

Login Admin. At the login page, log in as:

Username:

' OR TRUE--

…this is based on the SQLite error that can be seen via the developer console in the browser. Specifically, in Firefox Developer’s Edition:

F12 -> Console

…and look for errors, then on the tab:

Response

…the password can be anything. (BTW: the admin email by default is admin@juice-sh.op.)

Login MC SafeSearch

Logged in with the admin email:

admin@juice-sh.op

…and the (eventually guessed at, with help from the tutorial) password:

admin123

View Basket

Logged in to my account and navigated to Basket. Then, using the Developer Tools in my preferred version of Firefox (Developer’s Edition), change the key “bid” (found under Storage -> Session Storage) from what it was (14) to another number (13, in this case). This constitutes the basket of another user.
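The two server-side defects behind the “Login Admin” and “View Basket” notes above, modelled as an added example (not code from the original post or from Juice Shop itself). A throwaway SQLite database stands in for the app: the table layout, the user rows, the demo passwords and the basket ids 13 and 14 are constructed for this demo, and only the admin email is taken from the notes. The point is the difference between a string-built query and a parameterised one, and between a lookup that trusts the client-supplied bid and one scoped to the logged-in user.

```python
"""Added example (not from the original post): the "Login Admin" and
"View Basket" defects modelled in a throwaway SQLite database.
Schema, rows, demo passwords and basket ids are constructed for the demo;
Juice Shop's real schema and handlers are not reproduced."""
import sqlite3

# Constructed sample data. Plain-text passwords only to keep the demo short.
USERS = [
    (1, "admin@juice-sh.op", "demo-only-admin-pw", "admin"),
    (2, "jim@juice-sh.op", "demo-only-jim-pw", "customer"),
]
# (basket id, owner user id): 14 belongs to user 1, 13 to someone else.
BASKETS = [(13, 2), (14, 1)]


def make_db():
    """Build the in-memory database with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
               "password TEXT, role TEXT)")
    db.execute("CREATE TABLE Baskets (id INTEGER PRIMARY KEY, UserId INTEGER)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", USERS)
    db.executemany("INSERT INTO Baskets VALUES (?, ?)", BASKETS)
    return db


def login_vulnerable(db, email, password):
    """String-built query. The notes' username turns the WHERE clause into
    email = '' OR TRUE--' AND password = '...'  so every row matches and the
    first one (the admin) comes back, whatever the password was."""
    sql = (f"SELECT id, email, role FROM Users "
           f"WHERE email = '{email}' AND password = '{password}'")
    return db.execute(sql).fetchone()


def login_fixed(db, email, password):
    """Parameterised query: the payload is compared as a literal email."""
    sql = "SELECT id, email, role FROM Users WHERE email = ? AND password = ?"
    return db.execute(sql, (email, password)).fetchone()


def basket_vulnerable(db, session_user_id, bid):
    """Trusts the client-supplied bid, so editing it in Session Storage
    returns another user's basket. session_user_id is never consulted."""
    return db.execute("SELECT id, UserId FROM Baskets WHERE id = ?",
                      (bid,)).fetchone()


def basket_fixed(db, session_user_id, bid):
    """Scopes the lookup to the authenticated user; a foreign bid yields None."""
    return db.execute(
        "SELECT id, UserId FROM Baskets WHERE id = ? AND UserId = ?",
        (bid, session_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR TRUE--"
    print("vulnerable login:", login_vulnerable(db, payload, "anything"))
    print("fixed login:     ", login_fixed(db, payload, "anything"))
    print("vulnerable basket 13 as user 1:", basket_vulnerable(db, 1, 13))
    print("fixed basket 13 as user 1:     ", basket_fixed(db, 1, 13))
```

The fixed login still returns the admin row for the real credentials; only the injected comparison stops matching. The fixed basket lookup is the check the notes show to be missing: the bid from Session Storage is fine as a selector as long as the server also filters on the user the session belongs to.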

Confidential Document

You can find the location to look at by navigating to the About Us page and, in the middle of all the boilerplate Lorem Ipsum, find a link that reads “Check out our boring terms of use if you are interested in such lame stuff”.

Copy the link http://kessel:3000/ftp/ into your browser and browse away.

Error Handling

…no idea, but I “solved” this at some point.

Exposed Metrics

For this one, first check out the link referred to in the listing “popular monitoring system”. It will take you to a GitHub project page.

If you drill down through the documentation on this project page, you will eventually find reference to where the tool is expecting to find its data for scraping. Specifically, you can find it here.

In the end, I found the end point on my instance:

http://kessel:3000/metrics

Missing Encoding

This one, at least for me, requires some tools available on the web.

First, look on the Photo Wall. There, you will see two images and one entry where an image should be, but is not. The problem here is that the encoding is wrong, at least for browser interpretation.

If you examine the content (again using your F12 Developer’s Tools), you will see the following URL that your browser can’t use:

assets/public/images/uploads/😼-#zatschi-#whoneedsfourlegs-1572600969477.jpg

The problem here is the actual emoji. It could be that your browser is fine with it, but how it is being served just does not work.

Using tools online, we take this string and re-encode it in a more browser-friendly way:

assets/public/images/uploads/%f0%9f%98%bc-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg

…and, voilà! We have our new image.

Note that, even though I “solved” the problem and revealed the image, this challenge in the Score Board still shows as unsolved.
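What the “online tools” step above actually does, as an added example (not code from the original post): a URL parser stops the path at the first unencoded “#” and treats the rest as a fragment, which is never sent to the server, so the raw filename can never match a file. Percent-encoding the single path segment fixes both the “#” characters and the emoji. The host and upload path are the ones the notes use; the emoji is U+1F63C, which is what the bytes %f0%9f%98%bc in the notes decode to.

```python
"""Added example (not from the original post): why the raw Photo Wall
filename fails and what the percent-encoded form fixes. Host and path are
from the notes; the emoji is U+1F63C, the decoding of %f0%9f%98%bc."""
from urllib.parse import quote, unquote, urlsplit

UPLOAD_DIR = "http://kessel:3000/assets/public/images/uploads/"
RAW_NAME = "\U0001F63C-#zatschi-#whoneedsfourlegs-1572600969477.jpg"
ENCODED_FROM_NOTES = "%f0%9f%98%bc-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg"


def split_raw(name=RAW_NAME):
    """How a URL parser (browser or Python) reads the unencoded name: the
    first '#' starts the fragment, which stays client-side, so the path the
    server sees ends right after the emoji and matches no file."""
    parts = urlsplit(UPLOAD_DIR + name)
    return parts.path, parts.fragment


def encode_segment(name=RAW_NAME):
    """Percent-encode one path segment. safe='' also encodes '#', '?' and
    '/', and non-ASCII text is emitted as its UTF-8 bytes (%F0%9F%98%BC)."""
    return quote(name, safe="")


def decode_segment(encoded=ENCODED_FROM_NOTES):
    """Reverse the encoding; hex case does not matter to unquote."""
    return unquote(encoded)


def same_encoding(a, b):
    """Servers treat %f0 and %F0 alike, so compare case-insensitively."""
    return a.lower() == b.lower()


if __name__ == "__main__":
    path, fragment = split_raw()
    print("path the server would see:", path)
    print("lost as fragment:         ", fragment)
    print("encoded segment:          ", encode_segment())
    print("decodes back to:          ", decode_segment())
```

Python emits uppercase hex and the notes show lowercase; both decode to the same bytes, which is why the comparison in same_encoding is case-insensitive. The defender-side lesson is that whatever writes the filename into the page must encode each path segment, not just the characters that happen to look odd.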

Outdated Whitelist

This one was tricky for me. I had to resort to the solve, but I was on the right track, looking at associated JavaScript files. I did think that the entry point would be found in a different section (Other payment options) and not in Add new card.

In the end, this reworked URL did the trick:

kessel:3000/redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm

…what did help was the ability in Firefox Developer’s Edition to “prettify” the code.

To be continued…
