Review: “OWASP Juice Shop v.10.3.1” walkthrough solutions on Docker
Reference: https://github.com/bkimminich/juice-shop
How to access the score board?
Solution: localhost:3000/#/score-board
How to check error handling on login?
Solution: SQL injection: put a single quote in both the email and the password field.
Name: Confidential Document
I tried clicking and downloading every file to look at the data inside, but some files redirected to an error page when clicked. So I searched for Local File Inclusion (LFI) and found that the LFI null byte can be written as either %00 or %2500; in this case %00 did not work, so I tried %2500 and then I could download the file.
I saw ‘==’ at the end and immediately recognised it as base64.
I tried decoding it on the command line and putting the result in the browser, but it did not work.
So, since I did not know this format, I searched Google for a multi-decoder and found this website: http://fbcs.bplaced.net/multi_encoder_decoder.html
The ROT 5+13 result looked human-readable. So I tried localhost:3000/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg in the browser again, and this time it passed!
OK, I used the same LFI null byte technique with %2500 again on coupons_2013.md.bak and package.json.bak to download all the files.
How to check the weird crypto?
After downloading package.json.bak, I could see every library the developer uses. So I tried sending library names in Customer Feedback and found that it is z85.
How to log in as the support user?
I noticed a file in the ftp path: incident-support.kdbx. I looked up the .kdbx file format on Google and found it is used by KeePass.
“KeePass can generate key files for you, however you can also use any other, already existing file (like JPG image, DOC document, etc.). In order to use an existing file as key file” — from the KeePass page
From that definition, an image file can be used as the key to open the database. So I went to the About Us page on Juice Shop and tried the files one by one.
Opening incident-support.kdbx pops up a prompt asking for the key file.
Now we can see the support user in incident-support.kdbx.
Right-click on support@juice-sh.op, click ‘Edit entry’, then show the password.
Try logging in as the support user.
Name: DOM XSS
(put <iframe src="javascript:alert(`xss`)"> in the search field)
Name: Zero Stars
I inspected the HTML of the ‘Submit’ button and noticed that when no star is selected the button is disabled. So I deleted the disabled attribute, the button became enabled, and I could submit without any star score.
Name: Login Admin (log in with ' or 1=1 -- as both username and password)
Name: Privacy Policy
(After login, click Account > Privacy & Security > Privacy Policy)
Name: Privacy Policy Inspection
(Find all the words wrapped in <span class="hot"> and concatenate them into http://localhost:3000/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility)
How to log in as admin with the password?
I wanted to check whether I could brute-force the password on localhost with Burp Suite’s Intruder mode.
This is how to set the proxy to allow localhost in Burp Suite:
Open about:config in the browser and click Accept the Risk.
Search for network.proxy.allow and double-click the value to change it from false to true.
Try the login page with username and password admin, admin.
Make sure ‘Intercept is on’ in Burp Suite before hitting the ‘Log in’ button.
Right-click in the request area, select ‘Send to Intruder’, then go to the ‘Intruder’ tab.
Highlight the username and password values and click the ‘Add’ button.
Clone https://github.com/swisskyrepo/PayloadsAllTheThings, put the PayloadsAllTheThings folder in /usr/share/wordlist on Kali, then in the Payload options load the file Auth_Bypass2.txt.
Highlight the token value, right-click and choose ‘Send to Decoder’.
Run the password value through hash-identifier to check the hash type; it is MD5.
Save the password hash into admin.txt and then use hashcat to crack the password:
hashcat -m 0 -a 0 admin.txt /usr/share/wordlists/rockyou.txt --
Inspecting the Network tab, I found that the Request URL shown in Chrome’s network inspector gives an idea of how to use sqlmap to find table names in OWASP Juice Shop:
sqlmap -u "http://localhost:3000/rest/products/search?q=" -D localhost --tables --level=5 --batch
I tried to retrieve the Users table with sqlmap, but it did not work.
So I tried another way. From the requests I inspected in the browser, the URL pattern was localhost/rest/… or localhost/api/…, so I tried similar paths in Postman to see user data:
- http://localhost:3000/rest/api/users responds with: Error: Unexpected path: /rest/api/users
- http://localhost:3000/rest/users responds with: Error: Unexpected path: /rest/users
- http://localhost:3000/api/users responds with: UnauthorizedError: No Authorization header was found
This means the path works! The API needs an Authorization token. So I logged in as admin again, checked ‘whoami’, and saw that it uses an Authorization Bearer token; we already have this token from the first SQL injection / brute-force login through Burp Suite.
Putting the admin token into the Postman request, we can now list all users in Juice Shop, but the only important data appears to be email and role; no password.
I tried brute-forcing bender’s password with the most common passwords via Burp Suite but found no valid password. So I tried SQL injection on the username with
bender@juice-sh.op'; -- and a password, and logged in.
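From the defender’s side, the two login attacks in this walkthrough (the ' or 1=1 -- / bender@juice-sh.op'; -- payloads and the Intruder wordlist run) leave distinct traces in an authentication log. The following is an added example, not part of the walkthrough or of Juice Shop: detection logic run over constructed JSON-lines auth events. The log format, field names and thresholds are assumptions for this example.

```javascript
// Added example (not Juice Shop's own code). Constructed auth log: five quick
// 401s from one IP (wordlist guessing), the walkthrough's two injection
// payloads, and a benign address containing an apostrophe.
const SAMPLE_LOG = [
  '{"ts":"2024-05-01T10:00:01Z","ip":"172.17.0.1","email":"admin","status":401}',
  '{"ts":"2024-05-01T10:00:02Z","ip":"172.17.0.1","email":"admin","status":401}',
  '{"ts":"2024-05-01T10:00:03Z","ip":"172.17.0.1","email":"admin","status":401}',
  '{"ts":"2024-05-01T10:00:04Z","ip":"172.17.0.1","email":"admin","status":401}',
  '{"ts":"2024-05-01T10:00:05Z","ip":"172.17.0.1","email":"admin","status":401}',
  '{"ts":"2024-05-01T10:00:09Z","ip":"172.17.0.1","email":"\' or 1=1 --","status":200}',
  '{"ts":"2024-05-01T10:05:00Z","ip":"10.0.0.7","email":"bender@juice-sh.op\'; --","status":200}',
  '{"ts":"2024-05-01T10:06:00Z","ip":"10.0.0.9","email":"o\'brien@example.com","status":200}',
].join("\n");

// A quote followed later by a comment sequence or an OR clause: the shape of
// both payloads above, while a plain apostrophe in a real address passes.
const SQLI_RE = /'.*(--|#|\/\*|\bor\b)/i;

function looksLikeSqlInjection(email) {
  return SQLI_RE.test(email);
}

function parseLog(text) {
  return text.split("\n").filter(Boolean).map((line) => JSON.parse(line));
}

// IPs with more than maxFailures 401s inside any windowMs span (sliding window).
function findBruteForce(events, maxFailures = 4, windowMs = 60000) {
  const byIp = new Map();
  for (const e of events) {
    if (e.status !== 401) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(Date.parse(e.ts));
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    for (let i = 0, j = 0; j < times.length; j++) {
      while (times[j] - times[i] > windowMs) i++;   // advance window start
      if (j - i + 1 > maxFailures) { flagged.push(ip); break; }
    }
  }
  return flagged;
}

function analyze(text) {
  const events = parseLog(text);
  return {
    injectionAttempts: events.filter((e) => looksLikeSqlInjection(e.email)).map((e) => e.email),
    bruteForceIps: findBruteForce(events),
  };
}
```

A successful (200) login whose email matches the injection pattern is the strongest signal here: a real address never needs a comment sequence after a quote.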
I tried to change the password without knowing the current password, but it said illegal.
How to view another user’s basket?
Solution: I logged in as test@test.com in Chrome and ordered an Apple,
then in Firefox I logged in as ploy@test.com and opened the same URL. I saw the test user’s order in my basket.
How to see metrics data usage on the server?
For example with Prometheus, the path /metric is the default path to see the data.
How to access log on server?