The OWASP Juiceshop easy challenges 1 through 6
If you haven’t heard of the Juiceshop web app, head over to https://owasp.org/www-project-juice-shop/ to download it, or play along on the demo server
This series will be a write up of the Juiceshop challenges in difficulty order. Each post will cover a few challenges, the number depending on how complex each is to write up.
Let’s get started
The Scoreboard #
On the learning page we can see that the scoreboard is a good first target, and once you have it, we will see why. A further hit is provided when we launch the Juiceshop for the first time
It would appear there’s an unlinked URL which we need to discover. We could use a directory discovery tool like ffuf but what you will find is that all routes return an equally sized 200 response, so that’s a no go. We could also peer into the Github repo that is linked in the left hand menu to see if we can discover the route there. However the app is meant to be treated as a black box and thus the source is out of bounds. But lets just take a guess. Seeing as it’s a level one, it won’t be anything too complex. Let’s try the following
- scoreboard
- score_board
- score-board
- ScoreBoard
- Scoreboard
As it happens, https://demo.owasp-juice.shop/#/score-board is the right answer. I won’t be covering the coding challenges, but I recommend that you give them a go.
DOM XSS #
Now we can see the challenges, so let’s filter them to only show difficulty 1. We see out next task is a DOM XSS with a given payload. The first task is to find a place that accepts user input that is reflected back onto the page. Scanning the page layout there’s a search button on that top. Let’s enter something there and see what happens.
test is reflected on the page
Let’s try to just paste the suggested payload into the search field to see what happens
Bonus payload #
This is pretty much the same as the DOM XSS except with a different payload. Simply paste the new payload into the search field to see what happens.
Privacy policy #
Before we continue, let’s create an account so we can see what a logged in user looks like, learn something about the authentication and sign up flow, and see what a logged in user can see and do. Head over to the account page (login) and create an account with any old details. Once done, log in with those details and see how the page looks now. Let’s check the Account section of the site and lo and behold what do we see there?
Bully Chatbot #
We have to get a coupon from the chat bot. Head over to the customer support chat to access the bot. The key here is to be persistent until the bot just gives up and gives us a code.
Access a confidential document #
This isn’t difficult, but it is somewhat time consuming. The shortcut to this is to find a link to somewhere that might contain more files if we visit the bare URL. If you spend some time navigating the site you will eventually find a link to a document that has the following path https://demo.owasp-juice.shop/ftp/legal.md. I wonder what else might live in this folder. Remove the filename and navigate to https://demo.owasp-juice.shop/ftp to see what we can find. Use your keen senses to identify and read the “confidential” document.
Summary #
That’s the challenges for this post. I suggest doing the coding challenges that go along with some of the exercises as they explain how and why these things happen, and how to mitigate them.
Thanks for stopping by.