OWASP-juice-shop-??
The OWASP Juice Shop is an intentionally insecure web application, built for security training, awareness demos and tool testing. Please check out the resources below for further information:
OWASP Juice Shop GitHub repository
https://github.com/bkimminich/juice-shop
OWASP Vulnerable Web Applications Directory
https://owasp.org/www-project-vulnerable-web-applications-directory/
A5 - Broken Access Control: Admin Section
Our first two-star challenge is to access the administration section of the store. To start, let's use the Inspect Element tool in our Firefox browser to see if we can find a reference to the admin section in the client-side code that is shipped to every visitor.
Now, if we search for 'admin' in the Debugger section, we find a path listed as 'administration'.
Also take note of the other interesting paths listed; 'accounting' looks like another particularly interesting path that might be of use down the road.
So now, let's visit the administration section by appending it to the end of the Juice Shop URL.
Unfortunately we are met with a 403 Forbidden HTTP status and are not able to access the admin section without a privileged account. Luckily, a few weeks ago, we discovered that this web application is vulnerable to SQL injection and authentication bypass.
So our next step is to log in to the admin account using SQL injection in the login form to gain an admin session, then navigate to the 'administration' section of the store. Note that the server only hid the admin page behind the role check on the login; the route itself was discoverable by anyone reading the JavaScript bundle.
As we can see, once we are logged in with the admin account we are able to access the administration section of the store, which has a listing of all the registered users for the store and a customer feedback portal with admin privileges. Both of these will be useful in the challenges to come.
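The login bypass used above works because the store concatenates the submitted email straight into its SQL. The following is an added illustration, not code from Juice Shop or from the original post: it rebuilds a minimal, constructed Users table in an in-memory SQLite database, shows a string-concatenated login query in the same style (the table, column names, accounts and the MD5 stand-in for password hashing are all assumptions for the demo), and contrasts it with a parameterised query that the same payloads cannot break out of.

```python
import hashlib
import sqlite3

# Constructed sample accounts; the admin is deliberately the first row, because
# a "WHERE ... OR 1=1" bypass returns the first matching row of the table.
USERS = [
    (1, "admin@example.test", hashlib.md5(b"not-the-real-password").hexdigest(), "admin"),
    (2, "jim@example.test", hashlib.md5(b"another-password").hexdigest(), "customer"),
]


def make_db():
    """Build the constructed in-memory Users table (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, role TEXT, deletedAt TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (id, email, password, role) VALUES (?, ?, ?, ?)", USERS
    )
    return conn


def hash_password(password):
    # MD5 stands in for whatever hashing the store uses; the bypass does not
    # depend on it, because the password clause never gets evaluated.
    return hashlib.md5(password.encode()).hexdigest()


def vulnerable_login(conn, email, password):
    """Concatenates attacker-controlled `email` into the query (the injectable style)."""
    query = (
        "SELECT id, email, role FROM Users WHERE email = '" + email
        + "' AND password = '" + hash_password(password)
        + "' AND deletedAt IS NULL"
    )
    # With email = "' or 1=1--" the query becomes:
    #   ... WHERE email = '' or 1=1--' AND password = '...' AND deletedAt IS NULL
    # Everything after "--" is a comment, so the first row (the admin) is returned.
    return conn.execute(query).fetchone()


def safe_login(conn, email, password):
    """Same lookup with bound parameters: the payload is just a literal email string."""
    query = (
        "SELECT id, email, role FROM Users WHERE email = ? AND password = ? "
        "AND deletedAt IS NULL"
    )
    return conn.execute(query, (email, hash_password(password))).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("bypass   :", vulnerable_login(db, "' or 1=1--", "anything"))
    print("targeted :", vulnerable_login(db, "admin@example.test'--", "anything"))
    print("safe     :", safe_login(db, "' or 1=1--", "anything"))
```

The second payload, `admin@example.test'--`, is the more precise form: instead of relying on the admin being the first row, it names the victim account and comments out the password check. The parameterised version returns nothing for either payload, which is the check to run after fixing the query.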
A5 - Broken Access Control: Five-Star Feedback
Immediately we find the next challenge: getting rid of all five-star customer feedback, because we are playing the role of a nefarious actor and want to eliminate any positive customer feedback for the store. In the admin feedback portal, hit the trash-can delete button next to each five-star review and voilà!
A3 - Sensitive Data Exposure: Login MC SafeSearch
Now, our next challenge is to log in with MC SafeSearch's original user credentials WITHOUT applying SQL injection or any other bypass. So we can't reuse the SQL injection authentication bypass from the admin challenge. Looking at the registered users list, we do have a '[email protected]' email to use, so let's start there.
Having only an email address to go on, we Google 'MC SafeSearch' to gather further information before attempting a password attack. We are then directed to the YouTube video below.
The lyrics in the music video give away his password. We are then able to log in successfully as MC SafeSearch with valid credentials. The lesson is the one OSINT teaches over and over: a password that is public anywhere, even in song form, is a leaked credential.
A5 - Broken Access Control: View Basket
The next challenge is to view another user's shopping basket. Let's take a look at our own basket first to see which parameters we can manipulate.
Looking at the request in Burp Suite Repeater, the basket is identified in the GET URL by a numeric value (here, basket 11). So let's test the parameter by changing the basket number and see what the web server responds with.
Now we are able to view the contents of basket 2 instead of our original basket 11. The server looked up whatever id we supplied without checking that the basket belongs to our session. This is useful information that we can use down the road.
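What Repeater showed above is an insecure direct object reference: the handler trusts the id in the URL and never compares the basket's owner to the logged-in user. The following is an added illustration, not Juice Shop's code or the original post's: a constructed in-memory set of baskets (ids, owners and items are assumptions), the vulnerable lookup beside an ownership-checked one, and a small probe that steps through ids the way we did by hand in Repeater.

```python
# Constructed sample data: basket id -> owner and contents. Basket 11 belongs
# to our session user, basket 2 to someone else (mirrors the walkthrough above).
BASKETS = {
    2: {"UserId": 1, "items": ["Apple Juice"]},
    11: {"UserId": 7, "items": ["Banana Juice", "Lemon Juice"]},
}

SESSION_USER_ID = 7  # assumption: the id of the customer we are logged in as


def get_basket_vulnerable(basket_id, session_user_id):
    """Returns whatever basket the client asked for; the owner is never checked."""
    return BASKETS.get(basket_id)


def get_basket_hardened(basket_id, session_user_id):
    """Only returns the basket if it belongs to the authenticated user.

    A missing basket and a foreign basket both come back as None so that the
    response does not reveal which ids exist.
    """
    basket = BASKETS.get(basket_id)
    if basket is None or basket["UserId"] != session_user_id:
        return None
    return basket


def probe(handler, ids, session_user_id):
    """Replays the Repeater exercise: same request, different id, note which ones answer."""
    return [i for i in ids if handler(i, session_user_id) is not None]


if __name__ == "__main__":
    candidates = range(1, 13)
    print("vulnerable:", probe(get_basket_vulnerable, candidates, SESSION_USER_ID))
    print("hardened  :", probe(get_basket_hardened, candidates, SESSION_USER_ID))
```

Against the vulnerable handler the probe lists both ids 2 and 11; against the hardened one only our own basket 11 answers. A stricter fix is to drop the id from the URL entirely and resolve the basket from the session, so there is no client-supplied object reference to tamper with.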
As we gather further customer, employee and admin identifiers from the web application, we can begin mapping out the user hierarchy within the database and really start to understand the logic behind the web application.
Knowing how to manipulate the web application in order to get the desired information from the database allows us to maneuver elegantly and continuously pwn the Juice Shop.
Cheers,