WebSec 101: JuiceShop ⭐⭐ challenges

Hello!

Welcome to the continuation of my web sec journey through Juice Shop!

Today I’m going to discuss two-star challenges (⭐⭐).

There are 10 tasks to go, in the categories Broken Access Control, Security Misconfiguration, Injection, Sensitive Data Exposure, Broken Authentication, XSS, Cryptographic Issues, and others!

If you are looking for details about one-star challenges, please check my previous post.

Our goal is to cover this scoreboard with green statuses:

All ⭐⭐ tasks

Let’s get the party started!

⭐⭐Login Admin (Injection)

There is always something magnetic about the ‘Injection’ category. It looks like a scene from a movie: a few tricks and we are logged in as a different user. So I will follow this ‘gravity’ and start with this one. There is also an interactive tutorial, so why not?

To start this challenge, we need to be logged out (obviously), and the magic begins on the login page!
As you can see, the Shop provides a step-by-step tutorial:

It’s worth mentioning that we also discovered this error in the previous post.

Then, we are advised to enter as the login:

' OR true

This is the basic SQL injection approach, but it does not work here…

We need to change the statement slightly (note: the added ending terminates the query):

This should work!

And success:

Who is the Admin now?

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

SQL INJECTION – OWASP
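To make the mechanism behind this challenge concrete from the developer's side, here is an added example (not Juice Shop's own code): the login query built by string concatenation, the same query as a parameterized statement, and a small check that shows why the bare `' OR true` fails while the terminated form parses. The table and column names are assumptions, and `looksLikeSqlInjection` is a hypothetical telemetry heuristic, not a replacement for parameterization.

```javascript
// Added example (not Juice Shop's own code): a login query built the vulnerable way,
// the same query as a parameterized statement, and a small telemetry check.
// Table and column names are assumptions.

// Vulnerable: the user-controlled email is spliced into the SQL text, so the
// characters of the input become part of the statement's grammar.
function buildLoginQueryVulnerable(email, passwordHash) {
  return "SELECT * FROM Users WHERE email = '" + email +
         "' AND password = '" + passwordHash + "' AND deletedAt IS NULL";
}

// Hardened: the statement text is a constant; values travel as bind parameters
// that the driver sends separately, so they can never alter the grammar.
function buildLoginQuerySafe(email, passwordHash) {
  return {
    sql: "SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL",
    params: [email, passwordHash],
  };
}

// What the database engine actually parses: everything after a "--" comment
// marker is dropped. This is why the trailing comment "ends the query".
function effectiveStatement(sql) {
  const commentAt = sql.indexOf("--");
  return commentAt === -1 ? sql : sql.slice(0, commentAt);
}

// An odd number of single quotes means an unterminated string literal, i.e. a
// syntax error: the reason the bare "' OR true" does not log anyone in.
function hasUnterminatedString(sql) {
  const quotes = (effectiveStatement(sql).match(/'/g) || []).length;
  return quotes % 2 === 1;
}

// Defender-side heuristic for login telemetry (hypothetical): a quote character
// together with a SQL keyword or comment marker. A plain apostrophe in a name
// such as o'brien does not trip it.
function looksLikeSqlInjection(value) {
  const hasQuote = /['"]/.test(value);
  const hasSqlToken = /\b(or|and|union|select)\b|--|\/\*/i.test(value);
  return hasQuote && hasSqlToken;
}
```

The safe builder never puts the input into `sql`; it only appears in `params`, where the driver treats it as data. The heuristic is for alerting on login attempts, not for blocking: parameterization is the fix, detection is the bonus.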

⭐⭐Admin Section (Broken Access Control)

For the second task today, we have to access the administration section of the store. The hint says it’s just slightly more complex than the scoreboard link. So again, we can check the JS files:

To enter Chrome Dev Tools, click F12

And after a simple CTRL+F, we can find:

Xs = [{
    path: "administration",
    component: Xi,
    canActivate: [_]
},

So the URL looks like this:

http://xxx:3000/#/administration

I have to tell you that I was still logged in as Admin, so I saw the right page:

Juice Shop Administration page

After checking as an unauthorized user, access is forbidden:

Access is prohibited for an unprivileged user

⭐⭐Five-Star Feedback (Broken Access Control)

We are asked to get rid of all 5-star customer feedback in this task. As we’ve seen on the administration page, there is a column with feedback:

Customer Feedback column is on Administration Page

After clicking the trash can button 🗑️ the task is finished.

⭐⭐View Basket (Broken Access Control)

The last task related to the Broken Access Control category wants us to view another user’s shopping basket. There are two ways to do that: inspect and manipulate the HTTP traffic, or find the client-side association between users and their baskets. Again, we have an interactive hacking tutorial, so let’s hop in:

The tutorial tells us what to do and points out important terms

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. The result is that the application performs actions with more privileges than those intended by the developer or system administrator. (…)

Usually, people refer to vertical escalation when it is possible to access resources granted to more privileged accounts (e.g., acquiring administrative privileges for the application), and to horizontal escalation when it is possible to access resources granted to a similarly configured account (e.g., in an online banking application, accessing information related to a different user).

Testing for Privilege Escalation – OWASP WSTG

And again, we are being guided step by step to Session Storage:

And the session keys are, in my case: bid (basket ID, I presume) and item-total:

Session Keys

After changing bid, going to the main page and then back to the basket, we can view a different user’s basket:
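Both Broken Access Control tasks above (the administration route and the basket walk) have the same root cause: the decision was left to the client. Here is an added example (not Juice Shop's own code) of the two server-side checks that close them, a role check for the admin route (vertical) and an ownership check on the basket id (horizontal), plus a small detector over the denial audit trail. The users, baskets, ids and error handling are constructed assumptions.

```javascript
// Added example (not Juice Shop's own code). Constructed in-memory users and
// baskets; the role names, ids and status codes are assumptions.
const USERS = {
  1: { id: 1, role: "admin" },
  2: { id: 2, role: "customer" },
  3: { id: 3, role: "customer" },
};
const BASKETS = {
  10: { id: 10, userId: 2, items: ["Apple Juice"] },
  11: { id: 11, userId: 3, items: ["Lemon Juice"] },
};

// Vertical control: the canActivate guard found in the bundle only hides the
// route in the browser. The server must decide from the session it verified.
function canAccessAdministration(sessionUserId) {
  const user = USERS[sessionUserId];
  return Boolean(user && user.role === "admin");
}

// Horizontal control: the basket id sent by the client (the bid value in session
// storage) is just a request parameter. Ownership is checked against the session
// user, and a basket that belongs to someone else is answered exactly like a
// missing one, so the response does not confirm which ids exist.
function viewBasket(sessionUserId, requestedBid, auditLog) {
  const user = USERS[sessionUserId];
  const basket = BASKETS[requestedBid];
  const allowed = Boolean(user && basket &&
    (basket.userId === user.id || user.role === "admin"));
  if (!allowed) {
    // Denials are what a SOC wants to see: one user stepping through other bids.
    auditLog.push({ event: "basket.denied", userId: sessionUserId, bid: requestedBid });
    return { status: 404, basket: null };
  }
  return { status: 200, basket };
}

// Detection over the audit trail: several denied bids from one user is the
// signature of the bid-tampering walk described in the challenge.
function suspiciousBasketWalkers(auditLog, threshold = 3) {
  const counts = new Map();
  for (const entry of auditLog) {
    if (entry.event !== "basket.denied") continue;
    counts.set(entry.userId, (counts.get(entry.userId) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([userId]) => userId);
}
```

The important detail is where `sessionUserId` comes from: the server's own verified session or token, never a field in the request. The `bid` value stays a lookup key, and the ownership comparison is what turns it back into something the user is allowed to read.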

⭐⭐Security Policy (Miscellaneous)

We have to behave like any white hat should before getting into the action: read the security policy before conducting any research on the application.

The security policy leads to the project: security.txt – a proposed standard that allows websites to define security policies. The process is divided into two steps:

  1. Create a text file called security.txt under the .well-known directory of your project.
  2. You are ready to go!

So after visiting:

http://xxx:3000/.well-known/security.txt

The task is completed 🙂
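The two steps above are all a site owner needs, but the file also has to be well formed to be useful to a researcher. As an added example (not Juice Shop's own code, nor its real security.txt), here is a small parser and checker for the format as standardised in RFC 9116: Contact and Expires are mandatory, Expires appears once and must be in the future, Preferred-Languages at most once. The sample file is constructed.

```javascript
// Added example (not Juice Shop's own code): a parser and checker for the
// security.txt format (RFC 9116). The sample file below is constructed.
const SAMPLE_SECURITY_TXT = [
  "# Constructed sample for illustration",
  "Contact: mailto:security@example.com",
  "Contact: https://example.com/report",
  "Expires: 2030-01-01T00:00:00.000Z",
  "Preferred-Languages: en, pl",
  "Policy: https://example.com/security-policy",
].join("\n");

// Fields are "Name: value" lines; "#" starts a comment; names are case-insensitive.
// Returns a Map from lower-cased field name to the list of values in file order.
function parseSecurityTxt(text) {
  const fields = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const sep = line.indexOf(":");
    if (sep === -1) continue; // not a field line: only fields and comments are allowed
    const name = line.slice(0, sep).trim().toLowerCase();
    const value = line.slice(sep + 1).trim();
    if (!fields.has(name)) fields.set(name, []);
    fields.get(name).push(value);
  }
  return fields;
}

// The rules a defender cares about. Where the file is served (/.well-known/ over
// HTTPS) cannot be checked offline, so only the content is validated here.
function validateSecurityTxt(text, now = new Date()) {
  const fields = parseSecurityTxt(text);
  const errors = [];
  if (!fields.has("contact")) errors.push("missing Contact: at least one is required");
  const expires = fields.get("expires") || [];
  if (expires.length === 0) {
    errors.push("missing Expires: exactly one is required");
  } else if (expires.length > 1) {
    errors.push("multiple Expires fields");
  } else {
    const when = new Date(expires[0]);
    if (Number.isNaN(when.getTime())) errors.push("Expires is not a valid timestamp");
    else if (when <= now) errors.push("Expires is in the past: the file is stale");
  }
  if ((fields.get("preferred-languages") || []).length > 1) {
    errors.push("multiple Preferred-Languages fields");
  }
  return errors;
}
```

A stale Expires is the most common defect in the wild: the file is created once and forgotten, and a researcher has no way to know whether the contact still works. Running the checker against `now` in a scheduled job catches that before a reporter does.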

⭐⭐Deprecated Interface (Security Misconfiguration)

In this task, we have to use a deprecated B2B interface that was not properly shut down.

It means that there was an interface, and now, as the hint puts it, the developers who disabled it think they ‘could go invisible by just closing their eyes’.

That one is interesting. I didn’t know where to start, so I used more hints.

The Juice Shop represents a classic Business-to-Consumer (B2C) application. Still, it also has some enterprise customers for which it would be inconvenient to order large quantities of juice through the webshop UI. For those customers, there is a dedicated B2B interface.

That’s interesting. I searched the JS files for “B2B” and found a line:

Input area for uploading a single invoice PDF or XML B2B order file or a ZIP archive containing multiple invoices or orders.

It leads me to the complaint page with a customer, message, and invoice fields. When we check allowedMimeType, there is:

this.uploader = new ra.c({
    url: "./file-upload",
    authToken: `Bearer ${localStorage.getItem("token")}`,
    allowedMimeType: ["application/pdf", "application/xml", "text/xml",
                      "application/zip", "application/x-zip-compressed", "multipart/x-zip"],
    maxFileSize: 1e5
}),

So I decided to check it with a .JPG file, and I got an error:

.JPG was forbidden

After creating an empty some.xml file, the result was different:

some.xml passed the exam
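The allowedMimeType list above lives in the browser bundle, so it only decides what the upload widget will send, not what the server will take. As an added example (not Juice Shop's own code) here is the server-side check that should sit behind /file-upload: it identifies the real format from leading bytes instead of the declared type, refuses empty files, and treats the XML order path as a deprecated interface that is switched off by a server-side flag rather than by hiding it in the client. The signatures, the `b2bEnabled` flag and the sample files are constructed assumptions; the 100000-byte limit mirrors the maxFileSize in the snippet.

```javascript
// Added example (not Juice Shop's own code): server-side validation of a B2B upload.
// Signatures, the b2bEnabled flag and the sample inputs are constructed.
const ALLOWED = new Set(["application/pdf", "application/zip"]);
const XML_TYPES = new Set(["application/xml", "text/xml"]);
const SIGNATURES = [
  { type: "application/pdf", magic: Buffer.from("%PDF-") },
  { type: "application/zip", magic: Buffer.from([0x50, 0x4b, 0x03, 0x04]) }, // "PK\x03\x04"
];

// Identify the real format from leading bytes rather than from the declared type.
function sniffType(bytes) {
  for (const { type, magic } of SIGNATURES) {
    if (bytes.length >= magic.length && bytes.subarray(0, magic.length).equals(magic)) {
      return type;
    }
  }
  const head = bytes.toString("utf8", 0, 64).replace(/^\uFEFF/, "").trimStart();
  if (head.startsWith("<?xml") || head.startsWith("<")) return "text/xml";
  return null;
}

// Decision function. b2bEnabled is a server-side setting: while the interface is
// deprecated it stays false and XML orders are refused whatever the client sends.
function validateB2BUpload(bytes, declaredType, { b2bEnabled = false, maxBytes = 100000 } = {}) {
  if (bytes.length === 0) return { accepted: false, reason: "empty file" };
  if (bytes.length > maxBytes) return { accepted: false, reason: "file too large" };
  const actual = sniffType(bytes);
  if (XML_TYPES.has(declaredType) || actual === "text/xml") {
    if (!b2bEnabled) return { accepted: false, reason: "B2B XML interface is disabled" };
  }
  if (!ALLOWED.has(declaredType) && !XML_TYPES.has(declaredType)) {
    return { accepted: false, reason: "type not allowed: " + declaredType };
  }
  const expected = XML_TYPES.has(declaredType) ? "text/xml" : declaredType;
  if (actual !== expected) {
    return { accepted: false, reason: "content does not match declared type" };
  }
  return { accepted: true, reason: "ok", type: actual };
}
```

Note what changes compared with the behaviour seen in the challenge: the empty some.xml is refused outright, and a non-empty XML order is refused too unless the server itself says the B2B path is live. Retiring an interface means removing or disabling its handler on the server; a client-side list cannot do that.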

⭐⭐Reflected XSS (XSS)

Now, we have to perform a reflected XSS attack with

<iframe src="javascript:alert(`xss`)">

Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other website. When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server. Reflected XSS is also sometimes referred to as Non-Persistent or Type-II XSS.

Cross Site Scripting (XSS) – OWASP

We also got a hint to look for URL parameters whose value appears in the page they lead to.

The main page is not vulnerable to this attack (as we saw in the one-star article, it’s vulnerable to DOM XSS), so we must go deeper.

After finishing the “view basket” challenge, I’ve decided to finish the order. Now I wanted to check the status of my order.

So in my order history, it’s possible to track the fake order:

Order History page

The tracking link looks like this:

http://xxx:3000/#/track-result?id=357a-fdd2fce18975a144

And the page:

Search Results

So after changing the link into:

http://xxx:3000/#/track-result?id=%3Ciframe%20src=%22javascript:alert(%60xss%60)%22%3E

We managed to solve the challenge:

Reflected XSS
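To show what the tracking page should have done with that id, here is an added example (not Juice Shop's own code): it pulls the id out of the hash-routed URL, renders it the unsafe way that reflects markup, and then the hardened way with an allow-list on the id shape followed by HTML encoding. The id format regex is an assumption drawn from the single example id above (4 hex characters, a dash, 16 hex characters); the markup of the results page is constructed.

```javascript
// Added example (not Juice Shop's own code). The ORDER_ID pattern is an assumption
// derived from the one example id on the page; the page markup is constructed.
const ORDER_ID = /^[0-9a-f]{4}-[0-9a-f]{16}$/;

// The query string lives inside the fragment (#/track-result?id=...), so the
// server never even sees it: the client-side code owns this untrusted input.
function orderIdFromUrl(url) {
  const hash = new URL(url).hash;            // "#/track-result?id=..."
  const query = hash.split("?")[1] || "";
  return new URLSearchParams(query).get("id") || "";
}

// Output encoding for an HTML text context: the five characters that can open
// a tag, an attribute or an entity are replaced by their entity forms.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, ch => map[ch]);
}

// Vulnerable: the parameter is dropped into markup as-is (innerHTML-style), so a
// value that contains a tag becomes part of the document.
function renderTrackResultUnsafe(id) {
  return `<h1>Search Results</h1><p>Order ${id}</p>`;
}

// Hardened: validate against the expected shape first, then encode on output.
// Both layers are kept so a future change to the id format cannot silently
// reopen the hole: even an unexpected value is rendered as text, never as markup.
function renderTrackResultSafe(id) {
  if (!ORDER_ID.test(id)) return "<h1>Search Results</h1><p>Unknown order</p>";
  return `<h1>Search Results</h1><p>Order ${escapeHtml(id)}</p>`;
}
```

In an Angular application like the shop's, the equivalent of `escapeHtml` is simply binding the value with interpolation instead of `[innerHTML]` or `bypassSecurityTrust...`; the allow-list check is the part frameworks do not do for you.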

⭐⭐Login MC SafeSearch (Sensitive Data Exposure)

In this one, we have to log in with MC SafeSearch’s original user credentials without applying SQL Injection or any other bypass. MC SafeSearch was a complete unknown to me, but the hint leads to MC’s hit song “Protect Ya Passwordz.”

So MC SafeSearch is a rapper, and he explains the importance of protecting passwords and sensitive data!

Nice! Here you can find the song:

MC SafeSearch – Protect Ya Passwordz

From the Login Admin task (where we were logged in as admin), we can easily find his email, which is (hard to guess): mc.safesearch@juice-sh.op

The song is about passwords and internet safety. At the beginning, the rapper sings about creating passwords from his pet’s name, but being tricky and remembering to change ‘some vowels into zeroes’.

After checking:

MC SafeSearch fake Juice Shop credentials

We have another success 😉

⭐⭐Weird Crypto (Cryptographic Issues)

As you may know from my Hello, World page, cryptography is my thing. So I was looking forward to informing the Shop about an algorithm or library it should definitely not use the way it does. ‘Inform the shop’ was pointing directly to the contact form: they asked us to report one of four possible answers via the “Customer Feedback Form.”

To be honest, I’m a bit ahead with solving the challenges, so I already know that Juice Shop uses the MD5 algorithm (which is deprecated) and Base64 (which is just an encoding, not a proper form of ‘encryption’). So after checking:

The task is completed 😊

⭐⭐Password Strength (Broken Authentication)

The last task requires logging in with the administrator’s user credentials without changing them or applying SQL Injection. We have 3 options here:

  1. Brute force
  2. Crack the password hash
  3. Simply guess

Usually, I would go with option 2, cracking the password hash, but dumping the users database with stored credentials is a ⭐⭐⭐⭐ challenge, so I don’t want to get ahead of myself.

On the other hand, simply guessing is just… too simple. So let’s try to brute force the password with Burp.

As a dictionary, I will use PasswordDictionary from PeterStaev’s GitHub, a list of almost 7000 popular (and insecure) passwords.

Fortunately, the login is well known:

admin@juice-sh.op

So I’ll start with the first guess:

First login request

The POST /rest/user/login request has the body:

{"email":"admin@juice-sh.op","password":"x"}

So we need to send it to the Intruder and change it into:

{"email":"admin@juice-sh.op",
"password":"§x§"
}

and start a Sniper attack with the loaded password list. After a while, we can see that one of the requests returns a response of a different length:

Sniper attack with Burp Intruder

So the credentials are:

email: admin@juice-sh.op
password: admin123

The challenge is over 😉
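The Intruder run above looks very different from the server's side: one source address, one account, hundreds of 401s in a few seconds and then a 200. As an added example (not Juice Shop's own code), here is a sliding-window detector over login log lines that raises an alert when a (source, account) pair fails too often inside a window and records whether a success followed the burst, which is the case that needs an immediate password reset. The log lines and their field layout are constructed assumptions.

```javascript
// Added example (not Juice Shop's own code): the defender's view of a Sniper run.
// The log lines are constructed and the field layout is an assumption.
const SAMPLE_LOG = [
  "2023-03-01T10:00:00Z 10.0.0.5 POST /rest/user/login email=admin@juice-sh.op status=401 len=26",
  "2023-03-01T10:00:01Z 10.0.0.5 POST /rest/user/login email=admin@juice-sh.op status=401 len=26",
  "2023-03-01T10:00:01Z 10.0.0.5 POST /rest/user/login email=admin@juice-sh.op status=401 len=26",
  "2023-03-01T10:00:02Z 10.0.0.5 POST /rest/user/login email=admin@juice-sh.op status=401 len=26",
  "2023-03-01T10:00:02Z 10.0.0.5 POST /rest/user/login email=admin@juice-sh.op status=401 len=26",
  "2023-03-01T10:00:03Z 10.0.0.5 POST /rest/user/login email=admin@juice-sh.op status=401 len=26",
  "2023-03-01T10:00:03Z 10.0.0.5 POST /rest/user/login email=admin@juice-sh.op status=200 len=812",
  "2023-03-01T10:05:00Z 10.0.0.9 POST /rest/user/login email=alice@example.com status=401 len=26",
  "2023-03-01T10:05:20Z 10.0.0.9 POST /rest/user/login email=alice@example.com status=200 len=804",
];

const LINE = /^(\S+) (\S+) POST \/rest\/user\/login email=(\S+) status=(\d{3}) len=(\d+)$/;

// The response length (len) is the tell the attacker sorted on in Intruder;
// the defender can use the status code directly.
function parseLoginLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), ip: m[2], email: m[3], status: Number(m[4]), len: Number(m[5]) };
}

// Sliding window per (ip, email): alert once `threshold` failures land inside
// `windowSeconds`, keep counting afterwards, and mark a success that follows.
function detectLoginBruteForce(lines, { threshold = 5, windowSeconds = 60 } = {}) {
  const state = new Map();   // key -> { failures: [timestamps], alert }
  const alerts = [];
  for (const line of lines) {
    const rec = parseLoginLine(line);
    if (!rec) continue;      // unparsable lines are skipped, not fatal
    const key = `${rec.ip} ${rec.email}`;
    let s = state.get(key);
    if (!s) { s = { failures: [], alert: null }; state.set(key, s); }
    if (rec.status === 401) {
      const cutoff = rec.ts - windowSeconds * 1000;
      s.failures = s.failures.filter(t => t >= cutoff);
      s.failures.push(rec.ts);
      if (s.alert) {
        s.alert.failures += 1;
      } else if (s.failures.length >= threshold) {
        s.alert = { ip: rec.ip, email: rec.email, failures: s.failures.length, succeededAfter: false };
        alerts.push(s.alert);
      }
    } else if (rec.status === 200 && s.alert) {
      s.alert.succeededAfter = true;   // a guessed password, not just noise
    }
  }
  return alerts;
}
```

The same counters that drive the alert are the ones a login endpoint should use for throttling: a per-account delay or lockout after a handful of failures would have turned a 7000-word list into a multi-day job and made the length difference in Intruder irrelevant. A weak password such as admin123 is the root cause; the missing rate limit is what let it be found in minutes.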

Conclusion

After this next batch of challenges, my scoreboard looks better now:

⭐⭐ – all green!

But still, we are not even close to the middle of the road:

Moving forward!

⭐⭐ challenges were fun, and I’m really excited to tackle the ⭐⭐⭐ challenges.

Note: There are 20+ ⭐⭐⭐ challenges, so I will probably split the walkthrough into 2 or 3 parts.

So that’s it for today 😊 I hope you enjoyed this article, and if you have any questions, do not hesitate to contact me!

Reference list:

  1. Cross Site Scripting (XSS) – OWASP
  2. SQL INJECTION – OWASP
  3. Testing for Privilege Escalation – OWASP WSTG
  4. security.txt
  5. MC SafeSearch – Protect Ya Passwordz
  6. PeterStaev GitHub
