Slide 1

OWASP Juice Shop Challenges

Slide 2

Where to start?
- Open Juice Shop in your browser of choice: untjuiceshop.herokuapp.com
- Look around the shop and see if you can spot anything hanging in plain sight
- Take a look with your browser's developer tools
- Typically start with the Sources tab

Slide 3

main-es2015.js
- Likely the JavaScript file running the application
- Let's poke around
- Locate the available paths for the application
- Can systematically try them, or just navigate to "important" paths
- Administration is blocked, for now
- Accounting as well
- Score-board is available

Slide 4

Score-board
- Now we can see what the challenges are
- Up to you on how you would like to solve them
- For the purposes of this presentation we will solve the one-star challenges from top to bottom

Slide 5

Confidential Document
- While poking around the site you should have noticed a clickable link on the About Us page
- This takes us to untjuiceshop.herokuapp.com/ftp/legal.md
- Well, we know that this application is running FTP; let's see if we can look at the FTP directory
- Delete legal.md from the URL
- We found the FTP directory
- Clicking links reveals only .md and .pdf are allowed
- Navigate to acquisitions.md
- Done

Slide 6

DOM XSS
- The DOM is the "Document Object Model" and allows programs and scripts to dynamically access and update the content of a document
- DOM actions are those that are performed on "HTML elements" and can set or change the values of these elements
- There are only a few places to try this one
- If you started with the search bar at the top, you are correct
- Copy and paste the given code in the application search bar to complete

Slide 7

Error Handling
- If you clicked other files on the FTP server than "acquisitions.md" you will see a non-gracefully handled error
- These errors can provide paths that are worth checking out

Slide 8

Outdated Whitelist
- We are looking for a cryptocurrency address that is no longer used
- This is not hanging out in the open for us to see; we need to probe more
- When trying to "purchase" something from the store there is an "Other Payments" tab
- Hovering over these to see the URL shows that they are using the /redirect?to route
- Let's search for this like we did the paths at the beginning
- We locate three paths here; navigate to any to complete

Slide 9

Privacy Policy
- Again, while poking around the site initially, you should have found the privacy policy
- If not, navigate to the Privacy Policy under the Privacy and Security drop-down

Slide 10

Reflected XSS
- A reflected XSS is a specific type of XSS whose malicious script bounces off of another website to the victim's browser
- Track Orders seems like a viable option here
- It is likely the Juice Shop queries a shipping service for the tracking information
- Copy and paste the given XSS attack to complete

Slide 11

Repetitive Registration
- DRY principle: Don't Repeat Yourself
- This is true for computer science in the sense that you don't want to keep typing out a commonly used set of commands
- Maybe make a function for this set of commands and only type it once?
- This one is a little tricky, as it wasn't immediately apparent to me to make the two passwords different
- For completion, while registering a user, change the "Password" field after making both passwords match
- It seems the application is not consistently checking the two fields for correctness and only requires them to be the same one time

Slide 12

Zero Stars
- This challenge wants us to leave a zero-star review for the application
- Navigate to "Customer Feedback" in the drop-down menu
- Complaint won't work here as it has no star rating to give
- Fill in the feedback form
- Answer the CAPTCHA question

Slide 13

Zero Stars continued
- Upon submitting we see that the button is not clickable
- Let's inspect this with our developer tools
- Instead of trying to find it yourself, use the element selector tool at the top left to quickly find the location in the code file
- We see there is a disabled attribute set
- Change it to false? Remove it?
- Submit the form once it is selectable to complete
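Both Repetitive Registration (Slide 11) and Zero Stars (Slide 13) work because the only guard is in the browser: a one-time password-match check and a disabled submit button, both of which the developer tools can edit away. The fix is to validate on the server on every submission. The following is an added example, not Juice Shop's own code; the request field names (password, passwordRepeat, rating, comment, captchaAnswer) are assumptions, and the two request bodies are constructed to mirror the bypassed forms.

```javascript
// Added example (not Juice Shop's own code): server-side validation that does not
// trust the browser. Field names are assumed, not taken from the real application.

// Constructed request bodies, as a server would receive them after the client-side
// checks were edited away with the developer tools.
const sampleRegistration = {
  email: 'user@example.com',
  password: 'first-password',
  passwordRepeat: 'second-password', // changed after the two fields had matched
};

const sampleFeedback = {
  comment: 'zero stars',
  rating: 0, // submit button was re-enabled in the DOM
  captchaAnswer: '7',
};

// Returns a list of validation errors; an empty list means the body is acceptable.
function validateRegistration(body) {
  const errors = [];
  if (typeof body.password !== 'string' || body.password.length < 8) {
    errors.push('password must be at least 8 characters');
  }
  // The match is checked on every submission, not only the first time.
  if (body.password !== body.passwordRepeat) {
    errors.push('password and repeat password do not match');
  }
  return errors;
}

// expectedCaptcha is the answer the server stored when it issued the question.
function validateFeedback(body, expectedCaptcha) {
  const errors = [];
  // The rating is an integer 1..5 regardless of what the form's button allowed.
  if (!Number.isInteger(body.rating) || body.rating < 1 || body.rating > 5) {
    errors.push('rating must be an integer between 1 and 5');
  }
  if (typeof body.comment !== 'string' || body.comment.trim() === '') {
    errors.push('comment is required');
  }
  if (String(body.captchaAnswer) !== String(expectedCaptcha)) {
    errors.push('captcha answer is wrong');
  }
  return errors;
}

console.log(validateRegistration(sampleRegistration)); // one mismatch error
console.log(validateFeedback(sampleFeedback, 7));      // one rating error
```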

Slide 14

We did it
- All of the one-star challenges for Juice Shop are now complete
- Did you spot different ways to complete some of the challenges?

Slide 15

Q&A

Slide 16

For next time
- Officer elections will be held next week during the meeting
- President
- Vice President
- Treasurer
- Web Master
- Event Coordinator
- Organization Outreach Manager
- Social Media Manager
- Student Outreach Manager
- Anything you want to see?