Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OWASP Juice Challenges

UNTCSC
October 03, 2019
0
23

OWASP Juice Challenges

UNTCSC

October 03, 2019
Tweet

More Decks by UNTCSC

See All by UNTCSC
Network Simulation
unt_csc
0
40
Password Hashing Fall 2020
unt_csc
0
27
Resume and Interview Workshop
unt_csc
0
29
Security: Why do we Care
unt_csc
0
34
Welcome back fall 2020
unt_csc
0
25
Secure Coding
unt_csc
0
49
UNTCSC Spring 2020 Welcome Back
unt_csc
0
41
Password Guessing
unt_csc
0
21
Network Security
unt_csc
0
19

Featured

See All Featured
Rails Girls Zürich Keynote
gr2m
94
13k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
19
2.3k
jQuery: Nuts, Bolts and Bling
dougneiner
62
7.6k
Designing for humans not robots
tammielis
250
25k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
490
BBQ
matthewcrist
85
9.4k
Documentation Writing (for coders)
carmenintech
67
4.5k
Building Better People: How to give real-time feedback that sticks.
wjessup
366
19k
Testing 201, or: Great Expectations
jmmastey
41
7.2k
Navigating Team Friction
lara
183
15k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
950

Transcript

  1. OWASP Juice Shop Challenges

  2. WHERE TO START?  OPEN JUICE SHOP IN YOUR BROWSER

    OF CHOICE  untjuiceshop.herokuapp.com  LOOK AROUND THE SHOP AND SEE IF YOU CAN SPOT ANYTHING HANGING IN PLAIN SITE  TAKE A LOOK WITH YOUR BROWSERS DEVELOPER TOOLS  TYPICALLY START WITH THE SOURCES TAB

  3. MAIN-ES2015.JS  LIKELY THE JAVASCRIPT FILE RUNNING THE APPLICATION 

    LETS POKE AROUND  LOCATE THE AVAILABLE PATHS FOR THE APPLICATION  CAN SYSTEMATICALLY TRY THEM, OR JUST NAVIGATE TO “IMPORTANT” PATHS  ADMINISTRATION IS BLOCKED, FOR NOW  ACCOUNTING AS WELL  SCORE-BOARD IS AVAILABLE

  4. SCORE-BOARD  NOW WE CAN SEE WHAT THE CHALLENGES ARE

     UP TO YOU ON HOW YOU WOULD LIKE TO SOLVE THEM  FOR THE PURPOSES OF THIS PRESENTATION WE WILL SOLVE THE ONE STAR CHALLENGES FROM TOP TO BOTTOM

  5. CONFIDENTAIL DOCUMENT  WHILE POKING AROUND THE SITE YOU SHOULD

    HAVE NOTICED A CLICKABLE LINK ON THE ABOUT US PAGE.  THIS TAKES US TO (UNTJUICESHOP.HEROKUAPP.COM/FTP/LEGAL.MD)  WELL, WE KNOW THAT THIS APPLICATION IS RUNNING FTP, LETS SEE IF WE CAN LOOK AT THE FTP DIRECTORY  DELETE LEGAL.MD FROM THE URL  WE FOUND THE FTP DIRECTORY  CLICKING LINKS REVEALS ONLY .MD AND .PDF ARE ALLOWED.  NAVIGATE TO ACQUISITIONS.MD  DONE

  6. DOM XSS  THE DOM IS THE “DOCUMENT OBJECT MODEL”

    AND ALLOWS PROGRAMS AND SCRIPTS TO DYNAMICALLY ACCESS AND UPDATE THE CONTENT OF A DOCUMENT  DOM ACTIONS ARE THOSE THAT ARE PERFORMED ON “HTML ELEMENTS” AND CAN SET OR CHANGE THE VALUES OF THESE ELEMENTS  THERE ARE ONLY A FEW PLACES TO TRY THIS ONE  IF YOU STARTED WITH THE SEARCH BAR AT THE TOP, YOU ARE CORRECT  COPY AND PASTE THE GIVEN CODE IN THE APPLICATION SEARCH BAR TO COMPLETE

  7. ERROR HANDLING  IF YOU CLICKED OTHER FILES ON THE

    FTP SERVER THAN “ACQUISITIONS.MD” YOU WILL SEE A NON-GRACEFULLY HANDLED ERROR  THESE ERRORS CAN PROVIDE PATHS THAT ARE WORTH CHECKING OUT

  8. OUTDATED WHITELIST  WE ARE LOOKING FOR A CRYPTO CURRENCY

    ADDRESS THAT IS NO LONGER USED  THIS IS NOT HANGING OUT IN THE OPEN FOR US TO SEE, NEED TO PROBE MORE  WHEN TRYING TO “PURCHASE” SOMETHING FROM THE STORE THERE IS AN “OTHER PAYMENTS TAB”  HOVERING OVER THESE TO SEE THE URL SHOWS THAT THEY ARE USING THE /REDIRECT?TO ROUTE  LETS SEARCH FOR THIS LIKE WE DID THE PATHS AT THE BEGINNING  WE LOCATE THREE PATHS HERE, NAVIGATE TO ANY TO COMPLETE

  9. PRIVACY POLICY  AGAIN, WHILE POKING AROUND THE SITE INITIALLY,

    YOU SHOULD HAVE FOUND THE PRIVACY POLICY  IF NOT, NAVIGATE TO THE PRIVACY POLICY UNDER THE PRIVACY AND SECURITY DROP DOWN

  10. REFLECTED XSS  A REFLECTED XSS IS A SPECIFIC TYPE

    OF XSS WHOSE MALICIOUS SCRIPT BOUNCES OFF OF ANOTHER WEBSITE TO THE VICTIM BROWSER  TRACK ORDERS SEEMS LIKE A VIABLE OPTION HERE  IT IS LIKELY THE JUICE SHOP QUERIES A SHIPPING SERVICE FOR THE TRACKING INFORMATION  COPY AND PASTE THE GIVEN XSS ATTACK TO COMPLETE

  11. REPETITIVE REGISTRATION  DRY PRINCIPLE  DON’T REPEAT YOURSELF 

    THIS IS TRUE FOR COMPUTER SCIENCE IN THE WAYS THAT YOU DON’T WANT TO KEEP TYPING OUT A COMMONLY USED SET OF COMMANDS  MAYBE MAKE A FUNCTION FOR THIS SET OF COMMANDS AND ONLY TYPE IT ONCE?  THIS ONE IS A LITTLE TRICKY AS IT WASN’T IMMEDIATELY APPARENT TO ME TO MAKE THE TWO PASSWORDS DIFFERENT  FOR COMPLETION, WHILE REGISTERING A USER CHANGE THE “PASSWORD” FIELD AFTER MAKING BOTH PASSWORDS MATCH  IT SEEMS THE APPLICATION IS NOT CONSITENTLY CHECKING THE TWO FIELDS FOR CORRECTNESS AND ONLY REQUIRES THEM TO BE THE SAME ONE TIME

  12. ZERO STARS  THIS CHALLENGE WANTS US TO LEAVE A

    ZERO STAR REVIEW FOR THE APPLICATION  NAVIGATE TO THE ‘CUSTOMER FEEDBACK’ IN THE DROP DOWN MENU  COMPLAINT WONT WORK HERE AS IT HAS NO STAR RATING TO GIVE  FILL IN THE FEEDBACK FORM  ANSWER THE CAPTCHA QUESTION

  13. ZERO STARS CONTINUED  UPON SUBMITTING WE SEE THAT THE

    BUTTON IS NOT CLICKABLE  LETS INSPECT THIS WITH OUR DEVELOPER TOOLS  INSTEAD OF TRYING TO FIND IT YOURSELF, USE THE ELEMENT SELECTOR TOOL AT THE TOP LEFT TO QUICKLY FIND THE LOCATION IN THE CODE FILE  WE SEE THERE IS A DISABLED ATTRIBUTE SET  CHANGE IT TO FALSE?  REMOVE IT?  SUBMIT THE FORM ONCE IT IS SELECTABLE TO COMPLETE

  14. WE DID IT  ALL OF THE ONE STAR CHALLENGES

    FOR JUICE SHOP ARE NOW COMPLETE  DID YOU SPOT DIFFERENT WAYS TO COMPLETE SOME OF THE CHALLENGES?

  15. Q&A

  16. FOR NEXT TIME  OFFICER ELECTIONS WILL BE HELD NEXT

    WEEK DURING THE MEETING  PRESIDENT  VICE PRESIDENT  TREASURER  WEB MASTER  EVENT COORDINATOR  ORGANIZATION OUTREACH MANAGER  SOCIAL MEDIA MANAGER  STUDENT OUTREACH MANAGER  ANYTHING YOU WANT TO SEE?