
OWASP Juice Challenges

UNTCSC
October 03, 2019


Transcript

  1. WHERE TO START?
     - Open Juice Shop in your browser of choice: untjuiceshop.herokuapp.com
     - Look around the shop and see if you can spot anything hanging in plain sight
     - Take a look with your browser's developer tools
     - Typically start with the Sources tab
  2. MAIN-ES2015.JS
     - Likely the JavaScript file running the application
     - Let's poke around
     - Locate the available paths for the application
     - Can systematically try them, or just navigate to "important" paths
     - Administration is blocked, for now
     - Accounting as well
     - Score-board is available
  3. SCORE-BOARD
     - Now we can see what the challenges are
     - Up to you how you would like to solve them
     - For the purposes of this presentation we will solve the one-star challenges from top to bottom
  4. CONFIDENTIAL DOCUMENT
     - While poking around the site you should have noticed a clickable link on the About Us page
     - This takes us to untjuiceshop.herokuapp.com/ftp/legal.md
     - Well, we know that this application is serving an FTP directory; let's see if we can look at it
     - Delete legal.md from the URL
     - We found the FTP directory
     - Clicking links reveals only .md and .pdf are allowed
     - Navigate to acquisitions.md
     - Done
  5. DOM XSS
     - The DOM is the "Document Object Model" and allows programs and scripts to dynamically access and update the content of a document
     - DOM actions are those that are performed on "HTML elements" and can set or change the values of these elements
     - There are only a few places to try this one
     - If you started with the search bar at the top, you are correct
     - Copy and paste the given code into the application search bar to complete
  6. ERROR HANDLING
     - If you clicked files on the FTP server other than "acquisitions.md", you will see a non-gracefully handled error
     - These errors can reveal paths that are worth checking out
  7. OUTDATED WHITELIST
     - We are looking for a cryptocurrency address that is no longer used
     - This is not hanging out in the open for us to see; we need to probe more
     - When trying to "purchase" something from the store there is an "Other Payments" tab
     - Hovering over these to see the URL shows that they are using the /redirect?to route
     - Let's search for this like we did the paths at the beginning
     - We locate three paths here; navigate to any to complete
  8. PRIVACY POLICY
     - Again, while poking around the site initially, you should have found the privacy policy
     - If not, navigate to the privacy policy under the Privacy and Security drop-down
  9. REFLECTED XSS
     - A reflected XSS is a specific type of XSS whose malicious script bounces off of another website to the victim's browser
     - Track Orders seems like a viable option here
     - It is likely the Juice Shop queries a shipping service for the tracking information
     - Copy and paste the given XSS attack to complete
  10. REPETITIVE REGISTRATION
     - DRY principle: Don't Repeat Yourself
     - This is true for computer science in the sense that you don't want to keep typing out a commonly used set of commands
     - Maybe make a function for this set of commands and only type it once?
     - This one is a little tricky, as it wasn't immediately apparent to me to make the two passwords different
     - For completion, while registering a user, change the "Password" field after making both passwords match
     - It seems the application is not consistently checking the two fields for correctness and only requires them to be the same one time
  11. ZERO STARS
     - This challenge wants us to leave a zero-star review for the application
     - Navigate to "Customer Feedback" in the drop-down menu
     - Complaint won't work here, as it has no star rating to give
     - Fill in the feedback form
     - Answer the CAPTCHA question
  12. ZERO STARS CONTINUED
     - Upon submitting we see that the button is not clickable
     - Let's inspect this with our developer tools
     - Instead of trying to find it yourself, use the element selector tool at the top left to quickly find the location in the code file
     - We see there is a disabled attribute set
     - Change it to false? Remove it?
     - Submit the form once it is selectable to complete
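Both the Repetitive Registration and Zero Stars challenges succeed because the check lives only in the browser (a one-time password-match test, a disabled submit button), where the user can edit it away. The fix is to repeat the check on the server for every request. The following is an added example, not Juice Shop's own code; the request body shapes and field names are assumptions for illustration.

```javascript
// Added example: server-side validation that does not trust the browser.
// Hypothetical feedback body: { comment: string, rating: number }
function validateFeedback(body) {
  const errors = [];
  // A removed "disabled" attribute or a hand-built request can still send
  // rating 0, a negative number, a float or a string, so check all of them here.
  if (!Number.isInteger(body.rating) || body.rating < 1 || body.rating > 5) {
    errors.push('rating must be an integer between 1 and 5');
  }
  if (typeof body.comment !== 'string' || body.comment.trim().length === 0) {
    errors.push('comment must be a non-empty string');
  }
  return { ok: errors.length === 0, errors };
}

// Hypothetical registration body: { email, password, passwordRepeat }
function validateRegistration(body) {
  const errors = [];
  if (typeof body.password !== 'string' || body.password.length < 8) {
    errors.push('password must be at least 8 characters');
  }
  // Compare the two fields on every submission, not only when the form was
  // first filled in; editing one field after they matched must be rejected too.
  if (body.password !== body.passwordRepeat) {
    errors.push('password and repeat password do not match');
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample requests: an honest submission and a tampered one for each form.
const honestFeedback = { comment: 'Great juice', rating: 4 };
const tamperedFeedback = { comment: 'Meh', rating: 0 };
const honestRegistration = { email: 'u@example.com', password: 'correct-horse', passwordRepeat: 'correct-horse' };
const tamperedRegistration = { email: 'u@example.com', password: 'changed-after', passwordRepeat: 'correct-horse' };

// Run the checks so the block demonstrates both outcomes when executed directly.
function demo() {
  return [honestFeedback, tamperedFeedback].map(validateFeedback)
    .concat([honestRegistration, tamperedRegistration].map(validateRegistration));
}
console.log(JSON.stringify(demo(), null, 2));
```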
  13. WE DID IT
     - All of the one-star challenges for Juice Shop are now complete
     - Did you spot different ways to complete some of the challenges?
  14. Q&A

  15. FOR NEXT TIME
     - Officer elections will be held next week during the meeting
     - President
     - Vice President
     - Treasurer
     - Web Master
     - Event Coordinator
     - Organization Outreach Manager
     - Social Media Manager
     - Student Outreach Manager
     - Anything you want to see?