OWASP Juice Challenges

UNTCSC
October 03, 2019


Transcript

  1. Where to start?
     - Open Juice Shop in your browser of choice: untjuiceshop.herokuapp.com
     - Look around the shop and see if you can spot anything hanging in plain sight
     - Take a look with your browser's developer tools; typically start with the Sources tab
  2. main-es2015.js
     - Likely the JavaScript bundle running the application (an Angular build), so let's poke around in it
     - Locate the available paths for the application by searching the bundle for the route definitions (the path:"..." entries)
     - You can systematically try them, or just navigate to the "important" paths; Juice Shop uses hash routing, so a route is reached at /#/<path>
     - #/administration is blocked, for now; #/accounting as well
     - #/score-board is available
  3. Score-board
     - Now we can see what the challenges are
     - It is up to you how you would like to solve them
     - For the purposes of this presentation we will solve the one-star challenges from top to bottom
  4. Confidential Document
     - While poking around the site you should have noticed a clickable link on the About Us page
     - It takes us to untjuiceshop.herokuapp.com/ftp/legal.md
     - The /ftp path name suggests a file share, but the browser fetched it with a plain HTTP GET; the interesting question is whether the directory itself is browsable
     - Delete legal.md from the URL: we get a directory listing for /ftp
     - Clicking the other links reveals that only .md and .pdf files are allowed to be downloaded
     - Navigate to acquisitions.md. Done
  5. DOM XSS
     - The DOM is the "Document Object Model": the tree representation of the page that allows programs and scripts to dynamically access and update the content of a document
     - DOM-based XSS occurs when client-side JavaScript takes attacker-controlled input (such as a URL fragment or query parameter) and writes it into the page through an unsafe sink like innerHTML; the server never sees the payload
     - There are only a few places to try this one
     - If you started with the search bar at the top, you are correct
     - Copy and paste the code given in the challenge hint into the application search bar to complete
  6. Error handling
     - If you clicked files in the /ftp listing other than acquisitions.md, you will see an error that is not handled gracefully
     - Errors like this (stack traces, file system paths, framework details) can provide paths that are worth checking out
  7. Outdated Whitelist
     - We are looking for a cryptocurrency address that is no longer used
     - This is not hanging out in the open for us to see; we need to probe more
     - When trying to "purchase" something from the store there is an "Other payment options" section
     - Hovering over these links to see the URL shows that they use the /redirect?to= route, so the allowed targets must be listed somewhere
     - Let's search the bundle for /redirect?to= like we did for the paths at the beginning
     - We locate three targets here; navigate to any of them to complete
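The two "search the bundle" steps (the route table on slide 2 and the redirect targets on slide 7) can be scripted. The following is an added example, not part of the UNTCSC deck or the Juice Shop project: the bundle text it parses is a constructed stand-in for main-es2015.js with made-up example.invalid hosts, and the minified shape of the route objects (path:"…" with an optional canActivate guard) is an assumption about how Angular CLI emits a route table.

```javascript
// Added example (not from the UNTCSC deck or the Juice Shop code base):
// script the two "search the bundle" steps of the walkthrough.
'use strict';

// Constructed stand-in for a slice of a minified main-es2015.js. The route
// objects mimic how Angular CLI compiles a route table; the redirect links
// use made-up example.invalid hosts, not real Juice Shop addresses.
const SAMPLE_BUNDLE = [
  '[{path:"administration",component:Xt,canActivate:[Vt]},',
  '{path:"accounting",component:Kt,canActivate:[Vt]},',
  '{path:"about",component:At},{path:"score-board",component:Zt},',
  '{path:"track-result",component:Qt},',
  '{path:"privacy-security",component:Pt,children:[{path:"privacy-policy",component:Rt}]}]',
  'e.href="/redirect?to=https://old-wallet.example.invalid/address/abc123";',
  'e.href="/redirect?to=https://explorer.example.invalid/wallet/def456";',
  'e.href="/redirect?to=https://shop.example.invalid/tokens";',
  'e.href="/redirect?to=https://shop.example.invalid/tokens";', // duplicate on purpose
].join('\n');

// Slide 2: every route path in the bundle. A route is marked "guarded" when a
// canActivate guard appears before the next route definition. That guard runs
// only in the browser, so it hints at what the server must protect; it is not
// proof that the server does.
function extractRoutes(bundle) {
  const routes = new Map();
  const matches = [...bundle.matchAll(/path:"([^"]*)"/g)];
  matches.forEach((m, i) => {
    const end = i + 1 < matches.length ? matches[i + 1].index : bundle.length;
    const segment = bundle.slice(m.index, end);
    routes.set(m[1], { guarded: /canActivate/.test(segment) });
  });
  return routes;
}

// Juice Shop uses hash routing, so route "score-board" lives at /#/score-board.
function routeUrls(origin, routes) {
  return [...routes.keys()].map(p => `${origin}/#/${p}`);
}

// Slide 7: every distinct target handed to the /redirect?to= route.
function extractRedirectTargets(bundle) {
  const targets = new Set();
  for (const m of bundle.matchAll(/\/redirect\?to=([^"'\s)]+)/g)) {
    targets.add(decodeURIComponent(m[1]));
  }
  return [...targets];
}

if (typeof require !== 'undefined' && require.main === module) {
  const routes = extractRoutes(SAMPLE_BUNDLE);
  for (const [path, info] of routes) {
    console.log(`${info.guarded ? '[guarded] ' : ''}#/${path}`);
  }
  console.log(routeUrls('https://untjuiceshop.herokuapp.com', routes));
  console.log(extractRedirectTargets(SAMPLE_BUNDLE));
}
```

Against a real target, replace SAMPLE_BUNDLE with the downloaded bundle (for example fs.readFileSync('main-es2015.js', 'utf8')) and feed routeUrls() to whatever you use to request pages; the guarded flag tells you which paths to try first, because a client-side guard is exactly the kind of "blocked, for now" the deck describes.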
  8. Privacy Policy
     - Again, while poking around the site initially, you should have found the privacy policy
     - If not, navigate to the Privacy Policy under the Privacy and Security drop-down
  9. Reflected XSS
     - Reflected XSS is a specific type of XSS where the malicious script is sent to the server in the request (typically a URL parameter) and echoed straight back into the response page, which the victim's browser then executes
     - Track Orders seems like a viable option here: it takes an order id from the URL and displays it back on the result page
     - Copy and paste the given XSS payload into the tracking id to complete
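Both XSS challenges (the search bar on slide 5 and Track Orders on slide 9) come from the same mistake: untrusted text is concatenated into markup. The following is an added example that is not code from the UNTCSC deck or from Juice Shop; the heading and tracking templates, and the payload, are constructed for illustration, and the challenge hints give their own payloads.

```javascript
// Added example (not from the UNTCSC deck or the Juice Shop code base):
// the string-to-HTML mistake behind both XSS challenges, next to the fix.
'use strict';

// Constructed payload for illustration; the challenge hints supply their own.
const PAYLOAD = '<img src=x onerror=alert(1)>';

// DOM XSS source: the search term comes from the URL fragment the victim
// visits, e.g. https://host/#/search?q=...  The server never sees it.
function queryFromHash(hash) {
  const i = hash.indexOf('?');
  const qs = i === -1 ? '' : hash.slice(i + 1);
  return new URLSearchParams(qs).get('q') || '';
}

// Vulnerable sink: the raw term lands in markup that ends up in innerHTML.
function renderSearchHeadingUnsafe(query) {
  return `<h3>Search Results - ${query}</h3>`;
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: the term is escaped, so the browser shows it instead of parsing it.
function renderSearchHeadingSafe(query) {
  return `<h3>Search Results - ${escapeHtml(query)}</h3>`;
}

// Reflected XSS is the server-side twin: a request parameter is echoed into
// the response body. The same escaping fixes it.
function trackResultPageUnsafe(orderId) {
  return `<p>Tracking order ${orderId}</p>`;
}

function trackResultPageSafe(orderId) {
  return `<p>Tracking order ${escapeHtml(orderId)}</p>`;
}

// Crude reviewer check over rendered output: did a scriptable tag or an
// inline event handler inside a tag survive? Escaped text does not match
// because "&lt;img" no longer starts a tag.
function hasActiveContent(html) {
  return /<\s*(script|img|iframe|svg|object|embed)\b/i.test(html)
    || /<\w+[^>]*\bon\w+\s*=/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  const q = queryFromHash('#/search?q=' + encodeURIComponent(PAYLOAD));
  console.log('unsafe:', renderSearchHeadingUnsafe(q));
  console.log('safe:  ', renderSearchHeadingSafe(q));
  console.log('unsafe tracking:', trackResultPageUnsafe(PAYLOAD));
  console.log('safe tracking:  ', trackResultPageSafe(PAYLOAD));
}
```

The escaping is the minimum; in an Angular application the real fix is to let the template bind the value as text (interpolation) rather than marking it as trusted HTML, and on the server to escape at output time in the template engine rather than by hand.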
  10. Repetitive Registration
     - DRY principle: Don't Repeat Yourself
     - In computer science this means you don't want to keep typing out a commonly used set of commands; maybe make a function for that set of commands and only type it once?
     - This one is a little tricky, as it wasn't immediately apparent to me to make the two passwords different
     - For completion, while registering a user, change the "Password" field after making both passwords match
     - It seems the application is not consistently checking the two fields against each other: the match is only validated when the repeat field changes, so it only has to hold one time
  11. Zero Stars
     - This challenge wants us to leave a zero-star review for the application
     - Navigate to "Customer Feedback" in the drop-down menu
     - Complaint won't work here as it has no star rating to give
     - Fill in the feedback form
     - Answer the CAPTCHA question
  12. Zero Stars continued
     - Upon submitting we see that the button is not clickable
     - Let's inspect this with our developer tools
     - Instead of trying to find it yourself, use the element selector tool at the top left to quickly find the button in the markup
     - We see there is a disabled attribute set
     - Change it to false? Remove it? Note that disabled is a boolean HTML attribute: its mere presence disables the element, so disabled="false" still disables it; delete the attribute instead
     - Submit the form once it is selectable to complete. The server accepted the zero rating, so the only thing enforcing the minimum was the client
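Slides 10 to 12 both end in the same lesson: a check that lives only in the browser (a repeat-password validator, a disabled submit button) is not a control, because the request can be sent without it. The following is an added example of the server-side validation that would have closed both challenges; it is not code from the UNTCSC deck or from Juice Shop, the field names mirror the forms described in the deck but are assumptions about the request bodies, and the limits (password length, comment length) are illustrative choices.

```javascript
// Added example (not from the UNTCSC deck or the Juice Shop code base):
// server-side validators for the registration and feedback requests, so the
// outcome does not depend on what the browser-side form allowed.
'use strict';

// Deliberately simple email shape check; field names and limits are assumptions.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const MIN_PASSWORD_LENGTH = 8;
const MAX_COMMENT_LENGTH = 160;

// Registration (slide 10): the client only re-validated the repeat field when
// it changed, so the server compares both fields itself on every request.
function validateRegistration(body) {
  const errors = [];
  const { email, password, passwordRepeat, securityAnswer } = body || {};
  if (typeof email !== 'string' || !EMAIL_RE.test(email)) {
    errors.push('email: invalid');
  }
  if (typeof password !== 'string' || password.length < MIN_PASSWORD_LENGTH) {
    errors.push(`password: at least ${MIN_PASSWORD_LENGTH} characters`);
  }
  if (typeof passwordRepeat !== 'string' || password !== passwordRepeat) {
    errors.push('passwordRepeat: does not match password');
  }
  if (typeof securityAnswer !== 'string' || securityAnswer.trim() === '') {
    errors.push('securityAnswer: required');
  }
  return { ok: errors.length === 0, errors };
}

// Feedback (slides 11-12): a disabled submit button is not a control. Reject
// anything that is not an integer star rating in 1..5, and re-check the
// CAPTCHA answer against the value the server issued for this form.
function validateFeedback(body, expectedCaptcha) {
  const errors = [];
  const { comment, rating, captcha } = body || {};
  if (typeof comment !== 'string' || comment.trim() === '' || comment.length > MAX_COMMENT_LENGTH) {
    errors.push(`comment: 1-${MAX_COMMENT_LENGTH} characters`);
  }
  // Number.isInteger rejects 0, 6, 3.5, "3" and undefined alike.
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    errors.push('rating: integer 1-5');
  }
  if (captcha === undefined || String(captcha) !== String(expectedCaptcha)) {
    errors.push('captcha: wrong answer');
  }
  return { ok: errors.length === 0, errors };
}

// Minimal handler shape so the validators slot into an HTTP framework; the
// status codes are the ones a REST API would normally return here.
function handleFeedback(body, expectedCaptcha) {
  const result = validateFeedback(body, expectedCaptcha);
  return result.ok
    ? { status: 201, body: { status: 'success' } }
    : { status: 400, body: { status: 'error', errors: result.errors } };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(validateRegistration({
    email: 'user@example.invalid', password: 'correct-horse1', passwordRepeat: 'correct-horse', securityAnswer: 'x',
  }));
  // Constructed request that bypasses the disabled button and sends rating 0.
  console.log(handleFeedback({ comment: 'zero stars', rating: 0, captcha: 5 }, 5));
}
```

The point of the example is where the check runs, not the particular limits: every rule the form enforces with a validator or a disabled control has to be repeated on the server, because the deck shows how cheaply the browser-side copy is removed.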
  13. We did it
     - All of the one-star challenges for Juice Shop are now complete
     - Did you spot different ways to complete some of the challenges?
  14. Q&A

  15. For next time
     - Officer elections will be held next week during the meeting: President, Vice President, Treasurer, Web Master, Event Coordinator, Organization Outreach Manager, Social Media Manager, Student Outreach Manager
     - Anything you want to see?