OWASP Juice Shop
#Task 1 Open for business!
Within this room, we will look at OWASP's Top 10 vulnerabilities in web applications. You will find these in all types of web applications, but for today we will be looking at OWASP's own creation, Juice Shop!
We will be using Burp Suite, so if you haven't already got it set up, here is a link to the 'Burp Suite' room.
[The 'Burp Suite' room is a subscriber-only room, meaning you will require a TryHackMe subscription in order to access it]
In addition, it's highly recommended to check out the 'Web Fundamentals' room.
[The 'Web Fundamentals' room is a free room, meaning that, like this room, anyone is able to complete it]
Juice Shop is a large application so we will not be covering every topic from the top 10.
We will, however, cover the following topics which we recommend you take a look at as you progress through this room.
<------------------------------------------------->
Injection
Broken Authentication
Sensitive Data Exposure
Broken Access Control
Cross-Site Scripting XSS
<------------------------------------------------->
[Task 3] and onwards will require a flag, which will be displayed on completion of the task.
- Deploy the VM attached to this task to get started! You can access this machine by using your browser-based machine, or if you're connected through OpenVPN.
No answer
- Once the machine has loaded, access it by copying and pasting its IP into your browser; if you're using the browser-based machine, paste the machine's IP into a browser on that machine.
No answer
#Task 2 Let's go on an adventure!
- Question #1: What's the Administrator's email address?
admin@juice-sh.op
- Question #2: What parameter is used for searching?
q
- Question #3: What show does Jim reference in his review?
Jim wrote a review on the Green Smoothie product, in which he mentions a replicator.
If we google "replicator", the results indicate that it is from the TV show Star Trek.
Star Trek
#Task 3 Inject the juice
This task will be focusing on injection vulnerabilities. Injection vulnerabilities are quite dangerous to a company as they can potentially cause downtime and/or loss of data. Identifying injection points within a web application is usually quite simple, as most of them will return an error. There are many types of injection attacks, some of them are:
SQL Injection
SQL Injection is when an attacker enters a malicious or malformed query to either retrieve or tamper data from a database. And in some cases, log into accounts.
Command Injection
Command Injection is when web applications take input or user-controlled data and run them as system commands. An attacker may tamper with this data to execute their own system commands. This can be seen in applications that perform misconfigured ping tests.
Email Injection
Email injection is a security vulnerability that allows malicious users to send email messages without prior authorization by the email server. These occur when the attacker adds extra data to fields, which are not interpreted by the server correctly.
https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection
- Question #1: Log into the administrator account!
After we navigate to the login page, enter some data into the email and password fields.
Before clicking submit, make sure Intercept mode is on.
This will allow us to see the data being sent to the server!
Burp Suite --> Intercept is on
--> Proxy on Burp
--> POST /rest/user/login HTTP/1.1
--> send to Repeater
In the JSON body, next to password:"a", we will now change the email value to: ' or 1=1-- and forward the request to the server.
--> Send to web
Why does this work?
1. The ' character closes the quoted string the email value sits in, so whatever follows it is parsed as SQL rather than as data.
2. OR in a SQL statement returns true if either side of it is true. As 1=1 is always true, the whole statement is true. Thus it tells the server that the email is valid, and logs us into user id 0, which happens to be the administrator account.
3. The -- characters start a comment in SQL, so any restrictions on the login that follow them no longer apply, as they are interpreted as a comment. This is like the # comment in Python and // in JavaScript.
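To make the three points above concrete, here is an added example (not the room's or Juice Shop's own code) that builds the login query the vulnerable way, shows what the database engine actually executes once the comment marker is in place, and contrasts it with the parameterized form. The query shape is modelled on a typical email/password lookup and is an assumption here, not taken from the page.

```javascript
// Added example (not Juice Shop's code). The query below is modelled on the
// shape of a typical login lookup; the exact Juice Shop query is an assumption.

// Vulnerable pattern: the submitted values are spliced into the SQL text, so a
// quote and "--" inside the email are parsed as SQL, not treated as data.
function buildLoginQueryUnsafe(email, password) {
  return `SELECT * FROM Users WHERE email = '${email}' AND password = '${password}' AND deletedAt IS NULL`;
}

// What the engine actually runs once a "--" line comment has been introduced:
// everything from the comment marker onward is discarded.
function effectiveQuery(sql) {
  const idx = sql.indexOf('--');
  return idx === -1 ? sql : sql.slice(0, idx).trim();
}

// Hardened pattern: placeholders in the query text, values bound separately.
// The driver never parses bound values as SQL, so ' or 1=1-- stays a string.
function buildLoginQuerySafe(email, password) {
  return {
    text: 'SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL',
    values: [email, password],
  };
}

// Review check: does the query the engine will run still constrain the password?
function checksPassword(sql) {
  return /\bpassword\s*=/.test(effectiveQuery(sql));
}

// Walk-through with the room's input (email "' or 1=1--", any password).
function demo() {
  const sql = buildLoginQueryUnsafe("' or 1=1--", 'a');
  return {
    asBuilt: sql,
    asExecuted: effectiveQuery(sql),            // "... WHERE email = '' or 1=1"
    passwordStillChecked: checksPassword(sql),  // false: the check was commented out
    bound: buildLoginQuerySafe("' or 1=1--", 'a').values[0], // stays a literal string
  };
}
```

The `checksPassword` helper is the kind of assertion a reviewer can keep around: if the query text that reaches the engine no longer mentions the password column, the login has been reduced to an email match (here `'' or 1=1`, which matches every row).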
32a5e0f21372bcc1000a6088b93b458e41f0e02a
- Question #2: Log into the Bender account!
Similar to what we did in Question #1, we will now log into Bender's account! Capture the login request again, but this time we will put: bender@juice-sh.op'-- as the email.
hint: login with account: bender@juice-sh.op'--
fb364762a3c102b2db932069c0e6b78e738d4066
#Task 4 Who broke my lock?!
In this task, we will look at exploiting authentication through different flaws. When talking about flaws within authentication, we include mechanisms that are vulnerable to manipulation. These mechanisms, listed below, are what we will be exploiting.
Weak passwords in high privileged accounts
Forgotten password pages
- Question #1: Bruteforce the Administrator account's password!
We have used SQL Injection to log into the Administrator account but we still don't know the password. Let's try a brute-force attack! We will once again capture a login request, but instead of sending it through the proxy, we will send it to Intruder.
Go to Positions and then select the Clear § button. In the password field, place two § inside the quotes. To clarify, the § § is not two separate inputs but rather Burp's implementation of quotation marks, e.g. "". The request should look like the image below.
hint: run Burp Suite --> enable the Burp proxy in Firefox --> POST /rest/user/login HTTP/1.1 --> send to Intruder
--> Payloads --> load wordlist
For the payload, we will be using best1050.txt from SecLists (which can be installed via: apt-get install seclists).
You can load the list from /usr/share/seclists/Passwords/Common-Credentials/best1050.txt
--> The successful request will return a status 200 OK; the password it reveals is admin123
login with admin@juice-sh.op:admin123
c2110d06dc6f81c67cd8099ff0ba601241f1ac0e
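From the defender's side, the Intruder run above looks like a burst of failed POSTs to /rest/user/login from one address, followed by a success. The following is an added example (not part of the room or of Juice Shop) of a sliding-window detector over access-log lines; the log format and the log lines themselves are constructed for this example.

```javascript
// Added example (not Juice Shop's code): detecting the password guessing from
// Task 4 on the server side. The log lines are constructed for this example,
// in a simplified format: "<client-ip> <ISO-8601 time> <method> <path> <status>"
const SAMPLE_LOG = [
  '10.0.0.2 2024-01-01T10:00:00Z POST /rest/user/login 401',    // one typo, then success
  '10.0.0.2 2024-01-01T10:00:05Z POST /rest/user/login 200',
  '10.0.0.9 2024-01-01T10:01:00Z POST /rest/user/login 401',    // burst of failures
  '10.0.0.9 2024-01-01T10:01:02Z POST /rest/user/login 401',
  '10.0.0.9 2024-01-01T10:01:04Z POST /rest/user/login 401',
  '10.0.0.9 2024-01-01T10:01:06Z POST /rest/user/login 401',
  '10.0.0.9 2024-01-01T10:01:08Z POST /rest/user/login 401',
  '10.0.0.9 2024-01-01T10:01:10Z POST /rest/user/login 401',
  '10.0.0.9 2024-01-01T10:01:12Z GET /rest/products/search 200', // unrelated, ignored
  '10.0.0.9 2024-01-01T10:01:14Z POST /rest/user/login 200',    // a guess worked
];

function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+) (\d{3})$/.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: Date.parse(m[2]), method: m[3], path: m[4], status: Number(m[5]) };
}

// Sliding-window count of failed logins per source address. An alert is raised
// once `threshold` failures fall within `windowMs`; a later 200 from the same
// address marks the alert as "success after guessing", the case to triage first.
function detectPasswordGuessing(lines, { threshold = 5, windowMs = 60000 } = {}) {
  const state = new Map();   // ip -> { failures: [timestamps], alert: object|null }
  const alerts = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || e.path !== '/rest/user/login') continue;
    if (!state.has(e.ip)) state.set(e.ip, { failures: [], alert: null });
    const s = state.get(e.ip);
    if (e.status === 401) {
      s.failures = s.failures.filter(t => e.ts - t <= windowMs); // drop old failures
      s.failures.push(e.ts);
      if (!s.alert && s.failures.length >= threshold) {
        s.alert = { ip: e.ip, failures: s.failures.length, firstSeen: s.failures[0], successAfter: false };
        alerts.push(s.alert);
      }
    } else if (e.status === 200 && s.alert) {
      s.alert.successAfter = true;
    }
  }
  return alerts;
}
```

A threshold of five failures in a minute is deliberately low for a demo; in production the threshold is tuned per endpoint, and the same counter keyed by target account (rather than by source address) catches guessing spread across many addresses.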
- Question #2: Reset Jim's password!
Believe it or not, the reset password mechanism can also be exploited! When Jim's email is entered in the Forgot Password page, his security question is shown as "Your eldest siblings middle name?". In Task 2, we found that Jim might have something to do with Star Trek. Googling "Jim Star Trek" gives us a wiki page for James T. Kirk from Star Trek.
hint: google "Jim Star Trek"
Looking through the wiki page we find that he has a brother.
It looks like his brother's middle name is Samuel.
Inputting that into the Forgot Password page allows you to successfully change his password.
You can change it to anything you want!
Samuel is the middle name
--> Forgot Password
Security question answer: Samuel
094fbc9b48e525150ba97d05b942bbf114987257
#Task 5 AH! Don't look!
- Question #1: Access the Confidential Document!
You will see that it links to http://MACHINE_IP/ftp/legal.md. Navigating to that /ftp/ directory reveals that it is exposed to the public!
hint: http://$IP/ftp
We will download the acquisitions.md and save it. It looks like there are other files of interest here as well.
After downloading it, navigate to the home page to receive the flag!
--> return to the home page...
edf9281222395a1c5fee9b89e32175f1ccf50c5b
- Question #3: Download the Backup file!
We will now go back to the http://MACHINE_IP/ftp/ folder and try to download package.json.bak. But it seems we are met with a 403 which says that only .md and .pdf files can be downloaded.
To get around this, we will use a character bypass called "Poison Null Byte". A Poison Null Byte looks like this: %00.
Since we are requesting the file through the URL, we will URL-encode the null byte.
The Poison Null Byte will now look like this: %2500. Adding this and then .md to the end will bypass the 403 error!
Why does this work?
A Poison Null Byte is actually a NULL terminator. By placing a NULL character at a certain position in the string, the server's string handling treats the string as ending at that point and discards the rest (here the trailing .md), after the extension check has already passed on the full string.
hint: http://$IP/ftp/package.json.bak%2500.md
--> return to the home page...
bfc1e6b4a16579e85e06fee4c36ff8c02fb13795
#Task 6 Who's flying this thing?
Modern-day systems will allow for multiple users to have access to different pages. Administrators most commonly use an administration page to edit, add and remove different elements of a website. You might use these when you are building a website with programs such as Weebly or Wix.
When Broken Access Control exploits or bugs are found, they are categorised into one of two types:
Horizontal Privilege Escalation
Occurs when a user can perform an action or access data of another user with the same level of permissions.
Vertical Privilege Escalation
Occurs when a user can perform an action or access data of another user with a higher level of permissions.
- Question #1: Access the administration page!
First, we are going to open the Debugger on Firefox. (F12)
(Or Sources on Chrome.)
This can be done by navigating to it in the Web Developers menu.
We are then going to refresh the page and look for the JavaScript file main-es2015.js
We will then go to that page at: http://MACHINE_IP/main-es2015.js
To get this into a format we can read, click the { } button at the bottom
Now search for the term "admin"
You will come across a couple of different words containing "admin" but the one we are looking for is "path: administration"
This hints towards a page called "/#/administration", as the 'about' path a couple of lines below shows, but going there while not logged in doesn't work.
As this is an Administrator page, it makes sense that we need to be in the Admin account in order to view it.
A good way to stop users from accessing this is to only load the parts of the application they need to use. This stops sensitive information, such as an admin page, from being leaked or viewed.
hint: http://$IP/#/administration
...
946a799363226a24822008503f5d1324536629a0
- Question #2: View another user's shopping basket!
Log in to the Admin account (admin@juice-sh.op) and click on 'Your Basket'. Make sure Burp is running so you can capture the request!
Forward each request until you see: GET /rest/basket/1 HTTP/1.1
hint: run Burp --> send GET /rest/basket/1 HTTP/1.1 to Repeater
In Repeater, change the number 1 after /basket/ to 2:
(GET /rest/basket/1 HTTP/1.1) to (GET /rest/basket/2 HTTP/1.1)
--> Send
41b997a36cc33fbe4f0ba018474e19ae5ce52121
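Both findings in this task (the administration route discovered in the client bundle in Question #1, and the basket id swap in Question #2) come down to authorization that is enforced only on the client, or not at all. The following is an added example (not Juice Shop's own code) of the two server-side checks that close them: an ownership check on the basket lookup and a role check on the administration handler. Users, baskets and session objects are constructed for the example.

```javascript
// Added example (not Juice Shop's code): server-side authorization for the two
// Task 6 findings. Users, baskets and sessions are constructed sample data.
const users = {
  1: { id: 1, role: 'admin' },
  2: { id: 2, role: 'customer' },
  3: { id: 3, role: 'customer' },
};
const baskets = {
  1: { id: 1, UserId: 1, items: ['Apple Juice'] },
  2: { id: 2, UserId: 2, items: ['Banana Juice'] },
};

// Vulnerable: trusts the id in the URL, so any authenticated user can read any
// basket simply by changing /rest/basket/1 to /rest/basket/2.
function getBasketUnsafe(session, basketId) {
  const basket = baskets[basketId];
  return basket ? { status: 200, body: basket } : { status: 404 };
}

// Hardened: the basket must belong to the caller. A 404 rather than a 403 is
// returned so the response does not confirm that another user's basket exists.
function getBasketSafe(session, basketId) {
  const basket = baskets[basketId];
  if (!basket || basket.UserId !== session.userId) return { status: 404 };
  return { status: 200, body: basket };
}

// Role check for the administration view, enforced on the server. Not shipping
// the route in the client bundle is a nicety; this check is the control.
function requireRole(role) {
  return function (session) {
    const user = session && users[session.userId];
    if (!user) return { status: 401 };
    if (user.role !== role) return { status: 403 };
    return null; // null = allowed, continue to the handler
  };
}

function getAdministration(session) {
  const denied = requireRole('admin')(session);
  if (denied) return denied;
  return { status: 200, body: { userCount: Object.keys(users).length } };
}
```

Horizontal escalation is what `getBasketSafe` prevents (customer 2 reading customer 1's basket); vertical escalation is what `requireRole('admin')` prevents (a customer reaching the administration handler).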
- Question #3: Remove all 5-star reviews!
Navigate to the http://MACHINE_IP/#/administration page again and click the bin icon next to the review with 5 stars!
hint: log in with the admin account (admin@juice-sh.op) --> Customer Feedback
--> remove 5 stars
50c97bcce0b895e446d61c83a21df371ac2266ef
#Task 7 Where did that come from?
XSS or Cross-site scripting is a vulnerability that allows attackers to run JavaScript in web applications. These are among the most commonly found bugs in web applications. Their complexity ranges from easy to extremely hard, as each web application parses queries in a different way.
There are three major types of XSS attacks:
DOM (Special)
DOM XSS (Document Object Model-based Cross-site Scripting) uses the HTML environment to execute malicious javascript. This type of attack commonly uses the <script></script> HTML tag.
Persistent (Server-side)
Persistent XSS is javascript that is run when the server loads the page containing it. These can occur when the server does not sanitise the user data when it is uploaded to a page. These are commonly found on blog posts.
Reflected (Client-side)
Reflected XSS is javascript that is run on the client-side end of the web application. These are most commonly found when the server doesn't sanitise search data.
- Question #1: Perform a DOM XSS!
We will be using the iframe element with a javascript alert tag:
<iframe src="javascript:alert(`xss`)">
Inputting this into the search bar will trigger the alert.
Note that we are using iframe which is a common HTML element found in many web applications, there are others which also produce the same result.
This type of XSS, also called XFS (Cross-Frame Scripting), is one of the most common ways of detecting XSS within web applications.
Websites that allow the user to modify the iframe or other DOM elements will most likely be vulnerable to XSS.
Why does this work?
It is common practice for the search bar to send a request to the server, which then sends back the related information, but this is where the flaw lies. Without correct input sanitisation, we are able to perform an XSS attack against the search bar.
hint: search --> <iframe src="javascript:alert(`xss`)">
...
9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf
- Question #2: Perform a persistent XSS!
First, log in to the admin account.
We are going to navigate to the "Last Login IP" page for this attack.
It should say the last IP Address is 0.0.0.0 or 10.x.x.x
As it logs the 'last' login IP we will now logout so that it logs the 'new' IP.
Make sure that Burp intercept is on, so it will catch the logout request.
We will then head over to the Headers tab where we will add a new header:
hint: log in again with the admin account
--> Last Login IP
Run Burp --> GET /rest/saveLoginIp HTTP/1.1
Send to Repeater --> Inspector --> Header --> Add
name: True-Client-IP
value: <iframe src="javascript:alert(`xss`)">
Send
....
Return home page
149aa8ce13d7a4a8a931472308e269c94dc5f156
- Question #3: Perform a reflected XSS!
First, we are going to need to be on the right page to perform the reflected XSS!
Log in to the admin account and navigate to the 'Order History' page.
From there you will see a "Truck" icon, clicking on that will bring you to the track result page. You will also see that there is an id paired with the order.
We will use the iframe XSS, <iframe src="javascript:alert(`xss`)">, in place of the 5267-f73dcd000abcc353.
After submitting the URL, refresh the page and you will then get an alert saying XSS!
hint: change http://$IP/#/track-result?id=5267-f73dcd000abcc353 --> http://$IP/#/track-result?id=<iframe src="javascript:alert(`xss`)">
....
23cefee1527bde039295b2616eeb29e1edc660a0
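The three Task 7 findings share one root cause: untrusted text (a search term, a header value, a tracking id) reaches the HTML of the page without being encoded, and in the stored case without being validated on the way in. The following is an added example (not Juice Shop's own code) showing the two defences: HTML-encoding at the point of output, and validating the True-Client-IP value as an IP address, since nothing else is a legitimate value for it. The rendering helpers are simplified stand-ins for the real templates.

```javascript
// Added example (not Juice Shop's code). Two defences for the Task 7 sinks:
// encode untrusted text before it reaches HTML, and validate the header value
// stored as the last-login IP. The render functions are simplified stand-ins.
const XSS_SAMPLE = '<iframe src="javascript:alert(`xss`)">'; // the room's payload

// Output encoding: every character that can change HTML structure becomes an entity.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
  })[ch]);
}

// Vulnerable rendering: raw concatenation into markup, which is what assigning
// untrusted text to innerHTML (or bypassing a framework's sanitizer) amounts to.
function renderSearchUnsafe(q) { return `<p>Results for ${q}</p>`; }
function renderSearchSafe(q) { return `<p>Results for ${escapeHtml(q)}</p>`; }

// Input-side control for the stored case: the last-login IP can only ever be an
// IP address, so anything else is recorded as 'unknown' instead of being kept.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const IPV6 = /^[0-9a-fA-F:]+$/;
function sanitizeLoginIp(headerValue) {
  const v = String(headerValue || '').trim();
  if (IPV4.test(v) || (v.includes(':') && IPV6.test(v))) return v;
  return 'unknown';
}

// Quick check for a test suite: does rendered markup still contain an element
// that can execute script?
function containsActiveTag(html) {
  return /<\s*(iframe|script|img|svg|object|embed)\b/i.test(html);
}
```

Encoding on output protects the search and track-result pages regardless of where the text came from; validating on input protects the stored IP even if some other view later renders it without encoding. Both belong in place, because each covers the other's gap.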
#Task 8 Exploration!
If you wish to tackle some of the harder challenges that were not covered within this room, check out the /#/score-board/ section on Juice Shop. Here you can see your completed tasks as well as other tasks of varying difficulty.
Access the /#/score-board/ page
hint: http://$IP/#/score-board/
7efd3174f9dd5baa03a7882027f2824d2f72d86e
https://tryhackme.com/room/owaspjuiceshop