OWASP Juice Shop – Medium Challenges

Medium Challenges

Admin Registration

This was a fun little challenge. Can you register as an admin? The problem you might see is that when you capture the traffic in Burp during registration, there is no field for admin, type or level. This makes it slightly harder. I also noticed when looking at users on the administration page that there is nothing to indicate which one is an admin, so that doesn’t give us a field name or anything useful like that.

So, what shall we look at? Well, let’s go back to Burp and see if we can just take a lucky guess. Capturing the traffic using Intercept, I’ll add in "admin":"true" for admin=true.

No good. Maybe the field is in the main.js script. A quick search for admin doesn’t come up with anything, and user is also drawing blanks.

Looking through there I can find the passwordRepeat field, which is close; it starts with ["id". Doing a search for this gives a few items but nothing that looks right. Back to the drawing board!

Ok, let’s be honest, the gut feeling is that the answer will be in the request, which we can only get through Burp, so let’s go back to trying to register and chuck it across to Repeater; maybe we can try more options quickly.

Interestingly, the response gives us some additional hints when we don’t add in anything new.

Here we go: "isAdmin":false. That is exactly what we need. So let’s re-create our original request, adding in "isAdmin":true.

Success! There we go, we have registered as an admin user!
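What the write-up found is a mass-assignment flaw: the registration handler copied every key in the JSON body, including isAdmin, onto the new user record. The block below is an added example (not Juice Shop’s own code) that puts that pattern next to a hardened handler which copies only an allowlist of fields and sets the privilege flag on the server. The field names, the forged request body and the "reject unknown keys" policy are assumptions made for the example.

```javascript
'use strict';

// Fields a registration request is allowed to set. Anything else (isAdmin,
// role, id, ...) is rejected rather than silently copied onto the record.
const REGISTRATION_FIELDS = ['email', 'password', 'passwordRepeat'];

// Vulnerable pattern: the whole request body is merged into the new user,
// so a client-supplied "isAdmin": true overrides the server default.
function createUserVulnerable(body) {
  return { isAdmin: false, ...body };
}

// Hardened pattern: copy only allowlisted fields, validate them, and decide
// privilege flags on the server regardless of what the client sent.
function createUserHardened(body) {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    throw new TypeError('registration body must be a JSON object');
  }
  const unknown = Object.keys(body).filter((k) => !REGISTRATION_FIELDS.includes(k));
  if (unknown.length > 0) {
    // Rejecting, not dropping, makes probing for hidden fields visible in logs.
    throw new Error(`unexpected field(s) in registration: ${unknown.join(', ')}`);
  }
  for (const field of REGISTRATION_FIELDS) {
    if (typeof body[field] !== 'string' || body[field].length === 0) {
      throw new Error(`missing or invalid field: ${field}`);
    }
  }
  if (body.password !== body.passwordRepeat) {
    throw new Error('passwords do not match');
  }
  return {
    email: body.email,
    password: body.password, // a real handler hashes this before storing it
    isAdmin: false,          // never taken from client input
  };
}

// Constructed request body, mirroring the extra "isAdmin": true the
// write-up added in Repeater.
const forgedRegistration = {
  email: 'newuser@example.test',
  password: 'hunter2',
  passwordRepeat: 'hunter2',
  isAdmin: true,
};

// Runs both handlers over the forged body and reports what each did.
function demo() {
  const vulnerable = createUserVulnerable(forgedRegistration);
  let hardenedOutcome;
  try {
    createUserHardened(forgedRegistration);
    hardenedOutcome = 'accepted';
  } catch (err) {
    hardenedOutcome = `rejected: ${err.message}`;
  }
  return { vulnerableIsAdmin: vulnerable.isAdmin, hardenedOutcome };
}

console.log(JSON.stringify(demo(), null, 2));
```

Rejecting unknown keys outright (rather than quietly ignoring them) is a deliberate choice: the error message ends up in the application log, so the kind of field-guessing the write-up describes leaves a trace.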

Basket Access Tier 2

Ok, so our clue for this one is “Put an additional product into another user’s shopping basket”.

It would seem like catching the request and changing a user ID would be sufficient? Let’s go take a look:

So, this is our request; interestingly, at the top we have /rest/basket/4. Sending this over to Repeater and changing that to 2, let’s see what happens.

{"status":"success","data":{"id":2,

Seems good. Let’s try it for real! Ok, the request went through without an issue, and nothing in our basket.

Let’s take a look into ID=2’s basket. Is it in there? Again, capture the request and change the ID. Well, there are 2 raspberry juices in there. So I think that has worked.

Let’s try a different product to double check. We went for a bike this time, and this didn’t get put into the basket. So something went askew there. I think the first was just a lucky pick. I don’t think this has worked so far.

The 2nd request we get is the API for BasketItems.

Just changing the BasketId hasn’t worked. So let’s see if we can find the API and work out what it is doing!

CAPTCHA Bypass Tier 1

Forged Feedback

Forgotten Sales Backup

Login Amy

Login Bender

Login Jim

Payback Time

This challenge is to place an order that makes you rich. Straight away I thought of changing the total on the checkout. After a bit of poking about, this wasn’t an option.

I then wondered how else I could get a negative number. In an earlier challenge we changed the stars in the Burp request to 0. Surely we can’t change the number of products to a minus number? Well, let’s have a go.

With Intercept on, we put something into our basket. The Melon bike at 2999 looks like an amount of money I’d want back.

When the API calls basketitems there are some bits we can play with. These include which item, whose basket we put things in, and the quantity.

Let’s change the quantity to -100 and see what happens.

Let’s have a quick look at our basket.

Oh dear! That’s not good. With some commas, that is a cool 299,000. That’s rich enough for me!

Clicking Checkout and we have made ourselves rich!
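The root cause here is that the BasketItems endpoint trusted the client-supplied quantity and the checkout simply multiplied it by the price. The following is an added example (not Juice Shop’s own code) showing the unchecked total beside server-side validation that rejects non-integer, non-positive and oversized quantities, plus a final sanity check on the order total. The catalogue entry, product id 42 and the per-line limit of 100 are constructed for the example; only the 2999 price comes from the write-up.

```javascript
'use strict';

// Constructed catalogue for the example; the price is the one the write-up quotes.
const CATALOGUE = {
  42: { name: 'Melon Bike', price: 2999 }, // product id 42 is invented here
};

const MAX_QUANTITY_PER_LINE = 100; // assumed business limit, not from the page

// Unchecked total: multiplies whatever quantity the client sent.
function orderTotalVulnerable(items) {
  return items.reduce((sum, it) => sum + CATALOGUE[it.ProductId].price * it.quantity, 0);
}

// Returns null for an acceptable basket line, otherwise a reason string.
function validateBasketItem(item) {
  if (!Object.prototype.hasOwnProperty.call(CATALOGUE, item.ProductId)) {
    return 'unknown product';
  }
  // Number.isInteger rejects strings, NaN, Infinity and fractional values.
  if (!Number.isInteger(item.quantity)) return 'quantity must be an integer';
  if (item.quantity < 1) return 'quantity must be at least 1';
  if (item.quantity > MAX_QUANTITY_PER_LINE) {
    return `quantity exceeds limit of ${MAX_QUANTITY_PER_LINE}`;
  }
  return null;
}

// Hardened total: every line is validated first, and the final amount is
// checked again so a bug elsewhere cannot produce a refund-shaped order.
function orderTotalHardened(items) {
  for (const item of items) {
    const problem = validateBasketItem(item);
    if (problem !== null) throw new RangeError(`basket line rejected: ${problem}`);
  }
  const total = orderTotalVulnerable(items);
  if (!(total > 0)) throw new RangeError('order total must be positive');
  return total;
}

// Constructed tampered request, as in the write-up: quantity set to -100.
const tamperedBasket = [{ BasketId: 4, ProductId: 42, quantity: -100 }];

// Runs both calculations over the tampered basket and reports the outcome.
function demo() {
  const vulnerableTotal = orderTotalVulnerable(tamperedBasket);
  let hardenedOutcome;
  try {
    hardenedOutcome = String(orderTotalHardened(tamperedBasket));
  } catch (err) {
    hardenedOutcome = err.message;
  }
  return { vulnerableTotal, hardenedOutcome };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note the use of Number.isInteger rather than a simple `quantity < 1` comparison: a string such as "3" or a value like NaN would slip past a bare comparison, so the type is pinned down before the range is checked.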

Product Tampering

Reset Bjoern’s Password Tier 1

Reset Jim’s Password

Upload Size

Upload Type

XSS Tier 2

XSS Tier 3

OWASP Juice Shop – Easy Challenges

Easy Challenges

So I have decided to split this into a new blog for each difficulty level, mostly for ease of me hopping around and trying different challenges.

Now onto something slightly harder!

Basket Access Tier 1

Using an account I already created, I clicked on basket with Burp’s Intercept on.

The results are shown as:

GET /rest/basket/5 HTTP/1.1
Host: yekki-juiceshop.herokuapp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://yekki-juiceshop.herokuapp.com/
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTQsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ5ZWtraUB5ZWtraS55ZWtraSIsInBhc3N3b3JkIjoiNWY0ZGNjM2I1YWE3NjVkNjFkODMyN2RlYjg4MmNmOTkiLCJpc0FkbWluIjpmYWxzZSwibGFzdExvZ2luSXAiOiIwLjAuMC4wIiwicHJvZmlsZUltYWdlIjoiZGVmYXVsdC5zdmciLCJjcmVhdGVkQXQiOiIyMDE5LTAyLTI2IDEyOjMxOjI3LjI5MyArMDA6MDAiLCJ1cGRhdGVkQXQiOiIyMDE5LTAyLTI2IDEyOjMxOjI3LjI5MyArMDA6MDAifSwiaWF0IjoxNTUxMTg0Mjk4LCJleHAiOjE1NTEyMDIyOTh9.pxpAffeeWVNoHMPS0lrfqguu1AKaWVbYes204GDImFdF-JDmuXt-lZSmGvvNVCohnsniesUgLi7J_IQwWRI9VID7bs_UgOwJVhUdIHlDagqO48jl2NVRtIDrxX0j5CQ0DIR1u84Vg21szWvll-GUqYNzfFXK269k_TCyDpxMpuc
Connection: close
Cookie: io=uWkpzcRDzu1s9zzsAAAB; continueCode=wjKRWbLRo7kYz8mjyQ3p9aJEDngB0NV05ev1WwPNxZq64KV2OrMXblog1LEQ; token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTQsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ5ZWtraUB5ZWtraS55ZWtraSIsInBhc3N3b3JkIjoiNWY0ZGNjM2I1YWE3NjVkNjFkODMyN2RlYjg4MmNmOTkiLCJpc0FkbWluIjpmYWxzZSwibGFzdExvZ2luSXAiOiIwLjAuMC4wIiwicHJvZmlsZUltYWdlIjoiZGVmYXVsdC5zdmciLCJjcmVhdGVkQXQiOiIyMDE5LTAyLTI2IDEyOjMxOjI3LjI5MyArMDA6MDAiLCJ1cGRhdGVkQXQiOiIyMDE5LTAyLTI2IDEyOjMxOjI3LjI5MyArMDA6MDAifSwiaWF0IjoxNTUxMTg0Mjk4LCJleHAiOjE1NTEyMDIyOTh9.pxpAffeeWVNoHMPS0lrfqguu1AKaWVbYes204GDImFdF-JDmuXt-lZSmGvvNVCohnsniesUgLi7J_IQwWRI9VID7bs_UgOwJVhUdIHlDagqO48jl2NVRtIDrxX0j5CQ0DIR1u84Vg21szWvll-GUqYNzfFXK269k_TCyDpxMpuc
If-None-Match: W/"9c-noTugLDgldQoJKiJFrzGD9ROoKE"

Ok, interesting: we have the GET request at the top, then we have the authorization, cookie and token. Any one of these could alter the basket to view someone else’s. To work out which of these it might be, I created a 2nd account and did the same test.

GET /rest/basket/6 HTTP/1.1
Host: yekki-juiceshop.herokuapp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://yekki-juiceshop.herokuapp.com/
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTUsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ5ZWtraTJAeWVra2kueWVra2kiLCJwYXNzd29yZCI6IjVmNGRjYzNiNWFhNzY1ZDYxZDgzMjdkZWI4ODJjZjk5IiwiaXNBZG1pbiI6ZmFsc2UsImxhc3RMb2dpbklwIjoiMC4wLjAuMCIsInByb2ZpbGVJbWFnZSI6ImRlZmF1bHQuc3ZnIiwiY3JlYXRlZEF0IjoiMjAxOS0wMi0yNiAxMjozNDowNi40ODEgKzAwOjAwIiwidXBkYXRlZEF0IjoiMjAxOS0wMi0yNiAxMjozNDowNi40ODEgKzAwOjAwIn0sImlhdCI6MTU1MTE4NDQ2MywiZXhwIjoxNTUxMjAyNDYzfQ.C3BvkvzfpiYxkmmdAtg6ZGphuTdpsrEqTcH7hP0ADKqnRmpcMpwaO_NkCBLUQnVYNlc7conpc6AKUnPaXJ39MdG4CRAgeJhycjiL1HxI4Hm_Tu_ZQkprFsYu46C0t8auWlxwRvco_I5RQwVZ20J8UO3BAWilEf5YHRdTSKPFJyM
Connection: close
Cookie: io=b6ksDfg_OvjJbmbWAAAC; continueCode=wjKRWbLRo7kYz8mjyQ3p9aJEDngB0NV05ev1WwPNxZq64KV2OrMXblog1LEQ; token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MTUsInVzZXJuYW1lIjoiIiwiZW1haWwiOiJ5ZWtraTJAeWVra2kueWVra2kiLCJwYXNzd29yZCI6IjVmNGRjYzNiNWFhNzY1ZDYxZDgzMjdkZWI4ODJjZjk5IiwiaXNBZG1pbiI6ZmFsc2UsImxhc3RMb2dpbklwIjoiMC4wLjAuMCIsInByb2ZpbGVJbWFnZSI6ImRlZmF1bHQuc3ZnIiwiY3JlYXRlZEF0IjoiMjAxOS0wMi0yNiAxMjozNDowNi40ODEgKzAwOjAwIiwidXBkYXRlZEF0IjoiMjAxOS0wMi0yNiAxMjozNDowNi40ODEgKzAwOjAwIn0sImlhdCI6MTU1MTE4NDQ2MywiZXhwIjoxNTUxMjAyNDYzfQ.C3BvkvzfpiYxkmmdAtg6ZGphuTdpsrEqTcH7hP0ADKqnRmpcMpwaO_NkCBLUQnVYNlc7conpc6AKUnPaXJ39MdG4CRAgeJhycjiL1HxI4Hm_Tu_ZQkprFsYu46C0t8auWlxwRvco_I5RQwVZ20J8UO3BAWilEf5YHRdTSKPFJyM

I spotted almost straight away that a very simple thing is different. The GET request uses the user ID: in the first case it was 5, then 6. Changing that GET request to 2 brings up the basket for user number 2.
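Both basket challenges (this one and Tier 2 above) are the same insecure direct object reference: the server looked up the basket by the id in the path or body and never asked whether it belonged to the caller, even though the caller’s identity was right there in the bearer token. The block below is an added example (not Juice Shop’s own code) with the vulnerable lookup next to a hardened one that takes the user id from the token payload and compares it with the basket’s owner. The basket store, its ids and owners are constructed (basket 5 is given owner 14 and basket 6 owner 15, matching the ids in the two captured tokens above), the token is an unsigned stand-in, and signature verification is assumed to have happened in earlier middleware.

```javascript
'use strict';

// Constructed basket store. Ids and owners are invented for the example;
// the owner id lives on the basket record, never in the request.
const BASKETS = new Map([
  [2, { id: 2, UserId: 2, items: [{ ProductId: 3, quantity: 2 }] }],
  [5, { id: 5, UserId: 14, items: [] }],
  [6, { id: 6, UserId: 15, items: [] }],
]);

// base64url without padding, as used by JWT segments.
function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Reads the payload segment. This does NOT check the signature; the
// assumption is that verification middleware ran before this point.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Vulnerable handler for GET /rest/basket/:id: the path id is the only input.
function getBasketVulnerable(basketId) {
  return BASKETS.get(basketId) || null;
}

// Hardened handler: the caller's identity comes from the token, and the
// basket must belong to that caller. Missing and foreign baskets get the
// same answer so ids cannot be enumerated from the response.
function getBasketHardened(token, basketId) {
  const requesterId = decodeJwtPayload(token).data.id;
  const basket = BASKETS.get(basketId);
  if (!basket || basket.UserId !== requesterId) return null;
  return basket;
}

// Same check applied to the BasketItems endpoint (the Tier 2 variant),
// where the BasketId arrives in the request body instead of the path.
function addBasketItemHardened(token, item) {
  const basket = getBasketHardened(token, item.BasketId);
  if (!basket) throw new Error('forbidden: basket is not owned by the caller');
  basket.items.push({ ProductId: item.ProductId, quantity: item.quantity });
  return basket.items.length;
}

// Constructed, unsigned token for a given user id, shaped like the page's
// payload ({"status":"success","data":{"id":...}}). Placeholder signature.
function makeUnsignedToken(userId) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = b64urlEncode(JSON.stringify({ status: 'success', data: { id: userId } }));
  return `${header}.${payload}.placeholder-signature`;
}

// User 14 reads basket 2 (not theirs) and basket 5 (theirs), then tries
// the Tier 2 move of pushing an item into basket 2. Read-only apart from
// the attempt that is refused.
function demo() {
  const tokenFor14 = makeUnsignedToken(14);
  let tier2Outcome;
  try {
    addBasketItemHardened(tokenFor14, { BasketId: 2, ProductId: 9, quantity: 1 });
    tier2Outcome = 'accepted';
  } catch (err) {
    tier2Outcome = err.message;
  }
  return {
    vulnerableReadOfBasket2: getBasketVulnerable(2) !== null,
    hardenedReadOfBasket2: getBasketHardened(tokenFor14, 2) !== null,
    hardenedReadOfOwnBasket: getBasketHardened(tokenFor14, 5) !== null,
    tier2Outcome,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Returning the same null for "no such basket" and "not your basket" is intentional: a distinct 403 versus 404 would tell a caller which ids exist, which is exactly the information the write-up used to walk from basket 4 to basket 2.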

Deprecated Interface

Five-Star Feedback

Going into the Administration screen (which we found under the trivial challenges above) and using the Delete (trash) symbol next to the 5-star review gave us this achievement.

Login Admin

To log in as the admin, first we need to work out if we have the username. Going to the administration page when logged in brings up the list of users:

Under Payloads, we want to use a simple list, and under the options, use the drop-down to select “passwords”, click Start Attack and a new window will appear. Using the filter button, filter out anything that starts with a 4XX error, as this is a request error, i.e. wrong username and password.

Letting this run resulted in all passwords being wrong.

Ok, maybe we need a bigger wordlist. Let’s try with rockyou. To do this, have a copy of rockyou on your local machine, click “Load…” and select the file. This will look like it’s crashed, so leave it for a while until it’s ready to go.

After a fair few requests and a lot more patience than I usually have, I got a 200 code, meaning success!

Logged in to double check and the creds work!
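From the defending side, the Intruder run above has a very recognisable shape in the access log: one client producing a long run of 4XX responses on the login endpoint, then a single 200. The block below is an added example (not Juice Shop’s own code, and not its real log format) that parses a constructed log, counts failed logins per client in a sliding window, and flags clients that cross a threshold, noting whether a success followed the burst. The log line format, the IP addresses, the 60-second window and the threshold of 10 are all assumptions made for the example.

```javascript
'use strict';

// Constructed access-log lines: "<ISO time> <client ip> <method> <path> <status>".
// One client hammers the login with a wordlist and finally gets a 200; another
// mistypes once and then logs in normally.
const SAMPLE_LOG = [];
for (let i = 0; i < 11; i++) {
  SAMPLE_LOG.push(`2019-02-26T12:40:${String(i).padStart(2, '0')}Z 203.0.113.7 POST /rest/user/login 401`);
}
SAMPLE_LOG.push(
  '2019-02-26T12:40:12Z 203.0.113.7 POST /rest/user/login 200',
  '2019-02-26T12:41:00Z 198.51.100.9 POST /rest/user/login 401',
  '2019-02-26T12:41:30Z 198.51.100.9 POST /rest/user/login 200',
  '2019-02-26T12:42:00Z 203.0.113.7 GET /rest/basket/5 200',
  'garbage line that should be skipped',
);

const LINE_RE = /^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$/;

// Parses one line into an event, or null when it does not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const time = Date.parse(m[1]);
  if (Number.isNaN(time)) return null;
  return { time, ip: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Flags any client with `threshold` or more failed logins inside a sliding
// window of `windowMs`, and records whether a success followed the burst
// (the signature of a wordlist attack that eventually guessed right).
function detectLoginBruteForce(lines, { windowMs = 60000, threshold = 10 } = {}) {
  const events = lines
    .map(parseLine)
    .filter((e) => e !== null && e.method === 'POST' && e.path === '/rest/user/login')
    .sort((a, b) => a.time - b.time);

  const perIp = new Map();
  for (const e of events) {
    if (!perIp.has(e.ip)) {
      perIp.set(e.ip, { failures: [], windowStart: 0, burstAt: null, successAfterBurst: false });
    }
    const s = perIp.get(e.ip);
    if (e.status >= 400 && e.status < 500) {
      s.failures.push(e.time);
      // Slide the window: drop failures older than windowMs before this one.
      while (e.time - s.failures[s.windowStart] > windowMs) s.windowStart++;
      if (s.burstAt === null && s.failures.length - s.windowStart >= threshold) {
        s.burstAt = e.time;
      }
    } else if (e.status === 200 && s.burstAt !== null) {
      s.successAfterBurst = true;
    }
  }

  const findings = [];
  for (const [ip, s] of perIp) {
    if (s.burstAt === null) continue;
    findings.push({
      ip,
      totalFailures: s.failures.length,
      burstAt: new Date(s.burstAt).toISOString(),
      successAfterBurst: s.successAfterBurst,
    });
  }
  return findings;
}

console.log(JSON.stringify(detectLoginBruteForce(SAMPLE_LOG), null, 2));
```

A success following a burst is the finding worth paging on: it means a guessed credential is now in use, and the token issued by that 200 response is what should be revoked. The sliding window matters as well: a fixed per-minute bucket can be straddled by spacing attempts on either side of the boundary, which a window anchored to each new failure does not allow.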

Login MC SafeSearch

Password Strength

Security Policy

Weird Crypto