I recently got told about the OWASP Juice Shop. This is the latest offering from OWASP in terms of vulnerable web apps; earlier offerings were things like DVWA – Damn Vulnerable Web App.
What I like about Juice Shop is that it can be hosted on Heroku and is therefore accessible from anywhere. Sure, other people can look at it, but is there too much danger in that?
The site has a range of vulnerabilities that work through the OWASP Top 10 (and probably more).
Now you might ask why I am writing a blog on this, when there must be thousands of walkthroughs for it. Well, there are; there is even an official walkthrough, which is free and hosted on gitbooks.io here: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
I am doing this, because well why the fuck not. I might as well write up my adventures!
So, the first thing I learnt is that the site is cookie based. This is interesting and means clearing your cookies starts you over again, so this is exactly what I’m going to do, and try to do each challenge one by one.
In the setup guide, it lets you know there is a scoreboard which lists the challenges. This seems useful, so this will be my first stop!
I’m going to do all my work in Firefox, within a Kali VM. I don’t know what tools I’ll need, but best to start in a position where everything is available!
The ScoreBoard
Now, the site is JavaScript. It’s in the setup instructions. So my first bet is that there will be some JS modules I can look at. However, this wasn’t my first thought. I thought it might be something pretty straightforward, so I used dirb to try and find more on the site.
dirb http://yekki-juiceshop.herokuapp.com /usr/share/dirb/wordlists/big.txt
I got some pretty good results, which I have no doubt we will come back to. However, nothing about a scoreboard!
So after that, I realised that the page is JavaScript. Therefore there must be something I can read to get a look at how the website works.
In Firefox, I right clicked and went to Inspect. This brought up the Inspector toolbar. I had a look through here and found a nice YouTube link under the cookie section. However, other than style sheets, I didn’t find a huge amount more than that.
So I went across to the Debugger tab. Here we go.
These are something we can look at. Clicking on main just gives us one long line of JavaScript. No way we can go through that.
This is when I remembered someone at work mentioned a way to make JavaScript more beautiful, so I headed over to: https://beautifier.io
This makes it all a lot more readable. Scrolling through, there seems to be an interesting list of paths.
This is great; however, look at that top one. That’s a good one. Anything like admin/administrator/administration is always worth checking out.
This shows all registered users, some reviews and recycling requests. Oh look at that, we also completed a challenge. That’s cool!
Now to check out the score-board page!
Heading over to http://yekki-juiceshop.herokuapp.com/#/score-board brings up the scoreboard. Look at that, another challenge done and the scoreboard is shown in the top of the page!
Ok, first 2 challenges complete!
Now we have a list! This is useful, so what I’ll do is create a header for each and go through in order!
Trivial Challenges
Admin Section
Well we completed this earlier. That list of paths included it. Nice and easy!
Confidential Document
So earlier, our dirb found a /ftp/ directory. I think a confidential document will be in there. Let’s go have a look.
Oooh, lots of documents:
The PDF is from an order I created earlier. That’s good to know: they get saved here where we can see them later. However, that’s not going to be a restricted file. I feel eastere.gg is a good one!
Oh, 403 Error: only .md and .pdf files are allowed. How the fuck do we get round this?
Ok, so we can open any .pdfs and .md’s. That’s cool. Turns out currently we don’t need to get round this! We just need to open a confidential document, and acquisitions.md is confidential! It even says so in its title! Great news, that’s another tick!
Error Handling
I’m not sure how I completed this challenge. I just clicked on a link and it appeared. So just click around and see what makes it pop.
Redirects Tier 1
So, somewhere something performs a redirect. Might be worth going back to our main.js and searching for redirect.
There are a few; most look to be for payment methods, e.g. Bitcoin takes you to blockchain.info.
I guess we click on each and see what happens. Nope, they are all legit ways to donate to the project.
So there are other JavaScript parts there. How about we look at the others? Vendor.js could have information about redirects, possibly to do with payment plans?
Back to our JavaScript beautifier to make it readable. Then let’s look for any redirects. There are loads; it looks useful but unfortunately not for right now.
I had missed the important one: under main.js there was function yn(1) which redirects to gratipay.com. Putting this in the browser, “https://yekki-juiceshop.herokuapp.com/redirect?to=https://gratipay.com/juice-shop”, takes you to a 404 page and gives that achievement.
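As a side note on the defensive side of that redirect, here is an added example (my own illustration, not Juice Shop’s code) of how a ?to= parameter should be checked against an allowlist of destinations. The allowlist entries, and the function names isAllowedWeak, normalise and resolveRedirect, are assumptions for this example; the point is the difference between a substring match and a parsed, exact match.

```javascript
// Added example, not Juice Shop's code: validating a "?to=" redirect target.
// The allowlist below is an assumption for this example (one real donation
// page from the post plus one constructed entry).
const ALLOWED_REDIRECTS = [
  'https://gratipay.com/juice-shop',
  'https://example.org/donate', // constructed entry
];

// Weak check: a substring match. Any URL that merely *contains* an allowed
// destination passes, so the allowlist does not actually bound where the
// user ends up. Shown only to contrast with the strict check below.
function isAllowedWeak(to) {
  return ALLOWED_REDIRECTS.some((allowed) => to.includes(allowed));
}

// Parse the target, require https, and reduce it to origin + path so that
// query strings, fragments and trailing slashes cannot change the comparison.
function normalise(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not an absolute URL at all
  }
  if (url.protocol !== 'https:') return null; // rejects http:, javascript:, data: ...
  return url.origin + url.pathname.replace(/\/+$/, '');
}

// Strict check: returns the matching allowlist entry, or null to refuse the
// redirect. Compare normalised forms on both sides.
function resolveRedirect(to) {
  const target = normalise(to);
  if (target === null) return null;
  const hit = ALLOWED_REDIRECTS.find((allowed) => normalise(allowed) === target);
  return hit === undefined ? null : hit;
}
```

The server should only ever issue a Location header with the value resolveRedirect returns, never with the raw ?to= parameter, so a refused target falls through to an error page rather than an off-site hop.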
Score Board
Well here we are. Full explanation above!
XSS Tier 0 & XSS Tier 1
This is a reflected XSS attack with an iframe. I honestly had no idea about the XSS types, or really what they did, so I went to Google and found the page on OWASP. Seems a good place to start.
Turns out reflected XSS is where injected script is reflected off the web server, such as in an error message, search result etc.
Looking into it further, it looks like if we run a “script”, for example <script>alert(Hello)</script>, somewhere that a command is being run, this should count. So let’s try it. What we need first is to find a place where the URL will have a ?<field>=Answer.
Aha, got one! If we do a search, the URL becomes “http://yekki-juiceshop.herokuapp.com/#/search?q=hello”
This is exactly what we are looking for. So if we change the “hello” to “<script>alert(Hello)</script>”, let’s see what happens.
Nothing, ok. Just comes back with no results. I’m sure you’ve seen the most basic mistake here. We are using HTML tags, not JavaScript.
So the JavaScript equivalent uses an iframe. The clues were on the scoreboard.
So we need to tweak our script to be:
<iframe src%3D"javascript:alert('Hello')">
Ah look at that!
Now, this appears in my version to have been a success for XSS Tier 1, which is a DOM based XSS attack.
So again, let’s go back to OWASP: what the heck is a DOM XSS?
Well, it’s when the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script.
So I wonder if, because we put it in the URL directly, it was only DOM (Document Object Model) based.
To get the reflected one, we need to make a request to the server, right? How about doing the same thing, but in the search bar!
Well, it creates an empty iframe, as it were. So bugger. That’s not it either!
I feel that these have been given to me in the wrong order. I feel that adding the URL is a reflected attack, as it calls that page from the server directly.
So, with that in mind, let’s carry on trying to get the DOM XSS. We need to know what happens on the JavaScript page; is there an easy way to tweak something client side?
Let’s go back to our Inspector. On the right, there are “rules”. What if we change some of those? I changed height to 50% and it changed on screen, but nothing else. So that’s not it!
Back to the reading: how does one perform a DOM XSS? What we need to work out is how the JavaScript works with user input.
Good question, let’s go to Burp and intercept that request. So I’ve got Firefox proxying through Burp and Intercept on.
I’ve done a search for “Read This Blog”; let’s see what happens.
We see a GET request, using the API of /rest/product/search
I’ll send this to Repeater and we can use this later. However, you’ll notice it doesn’t say “Read This Blog” anywhere in it.
What we can try though is changing the GET request to include our JavaScript.
That did nothing.
Maybe we are looking at this wrong. The search form does a search on the database? Maybe.
Does anything add or change anything in that database? Let’s hunt around further in the pages.
If we click on a product when logged in, there is a reviews part. What if we try our malicious code in there? Nope, that just prints it out as text.
All we need to find is somewhere else that does a search or an input of some sort.
All the above was nonsense. For the reflected XSS we needed to get something off the server, so looking around for somewhere you can make requests, I found that when logged in, under the User menu there is a “track orders” option.
This gives an input box, which then requests information from the server. Perfect, this is the exact definition of a reflected XSS attack.
If we put in our code as above, <iframe src%3D"javascript:alert('Hello')">, we should get an iframe back.
Perfect, we get the score up on that board!
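To make the “why” concrete, here is an added example (my own, not Juice Shop’s code) that models the track-orders page in a few lines: the same template rendered with and without output encoding, plus a small check you could run over request parameters to spot probes like the one above. The names renderTrackingUnsafe, renderTrackingSafe, escapeHtml, containsLiveTag and looksLikeXssProbe are all hypothetical; the payload is the one used in this post.

```javascript
// Added example, not Juice Shop's code: a minimal model of why the
// order-tracking result reflected the iframe, and how output encoding stops it.
const PAYLOAD = '<iframe src="javascript:alert(\'Hello\')">'; // payload from the post

// Unsafe: the user-supplied order id is dropped straight into markup, so the
// browser parses the <iframe> and runs its javascript: URL.
function renderTrackingUnsafe(orderId) {
  return `<p>Results for order ${orderId}</p>`;
}

// Encode the five characters that can change HTML context.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe: the same template, but the value is encoded before it reaches the markup.
function renderTrackingSafe(orderId) {
  return `<p>Results for order ${escapeHtml(orderId)}</p>`;
}

// Does the rendered HTML still contain a tag of this name that a browser would parse?
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}

// Detection side: the parameter arrives URL-encoded (the post used src%3D).
// Decode it once, tolerate malformed encoding, and look for script-ish markup.
const XSS_PROBE = /<\s*(script|iframe|img|svg)\b|javascript:/i;
function looksLikeXssProbe(rawParam) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawParam);
  } catch {
    decoded = rawParam; // e.g. a lone "%" is not valid percent-encoding
  }
  return XSS_PROBE.test(decoded);
}
```

The fix on a real page is the same idea as renderTrackingSafe: treat the order id as text (a framework’s text binding, or escapeHtml before concatenation), never as markup. The probe regex is deliberately narrow and is for flagging requests in logs, not a substitute for encoding.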
Zero Stars
So we need to give a review 0 stars. Let’s first look at how to give a review. If we view a product we can review it; however it doesn’t have any stars, so that doesn’t seem right.
The customer feedback form seems better: it has stars. Let’s fill in the basic comment of “0 stars”, then just leave no stars clicked. Complete the captcha. Ok, we can’t submit feedback without a rating. Let’s give it a 1, and we will catch the process in Burp and see what it’s doing.
Oh, look at that last part. I’m UserID = 14 (I wonder who 1-13 are. Admin user maybe?). The captcha has an ID and result. There is the comment of 0 stars that we entered and, bingo, a rating!
What if we change this rating to a 5? Let’s see if the review reflects that on the page. (Sure, I could change it to 0, but if that doesn’t work, I’ve learnt nothing.)
Ok, result “Thank you for your feedback and your 5-star rating”
If we go back to the administration page, it also shows up there!
Look at that. User 14, our comment of 0 stars with 5 stars next to it.
Ok, I wonder if we can delete that. It could be useful. Yes we can. That’s gone.
So let’s try again, this time changing the rating to 0.
Hooray, the green banner of success! Nice and easy to finish off the trivial challenges.
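The lesson from that last one is that the form stopping you submitting with no stars is purely client side, and the server took whatever rating Burp sent. As an added example (mine, not Juice Shop’s code), here is what the server-side half of that feedback endpoint should do with the body we captured. The field names (comment, rating, captchaId, captcha, UserId) follow what the post describes; the session object, the captcha store and the function name validateFeedback are assumptions.

```javascript
// Added example, not Juice Shop's code: server-side validation for the
// feedback POST captured in Burp above. session and captchaStore are assumed
// shapes: { userId } and a Map of captchaId -> expected answer.
function validateFeedback(body, session, captchaStore) {
  const errors = [];

  // The rating the browser enforces is not the rating the server must accept:
  // re-check it here as an integer within the 1..5 the form offers. A "0" or
  // a "5" typed into an intercepted request both end up here.
  const rating = body.rating;
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    errors.push('rating must be an integer between 1 and 5');
  }

  const comment = typeof body.comment === 'string' ? body.comment.trim() : '';
  if (comment.length === 0 || comment.length > 500) {
    errors.push('comment must be between 1 and 500 characters');
  }

  // Captcha: compare the answer against what the server issued for that id,
  // then consume the id so the same answer cannot be replayed.
  const expected = captchaStore.get(body.captchaId);
  if (expected === undefined || String(body.captcha) !== String(expected)) {
    errors.push('captcha answer is wrong or expired');
  } else {
    captchaStore.delete(body.captchaId);
  }

  if (errors.length > 0) return { ok: false, errors };

  // The UserId in the request body is client-controlled; bind the feedback to
  // the authenticated session instead (null for anonymous feedback).
  return {
    ok: true,
    feedback: { UserId: session ? session.userId : null, comment, rating },
  };
}

// Constructed sample: the kind of body an intercepted request might carry,
// with the rating edited to 0 and the UserId edited to 1.
function demo() {
  const captchaStore = new Map([[7, 12]]); // captcha id 7 expects the answer 12
  const session = { userId: 14 };
  const tampered = { UserId: 1, captchaId: 7, captcha: 12, comment: '0 stars', rating: 0 };
  return validateFeedback(tampered, session, captchaStore);
}
```

Run demo() and the tampered body is refused on the rating alone; send a valid rating with a forged UserId and the stored feedback is still attributed to the session’s user 14, which is the property the administration page was relying on.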