I recently got told about the OWASP Juice Shop. This is the latest offering from OWASP in terms of vulnerable web apps; previous offerings include things like DVWA (Damn Vulnerable Web App).
What I like about Juice Shop is that it can be hosted on Heroku and is therefore accessible from anywhere. Sure, other people can look at it, but is there too much danger in that?
The site has a range of vulnerabilities that work through the OWASP Top 10 (and probably more).
Now you might ask: why am I writing a blog on this, when there must be thousands of walkthroughs for it? Well, there are. There is even an official walkthrough, which is free and hosted on gitbooks.io here: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
I am doing this because, well, why the fuck not. I might as well write up my adventures!
So, the first thing I learnt is that the site is cookie based. This is interesting and means clearing your cookies starts you over again, so this is exactly what I’m going to do, and try to do each challenge one by one.
In the setup guide, it lets you know there is a scoreboard which lists the challenges. This seems useful, so this will be my first stop!
I’m going to do all my work in Firefox, within a Kali VM. I don’t know what tools I’ll need, but it’s best to start in a position where everything is available!
Now, the site is JavaScript. It’s in the setup instructions. So my first bet is that there will be some JS modules I can look at. However, this wasn’t my first thought. I thought it might be something pretty straightforward, so I used dirb to try and find more on the site.
dirb http://yekki-juiceshop.herokuapp.com /usr/share/dirb/wordlists/big.txt
I got some pretty good results, which I have no doubt we will come back to. However nothing about scoreboard!
So after that, I realised that the page is JavaScript. Therefore there must be something I can read to get a look at how the website works.
In Firefox, I right clicked and went to Inspect. This brought up the Inspector toolbar. I had a look through here and found a nice YouTube link under the cookie section. However, other than style sheets, I didn’t find a huge amount more than that.
So I went across to the Debugger tab. Here we go.
This makes it all a lot more readable. Scrolling through, there seems to be an interesting list of paths.
This is great, however look at that top one. That’s a good one. Anything like admin/administrator/administration is always worth checking out.
This shows all registered users, some reviews and recycling requests. Oh look at that, we also completed a challenge. That’s cool!
Now to check out the score-board page!
Heading over to http://yekki-juiceshop.herokuapp.com/#/score-board brings up the scoreboard. Look at that, another challenge done, and the scoreboard is shown at the top of the page!
Ok, first 2 challenges complete!
Now we have a list! This is useful, so what I’ll do is create a header for each and go through them in order!
Well we completed this earlier. That list of paths included it. Nice and easy!
So earlier, our dirb scan found a /ftp/ directory. I think a confidential document will be in there. Let’s go have a look.
Oooh, lots of documents:
The PDF is from an order I created earlier. It’s good to know they get saved here where we can see them later. However, that’s not going to be a restricted file. I feel eastere.gg is a good one!
Oh 403 Error: only .md and .pdf files are allowed. How the fuck do we get round this?
Ok, so we can open any .pdf and .md files. That’s cool. Turns out that currently we don’t need to get round this! We just need to open a confidential document, and acquisitions.md is confidential! It even says so in its title! Great news, that’s another tick!
I’m not sure how I completed this challenge. I just clicked on a link and it appeared. So just click around and see what makes it pop.
Redirects Tier 1
So, somewhere something performs a redirect. Might be worth going back to our main.js and searching for “redirect”.
There are a few; most look to be for payment methods, e.g. Bitcoin takes you to blockchain.info.
I guess we click on each and see what happens. Nope, they are all legit ways to donate to the project.
I had missed the important one: under main.js there was function yn(1) which redirects to gratipay.com. Putting “https://yekki-juiceshop.herokuapp.com/redirect?to=https://gratipay.com/juice-shop” in the browser takes you to a 404 page, and gives that achievement.
Well here we are. Full explanation above!
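How a /redirect?to= endpoint can decide whether to honour its parameter, as an added example that is not Juice Shop’s code: the target is parsed as a URL and its origin compared against a fixed allowlist, rather than trusting the raw string. The allowlist below is assumed from the donation links mentioned above (gratipay.com, blockchain.info), and isAllowedRedirect and redirectResponse are my names.

```javascript
// Added example, not Juice Shop's code: allowlist-based validation of a
// redirect target. The allowed origins are assumed from the donation links
// the walkthrough mentions.
const ALLOWED_REDIRECT_ORIGINS = new Set([
  'https://gratipay.com',
  'https://blockchain.info',
]);

function isAllowedRedirect(target) {
  let url;
  try {
    url = new URL(target); // throws on malformed or relative values
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  // Compare the parsed origin exactly; never substring-match the raw parameter.
  return ALLOWED_REDIRECT_ORIGINS.has(url.origin);
}

// Models the handler's response for a given "to" parameter.
function redirectResponse(target) {
  if (!isAllowedRedirect(target)) {
    return { status: 403, body: 'Redirect target not allowed' };
  }
  return { status: 302, location: target };
}

module.exports = { isAllowedRedirect, redirectResponse, ALLOWED_REDIRECT_ORIGINS };
```

The gratipay URL from the walkthrough passes because its origin is on the list; any other origin, a non-https scheme, or a value that does not parse as a URL gets a 403 instead of a redirect.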
XSS Tier 0 & XSS Tier 1
This is a reflected XSS attack with an iframe. I honestly had no idea about the XSS types, or really what they did, so I went to Google and found the page on OWASP. Seems a good place to start.
Turns out reflected XSS is where injected script is reflected off the web server, such as in an error message, search result etc.
Looking into it further, it looks like if we run a “script”, for example <script>alert(Hello)</script>, somewhere that a command is being run, this should count. So let’s try it. What we need first is to find a place where the URL will have a ?<field>=Answer.
Aha, got one! If we do a search, the URL becomes “http://yekki-juiceshop.herokuapp.com/#/search?q=hello”
This is exactly what we are looking for. So if we change the “hello” to “<script>alert(Hello)</script>”, let’s see what happens.
So we need to tweak our script to be:
Ah look at that!
Now, this appears in my version to have been a success for XSS Tier 1, which is a DOM based XSS attack.
So again, let’s go back to OWASP: what the heck is a DOM XSS?
Well, it’s when the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script.
So I wonder if, because we put it in the URL directly, it was only DOM (Document Object Model) based.
To get the reflected, we need to make a request to the server right? How about doing the same thing, but in the search bar!
Well, it creates an empty iframe, as it were. So bugger. That’s not it either!
All the above was nonsense. For the reflected XSS we needed to get something off the server, so looking around for somewhere you can make requests, I found that when logged in, under the User menu there is a “track orders” option.
This gives an input box, which then requests information from the server. Perfect, this is the exact definition of a reflected XSS attack.
Perfect, we get the score up on that board!
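Both variants above come down to the same defect: user input is written into the page as markup. An added example of the fix, not Juice Shop’s code, for a search result that echoes the query back: the vulnerable template and the same template with the value HTML-escaped first, plus the DOM-side equivalent of writing through textContent instead of innerHTML. The function names and the “No results for …” template are my assumptions.

```javascript
// Added example, not Juice Shop's code: escaping reflected input before it is
// written into HTML. Template text and function names are assumed.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every character that can change HTML structure with its entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the query is interpolated verbatim, so any tags in it become
// part of the page (this is the reflected case from the search box above).
function renderSearchResultUnsafe(query) {
  return `<p>No results for ${query}</p>`;
}

// Fixed: identical template, but the query is escaped first and renders as text.
function renderSearchResultSafe(query) {
  return `<p>No results for ${escapeHtml(query)}</p>`;
}

// DOM-side fix for the client-rendered case: textContent never parses markup,
// so the same string shows up literally instead of creating an iframe.
function setResultText(element, query) {
  element.textContent = query;
  return element;
}

module.exports = { escapeHtml, renderSearchResultUnsafe, renderSearchResultSafe, setResultText };
```

Escaping at the point of output is what makes the page’s own payload harmless: the angle brackets are emitted as entities, so the browser displays the text rather than executing it.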
So we need to give a review 0 stars. Let’s first look at how to give a review. If we view a product we can review it. However, it doesn’t have any stars, so that doesn’t seem right.
The customer feedback form seems better; it has stars. Let’s fill in the basic comment of “0 stars”, then just leave no stars clicked. Complete the captcha. Ok, we can’t submit feedback without a rating. Let’s give it a 1, and we will catch the process in Burp and see what it’s doing.
Oh, look at that last part. I’m UserID = 14 (I wonder who 1-13 are. Admin user maybe?). The captcha has an ID and result. There is the comment of 0 stars that we entered and, bingo, a rating!
What if we change this rating to a 5? Let’s see if the review reflects that on the page. (Sure, I could change it to 0, but if that doesn’t work, I’ve learnt nothing.)
Ok, result: “Thank you for your feedback and your 5-star rating”
If we go back to the administration page, it also shows up there!
Look at that. User 14, our comment of 0 stars with 5 stars next to it.
Ok I wonder if we can delete that. It could be useful. Yes we can. That’s gone.
So let’s try again, this time changing the rating to 0.
Hooray, the green banner of success! Nice and easy to finish off the trivial challenges.
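The form refused to submit without a star, yet the edited request went through, which shows the rating was only enforced in the browser. An added example, not Juice Shop’s code, of the server-side validation that closes that gap: the rating must be an integer from 1 to 5, the comment a non-empty string, and the user id comes from the authenticated session rather than from the request body, so an edited UserID field is ignored. The field names follow the request captured in Burp above; the schema, error messages and function names are my assumptions.

```javascript
// Added example, not Juice Shop's code: server-side validation of a feedback
// submission. Field names follow the captured request; everything else is assumed.
function validateFeedback(body) {
  const errors = [];
  const rating = body.rating;
  // Enforce the same rule the client form applies: an integer star count in 1..5.
  // A tampered 0 (or "5", 4.5, undefined) is rejected here regardless of the client.
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    errors.push('rating must be an integer between 1 and 5');
  }
  if (typeof body.comment !== 'string' || body.comment.trim() === '') {
    errors.push('comment must be a non-empty string');
  }
  return { ok: errors.length === 0, errors };
}

// Builds the record to store. The user id is taken from the session, never
// from the body, so a UserID field in the request has no effect.
function buildFeedbackRecord(session, body) {
  const result = validateFeedback(body);
  if (!result.ok) {
    return { status: 400, errors: result.errors };
  }
  return {
    status: 201,
    record: { userId: session.userId, comment: body.comment, rating: body.rating },
  };
}

module.exports = { validateFeedback, buildFeedbackRecord };
```

With this in place the captured request, replayed with rating set to 0, gets a 400 instead of the green banner, and the stored record carries the session’s user id (14 in the walkthrough) whatever the body says.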