OWASP Juice Shop – Medium Challenges

Medium Challenges

Admin Registration

This was a fun little challenge. Can you register as an admin? The problem you might see is that when you capture the traffic in Burp during registration, there is no field for admin, type or level. This makes it slightly harder. I also noticed when looking at users on the administration page that there is nothing to indicate a user is an admin, so that doesn't give us a field name or anything useful like that.

So, what shall we look at? Well, let's go back to Burp and see if we can just take a lucky guess. Capturing the traffic using Intercept, I'll add in "admin":"true" for admin=true.

No good. Maybe the field is in the main.js script. A quick search for admin doesn't come up with anything, and user is also drawing blanks.

Looking through there I can find the passwordRepeat field, which is close; it starts with ["id", so doing a search for this gives a few items, but nothing that looks to be right. Back to the drawing board!

Ok, let's be honest, the gut feeling is that the answer will be in the request, which we can only get through Burp, so let's go back to trying to register and send it across to Repeater, where we can try more options quickly.

Interestingly, the response gives us some additional hints when we don't add in anything new.

Here we go: "isAdmin":false. That is exactly what we need. So let's re-create our original request, adding in "isAdmin":true.

Success! There we go, we have registered as an admin user!

Basket Access Tier 2

Ok, so our clue for this one is “Put an additional product into another user’s shopping basket”.

It would seem that catching the request and changing a user ID would be sufficient? Let's go take a look:

So, this is our request. Interestingly, at the top we have /rest/basket/4. Sending this over to Repeater and changing that to 2, let's see what happens.

{"status":"success","data":{"id":2,"

Seems good. Let's try it for real! Ok, the request went through without an issue and there is nothing in our basket.

Let's take a look into ID=2's basket. Is it in there? Again, capture the request and change the ID. Well, there are 2 raspberry juices in there, so I think that has worked.

Let's try a different product to double check. We went for a bike this time, and this didn't get put into the basket. So something went askew there. I think the first was just a lucky pick; I don't think this has worked so far.

The 2nd request we get is the API for BasketItems.

Just changing the BasketId hasn't worked. So let's see if we can find the API and work out what it is doing!

CAPTCHA Bypass Tier 1

Forged Feedback

Forgotten Sales Backup

Login Amy

Login Bender

Login Jim

Payback Time

This challenge is to place an order that makes you rich. Straight away I thought of changing the total on the checkout. After a bit of poking about, this wasn't an option.

I then wondered how else I could get a negative number. In an earlier challenge we changed the stars in the Burp request to 0. Surely we can't change the number of products to a minus number? Well, let's have a go.

With Intercept on, we put something into our basket. The Melon bike at 2999 looks like an amount of money I'd want back.

When the API calls BasketItems there are some bits we can play with. This includes which item, whose basket we put things in, and the quantity.

Let’s change the quantity to -100 and see what happens.

Let's have a quick look at our basket.

Oh dear! That's not good. With some commas that is a cool 299,000. That's rich enough for me!

Clicking Checkout and we have made ourselves rich!
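The three holes walked through above (registration accepting an isAdmin field, BasketItems accepting another user's BasketId, and a negative quantity) all come down to trusting the request body. As an added example that is not Juice Shop's own code, here is how a Node server could reject each; the field names BasketId, ProductId and quantity and the shape of the session object are assumptions.

```javascript
// Added example, not Juice Shop's code. Field names (isAdmin, BasketId,
// ProductId, quantity) and the session shape are assumptions.

// Registration: copy only the fields a client may set. Anything else in the
// JSON body (isAdmin, role, ...) is dropped, so a forged "isAdmin": true has
// no effect; the privilege flag is assigned server-side only.
const REGISTRATION_FIELDS = ['email', 'password', 'passwordRepeat'];

function buildNewUser(body) {
  const user = {};
  for (const field of REGISTRATION_FIELDS) {
    if (typeof body[field] === 'string') user[field] = body[field];
  }
  user.isAdmin = false; // never taken from the request
  return user;
}

// BasketItems: the BasketId must be the caller's own basket (looked up from
// the authenticated session, not the body), and quantity must be a positive
// integer so a negative line total can never be built.
function validateBasketItem(item, session) {
  if (item.BasketId !== session.basketId) {
    return { ok: false, reason: 'basket does not belong to caller' };
  }
  if (!Number.isInteger(item.quantity) || item.quantity < 1) {
    return { ok: false, reason: 'quantity must be a positive integer' };
  }
  return { ok: true };
}

// Constructed requests mirroring the walkthrough: a forged admin
// registration, a write into basket 2 by the owner of basket 4, and a
// quantity of -100.
const forgedRegistration = { email: 'x@example.test', password: 'pw',
                             passwordRepeat: 'pw', isAdmin: true };
const session = { userId: 4, basketId: 4 };
const foreignBasket = { BasketId: 2, ProductId: 1, quantity: 1 };
const negativeQty = { BasketId: 4, ProductId: 1, quantity: -100 };

console.log(buildNewUser(forgedRegistration));          // isAdmin: false
console.log(validateBasketItem(foreignBasket, session)); // ok: false
console.log(validateBasketItem(negativeQty, session));   // ok: false
```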

Product Tampering

Reset Bjoern’s Password Tier 1

Reset Jim’s Password

Upload Size

Upload Type

XSS Tier 2

XSS Tier 3
