How to look for website vulnerabilities

Tomcat

Contents
  1. Installing and running OWASP Juice Shop
  2. Installing Node.js
  3. Installing OWASP Juice Shop
  4. Setting up Burp Suite
  5. Search for a board with tasks
  6. Opening the admin panel
  7. Registering an Administrator Account
  8. Using SQL injection to login
  9. Brute-forcing the administrator password
  10. Get Deluxe Membership for free
  11. Conclusions

If you are a good programmer, you have probably thought about looking for vulnerabilities in websites (web applications) and earning money from bug bounty programs. That is a fine plan, but it is wise to practice finding vulnerabilities first, and to do so without breaking the law. The Juice Shop platform, created by OWASP, is built for exactly that.

Today I'll show you how to install and use OWASP Juice Shop to find web application vulnerabilities. Let's go!

Installing and running OWASP Juice Shop

Juice Shop can be installed in several ways. I prefer and recommend running it directly under Node.js, because the Docker image does not expose every vulnerability the application has.

Never try any of this against real online stores! It is a criminal offense in almost every country. The one exception is a store that takes part in a bug bounty program, but even then there are many nuances you must familiarize yourself with before you start looking for vulnerabilities on the site!

Installing Node.js

Juice Shop works with several releases of Node.js. At the time of writing, the current LTS (Long Term Support) release is Node.js 14, and that is the one we will install. First, let's install Node Version Manager (nvm). It exists so that you do not clutter your operating system with packages and can switch between Node.js releases.

At the time of writing, the latest nvm version is 0.38. Installing it takes one command, run from your home folder.

Code:
$ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash

Now close and reopen the terminal so that the changes the script made to your shell profile take effect.

Check the installed version of nvm and proceed directly to install Node.js.

Code:
$ nvm -v
$ nvm install --lts

Check the version of the installed node command and remember it.

Code:
$ node --version

If you need several different versions at the same time, then install the ones you need and select the current one as needed.

Code:
$ nvm install <version number>
$ nvm use <version number>

Installing OWASP Juice Shop

New releases appear frequently on GitHub, so always download the latest one. But don't forget, it must be compatible with your Node.js. If you installed Node.js 14 in the previous step, then you will need juice-shop-xx.x.x_node14_linux_x64.tgz. Download and extract it.

Code:
$ tar -xzf juice-shop-xx.x.x_node14_linux_x64.tgz

This completes the installation. Change into the extracted Juice Shop folder and launch it:

Code:
$ npm start

If the installation went well, you will see the message “info: Server listening on port 3000”. Open your browser and go to http://localhost:3000. In the top right corner, select English. Why English? So that the terms used below match exactly what you see on screen.

Setting up Burp Suite

In my case I will use Burp Suite, but you can use any other tool.

Search for a board with tasks

When you first launched the shop, you probably noticed the juice carton offering a very simple first task: find the board with tasks and results, also known as the Score Board. There are two ways to solve this extremely simple problem.
  1. Take a close look at the routes in the address bar, /#/search, /#/login and so on, and think: what would the route for the Score Board be? I'll say right away that I don't really like this option, because it is a guessing game, and not always a successful one. So I prefer option number two.
  2. Examine the site's source code and see whether there is anything interesting in it. I assume you know how to view a site's source in your favorite browser; in Firefox, just press F12.

Juice Shop Home Page Source Code

What immediately catches your eye? A huge number of included JS scripts! We are interested in the main script. You can find out what the other scripts are responsible for at your leisure using your favorite anonymous search engines.

Now go to the Debugger tab and look at the source of main. Doesn't look very readable, does it? There are two ways forward: either try to restore the code after the JS minifier using one of the many deobfuscator sites, or simply select Pretty print source in Firefox (by clicking the tab with the file name) and get a more readable version. For our purposes, this is enough for now.

The amount of code is impressive. That is bad and good at the same time: it usually means that a lot of the site's logic has been moved into client-side JavaScript, which in turn means it can be bypassed with a simple debugger. Let's finally find the Score Board. How to search the source efficiently is up to you, but in the end you should arrive at a fragment listing routes you already know, such as /#/search.

Type into the address bar:

and successfully complete the first task. By the way, now a corresponding item has appeared in the left menu and the ability to quickly open the board.

There are complete solutions to all Juice Shop problems on the Internet and on YouTube. In addition, you can always read a detailed explanation of almost every task with a solution in the developers' book, but I recommend looking at the solution only as a last resort. Moreover, some problems can be solved using completely different methods.

Juice Shop version 12.7.0 introduced a wonderful feature: by clicking the button with angle brackets, you can now see the source code of the vulnerable module and the line where the error occurs. Compare the source code before minification with the one you saw in the browser. You may find interesting new routes that the site's interface hides from you.

By the way, in the screenshot above I have already completed two tasks. I simply wondered what would happen if I tried to open the /#/complain route without registering on the site. Remember that it is not in the left menu until you log into an account? Try opening it as a guest and submitting an anonymous complaint! Got a new achievement? That should not be possible, and you must always assume that any route can be opened by simply typing the desired address in the address bar. A little later I'll show you why you should not trust anything at all that arrives over the network.

Opening the admin panel

Before rushing headlong into the tasks, I recommend reading the board carefully. All tasks on it are graded by difficulty from one to six stars, and the grading is fairly arbitrary. For example, one task is to inform the store that it uses “weak” cryptography. The task itself can be solved simply by sending the name of the vulnerable algorithm into the chat, but you discover and identify those algorithms by completing tasks of a higher difficulty level. So do not try to finish all tasks of one difficulty level before moving on to the next. I recommend working by category (by the way, have you noticed how closely they resemble the OWASP Top 10?). The tags next to each task can point you in the right direction.

Some tasks have a hint or tutorial. Try to do without help first. However, some tasks are so vague that it makes sense to read the more detailed description in the developers' book. Here, for example, is the “Variable” category.

Now let's move on to searching for the admin panel and try to get into it. I hope you haven't forgotten where we found the Score Board address? You can also find the admin panel address there! However, when we try to go to this address, we will be greeted by a red banner with a 403 error... It's time to launch Burp Suite and look at the network exchange.

Surprisingly, there is no request related to admin-panel access here at all! Remember the huge size of the main script? All the access checks must be handled there. Time to work with the debugger. The easiest way to find the right place in the code is to search for the access error code, 403.

Do you see the two CanActivate() functions? If we have no token, or access is denied, we get the 403 error. To reduce the number of screenshots, I'll tell you right away: you will have to register, because unregistered users have no access token. So log in with the user you created earlier, or create a new one.

Now let's try to fool the script. Set a breakpoint on line 579 and add the variable t to Watch.

Try opening the admin page again. Remember, in order for the breakpoint to work, you must have the debug console open!

Now the simplest part remains. The script above checks whether the role equals admin; if not, you see the access error. So you only need to change the role value to admin. Unfortunately, with the arrival of the new developer console in Firefox, editing variables in the Watch panel broke and has not been restored yet... Remember the path to the value, t.data.role, switch to the Console tab of the developer tools and change the role value to admin there.

Now return to the debugger and continue executing the script. Congratulations, you will gain access to the administrative part of the site! Why did it happen? You cannot rely on access control at the client code level, since the client can always change this code. By the way, this solution has three stars in terms of difficulty level. A little later, you will register a normal admin account and use SQLi to access the admin area. They are much simpler since they do not require studying the source code.

I would like to note that the correct server code would not have shown a list of users or reviews either, since it would have checked the user rights token when requesting them from the server. In our case, this does not happen and, once in the admin panel, you can easily see all the data...

If you haven't turned Burp off, you can find these requests in the exchange and confirm that no permission check happens on the server side at all! How can you tell? Do you see the token cookie? It is a JWT (JSON Web Token) and can be decoded trivially.

This token essentially contains the user's entire profile and explicitly specifies their original role as customer, but the server backend does not check permissions when requesting all reviews or profiles. This means that by intercepting such a request, you can easily obtain information about registered users without even opening the admin panel. If you are a developer, never do this! This is a prime example of Broken Access Control according to the OWASP classification. Unfortunately, in real life it occurs at every step... Microservice architectures are especially guilty of this.
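
The two halves of that observation, that the payload is readable by anyone holding the cookie and that the server must therefore verify the signature and the role on every privileged request, look like this in code. This is an added example, not code from the article or from Juice Shop; the signing secret and the profile are constructed, and the claim layout (t.data.role) follows the path the article names.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret; Juice Shop's real secret is not on the page.
SERVER_SECRET = b"example-signing-secret-not-the-real-one"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Restore the padding base64url strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(profile: dict, secret: bytes = SERVER_SECRET) -> str:
    """Mint an HS256 JWT the way a login endpoint would."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(profile).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def peek_claims(token: str) -> dict:
    """What anyone holding the cookie can read: the payload is encoded, not encrypted."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def tamper_role(token: str, role: str) -> str:
    """Rewrite the role claim in the payload while keeping the original signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.setdefault("data", {})["role"] = role
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"


def authorize(token: str, required_role: str, secret: bytes = SERVER_SECRET) -> bool:
    """Server-side check for a privileged endpoint: verify the signature, then the role."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return False                      # refuse 'none' or any algorithm we did not issue
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return False                      # payload or signature was altered
        claims = json.loads(b64url_decode(payload))
    except (ValueError, TypeError, AttributeError):
        return False                          # malformed token
    return claims.get("data", {}).get("role") == required_role


if __name__ == "__main__":
    token = issue_token({"data": {"email": "user@example.com", "role": "customer"}})
    print(peek_claims(token))                              # readable without the secret
    print(authorize(token, "admin"))                       # False: a customer token
    print(authorize(tamper_role(token, "admin"), "admin"))  # False: signature no longer matches
```

The point of the last line is the one the article makes: editing t.data.role in the browser defeats the client-side route guard, but an endpoint that calls something like authorize() before returning user lists or reviews is not fooled, because the HMAC no longer matches the edited payload.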

Registering an Administrator Account

Now is the time to register yourself a full-fledged administrator account! To do this, you need to figure out what information is sent when registering a regular account from the site. Burp Suite will help you with this. Launch it and go through the registration process completely.

As you can see, after submitting the form you receive in response a user profile with the role customer. One classic developer mistake here is mass assignment: the registration code takes the list of profile fields from the request body and fills in defaults only for the fields that are missing. See the empty username field in the response? Try intercepting this request before it is sent and inserting a username field into it, as in the screenshot below.

Now look carefully at the server's response! See our changed username in the response? Additionally, it is no longer returned as the first row in the data. I hope you understand what needs to be done with the value of the role field. Perform this simple operation, and the admin account is in your pocket, as well as the next completed task! By the way, it officially also counts as three stars.
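
The mistake the article exploits, and the fix, side by side. This is an added example, not Juice Shop's registration code: the defaults, the set of client-writable fields, and the request bodies are constructed for the illustration. The safe variant copies only allow-listed fields, so role can never come from the request, and it can optionally reject a body that carries unexpected fields, which is a useful signal to log.

```python
import copy

# Constructed stand-ins for the ORM's column defaults and for the fields a signup
# form may legitimately set; the page does not show Juice Shop's real model.
USER_DEFAULTS = {"username": "", "role": "customer"}
CLIENT_WRITABLE = {"email", "password", "username"}


def unexpected_fields(body: dict) -> set:
    """Fields a client sent that the signup form never produces; worth logging as a probe."""
    return set(body) - CLIENT_WRITABLE


def register_vulnerable(body: dict) -> dict:
    """Mass assignment: every key in the JSON body is written into the new record."""
    user = copy.deepcopy(USER_DEFAULTS)
    user.update(body)                     # 'role': 'admin' in the body lands in the record
    return user


def register_safe(body: dict, reject_unknown: bool = False) -> dict:
    """Allow-list: only client-writable fields are copied; role always comes from the default."""
    extra = unexpected_fields(body)
    if reject_unknown and extra:
        raise ValueError(f"unexpected field(s) in registration body: {sorted(extra)}")
    user = copy.deepcopy(USER_DEFAULTS)
    user.update({k: v for k, v in body.items() if k in CLIENT_WRITABLE})
    # A real implementation hashes the password before persisting; omitted to keep the focus on fields.
    return user


if __name__ == "__main__":
    body = {"email": "eve@example.com", "password": "pw", "username": "eve", "role": "admin"}
    print(register_vulnerable(body)["role"])   # admin: the client chose its own role
    print(register_safe(body)["role"])         # customer: the server chose it
    print(unexpected_fields(body))             # {'role'}
```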

Using SQL injection to login

I really hope you have heard more than once about SQL injection and why it occurs. If not, now is the time to study the theory; I really like the extensive injection guide. Open the login window and start with the simplest thing: enter a single quote in the login field and any password. Judging by the bright red error, we are on the right track!

Unfortunately, it is completely unclear what exactly is happening and how to further develop this injection. There are two solutions here: either you have extensive experience in injections and systematically select the necessary values, or, if this is not your thing, launch Burp and see what is happening on the network. Remember, this is a very vulnerable application, and the developers probably made more than one mistake...

Who would have doubted it: the response even contains the text of the original SQL query. Choosing the right payload for the login window is no longer difficult!

I have to make a few important points here.
  1. You didn't specify your email anywhere, but you logged in as an administrator. This happened because in this injection option the first row in the database is selected, which will most often be the first registered user or super administrator. This behavior exists in most CMSs.
  2. If you have the email address of the user you are interested in, then you can slightly modify the injection and log in immediately on his behalf.
  3. This is the simplest and most striking example of the Injection class. No wonder they are in first place according to the OWASP classification.
  4. There are still many places in the application code with injections, as well as tasks for it, but they are already more complex in terms of execution level and damage caused. For example, you can get the entire database along with user passwords!
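
The root cause and the fix, reduced to two functions. This is an added example, not Juice Shop's code; the table, the two sample accounts and the plaintext passwords are constructed for the illustration (a real store stores salted hashes). The vulnerable variant pastes user input into the SQL text, so a lone single quote produces the syntax error the article mentions and a tautology returns the first row of the table, exactly the behaviour described in point 1 above. The parameterised variant sends the values separately from the statement and treats them as data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not Juice Shop's real schema or data."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
        [("admin@example.com", "correct-horse", "admin"),     # first row: the 'super administrator'
         ("alice@example.com", "alice-pw", "customer")],
    )
    return conn


def login_vulnerable(conn, email, password):
    """The flaw in the article: user input becomes part of the SQL text."""
    sql = f"SELECT * FROM Users WHERE email = '{email}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def login_safe(conn, email, password):
    """Parameterised query: the driver passes the values separately from the statement."""
    sql = "SELECT * FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


def attempt(conn, login, email, password) -> str:
    """Classify a login attempt as 'error', 'denied', or the email of the row that matched."""
    try:
        row = login(conn, email, password)
    except sqlite3.OperationalError:
        return "error"                        # the red error banner from the article
    return row["email"] if row else "denied"


if __name__ == "__main__":
    conn = make_db()
    for probe in ["'", "' OR 1=1--"]:
        print(repr(probe),
              "vulnerable:", attempt(conn, login_vulnerable, probe, "x"),
              "safe:", attempt(conn, login_safe, probe, "x"))
```

Note which row the tautology returns: with no ORDER BY the database hands back its first stored row, which is why the article logs in as the administrator without ever typing an email address.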

Brute-forcing the administrator password

It seems to me that the administrator of this store has already suffered enough at your hands, but the task list includes something quite interesting: guessing the administrator's password. Judging by its mere two stars it is extremely simple, but we will solve it with a more complex, universal method!

What mistakes did the developers of this application make in implementing authentication? All the most popular ones from the Broken Authentication category:
  • there is no protection against password guessing;
  • the user can set a weak password;
  • the user can set a trivially guessable password like 123...
You can try to simply guess the administrator's password; it is not as hard as it first seems (or click the Tutorial button and the juice carton will help you). I also left you a small hint in the previous section. Here I'll show you how to solve this task by brute force with the popular rockyou.txt password list.

First, you need to intercept the authentication request. To do this, simply open Burp and try to log in alternately as any user with the correct and incorrect passwords.

As you can see, logging in only takes a JSON body with two fields, and a wrong password returns a 401 status code. I first tried to set up the best-known password brute-forcing tool, Hydra, but after half an hour of struggling with it I just wrote this small Python script instead.

The fact is that Hydra really does not like JSON and some of the nuances of the behavior of this application. If you want, you can try to solve these problems yourself.

Code:
import requests

# Placeholder: the address was redacted in the original post; substitute the account under test.
TARGET_EMAIL = 'admin@example.com'

session = requests.Session()  # reuse one connection for the whole wordlist
# rockyou.txt is not valid UTF-8 throughout; latin-1 decodes every byte without errors
with open('/usr/share/wordlists/rockyou.txt', 'r', encoding='latin-1') as passwords:
    for password in passwords:
        password = password.rstrip("\n")  # strip the trailing newline, or no guess ever matches
        data = {'email': TARGET_EMAIL, 'password': password}
        r = session.post('http://localhost:3000/rest/user/login', json=data)
        if r.status_code == 200:  # a wrong password returns 401
            print("Password is ", password)
            break
print("That's all... ")

A small recommendation: before you start searching through the entire dictionary for unknown users, make sure that you can guess your own password and there are no errors in the code. In my case, I had to add code to remove the line break from the password.
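
The script above is also exactly the pattern a defender should expect to see in the server's logs: a burst of 401 responses for one account, one request per password, and eventually a 200. The following detector is an added example, not code from the article or from Juice Shop; the log line format, the thresholds and the sample lines are all constructed for the illustration. It keeps a sliding window of failures per account and raises one alert when the burst crosses the threshold and another if a success follows it, which is the event that matters most.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines in a made-up format (the real server log format is not on the page):
# ten rapid 401s for one account followed by a 200, and one ordinary mistyped password for another.
SAMPLE_LOG = [
    f"2024-05-01T12:00:{i:02d}Z 10.0.0.5 POST /rest/user/login 401 email=admin@example.com"
    for i in range(10)
] + [
    "2024-05-01T12:00:10Z 10.0.0.5 POST /rest/user/login 200 email=admin@example.com",
    "2024-05-01T12:05:00Z 10.0.0.9 POST /rest/user/login 401 email=alice@example.com",
    "2024-05-01T12:05:30Z 10.0.0.9 POST /rest/user/login 200 email=alice@example.com",
]

WINDOW = timedelta(seconds=60)   # how long a failure stays relevant
THRESHOLD = 5                    # failures within the window that count as a burst
LINE_RE = re.compile(r"^(\S+) (\S+) POST /rest/user/login (\d{3}) email=(\S+)$")


def parse_line(line: str):
    """Return (timestamp, ip, status, email) for a login line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, status, email = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, int(status), email


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of 401s per account; returns (kind, email, ip, timestamp) alerts."""
    failures = defaultdict(deque)   # email -> timestamps of recent failed logins
    alerted = set()                 # accounts already flagged for the current burst
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, status, email = parsed
        recent = failures[email]
        while recent and ts - recent[0] > window:   # drop failures that fell out of the window
            recent.popleft()
        if status == 401:
            recent.append(ts)
            if len(recent) >= threshold and email not in alerted:
                alerted.add(email)
                alerts.append(("burst", email, ip, ts))
        elif status == 200:
            if len(recent) >= threshold:            # a guess landed: the highest-priority alert
                alerts.append(("success_after_burst", email, ip, ts))
            recent.clear()                          # a normal login resets the account's state
            alerted.discard(email)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

On the mitigation side, the same counter drives the controls the article's bullet list says are missing: throttle or temporarily lock an account once the threshold is hit, and notify the account owner after a success that follows a burst.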

Get Deluxe Membership for free

Finally, I'll show you how you can solve a more difficult task, namely, getting a Deluxe Membership for free!

First, launch Burp and watch the entire exchange with the server while you try to buy Deluxe with no money in your wallet and no cards. As you can see, one of the responses returns a price of 49 conventional units. Use your Burp skills to turn it into 0.

After that, on the next screen you will be able to pay 0 from your wallet, but for some reason it won't work out so easily... If you look at the exchange, you will see a payment from your wallet and an “insufficient money” error.

What if we replace paymentMode with something more interesting, like free or deluxe?

Congratulations! You have just defrauded the store of 49 conventional units. If you experiment carefully with the different payment options, you will find that changing the price to 0 in the first step is completely unnecessary. What matters is turning the GET request to /rest/deluxe-membership into a POST request and adding JSON data to it with a paymentMode of any value other than wallet or card.
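
What that observation implies about the server's logic, and how a default-deny handler avoids it, side by side. This is an added example, not Juice Shop's code: the price constant uses the 49 units the article reports, and the wallet, card and user records are constructed stand-ins for a payment back end. Both variants take the price from the server rather than from the request, which is consistent with price tampering being unnecessary in the article; the difference is what happens to a paymentMode value nobody anticipated.

```python
DELUXE_PRICE = 49   # the price the article reports; held server-side, never read from the request


class PaymentError(Exception):
    """Raised when a purchase cannot be completed."""


def pay(user: dict, mode: str, amount: int) -> None:
    """Debit the chosen instrument. Constructed stand-in for a real payment back end."""
    if mode == "wallet":
        if user["wallet"] < amount:
            raise PaymentError("insufficient money")
        user["wallet"] -= amount
    elif mode == "card":
        if not user.get("card"):
            raise PaymentError("no card on file")
    else:
        raise PaymentError(f"unsupported paymentMode: {mode!r}")


def upgrade_vulnerable(user: dict, payment_mode: str) -> dict:
    """Charges the two known modes but lets any other value fall through to a free upgrade."""
    if payment_mode in ("wallet", "card"):
        pay(user, payment_mode, DELUXE_PRICE)
    # 'free', 'deluxe', or any typo reaches this line without anything having been paid
    user["role"] = "deluxe"
    return user


def upgrade_safe(user: dict, payment_mode: str) -> dict:
    """Default deny: only an allow-listed mode that actually charged grants the role."""
    if payment_mode not in ("wallet", "card"):
        raise PaymentError(f"unsupported paymentMode: {payment_mode!r}")
    pay(user, payment_mode, DELUXE_PRICE)   # raises if the charge fails; the role stays unchanged
    user["role"] = "deluxe"
    return user


def outcome(upgrade, user: dict, payment_mode: str) -> str:
    """Run one upgrade attempt and report the resulting role or the rejection reason."""
    try:
        return upgrade(user, payment_mode)["role"]
    except PaymentError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    broke = {"wallet": 0, "card": None, "role": "customer"}
    print(outcome(upgrade_vulnerable, dict(broke), "wallet"))   # rejected: insufficient money
    print(outcome(upgrade_vulnerable, dict(broke), "free"))     # deluxe, nothing paid
    print(outcome(upgrade_safe, dict(broke), "free"))           # rejected: unsupported paymentMode
```

The general lesson goes beyond this one endpoint: whenever a request field selects a branch, the else branch must be a refusal, and a state change such as granting a role must sit after the step that can fail, never before it or beside it.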

Conclusions

I really hope this article has encouraged you to take a deeper look at OWASP recommendations and common web application errors. The Juice Shop still has many interesting challenges for both beginners and experienced pentesters. I say goodbye to you until the next article, in which you will try to solve problems with a large number of stars!
