Looking for holes in websites

CarderPlanet

How to search for site vulnerabilities

Attention! All information is provided for informational and educational purposes only. The author is not responsible for any possible damage caused by the materials of this article.

Hello everyone. Today we will look for vulnerabilities and holes in sites.

Enjoy reading it!

If you are a good programmer, you have probably thought about searching for vulnerabilities in websites (web applications) and earning money through bug bounty programs. This is a good idea, but first it wouldn't hurt to practice finding vulnerabilities in sites, and to do it without breaking the law. The Juice Shop platform created by OWASP specialists will help you do this.

Today I will show you how to install and use OWASP Juice Shop to search for web application vulnerabilities. Let's go!

Installing and Running OWASP Juice Shop
There are different ways to install Juice Shop. I prefer and recommend using Node.js, since Docker doesn't have all possible vulnerabilities.

Never use such things in real online stores! This is a criminal offense in almost all countries. An exception may be the store's participation in the bug bounty program, but there are many different nuances that you need to familiarize yourself with before starting the search for vulnerabilities on the site!

Installing Node.js
Juice Shop works with different Node.js releases. As of today, the latest LTS (Long Term Support) version is Node.js 14, and that is the one we'll install. First, install Node Version Manager (nvm). It was created so that you don't clutter your operating system with packages and can switch between releases.

At the time of writing, the latest version is 0.38. Installation of Node Version Manager is performed by a single command in the home folder.
Code:
$curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash

Now close and reopen the terminal to apply the changes made by the script.

Check the installed nvm version and proceed directly to installing Node.js.
Code:
$nvm -v
$nvm install --lts

Check the version of the installed node command and remember it.
Code:
$node --version

If you need several different versions at the same time, then install the necessary ones and select the current one if necessary.
Code:
$nvm install <version number>
$nvm use <version number>

Installing OWASP Juice Shop
New releases appear on GitHub often, so always download the latest one. But don't forget that it must be compatible with your Node.js: if you installed Node.js 14 in the previous step, you will need juice-shop-xx.x.x_node14_linux_x64.tgz. Download and unpack it.
Code:
$tar -xzf juice-shop-xx.x.x_node14_linux_x64.tgz

This completes the installation. Go to the folder with Juice Shop and run it:
Code:
$npm start

If the installation went well, you will see the message "info: Server listening on port 3000". Open your browser and go to http://localhost:3000. In the top right corner, select English. Why English? So that later there are no problems with translated terms.

Setting up Burp Suite
In my case, Burp Suite will be used, but you can use any other tool.

Finding the Score Board
You probably already noticed the juice pack pop-up when you first started the application; it offers you a very simple task: find the board with tasks and results, also known as the Score Board. This extremely simple task has two possible solutions.
  1. Take a close look at routes like /#/search, /#/login and so on, and think about what the route for the Score Board might be. I must say right away that I don't really like this option, because you have to play a guessing game, and not always successfully. So I prefer option number two.
  2. Study the site's source code and see if there is anything interesting there. I hope you know how to view a site's source code in your favorite browser? In Firefox, just press F12.

[screenshot: Source code for the Juice Shop homepage]

What immediately catches your eye? A huge number of included JS scripts! We are interested in the main script. You can find out what the other scripts are responsible for at your leisure using your favorite anonymous search engines.

Now go to the Debugger tab and look at the source of main. It doesn't look good, does it? There are two ways: either try to restore the code after the JS minifier using one of the many deobfuscator sites, or simply select Pretty print source in Firefox (by clicking the tab with the file name) and get more readable source code. For our purposes, this is enough for now.

The amount of code is impressive. This is both bad and good. It usually means that a lot of the site's logic has been moved into client-side JavaScript, which in turn means it can be easily bypassed with a simple debugger. Let's finally find the Score Board. Everyone decides for themselves how best to search the source code, but as a result you should end up at a fragment with routes you already know, such as /#/search.

[screenshot]


Enter it in the address bar:
Code:
http://localhost:3000/#/score-board

and complete the first task successfully. By the way, now in the left menu there is a corresponding item and the ability to quickly open the board.

[screenshot]


On the Internet and on YouTube there are complete solutions for all Juice Shop tasks. In addition, you can always read a detailed explanation, with a solution, for almost every task in the developers' book, but I recommend looking at a solution only as a last resort. Moreover, some tasks can be solved using completely different methods.

In Juice Shop 12.7.0, a great feature appeared: by clicking the button with angle brackets, you can see the source code of the vulnerable module and the line where the error occurs. Just compare the source code before minification with what you saw in the browser. You may find interesting new routes hidden from you by the site's interface.

By the way, in the screenshot above I have already completed two tasks. I just wondered what would happen if I tried to open the route /#/complain without registering on the site. You do remember that without logging in to your account it is not in the left menu? Try opening it as a guest and send an anonymous complaint! Did you get a new achievement card? This should not have been possible, so always keep in mind that any route can be opened simply by typing its address in the address bar. Later I will show you why you should not trust absolutely anything that came to you over the network.

Opening the admin panel
I recommend that you read the contents of the board carefully before rushing out to complete tasks. All tasks on it are divided by difficulty level from one to six stars. The division is rather arbitrary. For example, you need to inform the store about the use of "weak" cryptography. The problem itself is solved by simply sending the name of the vulnerable algorithm to the chat, but you can find out and determine these algorithms by performing tasks of a higher level of complexity.

Some tasks have a hint or a tutorial. Try to do without help first. However, some tasks are so vague that it makes sense to read the more detailed description in the developers' book. Here, for example, is the "Diverse" category.

[screenshot]


Now let's find the admin panel and try to get into it. I hope you haven't forgotten the place where we found the Score Board address? There you can also find the address of the admin panel! However, when trying to go to this address, we are met with a red banner with error 403... It's time to launch Burp Suite and look at the network exchange.

[screenshot]


Surprisingly, there is nothing related to admin panel access here! Remember the huge size of the main script? Most likely, all access checks are done in it. Time to work with the debugger. The easiest way to find the right place in the code is by the access error, 403.

[screenshot]


Do you see the first and second CanActivate() functions? If we don't have a token, or access is denied, we get a 403 error. To reduce the number of screenshots, I'll tell you right away: you'll have to register. Unregistered users don't have an access token. So it's time to log in as a previously created user or create a new one.

Now let's try to trick the script. To do this, set a breakpoint on line 579 and add the variable t to Watch.

[screenshot]


Try opening the page with the admin panel again. Remember, in order for the breakpoint to work, you must have the debugging console open!

[screenshot]


Now the simplest part remains. The script above checks whether the role matches the value admin. If not, you will see an access error. So you just need to change the role value to admin. Unfortunately, with the introduction of the new developer console in Firefox, the ability to edit variables in the Watch pane was broken and has not yet been restored. Remember the path to the desired value, t.data.role, switch to the Console tab in the developer window and change the role value to admin.

[screenshot]


Now go back to the debugger and continue executing the script. Congratulations, you get access to the administrative part of the site! Why did this happen? You can't rely on access control in client code, because the client can always change that code. By the way, this solution is rated three stars in difficulty. A little later, you will register a real admin account and use SQLi to get into the admin panel. Those methods are much simpler, as they do not require studying the source code.

I want to note that the correct server code would not have shown a list of users or reviews, because when requesting them from the server, it should have checked the user's rights token. In our case, this does not happen and, once in the admin panel, you can safely see all the data…

If you haven't turned off Burp, you can find these requests in the exchange and make sure that access rights are not checked on the server side! How can you tell? Do you see the token cookie? This is a so-called JWT token, and it can be easily decoded.

[screenshots]


This token in fact contains the entire user profile and explicitly specifies the original customer role, but the server backend does not check the rights when all reviews or profiles are requested. This means that by intercepting such a request, you can easily get information about registered users without even opening the admin panel. If you are a developer, never do this! This is a prime example of Broken Access Control according to the OWASP classification. Unfortunately, even in real life it occurs at every turn, and this is especially true for microservice architectures.
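To see why the server must re-check the role itself on every request, here is an added Python example (not Juice Shop's code) that mints a constructed HS256 token with a constructed secret, shows that anyone holding the cookie can read the payload, and shows that a server-side check which verifies the signature rejects a token whose role was edited on the client:

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real server keeps it off the client entirely.
SERVER_SECRET = b"example-secret-do-not-use"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict) -> str:
    """Issue an HS256 JWT the way a server would after a successful login."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SERVER_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_payload_unverified(token: str) -> dict:
    """What anyone with the cookie can read: the payload is base64url, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def authorize(token: str, required_role: str) -> bool:
    """Server-side check for every privileged request, independent of the Angular guard."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    signing_input = f"{header}.{payload}".encode()
    expected = hmac.new(SERVER_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False  # signature does not match: tampered or forged token
    claims = json.loads(_b64url_decode(payload))
    return claims.get("data", {}).get("role") == required_role


def tamper_role(token: str, new_role: str) -> str:
    """Rewrite the role in the payload without the secret, as a client could try."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["data"]["role"] = new_role
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{sig}"
```

Reading the payload needs no secret, which is why a JWT must never carry anything you would not show the user; verifying it does need the secret, which is why the check has to run on the server.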

Registering an administrator account
It's time to register for a full-fledged administrator account! To do this, you need to find out what information is sent when registering a regular account from the site. Burp Suite will help you do this. Run it and go through the registration process completely.

[screenshot]


As you can see, after submitting the form, you receive a user profile with the role customer in the response. One of the traditional developer mistakes is related to so-called mass assignment, or mass filling-in of fields. The user registration code accepts a list of profile fields to process, and missing fields are given default values. Do you see the empty username field in the response? Try intercepting this request before it is sent and inserting a username field into it, as shown in the screenshot below.

[screenshot]


Now take a good look at the server's response! Do you see our changed username in the response? Also, it is no longer returned as the first row in the data. I hope you understand what you need to do with the value of the role field. Perform this simple operation, and the admin account is in your pocket, along with the next completed task! By the way, it is officially also counted for three stars.

[screenshot]
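The mass assignment mistake and its fix, as an added Python example that is not Juice Shop's code; the profile defaults and the field names are assumptions, and the vulnerable version copies whatever the client sends while the hardened version allowlists the writable fields and lets only the server set role:

```python
# Constructed defaults modelled on the registration response shown above; not the real schema.
DEFAULTS = {"username": "", "role": "customer", "deluxeToken": ""}
WRITABLE_ON_SIGNUP = ("email", "password", "securityQuestion", "securityAnswer")


def register_vulnerable(body: dict) -> dict:
    """Mass assignment: every field in the request body is copied into the profile,
    so a client that adds "role": "admin" registers as an admin."""
    profile = dict(DEFAULTS)
    profile.update(body)   # password hashing omitted for brevity
    return profile


def unexpected_fields(body: dict) -> list:
    """Fields the client tried to set that signup does not accept; worth logging."""
    return sorted(set(body) - set(WRITABLE_ON_SIGNUP))


def register_hardened(body: dict) -> dict:
    """Allowlist: only the writable fields are copied, and privileged fields such as
    role are always assigned by the server, never from the request."""
    profile = dict(DEFAULTS)
    for field in WRITABLE_ON_SIGNUP:
        if field in body:
            profile[field] = body[field]
    profile["role"] = "customer"
    return profile
```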


Using SQL injection for login
I really hope you've heard about SQL injections and their causes more than once. If not, it's time to go and study the theory. I really like the extensive injection reference. Open the user login window and start with the simplest thing: put a single quote in the login field and any password. Judging by the bright red error, we are on the right track!

[screenshot]


Unfortunately, it is completely unclear what exactly is happening and how to further develop this injection. There are two possible solutions: either you have a lot of experience with injections and systematically select the necessary values, or, if this is not about you, run Burp and see what is happening on the network. Remember, this is a very vulnerable application, and the developers probably made more than one mistake…

[screenshot]

Who would have doubted it: the text of the original SQL query is even returned in the error. Now it won't be difficult to find the right payload for the login window!

[screenshot]


Here I must make some important points.
  1. You didn't specify your email address anywhere, but you are logged in as an administrator. This is because in this version of the injection, the first row in the database is selected, and it will most often be the first registered user or superadministrator. This behavior is found in most CMS systems.
  2. If you have the email address of the user you are interested in, then you can modify the injection a little and log in immediately on their behalf.
  3. This is the simplest and clearest example of the Injection class. No wonder they are ranked first in the OWASP classification.
  4. There are still a lot of places in the application code with injections, as well as tasks for it, but they are already more complex in terms of the level of execution and damage inflicted. For example, you can get the entire database along with user passwords!
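Points 1 and 2 above, as an added Python example (not Juice Shop's code) using an in-memory SQLite table with constructed users: a login built by string concatenation returns the first row, or a chosen user's row, for classic injection input, while the same query with bound parameters treats the input as data and returns nothing:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed user table; the first row is the admin, as on the page.
    Passwords are stored in plain text only to keep the example short."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO Users (email, password, role) VALUES (?, ?, ?)", [
        ("admin@example.test", "admin-pw", "admin"),
        ("jim@example.test", "jim-pw", "customer"),
    ])
    return con


def login_vulnerable(con: sqlite3.Connection, email: str, password: str):
    """Query built by concatenation: the email field becomes part of the SQL text."""
    sql = (f"SELECT id, email, role FROM Users "
           f"WHERE email = '{email}' AND password = '{password}'")
    return con.execute(sql).fetchone()


def login_parameterized(con: sqlite3.Connection, email: str, password: str):
    """Same query with bound parameters: the driver never lets input become SQL."""
    sql = "SELECT id, email, role FROM Users WHERE email = ? AND password = ?"
    return con.execute(sql, (email, password)).fetchone()
```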

Selecting an administrator password
It seems to me that the administrator of this store has already suffered enough from you, but in the list of tasks there is quite an interesting one: guess the administrator password. Judging by its rating of just two stars, it is extremely simple; we will solve it with a more complex but universal method!

What mistakes did the developers of this app make in implementing authentication? And all the most popular ones from Broken Authentication:
  • there is no protection against brute force of the password;
  • the user can set a weak password;
  • the user can set a simple password like 123…
You can try just guessing the administrator password; it's not as difficult as it seems at first glance (or click the Tutorial button and the juice pack will help you). I also left you a little hint in the previous paragraph. I'll show you how to solve this problem using brute force and a list of popular passwords, rockyou.txt.

First, you need to intercept the authentication request. To do this, just open Burp and try to log in alternately as any user with the correct and incorrect passwords.

[screenshot]


As you can see, login is just a JSON POST with two fields: email and password. If the password is incorrect, you get the 401 code back. Here I tried to set up the most famous password brute-forcing tool, Hydra, but after half an hour of struggling with it, I just wrote this little Python code.

The fact is that Hydra really does not like JSON and some nuances of the behavior of this application. If you want, you can try to solve these problems yourself.
Code:
import requests

# rockyou.txt contains bytes that are not valid UTF-8, so read it as latin-1
with open('/usr/share/wordlists/rockyou.txt', 'r', encoding='latin-1') as passwords:
    for password in passwords:
        password = password.rstrip("\n")   # strip the line break, otherwise every guess is wrong
        data = {'email': 'admin@juice-sh.op', 'password': password}
        r = requests.post('http://localhost:3000/rest/user/login', json=data)
        if r.status_code == 200:
            print("Password is", password)
            break
print("That's all... ")

A small recommendation: before you run through the entire dictionary for an unknown user's password, make sure that you can find your own password and that there are no errors in the code. In my case, I had to add code to remove the line break character from the password.
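The missing protection named in the Broken Authentication list above, as an added Python example that is not Juice Shop's code: a sliding-window throttle keyed by email that locks the account after repeated 401s, replayed over constructed login attempts shaped like the ones the script above generates (the limits are assumptions):

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window in which failures are counted
MAX_FAILURES = 5         # failed logins allowed per email inside the window
LOCKOUT_SECONDS = 300    # how long the account stays locked once the limit is hit


class LoginThrottle:
    """Server-side brute-force protection keyed by email (assumed design)."""

    def __init__(self):
        self.failures = defaultdict(deque)   # email -> timestamps of recent failures
        self.locked_until = {}               # email -> time the lock expires

    def _prune(self, email: str, now: float) -> None:
        q = self.failures[email]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, email: str, now: float) -> bool:
        return self.locked_until.get(email, 0) > now

    def record(self, email: str, success: bool, now: float) -> None:
        if success:
            self.failures.pop(email, None)
            return
        self._prune(email, now)
        self.failures[email].append(now)
        if len(self.failures[email]) >= MAX_FAILURES:
            self.locked_until[email] = now + LOCKOUT_SECONDS


def replay(attempts, throttle=None) -> int:
    """Run (timestamp, email, status_code) records through the throttle and return how many
    attempts would have been refused before the password was even checked."""
    throttle = throttle or LoginThrottle()
    refused = 0
    for ts, email, status in attempts:
        if throttle.is_locked(email, ts):
            refused += 1
            continue
        throttle.record(email, status == 200, ts)
    return refused


# Constructed sample: one POST per second with a wrong password (401), then the right one (200)
SAMPLE = [(float(i), "admin@juice-sh.op", 401) for i in range(20)] + [(20.0, "admin@juice-sh.op", 200)]
```

A lock keyed only by email also lets anyone lock the admin out, so in practice pair it with per-source limits or progressive delays rather than a hard lockout alone.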

Getting a Deluxe Membership for Free
Finally, I will show you how to solve a more complex problem, namely getting a Deluxe Membership for free!

First, run Burp and look at the entire exchange with the server when you try to buy Deluxe without money in your wallet or cards. As you can see, in one of the responses the price is returned as 49 conventional units. Use your Burp skills and turn it into 0.

[screenshot]


After that, on the next screen, you will be able to pay 0 from your wallet, but for some reason this is not so easy... If you look at the exchange, you will see a payment from your wallet and the error "not enough money".

[screenshot]


What if you replace paymentMode with something more interesting, like free or deluxe?

[screenshot]


Congratulations! To sum up: intercept the POST request to /rest/deluxe-membership and set the paymentMode JSON field to any value other than wallet or card.
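The two server-side mistakes behind this task, as an added Python example that is not Juice Shop's code: a handler that trusts a client-supplied price and treats any unrecognised paymentMode as already paid, beside one that owns the price, allowlists the payment mode and refuses a request that tries to send a price at all (values and field handling are assumptions):

```python
# Constructed example: the server's price for Deluxe and the payment modes it supports.
DELUXE_PRICE = 49
VALID_PAYMENT_MODES = ("wallet", "card")


def deluxe_membership_vulnerable(body: dict, wallet_balance: int) -> dict:
    """Models the behaviour exploited above: the price comes from the client, and any
    paymentMode other than wallet or card skips charging altogether."""
    price = body.get("price", DELUXE_PRICE)
    mode = body.get("paymentMode")
    if mode == "wallet" and wallet_balance < price:
        return {"status": "error", "reason": "not enough money"}
    return {"status": "success", "charged": price if mode in VALID_PAYMENT_MODES else 0}


def deluxe_membership_hardened(body: dict, wallet_balance: int) -> dict:
    """The server owns the price, rejects unknown payment modes, and only marks the
    membership paid after a charge that actually covers DELUXE_PRICE."""
    mode = body.get("paymentMode")
    if mode not in VALID_PAYMENT_MODES:
        return {"status": "error", "reason": f"unsupported paymentMode: {mode!r}"}
    if "price" in body:
        # The client has no business sending a price; treat it as a tampering signal and log it.
        return {"status": "error", "reason": "price is not a client-supplied field"}
    if mode == "wallet":
        if wallet_balance < DELUXE_PRICE:
            return {"status": "error", "reason": "not enough money"}
        wallet_balance -= DELUXE_PRICE
    # mode == "card": charge DELUXE_PRICE through the payment provider (omitted here)
    return {"status": "success", "charged": DELUXE_PRICE, "wallet_balance": wallet_balance}
```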

Conclusions
I really hope that this article has encouraged you to learn more about the OWASP recommendations and common web application errors.