Juice Shop for Newbies

Sophie Kaelin
9 min read · Apr 16, 2021


Hi Everyone !

I hope you’re all having a great day :)

I’ve recently embarked on a career in Red Team Security Testing and completed a five-day express run of the Juice Shop web app created by Björn Kimminich from OWASP. This is a fantastic exercise that I would recommend to anyone starting out in a career in pen-testing. It is a great learning activity that allows you to put the skills you may have learnt and practised to the test on a (sorta but not really) real web application.

With little pen-testing experience, I didn’t expect to find too many vulnerabilities. But, thanks to some hints and gentle nudges from friends and colleagues, I was able to uncover a handful of decent exploits.

I am publishing this writeup because I found that all the information I was researching for assistance on certain exploits was going straight over my head, because I didn’t have a grasp on a lot of the technical, security jargon. So I’m hoping that this (slightly less technical) writeup will be helpful for any other security newbies out there who have been struggling like I did.

I’ll leave out all of the explicitly obvious attacks.

Disclaimer: By no means should you take everything I say as fact! I’m writing up issues as I understood them. So if there is anywhere you think I’ve misunderstood any concepts, please let me know. Constructive feedback is very welcome!

Alright — Let’s get started !

Getting Started

Tools

There are so so many fantastic security tools out there to help you test. For this exercise, I tried to keep things as manual as possible (since for me this was a learning exercise). So the only tool I used was Burp Suite (which I would highly recommend downloading). If you’ve not used Burp Suite before, I would suggest having a play around on PortSwigger Web Security Academy in order to get comfortable with the functionality.

If you’re stuck setting up Burp, have a look at THIS resource which I found pretty useful.

I created some small scripts along the way to make life easier (but also harder lol). You can access them here:
* JWT None Signing
* 5 Star Vuln: Batch DEL requests to /api/Feedbacks

Setting it up

I am ashamed to say it took me a FULL day to set up this application correctly (mind you, I was practicing on PortSwigger at the same time). The main page will provide you various ways of installing the app — use whichever method you feel comfortable with (I set mine up in Docker … mainly because my partner did his thesis using Docker and he was kind enough to help me out). Be patient, and if it doesn’t work, try a different method of installation.

What should I do now?

Before you jump straight into reading this, have a little poke around JuiceShop and familiarise yourself with the functionality available in the application. The app is suuuuper buggy, so you will probably find some small vulnerabilities along the way. I would definitely try and find as many as you can before reading this or looking at the score board (it was the best way to learn where my shortfalls were afterwards).

But how do I know if I’ve found a vulnerability?

Great question … I have no idea!

This is something I struggled with a lot when I got started — I didn’t know when I found something bad, and when I knew I found something bad I didn’t know what to label it. My only advice here is to trust your gut, and if something seems dodgy then it probably is.

JuiceShop is really handy because it will send you an alert when you have exposed a vulnerability. You can also find a list of all (intentional) vulnerabilities at the /#/score-board path.

1 Star Vulnerabilities

Bonus Payload

I actually found this payload when I was looking through Burp traffic and found a request was being made to /rest/admin/application-configuration when I accessed the main page.

When you throw that payload (with some tweaking) into the search bar, you get a DOM XSS with the lovely Juice Shop theme song.

🎵 “Juice Shop! Juice Shop! It has got more holes than a warehouse filled with gallons of Swiss cheese” 🎵

Bully Chatbot

This one didn’t really feel like a proper exploit, but it was still pretty fun. The chatbot has a very limited range of responses: If you say “Hi” or “Bye” it will say it back to you, if you put in a product name it will provide you information, and if you ask it for a discount code it will say no… until you bully it and it caves.

DOM XSS

I used a different payload to the one the scoreboard provided. A resource I find super useful when looking for diverse payloads is PayloadsAllTheThings by swisskyrepo. You really didn’t need a complicated payload for this one, once you identified which characters were being sanitised (namely the “/” character). You could choose a payload that didn’t need a closing tag such as:

<img src=x onerror=alert('XSS');>

Throw that in the search bar and you should pop another DOM XSS.
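Why removing a single character does not stop either of these payloads: a blacklist that only strips “/” leaves the closing-tag-free payload untouched and merely mangles the closing tag of the other, while output encoding neutralises both. The Python below is an added example, not code from this post or from Juice Shop; the strip_slashes sanitiser is a hypothetical stand-in modelled on the behaviour described above, and the heading template and payload strings are constructed for the demonstration.

```python
import html
import re

# Constructed inputs for the demonstration (not captured from the app). The
# first is the closing-tag-free payload quoted above; the second needs a
# closing tag and therefore contains the "/" character the app strips.
TAG_FREE_PAYLOAD = "<img src=x onerror=alert('XSS');>"
CLOSING_TAG_PAYLOAD = "<script>alert('XSS')</script>"

# Matches the start of an HTML tag: "<" immediately followed by a letter.
TAG_OPEN_RE = re.compile(r"<[a-zA-Z]")


def strip_slashes(user_input: str) -> str:
    """Hypothetical character-blacklist 'sanitiser' modelled on the behaviour
    the post describes (only "/" is removed). It is not Juice Shop's code."""
    return user_input.replace("/", "")


def encode_for_html(user_input: str) -> str:
    """Output encoding: every character with meaning in HTML (& < > " ') is
    replaced by an entity, so the browser shows the text instead of parsing it."""
    return html.escape(user_input, quote=True)


def can_open_tag(rendered: str) -> bool:
    """True if the rendered text can still start an HTML element."""
    return TAG_OPEN_RE.search(rendered) is not None


def render_results_heading(query: str, sanitiser) -> str:
    """Build the reflected 'Search Results' heading the way a template would,
    passing the user's query through the chosen sanitiser first."""
    return f"<h1>Search Results - {sanitiser(query)}</h1>"


def survives(payload: str, sanitiser) -> bool:
    """Does a tag from the payload still open after the sanitiser ran?
    True means the reflected text is still parsed as markup."""
    return can_open_tag(sanitiser(payload))


if __name__ == "__main__":
    for payload in (TAG_FREE_PAYLOAD, CLOSING_TAG_PAYLOAD):
        for name, fn in (("blacklist", strip_slashes), ("encode", encode_for_html)):
            heading = render_results_heading(payload, fn)
            print(f"{name:9} tag survives={survives(payload, fn)!s:5} {heading}")
```

In a browser-side app the equivalent of encode_for_html is rendering the query as text (a framework's default interpolation, or textContent) instead of inserting it as trusted HTML; a blacklist of characters is never a substitute.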

Zero Stars

I found this vulnerability when poking around different POST requests and seeing if I could update the field values with unexpected inputs. If you intercept a request on the /contact page, you can alter the value of “rating” to be beyond its intended constraints of 1–5 stars. Update the field to contain a “0”, send the request, and it will work (whoops).

Error Handling

I found this again just poking around and trying to access paths that I shouldn’t be allowed to. If you try the file path “/api/notAPath” you should get an error that provides a Server Disclosure and Detailed Error Message Vulnerability.

Missing Encoding

If you inspect the HTML of the missing image on the /photo-wall page, you can see that the src URL contains hash symbols (#), which is a reserved character in URLs. This is why the photo is not displaying. Once you alter the URL (replacing each # with its URL-encoded value %23) the image will be available.

2 Star Vulnerabilities

Login Admin

If you place a ‘ character into the username and view the POST response you will be able to see a series of SQL errors that includes the DB type (SQLite) as well as the query being used. From here you can inject a query into the user email field that will comment out the check for a password:

'admin@juice-sh.op' -- 

TIP: Make sure you don’t forget the space at the end, you need a space after the comment characters.

Five-Star Feedback

All feedback reviews can be accessed if you make a GET request to /api/Feedbacks. There are also no restrictions on making DELETE requests to the path /api/Feedbacks/[ID]. For this task, you need to go through and make a DELETE request to every entry with 5 stars. You can do this through Burp, but I decided to make a quick script to automate this (since I tested the 3 star CAPTCHA Bypass before I did this one, where I fired off 10+ feedbacks with 5 stars…).

You can access the script on my GitHub.

3 Star Vulnerabilities

Login Bender & Login Jim

Follow the instructions from Login Admin.

CAPTCHA Bypass

Just be super zoomy and fire off the same feedback form 10 times really quick. Nothing super fancy.
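What makes this replay work is a CAPTCHA that is compared but never retired, so one solved challenge authorises as many submissions as you care to send. The Python below is an added example (not the post's script and not Juice Shop's code) that puts a check-only store next to a single-use one and replays the same captured form body against each; CaptchaStore, submit_feedback and the form dictionary are constructed for the demonstration.

```python
import random
import secrets


class CaptchaStore:
    """Server-side record of issued CAPTCHA challenges (constructed example)."""

    def __init__(self):
        self._pending = {}  # captcha_id -> expected answer

    def issue(self, a=None, b=None):
        """Create a small arithmetic challenge and remember its answer.
        Operands can be fixed so a test knows the answer in advance."""
        rng = random.SystemRandom()
        a = rng.randint(1, 9) if a is None else a
        b = rng.randint(1, 9) if b is None else b
        captcha_id = secrets.token_hex(8)
        self._pending[captcha_id] = a + b
        return captcha_id, f"What is {a} + {b}?"

    def check_only(self, captcha_id, answer):
        """Compare the answer but leave the challenge valid. A solved CAPTCHA
        can then be replayed indefinitely: the same form goes through ten times."""
        return self._pending.get(captcha_id) == answer

    def consume(self, captcha_id, answer):
        """Compare and retire in one step. pop() makes each challenge single-use
        (a wrong answer retires it too, so there is no second guess)."""
        expected = self._pending.pop(captcha_id, None)
        return expected is not None and expected == answer


def submit_feedback(store, feedbacks, form, single_use=True):
    """Handle one feedback POST. `feedbacks` stands in for the Feedbacks table;
    single_use=False is the replay-friendly behaviour described above."""
    if single_use:
        ok = store.consume(form["captchaId"], form["captcha"])
    else:
        ok = store.check_only(form["captchaId"], form["captcha"])
    if not ok:
        return False
    feedbacks.append({"comment": form["comment"], "rating": form["rating"]})
    return True


def replay(times, single_use):
    """Replay one captured form body `times` times against a fresh store and
    return (submissions accepted, rows stored)."""
    store = CaptchaStore()
    captcha_id, _question = store.issue(3, 4)  # fixed operands: the answer is 7
    form = {"captchaId": captcha_id, "captcha": 7,
            "comment": "constructed five-star comment", "rating": 5}
    feedbacks = []
    accepted = sum(submit_feedback(store, feedbacks, form, single_use) for _ in range(times))
    return accepted, len(feedbacks)


if __name__ == "__main__":
    print("check-only store, 10 replays:", replay(10, single_use=False))
    print("single-use store, 10 replays:", replay(10, single_use=True))
```

A single-use challenge stops replay of one solved form; it does not stop someone solving fresh challenges quickly, so pair it with per-account or per-IP rate limiting on the feedback endpoint.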

Admin Registration

If you intercept a sign-up POST request, you will be able to see how customer data is formatted from the form and then on the server. All customers are defaulted to the role “customer”. However, if you add your own “role” field and set that to “admin”, that will override the default customer value and you will successfully create an admin account.
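Both the zero-star rating above and the self-assigned admin role come down to the server storing whatever fields the request body happens to carry. The Python below is an added example, not Juice Shop's code: validate_feedback enforces the 1–5 range on the server side, and build_user_record copies only allow-listed sign-up fields and assigns the role itself, recording any extra field (such as role) as a tamper signal. The function names, the tamper_log list and the sample bodies are constructed for the demonstration.

```python
import hashlib
import os
from typing import Any, Dict, List, Optional

RATING_MIN, RATING_MAX = 1, 5
MAX_COMMENT_LEN = 500
# The only fields ever copied from a sign-up body into the user record.
REGISTRATION_FIELDS = ("email", "password")

tamper_log: List[str] = []  # stands in for the application log a SOC would watch


def validate_feedback(body: Dict[str, Any]) -> Dict[str, Any]:
    """Server-side validation of a feedback POST body. The client's widget only
    offers 1-5 stars, but the server has to enforce it; 0 (or 50) is rejected."""
    rating = body.get("rating")
    # bool is a subclass of int, so exclude it explicitly
    if isinstance(rating, bool) or not isinstance(rating, int):
        raise ValueError("rating must be an integer")
    if not RATING_MIN <= rating <= RATING_MAX:
        raise ValueError(f"rating must be between {RATING_MIN} and {RATING_MAX}")
    comment = body.get("comment", "")
    if not isinstance(comment, str) or len(comment) > MAX_COMMENT_LEN:
        raise ValueError(f"comment must be a string of at most {MAX_COMMENT_LEN} characters")
    return {"rating": rating, "comment": comment}


def is_valid_feedback(body: Dict[str, Any]) -> bool:
    """Boolean wrapper around validate_feedback for callers that only need yes/no."""
    try:
        validate_feedback(body)
        return True
    except ValueError:
        return False


def hash_password(password: str) -> str:
    """Salted PBKDF2 from the standard library for the toy user store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def build_user_record(body: Dict[str, Any]) -> Dict[str, Any]:
    """Mass-assignment-safe registration: copy only allow-listed fields and let
    the server decide the role. Unexpected fields are dropped and logged."""
    unexpected = sorted(set(body) - set(REGISTRATION_FIELDS))
    if unexpected:
        tamper_log.append(f"sign-up body carried unexpected fields: {unexpected}")
    email = body.get("email")
    password = body.get("password")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("invalid email")
    if not isinstance(password, str) or len(password) < 8:
        raise ValueError("password must be at least 8 characters")
    return {"email": email, "passwordHash": hash_password(password), "role": "customer"}


def try_register(body: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the stored record, or None when the body fails validation."""
    try:
        return build_user_record(body)
    except ValueError:
        return None


if __name__ == "__main__":
    print(is_valid_feedback({"rating": 0, "comment": "zero stars"}))       # False
    print(try_register({"email": "new@example.test", "password": "correct horse",
                        "role": "admin"}))                                   # role stays customer
    print(tamper_log)
```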

Forged Feedback

Before you perform this exploit, I would recommend you read up on JWT and the “None” Algorithm Signing exploit.

If you intercept another feedback form POST request, you will see that it contains an Authorization header with a JWT and a token cookie. We can use “none” signing to pose as another user and elevate our privileges. So take that token, decode it using JWT.io, change the values to what you want, re-encode it as Base64, and use it as both your Authorization header value and your token cookie.
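Whether the swapped-in token is accepted depends entirely on how the server verifies it. The Python below is an added example using only the standard library (it is neither Juice Shop's code nor the post's script): mint_hs256 stands in for the login that issues a signed token, forge_unsigned performs the decode, edit and re-encode the paragraph describes, and the two verifiers show the difference between honouring the token's own alg header and pinning the algorithm on the server. The signing key and the claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    """Compact JSON, base64url-encoded, as one JWT segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token (stands in for the app's login)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_unsigned(token: str, edited_claims: dict) -> str:
    """The edit done by hand on jwt.io: keep the payload with some claims
    changed, set alg to "none" and leave the signature segment empty."""
    _header, payload, _sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(edited_claims)
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_lax(token: str, key: bytes) -> Optional[dict]:
    """Vulnerable verifier: trusts the token's own alg header. With alg=none it
    skips the signature check entirely, so the forged claims are accepted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return json.loads(b64url_decode(payload_b64))
    return None


def verify_strict(token: str, key: bytes, allowed_algs=("HS256",)) -> Optional[dict]:
    """Hardened verifier: the server pins the algorithm, so "none" (or any other
    alg the token nominates) is rejected before the signature is even looked at."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    if header.get("alg") not in allowed_algs:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    key = b"constructed-secret-key"
    good = mint_hs256({"email": "jim@juice-sh.op", "role": "customer"}, key)
    forged = forge_unsigned(good, {"email": "admin@juice-sh.op", "role": "admin"})
    print("lax   :", verify_lax(forged, key))      # forged claims accepted
    print("strict:", verify_strict(forged, key))   # None
```

Real deployments should also check exp and iss and, for asymmetric keys, never let the header select between RS256 and HS256, which is the same class of bug as accepting "none".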

I found this process of decoding, changing, encoding super tedious, so here is another script I made to automate that process.

Forged Review

Juice Shop doesn’t check whether the “author” matches the value in the JWT; it just relies on the “author” field auto-generated when you make the PUT request. If you intercept that request, you can change the author field to whatever your heart desires and send it off to post a review on someone else’s behalf.
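Both the unrestricted DELETE on /api/Feedbacks/[ID] from the Five-Star Feedback section and the client-chosen review author here are missing authorization checks: who may act on a record, and whose name goes on it, should come from the verified identity rather than from the request. The Python below is an added example covering both (it is not Juice Shop's code); the principals, the feedback rows and the audit_log list are constructed for the demonstration.

```python
from typing import Dict, List, Optional


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the resource."""


audit_log: List[str] = []  # stands in for the application log a SOC would watch

# Constructed principals: what a verified token yields for each user.
ADMIN = {"id": 1, "email": "admin@juice-sh.op", "role": "admin"}
JIM = {"id": 2, "email": "jim@juice-sh.op", "role": "customer"}
BENDER = {"id": 3, "email": "bender@juice-sh.op", "role": "customer"}


def sample_feedbacks() -> Dict[int, dict]:
    """Constructed rows standing in for the Feedbacks table."""
    return {
        10: {"userId": 2, "rating": 5, "comment": "constructed five-star feedback"},
        11: {"userId": 3, "rating": 5, "comment": "another constructed five-star feedback"},
    }


def delete_feedback(feedbacks: Dict[int, dict], feedback_id: int,
                    principal: Optional[dict]) -> bool:
    """DELETE /api/Feedbacks/{id} with an authorization check: anonymous callers
    are refused, customers may only delete their own entry, admins may delete
    any. The identity comes from the verified token, never from the body."""
    if principal is None:
        raise Forbidden("authentication required")
    entry = feedbacks.get(feedback_id)
    if entry is None:
        return False
    if principal["role"] != "admin" and entry["userId"] != principal["id"]:
        audit_log.append(f"user {principal['id']} tried to delete feedback "
                         f"{feedback_id} owned by user {entry['userId']}")
        raise Forbidden("not the owner")
    del feedbacks[feedback_id]
    return True


def attempt_delete(feedbacks: Dict[int, dict], feedback_id: int,
                   principal: Optional[dict]) -> str:
    """Run delete_feedback and report the outcome as a short string."""
    try:
        return "deleted" if delete_feedback(feedbacks, feedback_id, principal) else "missing"
    except Forbidden as exc:
        return f"forbidden: {exc}"


def create_review(reviews: List[dict], product_id: int, body: dict, principal: dict) -> dict:
    """PUT a product review with the author taken from the authenticated
    principal. A client-supplied "author" is ignored, and logged if it differs."""
    claimed = body.get("author")
    if claimed is not None and claimed != principal["email"]:
        audit_log.append(f"user {principal['id']} submitted a review claiming author {claimed!r}")
    review = {"product": product_id, "author": principal["email"],
              "message": str(body.get("message", ""))}
    reviews.append(review)
    return review


if __name__ == "__main__":
    fb = sample_feedbacks()
    print(attempt_delete(fb, 10, None))    # forbidden: authentication required
    print(attempt_delete(fb, 10, BENDER))  # forbidden: not the owner
    print(attempt_delete(fb, 10, JIM))     # deleted
    print(create_review([], 1, {"author": "admin@juice-sh.op", "message": "hi"}, JIM))
    print(audit_log)
```

The audit_log entries are the detection side: a customer attempting to delete someone else's feedback, or a review body naming a different author than the token, are cheap signals of request tampering worth alerting on.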

Database Schema

I found that once I knew where to search this one wasn’t too bad. I spent way too much time trying to exploit the login portal, when the only SQL results being reflected were from search bar queries (DUH!)

Anyway, I got there in the end! A few steps were involved in this one:

1. To make sure it was exploitable I tried forcing an error by adding a comment (the + symbols are URL-encoded spaces). When I checked the response in Burp, I saw there were very detailed SQL error messages detailing the DB type (SQLite) and the query being used by the search bar.

localhost:3000/rest/products/search?q=apple'+--+

2. I researched a bit about SQLite syntax and found it has a system table called “sqlite_master” which contains schema information. I made note of the columns in the table to use later.

3. I was planning on using a UNION attack, so I had to make sure I had the same number of columns as the search bar query. To determine how many columns there were I added the condition “ORDER+BY+1” to the end of the query and kept incrementing the value until an error occurred.

4. Last of all, I constructed an injection that contained 9 columns so that I could output some of the sqlite_master table values into the results and see all the tables Juice Shop has (YAHOOO!!)

apple'))+UNION+SELECT+name,type,tbl_name,rootpage,sql,NULL,NULL,NULL,NULL+FROM+sqlite_master+--+
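To see why the Login Admin comment trick and the two search inputs above work, and what closes them, the Python below (an added example built on the standard library's sqlite3 module, not Juice Shop's code) rebuilds a toy Users and Products store in memory and runs the email value admin@juice-sh.op' --  and both URL-encoded search strings against a string-concatenated query and against the same query with bound parameters. The table layout is constructed to reproduce the double parentheses and the nine columns the post counted with ORDER BY; the product rows, accounts and passwords are made up.

```python
import hashlib
import sqlite3
from urllib.parse import unquote_plus


def pw_hash(password: str) -> str:
    """Toy password hash for the in-memory store (a real app uses a slow,
    salted hash; here only the query shape matters)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the shop database. Constructed: the Products
    layout just reproduces the nine columns the post counted."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)")
    con.execute("CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, "
                "price REAL, deluxePrice REAL, image TEXT, createdAt TEXT, updatedAt TEXT, deletedAt TEXT)")
    con.executemany("INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
                    [("admin@juice-sh.op", pw_hash("constructed-admin-pw"), "admin"),
                     ("jim@juice-sh.op", pw_hash("constructed-jim-pw"), "customer")])
    con.executemany("INSERT INTO Products (name, description, price, deluxePrice, image, "
                    "createdAt, updatedAt, deletedAt) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                    [("Apple Juice", "Fresh from the orchard", 1.99, 0.99, "apple.jpg",
                      "2021-04-16", "2021-04-16", None),
                     ("Banana Juice", "Monkeys love it", 1.99, 0.99, "banana.jpg",
                      "2021-04-16", "2021-04-16", None)])
    return con


def login_vulnerable(con, email: str, password: str):
    """Login built by string concatenation: the email value becomes SQL, so a
    quote followed by "-- " ends the literal and comments out the password check."""
    sql = (f"SELECT id, email, role FROM Users WHERE email = '{email}' "
           f"AND password = '{pw_hash(password)}'")
    return con.execute(sql).fetchall()


def login_safe(con, email: str, password: str):
    """Same query with bound parameters: the email is data, never SQL."""
    sql = "SELECT id, email, role FROM Users WHERE email = ? AND password = ?"
    return con.execute(sql, (email, pw_hash(password))).fetchall()


def search_vulnerable(con, q: str):
    """Search with the term spliced into the LIKE patterns (double parentheses,
    nine columns and a trailing ORDER BY, matching the UNION payload above)."""
    sql = (f"SELECT * FROM Products WHERE ((name LIKE '%{q}%' OR description LIKE '%{q}%') "
           f"AND deletedAt IS NULL) ORDER BY name")
    return con.execute(sql).fetchall()


def search_safe(con, q: str):
    """Parameterised search: wildcards are added in code, the term is bound."""
    like = f"%{q}%"
    sql = ("SELECT * FROM Products WHERE ((name LIKE ? OR description LIKE ?) "
           "AND deletedAt IS NULL) ORDER BY name")
    return con.execute(sql, (like, like)).fetchall()


def run_search(con, fn, url_query: str):
    """Decode the q= parameter as the server would and run one search variant,
    returning ("rows", rows) or ("error", message) so the error path from
    step 1 is visible as well."""
    try:
        return "rows", fn(con, unquote_plus(url_query))
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


# The two search inputs from the write-up, URL-encoded exactly as shown above.
PROBE = "apple'+--+"
UNION_DUMP = ("apple'))+UNION+SELECT+name,type,tbl_name,rootpage,sql,NULL,NULL,NULL,NULL"
              "+FROM+sqlite_master+--+")

if __name__ == "__main__":
    con = make_db()
    print("vulnerable login:", login_vulnerable(con, "admin@juice-sh.op' -- ", "wrong"))
    print("safe login:      ", login_safe(con, "admin@juice-sh.op' -- ", "wrong"))
    for label, fn in (("vulnerable", search_vulnerable), ("safe", search_safe)):
        for q in (PROBE, UNION_DUMP):
            print(f"{label:10} {q[:12]:12} {run_search(con, fn, q)}")
```

The vulnerable search returns the schema rows from sqlite_master with a product-shaped tuple of nine values each, exactly what step 4 relies on; the parameterised version treats the whole string as a LIKE pattern and returns nothing. Returning the raw OperationalError text to the client is the Server Disclosure problem from step 1: log it server-side and send a generic message instead.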

I hope this article was useful. Happy hacking everyone :)



Sophie Kaelin

Security Engineer, book lover, sudoku enthusiast. From Sydney 🐨