documenting my programming journey here

OWASP Juice Shop

I will be keeping track of the bugs I find as well as notes on those bugs here

link to the owasp juice shop github repo

The Happy Path

Mapping the application

First things first, let's map the application (or, as it is called in the juice-shop.pdf which I will be using as reference, "happy path" testing). This part simply means walking through the application as if you were a regular user and writing down what we believe is important information, or possible attack vectors. The first thing that jumps out at me is the search bar: usually when you search for something, the word/words you are searching for will be reflected back at you somewhere in the page as "Results for: hello" or something along those lines. I will take a look at this later, as this is where I have found some reflected XSS that might allow us to make changes to how the website looks, or grab some user information like cookies.

As we continue to walk the application we also see a Login button. I will be creating an account and seeing how that request gets handled and what cookies, if any, this creates; usually you will see some type of session id being created. This is important because if it does create cookies that store authentication information in them, then we might be able to compromise some accounts by learning how these cookies get created 😈 We also have a Contact Us link that leads to a form which we might use for something; we'll need to send some requests and see how that form processes them. Let's keep moving: I see an About Us page linked at the top. Now let's see those products: it's a table with an image, a product and a description header. I see a link to a #recycle page which might turn up something, and I'm also seeing something that looks like product ids, so we can probably test some IDORs here to see if we can access some products we are not meant to see.

Something I did notice is that this web app is running Angular 7.2.5 according to Wappalyzer; the site also runs jQuery & Hammer.js. I will have to do some recon and see if we can leverage some vulnerabilities here. I found an application where I could execute Angular expressions like {{1+1}} => 2, but I could not get any arbitrary code to execute because that version of Angular was using a sandbox to only execute Angular expressions.
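A quick check for the search bar, as an added example that is not part of the original post or of the Juice Shop code: send a probe that carries the characters an HTML encoder has to touch, then classify how it comes back. The three response bodies are constructed here to stand in for what a search page might return; they were not captured from Juice Shop.

```javascript
// Added example, not code from the Juice Shop project or the original post.
// Given the HTML (or rendered DOM) returned for a search, decide whether the
// search term came back raw, HTML-encoded, or not at all. A raw reflection
// of a probe containing < > " ' is the precondition for reflected XSS.

// A probe wraps an unusual token in the characters an encoder must touch.
// The token lets us find the reflection even when the brackets are mangled.
function makeProbe(token) {
  return `<${token}"'>`;
}

function classifyReflection(body, token) {
  const probe = makeProbe(token);
  if (body.includes(probe)) return 'raw';       // markup survived untouched
  if (body.includes(token)) return 'encoded';   // term is there, brackets are not
  return 'absent';                              // not reflected at all
}

// Constructed sample responses; not captured from a real target.
const TOKEN = 'zq7kprobe';
const RAW_BODY = `<h1>Results for: ${makeProbe(TOKEN)}</h1>`;
const ENCODED_BODY = `<h1>Results for: &lt;${TOKEN}&quot;&#39;&gt;</h1>`;
const SILENT_BODY = '<h1>No results</h1>';

function demo() {
  return {
    raw: classifyReflection(RAW_BODY, TOKEN),
    encoded: classifyReflection(ENCODED_BODY, TOKEN),
    silent: classifyReflection(SILENT_BODY, TOKEN),
  };
}

console.log(demo());
```

One caveat when running this against a single-page app: the reflection often happens in the browser, not in the HTML the server sends, so feed the rendered DOM from the dev tools (or the body of the JSON search response) to classifyReflection rather than the raw page source.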

Logging In

Now that I have gone through everything that I could have (I might have missed something; if I did, I will come back later and navigate the app again), at this moment we can see the products, but if you noticed, we are not able to buy anything. I will create an account here and see what changes once there is a user logged into the application; many times once a user is authenticated he/she will be able to see more functionality, and in this case I'm guessing I have to be signed in to purchase anything. Creating an account took an email, a password & a security question, then I got redirected to the login page. I am also checking the network tab in the Firefox dev tools to see what requests are being sent out & received. At first glance, once we sign in I see a few requests that might be interesting later on: /whoami and /login. Checking the /login request, I can see that there is now a JSON response which contains an object called authentication, which itself contains another object called token. This is interesting and we will probably use this for something later on. Other stuff in the authentication object: bid: 4 & umail:
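An added example of what to do with that token before guessing how sessions are built; it is not code from the Juice Shop project or the original post. It assumes the token is a JWT (the post only calls it a token), decodes the header and claims without the signing key, and notes the things that matter for forging one later. The sample token is constructed here and its signature is a placeholder, not a real HMAC.

```javascript
// Added example, not code from the Juice Shop project or the original post.
// Assumes the login token is a JWT (an assumption; the post only calls it a
// token) and reads its header and claims without the signing key.

function base64UrlDecode(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split and parse. Deliberately no signature verification: we are reading
// the token to learn how it is built, not deciding whether to trust it.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2],
  };
}

// The questions to answer about a session token before trying to forge one.
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  return {
    alg: header.alg,
    algNone: String(header.alg).toLowerCase() === 'none',  // unsigned by design
    unsigned: signature.length === 0,                        // empty third part
    hasExpiry: typeof payload.exp === 'number',
    expired: typeof payload.exp === 'number' && payload.exp < now,
    claims: Object.keys(payload).sort(),                     // what the server trusts
  };
}

// Constructed sample shaped like a typical login token; the signature is a
// placeholder string, not a real HMAC, and the claims are made up.
function makeSampleJwt(alg, claims) {
  const header = base64UrlEncode(JSON.stringify({ alg, typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  const signature = alg === 'none' ? '' : 'placeholder-signature';
  return `${header}.${payload}.${signature}`;
}

const SAMPLE = makeSampleJwt('HS256', { id: 4, email: 'user@example.invalid', exp: 1700003600 });
console.log(decodeJwt(SAMPLE).payload, inspectJwt(SAMPLE, 1700000000));
```

Paste the real token from the /login response into decodeJwt to see which claims the server bakes into it; an alg of "none", a missing exp, or a claim like an email or id that the server trusts without re-checking are what make the token worth attacking.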

Logged In

I am now logged in and can see that there is some information that was not there before. The elements that catch my eye are the cart icons; if we click one we can actually add items to our cart, and we also gained an icon on the navigation bar that takes us to /basket. As of right now my basket is completely empty, so I should add an item and see what kind of requests are being sent out. I also noticed a small avatar by the Juice Shop logo; if we click on this, it opens a modal with the options: user email, recycle, track orders & change password. The first option takes us to /profile, in which we can update our profile pic (checking the source of this image, it might be possible to determine if it is being hosted internally or in a CDN). We can also include a Gravatar URL which we might be able to use for something not intended. There is also a username and email field which have my current username and current email address, so these two fields can change.

There is also a Logout button which, well, logs you out. There is a Contact Us page which when clicked gives us two options: Customer Feedback & Complain. Customer Feedback takes us to a form which can be filled out with a comment and a rating of 1-5 stars; the Complain button takes us to another form which can be submitted with a message body, and an invoice can be attached. Here we also have a dropdown of languages that are supported by the website (I recently found a website where I could get SQLi through some HTTP headers related to the language in a WordPress plugin, not sure if related but will have to check). The search bar looks exactly the same, there is still an About button which takes us to /about, and a link to the GitHub repo.

Let's Shop!

Remember, we want to become familiar with the application, and there is almost no better way to do this than by actually using the application, so I'll add something to my cart. That Apple Juice looks good, can't go wrong with a classic. So let's add it to our basket. Once we click the cart icon there isn't really a way of checking to see if we did add it, other than by going to /basket, which can be done using the Your Basket link on the nav bar. Once in /basket I can see the item I added, Apple Juice (1000ml); we can also see some more information about this item, Price, Quantity & Total Price, and we can also remove the item from our cart with the trash icon. Here we have a couple of buttons: a Checkout button, a Coupon button which allows us to enter a coupon, & a Payment button. Let's try to buy this apple juice. Once we click Checkout we get redirected to a PDF page with a receipt of our order (because this is not a real app we did not have to enter any CC info). I see a few things here: the path to this document is /ftp/order_num-numnumnum.pdf, the num string representing the order #, maybe a possibility to use Path Traversal here. I believe that is all I can see in the app right now. Now let's get started with the actual hacking.

Part 1

In the juice-shop.pdf, which can be downloaded for free from Leanpub, our first challenge is to find the Score Board. Here we can find more information about all the challenges inside the application; we can sort them by type and difficulty, and the board also provides us with clues, just like in a CTF, which the app can run as. But we did not see any indication of where the Score Board could be located. We know it is there because the PDF mentions it, so we can do 2 things here: we can guess the pathname, or we can see if the link exists somewhere in the application. Sometimes the dev might just comment out important links, thinking that the user will not look, but I am not just any user, so let's take a look. I am using Firefox, so I can right click on the page and click Inspect Element; this will show us the HTML elements. This is usually used for debugging web applications, but we will be searching for content that the developer might have forgotten about here. From the juice-shop pdf we know that it does exist, so let me try to guess: scoreboard: nothing, scores: nothing, board: nothing, leaderboard: nothing, points: nothing, score-board: 200. So I got it! After a few guesses we came to a page with the path /score-board; this page shows all the challenges that come included in the Juice Shop.
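Both approaches from this section, looking for commented-out links and guessing paths, as an added example that is not code from the Juice Shop project or the original post. The page source and the fake fetch are constructed for the demo, and the host target.test is a placeholder; the guesser compares every answer to a baseline for a path that certainly does not exist, so a server that answers 200 for everything does not make every guess look like a hit.

```javascript
// Added example, not code from the Juice Shop project or the original post.
// Finds routes the UI never links to: paths mentioned inside HTML comments,
// and wordlist guesses whose response differs from a known-missing path.

// Paths mentioned inside <!-- ... -->: commented-out anchors, routerLinks,
// or a bare "/something" left in a note.
function linksInComments(html) {
  const found = new Set();
  const commentRe = /<!--([\s\S]*?)-->/g;
  const pathRe = /(?:href|routerLink)\s*=\s*["']([^"']+)["']|(?:^|\s)(\/[A-Za-z0-9_\-\/]+)/g;
  let c;
  while ((c = commentRe.exec(html)) !== null) {
    let p;
    pathRe.lastIndex = 0;
    while ((p = pathRe.exec(c[1])) !== null) found.add(p[1] || p[2]);
  }
  return [...found];
}

// fetchPage(url) -> { status, body }. Injected so the demo runs offline and
// a real implementation (fetch, a proxy, curl) can be swapped in.
async function guessPaths(base, wordlist, fetchPage) {
  const baseline = await fetchPage(`${base}/surely-missing-${Date.now()}`);
  const hits = [];
  for (const word of wordlist) {
    const r = await fetchPage(`${base}/${word}`);
    if (r.status !== baseline.status || r.body !== baseline.body) {
      hits.push({ path: `/${word}`, status: r.status });
    }
  }
  return hits;
}

// The guesses from the post, in the order they were tried.
const WORDLIST = ['scoreboard', 'scores', 'board', 'leaderboard', 'points', 'score-board'];

// Constructed page source with one commented-out link and one note.
const SAMPLE_HTML = `
<nav>
  <a routerLink="/about">About</a>
  <!-- <a routerLink="/score-board">Score Board</a> -->
  <!-- old promo page, still served: /summer-sale -->
</nav>`;

// Constructed stand-in for the target: only these routes exist.
const FAKE_ROUTES = new Map([
  ['/', { status: 200, body: 'home' }],
  ['/about', { status: 200, body: 'about' }],
  ['/score-board', { status: 200, body: 'challenges' }],
]);
async function fakeFetchPage(url) {
  const p = new URL(url).pathname;
  return FAKE_ROUTES.get(p) || { status: 404, body: 'Not Found' };
}

guessPaths('http://target.test', WORDLIST, fakeFetchPage)
  .then(hits => console.log(linksInComments(SAMPLE_HTML), hits));
```

For a single-page app the server may return the same index page for every path and leave routing to the client, in which case the baseline comparison shows no difference at all; there you fall back to what the post does, navigating the rendered app in the browser, or to reading the route definitions out of the bundled JavaScript.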