Pentest Top 10 OWASP with Juice-Shop-OWASP

tags: vulnerable top10owasp exploits

The resource base on THM and OWASP

Juice Shop is a large application so we will not be covering every topic from the top 10.

We will, however, cover the following topics which we recommend you take a look at as you progress through this room.

Injection

Broken Authentication

Sensitive Data Exposure

Broken Access Control

Cross-Site Scripting XSS

Do Recon for website

Recon is the first step for pentesting purposes, it means try learning something about the website and considered about the processing on website and then we can attack it and get the best results for your work or my work.

Question #1: What's the Administrator's email address?

Answer: admin@juice-sh.op

Question #2: What parameter is used for searching?

So in session we will use the Arjun to discorver all of the parameter in this web ?

So with arjun we not find anything and it little bit hard so have easy work we can type something on searching form or bar and look uRL have change something else. And yet we got parameter:

​​​​https://juice-shop.herokuapp.com/#/search?q=ok

Question #3: What show does Jim reference in his review?

Jim did a review on the Green Smoothie product. We can see that he mentions a replicator.

If we google "replicator" we will get the results indicating that it is from a TV show called Star Trek

Injection

• On this session we will focus on exploiting injection vulnerabilities.
• Injection vulnerabilities are quite dangerous to a company as they can potentially cause downtime and/or loss of data.
• Identifying injection points within a web application is usually quite simple, as most of them will return an error. There are many types of injection attacks, some of them are:

Question #1: Log into the administrator account!

Access burp suite and try to login to admin account and go into proxy tag and click on for intercept button and login with random account.

We will now change the "a" next to the email to: ' or 1=1– and forward it to the server.

Why does this work?

• The character ' will close the brackets in the SQL query
• 'OR' in a SQL statement will return true if either side of it is true. As 1=1 is always true, the whole statement is true. Thus it will tell the server that the email is valid, and log us into user id 0, which happens to be the administrator account.
• The – character is used in SQL to comment out data, any restrictions on the login will no longer work as they are interpreted as a comment. This is like the # and // comment in python and javascript respectively.

Answer: 32a5e0f21372bcc1000a6088b93b458e41f0e02a

Question #2: Log into the Bender account!

Similar like question 1 but on situation we don need to use the payload 1=1 because we knew the mail is valid and we just find the method to bypass the login form and the payload suitable is '–.

Who broke my lock?!

In this task, we will look at exploiting authentication through different flaws. When talking about flaws within authentication, we include mechanisms that are vulnerable to manipulation. These mechanisms, listed below, are what we will be exploiting.

Question #1: Bruteforce the Administrator account's password!

• We have used SQL Injection to log into the Administrator account but we still don't know the password. Let's try a brute-force attack! We will once again capture a login request, but instead of sending it through the proxy, we will send it to Intruder.

• Go to Positions and then select the Clear § button. In the password field place two § inside the quotes. To clarify, the § § is not two sperate inputs but rather Burp's implementation of quotations e.g. "". The request should look like the image below.

For the payload, we will be using the best1050.txt from Seclists. (Which can be installed via: apt-get install seclists)

You can load the list from: /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt

Once the file is loaded into Burp, start the attack. You will want to filter for the request by status.

A failed request will receive a 401 Unauthorized.

Whereas a successful request will return a 200 OK.

Answer: c2110d06dc6f81c67cd8099ff0ba601241f1ac0e

Question #2: Reset Jim's password!

Believe it or not, the reset password mechanism can also be exploited! When inputted into the email field in the Forgot Password page, Jim's security question is set to "Your eldest siblings middle name?".

In Task 2, we found that Jim might have something to do with Star Trek. Googling "Jim Star Trek" gives us a wiki page for Jame T. Kirk from Star Trek.

Looks like his brother's middle name is Samuel
Inputting that into the Forgot Password page allows you to successfully change his password.
You can change it to anything you want!

Answer: 094fbc9b48e525150ba97d05b942bbf114987257

AH! Don't look!

A web application should store and transmit sensitive data safely and securely. But in some cases, the developer may not correctly protect their sensitive data, making it vulnerable.

Most of the time, data protection is not applied consistently across the web application making certain pages accessible to the public. Other times information is leaked to the public without the knowledge of the developer, making the web application vulnerable to an attack.

Question #1: Access the Confidential Document!

Navigate to the About Us page, and hover over the "Check out our terms of use".

You will see the url can access ftp. Go for it and download file interesting and got the answer of question. Navigating to that /ftp/ directory reveals that it is exposed to the public!

Answer: edf9281222395a1c5fee9b89e32175f1ccf50c5b

Question #2: Download the Backup file!

We will now go back to the http://10.10.235.219/ftp/ folder and try to download package.json.bak. But it seems we are met with a 403 which says that only .md and .pdf files can be downloaded.

To get around this, we will use a character bypass called "Poison Null Byte". A Poison Null Byte looks like this: %00.

Note: as we can download it using the url, we will need to encode this into a url encoded format.

The Poison Null Byte will now look like this: %2500. Adding this and then a .md to the end will bypass the 403 error!

Why does this work?

A Poison Null Byte is actually a NULL terminator. By placing a NULL character in the string at a certain byte, the string will tell the server to terminate at that point, nulling the rest of the string.

Answer: bfc1e6b4a16579e85e06fee4c36ff8c02fb13795

Who's flying this thing?

Modern-day systems will allow for multiple users to have access to different pages. Administrators most commonly use an administration page to edit, add and remove different elements of a website. You might use these when you are building a website with programs such as Weebly or Wix.

When Broken Access Control exploits or bugs are found, it will be categorised into one of two types:

We can simulate the idea like this

Question #1: Access the administration page!

First, we are going to open the Debugger on Firefox.

(Or Sources on Chrome.)

This can be done by navigating to it in the Web Developers menu.

We are then going to refresh the page and look for a javascript file for main-es2015.js

To get this into a format we can read, click the { } button at the bottom

You will come across a couple of different words containing "admin" but the one we are looking for is "path: administration"

This hints towards a page called "/#/administration" as can be seen by the about path a couple lines below, but going there while not logged in doesn't work.

As this is an Administrator page, it makes sense that we need to be in the Admin account in order to view it.

A good way to stop users from accessing this is to only load parts of the application that need to be used by them. This stops sensitive information such as an admin page from been leaked or viewed.

Answer: 946a799363226a24822008503f5d1324536629a0

Question #2: View another user's shopping basket!

Login to the Admin account and click on 'Your Basket'. Make sure Burp is running so you can capture the request!

Now, we are going to change the number 1 after /basket/ to 2

It will now show you the basket of UserID 2. You can do this for other UserIDs as well, provided that they have one!

Answer: 41b997a36cc33fbe4f0ba018474e19ae5ce52121

Question #3: Remove all 5-star reviews!

Navigate to the http://10.10.27.252/#/administration page again and click the bin icon next to the review with 5 stars!

Answer: 50c97bcce0b895e446d61c83a21df371ac2266ef

Where did that come from?

XSS or Cross-site scripting is a vulnerability that allows attackers to run javascript in web applications. These are one of the most found bugs in web applications. Their complexity ranges from easy to extremely hard, as each web application parses the queries in a different way.

There are three major types of XSS attacks:

Question #1: Perform a DOM XSS!

We will be using the iframe element with a javascript alert tag:

<iframe src="javascript:alert(`xss`)">

Inputting this into the search bar will trigger the alert.

Note that we are using iframe which is a common HTML element found in many web applications, there are others which also produce the same result.

This type of XSS is also called XFS (Cross-Frame Scripting), is one of the most common forms of detecting XSS within web applications.

Websites that allow the user to modify the iframe or other DOM elements will most likely be vulnerable to XSS.

**Why does this work?
**
It is common practice that the search bar will send a request to the server in which it will then send back the related information, but this is where the flaw lies. Without correct input sanitation, we are able to perform an XSS attack against the search bar.

Answer: 9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf

Question #2: Perform a persistent XSS!

First, login to the admin account.

We are going to navigate to the "Last Login IP" page for this attack.

It should say the last IP Address is 0.0.0.0 or 10.x.x.x

As it logs the 'last' login IP we will now logout so that it logs the 'new' IP.

Make sure that Burp intercept is on, so it will catch the logout request.

We will then head over to the Headers tab where we will add a new header:

Then forward the request to the server!
When signing back into the admin account and navigating to the Last Login IP page again, we will see the XSS alert!

Why do we have to send this Header?

The True-Client-IP header is similar to the X-Forwarded-For header, both tell the server or proxy what the IP of the client is. Due to there being no sanitation in the header we are able to perform an XSS attack.

Answer: 149aa8ce13d7a4a8a931472308e269c94dc5f156

Question #3: Perform a reflected XSS!

First, we are going to need to be on the right page to perform the reflected XSS!

Login into the admin account and navigate to the 'Order History' page.

From there you will see a "Truck" icon, clicking on that will bring you to the track result page. You will also see that there is an id paired with the order.

We will use the iframe XSS, <iframe src="javascript:alert(`xss`)">, in the place of the 5267-f73dcd000abcc353

After submitting the URL, refresh the page and you will then get an alert saying XSS!

Why does this work?

The server will have a lookup table or database (depending on the type of server) for each tracking ID. As the 'id' parameter is not sanitised before it is sent to the server, we are able to perform an XSS attack.

Answer: 23cefee1527bde039295b2616eeb29e1edc660a0

Next step: Build the juice-shop by Docker and Pentest to overview all the vul on this platforms