In this episode I am going to be taking a first look at the OWASP Juice Shop.
Hello and welcome to episode 3 of the Sudo Social Club. I’m Edward Miro and in this episode I am going to be taking a look at the OWASP Juice Shop.
The Sudo Social Club is a podcast and YouTube channel centered around hacking capture the flags, wargames, crypto-challenges and vulnerable VM’s. I will be recording videos of me completing the challenges and also explaining in detail what I’m doing, why I’m doing what I’m doing and as much information as I can fit into each episode. Each week I’ll be picking a vulnerable VM, challenge or CTF to work through with you. Together we will learn about all the techniques, protocols and workflows to hack all the things. I’m also going to maintain a really good reference page on www.sudosocialclub.com with links, a workflow cheat sheet with all the commands I used and a feed of all my past episodes for you to use anytime you need it.
If anyone has any feedback or recommendations on how I can improve the channel please leave a comment or email me at email@example.com. Stay tuned after the main content for the Sudo Social Club crypto challenge of the week for a chance to get invited to our private Discord server!
Thanks for tuning in, now let’s begin:
This past Sunday I went to B-Sides San Francisco and had a great time. I went to a lot of good talks, had a blast doing the spymaster lock picking challenge, the escape room, and even tried my hand at the CTF.
It was a jeopardy style CTF which we haven’t shown on here yet, but it’s a little different than the vulnerable VM’s we’ve looked at so far. In a jeopardy style CTF there are multiple categories with multiple challenges worth a varying degree of points. There were even some challenges that required you to be onsite, such as a lock that was wired to a little printer that gave you a flag if you successfully opened it. It was really hard too and took me 3 tries and was very satisfying to finally get. I also got a few of the other challenges too, but started getting too lost in the CTF and wanted to spend my time there enjoying the con and seeing talks. I did look more at it once I got home and I learned I had neglected two very important skill sets, web app hacking and reverse engineering.
So I want to do something about that and here we are this week taking a look at the OWASP Juice Shop.
OWASP, for those who aren’t already familiar, is the Open Web Application Security Project. They’re an online community dedicated to the field of web application security. They’re also responsible for one of the most popular tools in this arena, Zed Attack Proxy or ZAP. ZAP and Burp are the go-to tools for web app hacking. In the next series of episodes of the Sudo Social Club, I’m going to work my way through the OWASP Juice Shop.
Like many of the resources we check out on this channel, the Juice Shop is an intentionally vulnerable web app and it’s got a lot of great write-ups and guides available to teach us. This week I’m going to show how I set up the Juice Shop, and we’ll work through all the 1 star challenges, then next week start on the 2 star, and so on.
The easiest way to get up and running is by going to this GitHub page, links to everything I mentioned will be in the show notes by the way. Then just scroll down to the Setup section and click this ‘Deploy to Heroku’ button. This will take you to Heroku, which is a cloud platform as a service provider for web apps that supports many programming languages. And it builds and deploys automatically, and is free. Once that’s done you’ll have a live page just like mine here.
So since I’m following Bjoern Kimminich’s book Pwning OWASP Juice Shop, I know that there’s a secret score board somewhere that is the first challenge. Once we find that we’ll have a better idea of what else to check for.
First however, we’ll click around and see how everything works, check out the naming convention for the other sections and see what’s going on.
To find the hidden score board, we can push F12 here in Firefox to bring up the developer tools and under Debugger > Sources > main.js, we can press CTRL-F and search for “score” and if we click through enough of these results eventually we find the path: entry for the score-board. Now we can just pop that into the url and that unlocks the score-board.
Now we can see our next challenges and I’m gonna leave this tab open so we can check our progress and open the index in another tab to work in.
Next is to find a confidential document. I remember when we were exploring that the About page has a link in the middle of this text block and if we hover over it, we can see that the linked document is coming from another directory that isn’t indexed on the main page, “FTP”. Let’s check in there:
Acquisitions.md seems pretty confidential so we’ll check that one out. Going back to our score-board confirms we got the flag too.
Next up is error handling. Referring back to the book gives me a couple options here to get this flag. The first is requesting a nonexistent page and seeing how the app responds.
It really didn’t like that. We can also attempt to login with a username of just an apostrophe. Password doesn’t matter. There’s another error. Score-board confirms we’re good here and we have 3 out of 7.
On to redirects tier 1. Checking our shopping basket gives us various payment and merchandise buttons. If we hover over a few we notice that some are passed through the to parameter of the route /redirect. Pulling up our developer tools and searching main.js, we are able to find one that isn’t listed on the page. Appending our URL with this data takes us to this defunct site and checking the score-board confirms we found the next flag.
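From the defender's side, the redirect finding above comes down to an allowlist that still holds a target no page links to. The sketch below is an added example, not code from the episode or from Juice Shop: it checks a `to` value by exact match and reports stale allowlist entries. All URLs and function names are constructed for illustration.

```javascript
// Added example: exact-match allowlist for a /redirect?to=... route, plus an
// audit for allowlisted targets that no page links to any more.
// All URLs below are constructed placeholders, not Juice Shop's real list.
const ALLOWLIST = [
  'https://shop.example.com/merch',
  'https://pay.example.com/donate',
  'https://old-partner.example.net/wallet', // stale: no page links here
];

// Normalise to origin + path so trivial variations compare equal;
// return null for anything that is not an absolute https URL.
function canonical(target) {
  let url;
  try {
    url = new URL(target);
  } catch {
    return null; // relative or malformed input
  }
  if (url.protocol !== 'https:') return null;
  if (url.username || url.password) return null; // reject embedded credentials
  return url.origin + url.pathname.replace(/\/+$/, '');
}

// Compare the whole parsed target, never a substring of the raw string.
function isAllowedRedirect(target, allowlist = ALLOWLIST) {
  const wanted = canonical(target);
  if (wanted === null) return false;
  return allowlist.some((entry) => canonical(entry) === wanted);
}

// Entries the application would still honour although nothing links to them.
function staleEntries(allowlist, linkedTargets) {
  const linked = new Set(linkedTargets.map((t) => canonical(t)));
  return allowlist.filter((entry) => !linked.has(canonical(entry)));
}
```

Running `staleEntries` against the links actually rendered in the templates gives a list of allowlist entries to review and remove.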
For the next two challenges, they were kind enough to give us the XSS payload we need to use. First place I’m gonna try is this search box and boom we got that one. We also have this track orders section and pasting the code in here gets us flag 6.
For the final flag we need to give them a zero star rating in the feedback form, but as you can see if I fill this out and try to submit without selecting any stars the submit button is disabled. We’ll pull out our good friend ‘inspect element’, delete this disabled text and now as you can see we can submit the form and are all done with the 1 star challenges. We can even check here in the About us page to verify we were successful.
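The disabled submit button is only a browser-side hint, so the rating rule has to be enforced again where the request is received. The following is an added example, not Juice Shop's own code: a framework-free sketch of that server-side check, where the field names (`comment`, `rating`), the 1 to 5 range and the length limit are assumptions.

```javascript
// Added example: server-side checks for a feedback submission. The handler
// shape, field names and limits are assumptions for illustration.
const MIN_RATING = 1;
const MAX_RATING = 5;
const MAX_COMMENT_LENGTH = 160;

function validateFeedback(body) {
  const errors = [];
  const input = body !== null && typeof body === 'object' ? body : {};
  const { rating, comment } = input;

  // Accept only a real integer; "3", 2.5, NaN and undefined are rejected
  // rather than coerced, so the stored value is exactly what was checked.
  if (!Number.isInteger(rating)) {
    errors.push('rating must be an integer');
  } else if (rating < MIN_RATING || rating > MAX_RATING) {
    errors.push(`rating must be between ${MIN_RATING} and ${MAX_RATING}`);
  }

  if (typeof comment !== 'string' || comment.trim() === '') {
    errors.push('comment is required');
  } else if (comment.length > MAX_COMMENT_LENGTH) {
    errors.push(`comment must be at most ${MAX_COMMENT_LENGTH} characters`);
  }

  return { ok: errors.length === 0, errors };
}

// Returns the status and body a route would send; `store` stands in for
// the database so the example runs offline.
function handleFeedback(body, store) {
  const result = validateFeedback(body);
  if (!result.ok) {
    return { status: 400, body: { errors: result.errors } };
  }
  store.push({ rating: body.rating, comment: body.comment.trim() });
  return { status: 201, body: { saved: true } };
}
```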
Well that’s it for this week and our first installment in the OWASP Juice Shop series. I know this was a short one, but tune in next week for the 2-star challenges and we will learn more and get better at web app security!
Alright. If you want to attempt this week’s challenge go to www.sudosocialclub.com and click on this week’s episode and scroll to the bottom for the cipher text. If you think you solved it send me an email at firstname.lastname@example.org and I’ll invite you to join our Discord server so you can chat with me and other listeners like yourself.
If you like this week’s episode and want to help support this channel please subscribe to the podcast through whatever podcatcher you found me through and please subscribe to the YouTube channel. Links to everything on www.sudosocialclub.com, including transcripts, and if you want to help the channel grow please share on your social media. Once again I’m Edward Miro and you can contact me at email@example.com with any comments, questions, corrections or feedback including ideas for future episodes. Thanks for checking out the Sudo Social Club. Have a great week!