OWASP Juice Shop — XSS Tier 0 and XSS Tier 1 Challenge Solutions

Solving OWASP Juice Shop challenge with XSS attacks

Anusha Ihalapathirana
Jan 5 · 4 min read

Welcome back to the third OWASP Juice Shop tutorial. In our previous tutorials, you learned how to solve the Login Admin challenge and how to access the Scoreboard and Admin Section in Juice Shop.

Today, I am planning to solve XSS Tier 0 challenge by performing a reflected XSS attack and the XSS Tier 1 challenge by performing a DOM XSS attack. before solving the challenges, let’s understand what is an XSS (also known as Cross-site scripting) attack.

What is Cross-site scripting (XSS)?

Cross-site scripting is a common security vulnerability usually found in web applications. This vulnerability allows attackers to manipulate a vulnerable website so that web site returns malicious code to users. These malicious codes are written in client-side programming languages such as Javascript, HTML, Flash, etc. When this malicious code gets injected into the website, it becomes part of the website, so the attacker can fully compromise their interaction with the application.

There are three types of XSS.

  1. Stored XSS
  2. Reflected XSS
  3. DOM Based XSS

In these challenges, we are using Reflected XSS and DOM-based XSS attacks. So let’s look into those types.

This is also known as a non-persistent XSS attack. This occurs when a malicious script appears on the web application. This script is activated through a link, which sends a request to a website with a vulnerability that enables the execution of malicious scripts[1].

This attack uses malicious code to modify the DOM elements/environment in the client-side script. In this attack, the payload is placed on the server-side.

Now, let’s solve OWASP Juice shop challenges using XSS attacks.

The solution to XSS Tier 1 problem

First, you need to log in to the Juice shop as any user to solve this challenge.

To solve this problem, we are going to use the search input field at the top of the page. when we search for something we can see the search term appears at top of the page as search results.

Now we are going to input below HTML code as a search input to see if we can inject HTML into the web page.

<h1>hello world</h1>
Image for post
Image for post

Now if you inspect the web page you can see is embedded in the web page.

Next, let's try the below code

<iframe src="javascript:alert(`xss`)">

Copy this snippet and paste it into the search field and click on search button. You will get a pop-up like this.

Image for post
Image for post
XSS Tier 1 solution

Congratulations!!! You perform a DOM XSS attack and solve the XSS Tier 1 problem successfully. In this attack, your payload was handled and improperly embedded into the page by the application frontend code without ever sending it to the server.

The solution to XSS Tier 0 problem

Now let’s look into the XSS Tier 0 problem. In this problem, we are going to use the “” field in the “” tab to trigger the XSS attack.

Do some shopping and visit the tab. Use the same snippet, we used to solve the previous problem, as the input of .

<iframe src="javascript:alert(`xss`)">

Similar to the above solution you will get the pop-up.

CONGRATULATIONS!!! Today you solved two problems in OWASP Juice Shop using an XSS attack.

XSS attacks we tried here are relatively harmless because they only affect us. It would be more harmful if we get malicious code snippet inside the database of visible script results to the other users.

Before the end of this tutorial let’s see how to protect our applications against these types of attacks.

  1. Always validate the input fields. Never accept code snippets from untrusted sources, use HTML escape and Javascript escape
  2. Encode HTML attributes, Javascript data, URL parameters and CSS before inserting data into HTML elements.
  3. Do not use Javascript URLs.
  4. Use Javascript escape before inserting data into CSS attributes, use URL escape, and Javascript escape before inserting data into URL attributes.
  5. Populate DOM using safe Javascript functions or properties.


[1] “Reflected XSS | How to Prevent a Non-Persistent Attack | Imperva.” , 29 Dec. 2019, www.imperva.com/learn/application-security/reflected-xss-attacks/#:%7E:text=Reflected%20XSS%20attacks,%20also%20known,enables%20execution%20of%20malicious%20scripts.

The Startup

Get smarter at building your thing. Join The Startup’s +776K followers.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store