OWASP Juice Shop — XSS Tier 0 and XSS Tier 1 Challenge Solutions

Solving OWASP Juice Shop challenge with XSS attacks

Welcome back to the third OWASP Juice Shop tutorial. In our previous tutorials, you learned how to solve the Login Admin challenge and how to access the Scoreboard and Admin Section in Juice Shop.

Today, I am planning to solve XSS Tier 0 challenge by performing a reflected XSS attack and the XSS Tier 1 challenge by performing a DOM XSS attack. before solving the challenges, let’s understand what is an XSS (also known as Cross-site scripting) attack.

What is Cross-site scripting (XSS)?

Cross-site scripting is a common security vulnerability usually found in web applications. This vulnerability allows attackers to manipulate a vulnerable website so that web site returns malicious code to users. These malicious codes are written in client-side programming languages such as Javascript, HTML, Flash, etc. When this malicious code gets injected into the website, it becomes part of the website, so the attacker can fully compromise their interaction with the application.

There are three types of XSS.

1. Stored XSS
2. Reflected XSS
3. DOM Based XSS

In these challenges, we are using Reflected XSS and DOM-based XSS attacks. So let’s look into those types.

Reflected XSS

This is also known as a non-persistent XSS attack. This occurs when a malicious script appears on the web application. This script is activated through a link, which sends a request to a website with a vulnerability that enables the execution of malicious scripts[1].

DOM Based XSS

This attack uses malicious code to modify the DOM elements/environment in the client-side script. In this attack, the payload is placed on the server-side.

Now, let’s solve OWASP Juice shop challenges using XSS attacks.

The solution to XSS Tier 1 problem

First, you need to log in to the Juice shop as any user to solve this challenge. If you don’t know how to log in please follow the steps in my previous tutorial.

To solve this problem, we are going to use the search input field at the top of the page. when we search for something we can see the search term appears at top of the page as search results.

Now we are going to input below HTML code as a search input to see if we can inject HTML into the web page.

<h1>hello world</h1>

Now if you inspect the web page you can see <h1>hello world</h1> is embedded in the web page.

Next, let's try the below code

<iframe src="javascript:alert(`xss`)">

Copy this snippet and paste it into the search field and click on search button. You will get a pop-up like this.

XSS Tier 1 solution

Congratulations!!! You perform a DOM XSS attack and solve the XSS Tier 1 problem successfully. In this attack, your payload was handled and improperly embedded into the page by the application frontend code without ever sending it to the server.

The solution to XSS Tier 0 problem

Now let’s look into the XSS Tier 0 problem. In this problem, we are going to use the “Order ID” field in the “Track Orders” tab to trigger the XSS attack.

Remember to log in as any user

Do some shopping and visit the Track Orders tab. Use the same snippet, we used to solve the previous problem, as the input of Order Id.

<iframe src="javascript:alert(`xss`)">

Similar to the above solution you will get the pop-up.

CONGRATULATIONS!!! Today you solved two problems in OWASP Juice Shop using an XSS attack.

XSS attacks we tried here are relatively harmless because they only affect us. It would be more harmful if we get malicious code snippet inside the database of visible script results to the other users.

Before the end of this tutorial let’s see how to protect our applications against these types of attacks.

1. Always validate the input fields. Never accept code snippets from untrusted sources, use HTML escape and Javascript escape
2. Encode HTML attributes, Javascript data, URL parameters and CSS before inserting data into HTML elements.
3. Do not use Javascript URLs.
4. Use Javascript escape before inserting data into CSS attributes, use URL escape, and Javascript escape before inserting data into URL attributes.
5. Populate DOM using safe Javascript functions or properties.

References

[1] “Reflected XSS | How to Prevent a Non-Persistent Attack | Imperva.” Learning Center, 29 Dec. 2019, www.imperva.com/learn/application-security/reflected-xss-attacks/#:%7E:text=Reflected%20XSS%20attacks,%20also%20known,enables%20execution%20of%20malicious%20scripts.