Let’s play a game: Hack the Juice Shop
Security, a buzzword for some companies and a priority for others. We hear of so many security breaches, but we still do not find the time and resources to give security the importance it needs. Sometimes knowing the basics can take you such a long way, that’s why OWASP developed the Juice shop — an insecure application which lists vulnerabilities in a scoreboard, to solve as ‘puzzles’. The more weaknesses you find on the website, the more points you get. Some vulnerabilities can be quickly discovered using tools like ZAP, but for this post, we’ll keep it simple using only manual checks.
Let’s get the juice shop up and running using Docker.
The people at OWASP were kind enough to provide us with many ways to install the juice shop. We’ll be using docker, but you can use any of the methods available on their GitHub page.
So just run:
docker pull bkimminich/juice-shopto download the image.
then run:
docker run --rm -p 3000:3000 bkimminich/juice-shopto get the juice-shop up and running on port 3000.
Go to http://localhost:3000 and voila we’re ready to hack.
The Scoreboard
Let’s check out the scoreboard. To find the scoreboard is in itself a task.
Hint: use chrome tools to have a look at the source code and/or network tab.
Found it? Awesome.
Go to: http://localhost:3000/#/score-board
The scoreboard lists the different type of ‘attacks’ it is expecting. Recent versions also have a level system, which categorizes attacks according to the difficulty.
Get to know the application
Use the juice shop as a regular user, and do not shy away from using dev tools. Do some Exploratory testing, try to invoke some error messages and see what you can find. It might also be useful to use OWASPs STRIDE methodology.
Things to look out for are:
- The technology stack used to build the website, including versions
- Sanitised text fields
- Authorization of the website, i.e. what are you allowed to do as a logged out user.
- Any API endpoints you can find in the network tab
Getting to know such information makes it easier to find any vulnerabilities and know what should be your first source of the attack.
From your research, you should have figured that the technology stack includes AngularJS version 1.6.10 and SQL. Outdated Angular versions may be the first source of an attack. Tools like Snyk & CVE Details help us pinpoint vulnerabilities of specific versions, yep it’s that easy!
SQL Injection
Let’s start gaining some points. If you did try trigger error messages like the following:
you would have noticed that the login text field is not sanitised, what does that mean? Yep, SQL injection time.
“SQL injection is the placement of malicious code in SQL statements, via web page input. SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id, the user gives you an SQL statement that you will unknowingly run on your database.”
In the login field just type in:
enter any random characters for the password field, and press on the login button, voila, we’re logged in as an admin user. Sweet.
So what did we just do?
‘OR 1=1 is a classic attempt to make a query succeed no matter what. We are retrieving the password from the table where ever 1=1 — which is always true. The final ‘-’ is used to comment out the rest of your query, so the rest of the query is ignored. Meaning no matter what credentials the user passes the query would return all userids in the system granting admin access since admin is the first user. Check out this cool cheat sheet to help you understand this a bit better.
Cross-Site Scripting
XSS is another common vulnerability on many websites on the web.
“Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.”- acunetix.com
In the search bar type in the following javascript code:
< script>alert("Hello world");</script >That’s another accomplished task.
Conclusion
The aim of this blog post was not intended to tackle all the items on the scoreboard, but just to introduce common vulnerabilities which are easily taken advantage of. Projects like the juice shop give us a platform to not only test our hacking skills but also keep on learning on new ways how our products on the web can be breached. If you would like to look at other blog posts/videos which tackle more security flaws, then I recommend looking at the following:
- https://github.com/bsqrl/juice-shop-walkthrough
- An Introductory video of the juice shop by Björn Kimminich
P.S. We are looking for guest authors, interested? Contact Us
