OWASP Juice Shop Vulnerability Review
13/7/23
FINAL PROJECT
● Use http://192.168.0.102:3000/#/score-board
● This will access the score-board page
● If it does not load, view the page source and inspect using F12
● Select sources > main.js
● Then press ctrl + F to initiate the search
● Search for score-board
● Copy one of the email addresses shown under the reviews
● Go to account > Login > Enter copied email address ([email protected])
● Then enter random password
● Open Burp Suite, turn ON the intercept and capture the login request
● Send it to repeater
● Modify the email address to "[email protected]'#" > send
● The response shows a SQLITE_ERROR; Burp Suite displays the full database error message
● Now change the # to -- i.e. "[email protected]'--" > send
● Authentication succeeds and the token is shown in the response pane
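The two responses above (an SQLITE_ERROR for the '#' payload, a successful login for the '--' payload) are exactly what a login query built by string concatenation produces. The following added example is not Juice Shop's code; it uses a constructed in-memory SQLite table with made-up accounts to show the vulnerable query beside its parameterized replacement, and why '#' errors while '--' bypasses the password check.

```python
import sqlite3


def build_db():
    """Constructed in-memory Users table standing in for the application database.
    Passwords are stored as plain strings only to keep the demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO Users (email, password, role) "
        "VALUES ('admin@example.test', 'correct-horse', 'admin')"
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, email, password):
    """Builds the statement by concatenation, so the email is parsed as SQL.
    '#' is not a comment marker in SQLite and produces an unrecognized-token
    error; '--' comments out the rest of the WHERE clause, including the
    password check."""
    sql = f"SELECT * FROM Users WHERE email = '{email}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def find_user_safe(conn, email, password):
    """Bound parameters: whatever the email contains is only ever compared as data."""
    sql = "SELECT * FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


def classify_login_attempt(conn, email, password):
    """Mirrors the three outcomes seen in the Burp Suite response pane for the
    vulnerable handler: 'sqlite_error', 'ok' (bypass) or 'denied'."""
    try:
        row = find_user_vulnerable(conn, email, password)
    except sqlite3.OperationalError:
        return "sqlite_error"
    return "ok" if row else "denied"


if __name__ == "__main__":
    db = build_db()
    for attempt in ("admin@example.test'#", "admin@example.test'--", "admin@example.test"):
        print(f"{attempt!r:32} vulnerable -> {classify_login_attempt(db, attempt, 'x')}, "
              f"safe -> {find_user_safe(db, attempt, 'x')}")
```

Two defensive points follow from the example: bound parameters (or an ORM that binds for you) remove the injection entirely, and the raw SQLITE_ERROR text should never reach the client; it is the leaked error message that told the tester which engine was in use and that the input had reached the parser.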
9. Accessing the privacy policy
12. Found the sensitive data exposed when searched for metrics
● Go to Photo wall
● The image is not displayed; only the hashtags referencing the image are shown
● This is improper input validation
● Inspect the page (F12)
● Here the path is specified for the image, but the image is not loaded
Description:
The OWASP Juice Shop web application is vulnerable to Broken Access Control, which allows
unauthorized users to gain administrative privileges. This can lead to unauthorized access, data
manipulation, information disclosure, and privilege escalation.
Steps to Reproduce:
● Access the OWASP Juice Shop application and go to the login page.
● Use Burp Suite to intercept the login request.
● Modify the request by changing the "isAdmin" parameter to "true" or "1".
● Forward the modified request to the server.
● Notice that the user is granted administrative privileges, providing access to restricted administrative functionality.
Impact:
Exploiting this vulnerability allows unauthorized users to gain administrative access, leading to
unauthorized actions, data manipulation, information disclosure, and privilege escalation.
Immediate attention is required to implement proper access control mechanisms and strict
authorization checks throughout the application's functionality.