OWASP Juice Shop Vulnerability Review

The document details the steps taken to identify vulnerabilities in the OWASP Juice Shop web application, including methods such as XSS, SQL injection, and broken access control. It outlines the process of exploiting these vulnerabilities to gain unauthorized access and manipulate data. A vulnerability report is also included, emphasizing the need for improved access control mechanisms to prevent unauthorized administrative access.

Gaurav Jagadeesh

13/7/23

FINAL PROJECT

Initial steps performed:

● Installed and imported the sandboxed vulnerable site into my VirtualBox
● Opened the site and changed the network settings
● Noted down the IP address (the IP address here is 192.168.0.110)
● Opened Kali Linux in VirtualBox
● Ran an nmap scan against the IP address of the vulnerable site

nmap -A -p- -Pn 192.168.0.110 or nmap 192.168.0.110

● Found that ports 80 and 3000 are open
● Port 80 gives details about the server (here an Apache2 server)
● Opened the OWASP Juice Shop in the browser (192.168.0.110:3000)
● Logged into OWASP Juice Shop using a temporary e-mail address

Finding Vulnerabilities

1. Reflected cross-site scripting (XSS)

● Used the search bar on the OWASP site
● Entered the JavaScript payload: <iframe src="javascript:alert('xss')">
● An XSS alert window pops up alongside the search results, which confirms the vulnerability

2. Error handling

● Provoked an error by clicking on 192.168.0.0106:3000/profile
● This returns an HTTP 500 error

3. Admin password

● While logged in as a random user
● Open any one of the products, e.g. Apple Juice
● In the review section, one of the e-mail IDs was found
● Logged in using the same e-mail ID with a randomly guessed password (admin123) or a brute-forced password
● Was successfully able to log in with admin credentials


4. SQL injection command in login

● Log in using 1'or'1'='1'-- in the e-mail ID field
● Enter the same in the password field
● Login was successful

5. Logged in to OWASP Juice Shop as admin using a brute-force attack

● Changed the password of [email protected]
● Logged out of OWASP Juice Shop
● Open Burp Suite and turn on the proxy in the browser
● Turn on Intercept
● Log in to Juice Shop using a random password
● Capture the password using Intercept in Burp Suite
● Send to Intruder
● The username and password will be displayed; copy the password
● Enter it into the password dictionary (Add) under the Payloads option
● The progress and results will be shown in the Intruder attack window, which scans around 3000+ passwords
● Once the results are shown, if a response gives 200 under the Status column and its length is around 1192, it's a go
● If it shows 401 and the length is 385, it's a no go
● Try the password in the browser

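As an added defender-side example (not part of this write-up), the Python below detects the Intruder-style guessing from step 5 in server logs: a burst of 401 responses for one account from one IP, followed by a 200. The log lines are constructed in an assumed simplified format, not Juice Shop's real log layout.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log layout (constructed): <ip> [<timestamp>] "POST /login" <status> <bytes> email=<account>
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "POST /login" '
                    r'(?P<status>\d{3}) (?P<size>\d+) email=(?P<email>\S+)$')

# Constructed sample: the 3000+ Intruder requests collapsed to a few lines.
SAMPLE_LOG = """\
10.0.0.5 [13/Jul/2023:10:00:00] "POST /login" 401 385 email=admin@example.com
10.0.0.5 [13/Jul/2023:10:00:01] "POST /login" 401 385 email=admin@example.com
10.0.0.5 [13/Jul/2023:10:00:01] "POST /login" 401 385 email=admin@example.com
10.0.0.5 [13/Jul/2023:10:00:02] "POST /login" 401 385 email=admin@example.com
10.0.0.5 [13/Jul/2023:10:00:02] "POST /login" 401 385 email=admin@example.com
10.0.0.5 [13/Jul/2023:10:00:03] "POST /login" 200 1192 email=admin@example.com
10.0.0.9 [13/Jul/2023:10:05:00] "POST /login" 401 385 email=bob@example.com
10.0.0.9 [13/Jul/2023:10:05:30] "POST /login" 200 1192 email=bob@example.com
"""

def parse_line(line):
    """Return a dict for a matching log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S")
    ev["status"] = int(ev["status"])
    return ev

def detect_password_guessing(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Alert on (ip, email) pairs with >= max_failures 401s inside `window`;
    mark the alert 'succeeded' if a 200 for the same pair follows the burst."""
    failures = defaultdict(list)  # (ip, email) -> timestamps of recent 401s
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["ip"], ev["email"])
        if ev["status"] == 401:
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) >= max_failures:
                alerts[key] = {"failures": len(recent), "succeeded": False}
        elif ev["status"] == 200 and key in alerts:
            alerts[key]["succeeded"] = True  # a hit after the burst: treat as compromised
    return alerts
```

The same signal is what a login rate limit or account lockout would act on before the 3000th guess lands.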

6. Finding the score-board

● Use http://192.168.0.102:3000/#/score-board
● This will open the score-board page
● If not, view the page source and inspect using F12
● Select Sources > main.js
● Then press Ctrl + F to start a search
● Search for score-board


7. Finding FTP secret files

● Enter the path http://192.168.0.102:3000/ftp
● This will list the FTP files
● Open the acquisitions.md file to find the confidential document

8. Login with Bender's account

● Copy one of the e-mail addresses shown under the reviews
● Go to Account > Login > enter the copied e-mail address ([email protected])
● Then enter a random password
● Open Burp Suite, turn on Intercept and capture the request
● Send it to Repeater
● Modify the e-mail address to "[email protected]'#" > Send
● We can see the SQLITE_ERROR, as Burp Suite shows the full error
● Now change the # to --, i.e. [email protected]'-- > Send
● Authentication will be successful and the token will be shown in the Response pane

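
Both login bypasses above (step 4's 1'or'1'='1'-- and step 8's '-- suffix) work because the server concatenates the submitted e-mail into its SQL. As an added example that is not from this write-up or Juice Shop's own code, the Python below runs a vulnerable and a parameterised login against a constructed in-memory SQLite table; the account and the hashing scheme are constructed sample data.

```python
import hashlib
import sqlite3

# Constructed sample account (not a real Juice Shop user); sha256 is only a stand-in hash.
SAMPLE_USERS = [("bender@example.com", hashlib.sha256(b"correct-horse").hexdigest())]


def make_db():
    """In-memory SQLite Users table seeded with the sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.executemany("INSERT INTO Users (email, password) VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_vulnerable(db, email, password):
    """String-built query: quotes, OR and -- in the e-mail field rewrite the WHERE clause.
    Returns an (id, email) row on 'success', or ('SQLITE_ERROR', message) when the
    injected text breaks the syntax, as Burp showed for the '#' attempt in step 8."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT id, email FROM Users WHERE email = '{email}' "
             f"AND password = '{pw_hash}'")
    try:
        return db.execute(query).fetchone()
    except sqlite3.Error as exc:
        return ("SQLITE_ERROR", str(exc))


def login_safe(db, email, password):
    """Parameterised query: the driver binds values separately, so the same
    input is compared as a literal string and can never change the SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return db.execute("SELECT id, email FROM Users WHERE email = ? AND password = ?",
                      (email, pw_hash)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "1'or'1'='1'--", "anything"))          # row: bypass
    print(login_vulnerable(db, "bender@example.com'--", "anything"))  # row: Bender's account
    print(login_safe(db, "bender@example.com'--", "anything"))        # None: rejected
    print(login_safe(db, "bender@example.com", "correct-horse"))      # row: genuine login
```
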
9. Accessing the privacy policy

● Log in as a random user or register as a new customer
● Account > Privacy & Security > Privacy Policy
● The privacy policy reveals some of the secret information about the company
● Only the privacy statement should be revealed, not the entire privacy policy

10. Providing customer feedback using another user's e-mail address

● Open the customer feedback page
● Fill in the form, write a comment and solve the CAPTCHA
● Open Burp Suite, turn on Intercept, capture the request
● Then submit the review
● Send it to Repeater
● In Repeater, under the Request pane, change the userID to 1 or 2 and then Send
● Under Response, 'success' should be shown
● Go back to Proxy, change the userID here too to 1 or 2 and then click Forward multiple times
● This solves the Forged Feedback challenge

11. Submitting a malicious zipped file in the complaint section

● A malicious zipped HTML file might corrupt the software
● Create a simple HTML file and zip it
● Go to the complaint section in Juice Shop
● Choose the file and submit it
● Open Burp Suite, turn on Intercept, capture the request
● The file will not be accepted
● Send it to Repeater
● Modify the value so that the website accepts the zipped file
● Then Send it, make the same changes in Proxy as well and Forward
● The malicious file will be accepted by the Juice Shop site


12. Found sensitive data exposed when searching for metrics

● Searched for http://192.168.0.108:3000/metrics
● This gives sensitive information
● This is also a 1-star challenge vulnerability

13. Photo Wall inspection

● Go to the Photo Wall
● The image is not shown; only the hashtags in the image reference are shown
● This is an improper input validation issue
● Inspect the page (F12)
● Here the path is specified for the image, but the image is not loaded
● To decode this image path, go to icyberchef.com
● icyberchef.com > search for URL Encode > this encodes characters into percent-encoding
● Since two hashtags are shown, you will need to encode the hashes
● Open the image path in a new tab
● You will find the image of a cat once the # in the URL is replaced by %23
● Replace # with %23 in the image path in the page source
● Now the cat image is shown
● This solves the challenge

14. Accessed the administration section of the store

● Logged in as [email protected] using step 3
● Now inspect the page (F12)
● Go to Sources > main.js
● Start a search using Ctrl + F
● Now search for administration and you get the path as the result
● Enter 192.168.0.108:3000/#/administration in the URL bar
● You get access to the administration section of the store

Simple Vulnerability Report

Title: Broken Access Control (Admin Access) Vulnerability

Description:

The OWASP Juice Shop web application is vulnerable to Broken Access Control, which allows
unauthorized users to gain administrative privileges. This can lead to unauthorized access, data
manipulation, information disclosure, and privilege escalation.

Steps to Reproduce:

● Access the OWASP Juice Shop application and go to the login page.
● Use Burp Suite to intercept the login request.
● Modify the request by changing the "isAdmin" parameter to "true" or "1".
● Forward the modified request to the server.
● Notice that the user is granted administrative privileges, providing access to restricted administrative functionality.

Impact:

Exploiting this vulnerability allows unauthorized users to gain administrative access, leading to
unauthorized actions, data manipulation, information disclosure, and privilege escalation.
Immediate attention is required to implement proper access control mechanisms and strict
authorization checks throughout the application's functionality.
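
The report's "isAdmin" step is a mass-assignment problem: the server binds whatever fields the client sends onto the user record, and the route then trusts that record. As an added example (not the application's code; handler names and request shape are assumptions), the Python below contrasts that with an allow-listed handler and a server-side check for the administration route.

```python
from dataclasses import dataclass


@dataclass
class User:
    email: str
    password_hash: str
    isAdmin: bool = False  # must only ever be set by server-side logic


# Only these keys may come from the client; everything else is server-decided.
ALLOWED_SIGNUP_FIELDS = {"email", "password_hash"}


def create_user_vulnerable(request_json):
    """Mass assignment: every JSON key is bound straight onto the model, so a
    request edited in Burp to include "isAdmin": true yields an admin account."""
    return User(**request_json)


def create_user_safe(request_json):
    """Copy only allow-listed fields. Returns the user plus the list of rejected
    keys, which is worth logging as a tamper signal."""
    data = {k: request_json[k] for k in ALLOWED_SIGNUP_FIELDS if k in request_json}
    rejected = sorted(set(request_json) - ALLOWED_SIGNUP_FIELDS)
    return User(**data), rejected


def can_access_administration(user):
    """Authorisation for the /#/administration route reads the stored record;
    a flag echoed back by the client is never consulted. bool() mirrors the
    truthiness checks that also accept "true" or "1" from a tampered request."""
    return bool(user.isAdmin)


# Constructed tampered signup, like the Burp-modified request in the report.
TAMPERED_REQUEST = {"email": "eve@example.com", "password_hash": "x", "isAdmin": True}
```
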
