Juice Shop
Last updated
Was this helpful?
Last updated
Was this helpful?
Admin - request:
{"email":"' or 1=1--","password":"aa"}
bender@juice-sh.op - request:
{"email":"bender@juice-sh.op'--","password":"a"}
Login request to Intruder (Burp Suite) - brute force password with /usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt
FTP public at /ftp
Find mc.safesearch@juice-sh.op password
listen - https://www.youtube.com/watch?v=v59CX2DiX0Y
URL Encoding and Null Bytes:
In URLs, the null byte (\x00) is encoded as %00.
Some web servers and applications improperly decode %00, interpreting it as a null byte, which can terminate strings prematurely.
Mismatch in Validation vs. Execution:
During validation, the application might check the entire string.
During execution, if the backend uses C-style string handling, the string stops at the null byte.
This mismatch can cause security checks to be bypassed.
The %2500 encoding is an extra layer of obfuscation:
%25 is the literal encoding of %, so %2500 decodes to %00.
This may be necessary when certain servers or filters block %00 directly, but fail to handle double-encoded payloads like %2500.
Go to http://10.10.212.2/main-es2015.js
F12 Dev Tools - Sources - main-es2015.js
Search for path: "administration"
go to http://10.10.212.2/#/administration
To view another user's shopping basket Go to http://10.10.212.2/#/basket
change to GET /rest/basket/2
Go to http://machine_ip/#/administration
Remove 5 stars reviews
Document Object Model-based Cross-site Scripting
Input the following in the search bar
XFS (Cross-Frame Scripting)
With admin, go to http://10.10.212.2/#/privacy-security/last-login-ip
turn Burp interceptor on, and logout
for the GET /rest/saveLoginIp request, got to Headers tab and add a new header
Forward the request
Upon signing back into the admin account and revisiting the "Last Login IP" page, the XSS alert will trigger!
The True-Client-IP header functions similarly to the X-Forwarded-For header, as both inform the server or proxy about the client's IP address. However, due to the lack of proper sanitization in the header, we can exploit it to execute an XSS attack
With admin, go to http://10.10.212.2/#/order-history
click truck icon - http://10.10.212.2/#/track-result?id=5267-8f615dcb73f36818
Use the following iframe XSS in the place of the 5267-8f615dcb73f36818
Submit the URL, refresh the page, and an alert displaying "XSS" will appear!
The server uses a lookup table or database (depending on its configuration) to manage each tracking ID. Since the id parameter is not sanitized before being processed by the server, this allows us to execute an XSS attack
Solve other chalenges by checking http://10.10.212.2/#/score-board
http://10.10.212.2/metrics
