Thứ Năm, 19 tháng 11, 2020

[Training] OWASP Juice Shop walkthrough

 Hello guys, hello windy day.

 Because of the training course for CTF team, I will participate in play with this  web application designed by OWASP.  Let's start!

11/12 solved


Find the source code in dev tab ( f12), find exactly path of Score Board and we complete this challenge


This challenge is about DOM XSS with <iframe> tag (An inline frame is used to embed another document within the current HTML document). Simple copy this payload and paste to search field. We make the api of sound cloud appeared. 


Similar to the previous challenge we have solved


Scan all directory with dirbuster or ZAP, we found /ftp path. Browse to it, view all file .md and we got the point.


Browse to login page, input abitrary character and make the error appeared


Guessing or scanning the directory and browse to /metrics to get point.


Go to this page and pass the challenge!


Move to Photo Wall

Inspect the error image

The "#" symbol make this image coudn't load in the right way that it supposed to be. Fix it by encode to "%23". Reload page and get the full picture appears, complete this challenge


Move to Feedback page, vote 1* and open ZAP and intercept the request from browser

Change rating value to "0" and forward request!



Move to support chat and ask for coupon over and over again as a kid, so the bot will give you coupon and you pass this challenge!


You should read about DRY (Don't repeat yourself) principle

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system
So, we move to register form and let's make new one. In password field, you can type any thing you want follow to the password creation rules. Then, in repeat password field, type exactly the same password. After that, you can change the your main field password to another value, and realize that the UI accept it with no error. Click register and you pass this challenge!


Retrive the source code via develop mode

Find admin section

Browse to this path and pass this challenge!


We already saw in admin section that we can delete all 5-star feedback

Delete it and pass this chall!

Note: This chall requires you to logged in as admin to delete vote


Simple use a SQLi query
admin' or 1=1 --
and pass the challenge


View the cookie "token" by Cookie extension or another tool

Familiar to me, this is JWT token, decode it by

We can see the password in md5 hash type, decrypt it via John or any tools which support this type. With admin email and password, we can successfully login to and pass this challenger.


Create another user, add item in its basket and view the bid (basket id). Logout this account and login with admin account, move to admin's basket and change the bid value to new user's bid value. We can view the new user's basket.


OSINT and SafeSearch sound like an antivirus program or something "techy" to me. So, I google it

Just view video and claim the password


Upload a pdf file, intercept with ZAP and change the extension, then forward it 


null' union select tbl_name,2,3,4,5,6,7,8,9,10,11,12,13 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'--

null' union select tbl_name,2,3,4,5,6,7,8,9,10,11,12,13 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%' limit 1,2--


using Fuzz feature to bruteforce captcha value. If you knew, captcha value would run random from 1 → 100. With 10 requests, you have fuzz 100 numbers for 10 times.

Continue ...
Happy Training!

Không có nhận xét nào:

Đăng nhận xét

Phổ Biến