Level 1 - Challenges
I will present the challenges either in the order in which I discovered the vulnerabilities or in the order that I believe makes the most sense.
To get started, the first step was to locate the Score Board, which provides an overview of all the available challenges. After some exploration, I found it by guessing the path.
Afterwards I realized that the path can also be found by inspecting the main.js script.
At the login page, I simply tried to trigger an error by entering ' as Email and ' as password. This returns the error [object Object], an unhandled server error leaking into the response, which suggests that the application is vulnerable to injection attacks.
After creating an account, you can view the Privacy Policy by clicking Account -> Privacy & Security -> Privacy Policy.
In the Privacy Policy we find the following email: donotreply@owasp-juice.shop
The Score Board provides us with the payload. <iframe src="javascript:alert(`xss`)">
We need to find somewhere to enter this. I tried to add the payload in a product review, but that did not work. After looking around a bit, I found that entering the XSS payload in the search field triggers the alert.
Similar to the DOM XSS challenge, but with the payload:
<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>
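Both XSS challenges above work because the search term ends up in the page as markup rather than as text. The following is an added example, not code from Juice Shop or from the write-up, showing the vulnerable templating pattern next to the escaped version; `renderSearchHeaderUnsafe` and `renderSearchHeader` are hypothetical helpers constructed for this illustration, and the payload string is the one the Score Board hint gives.

```javascript
// Added example (not Juice Shop code): render untrusted search input as text,
// so a payload such as <iframe src="javascript:alert(`xss`)"> is shown
// literally instead of being parsed as markup.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;',
};

// Escape every character that can open a tag, attribute or entity.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'`]/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern (hypothetical): the search term is spliced straight into markup.
function renderSearchHeaderUnsafe(term) {
  return `<h2>Search results for ${term}</h2>`;
}

// Hardened pattern: the same template, but the term is escaped first.
function renderSearchHeader(term) {
  return `<h2>Search results for ${escapeHtml(term)}</h2>`;
}

// The payload from the Score Board hint (constructed test input here).
const XSS_PAYLOAD = '<iframe src="javascript:alert(`xss`)">';

// Crude check used only by this example: does the output contain an opening iframe tag?
function containsIframeTag(html) {
  return /<iframe\b/i.test(html);
}

console.log(renderSearchHeaderUnsafe(XSS_PAYLOAD)); // the tag survives into the page
console.log(renderSearchHeader(XSS_PAYLOAD));       // &lt;iframe ...&gt; is rendered as text
```

Escaping on output is the generic fix; in an Angular application like Juice Shop the equivalent is to let the framework's default binding sanitize the value instead of marking it as trusted HTML.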
I ran a Gobuster directory enumeration as a matter of good measure and found multiple sub-sites, one of which was /ftp.
Here I found multiple files which looked interesting. Upon downloading acquisitions.md, this challenge was completed.
I am sure this one can be automated, but I just kept asking for a coupon until I got one. The ChatBot can be accessed if you are logged in, e.g. as admin.
I got the coupon: k#pDmgC7sn
This one is odd, but holding Shift + X while clicking the close button will do the trick.
When navigating to the Photo Wall, we see a picture that is not loaded correctly. Looking at the source code shows that an emoji is used in the URL. I tried encoding the emoji, which did not help. Then I realized that it is the # characters that need encoding, because a browser treats an unencoded # as the start of the URL fragment. The URL encoding for # is %23.
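To see why encoding only the emoji was not enough, the following added example (not code from the write-up or from Juice Shop) parses a constructed file name containing both an emoji and # characters with the WHATWG URL class, and compares encodeURI, which leaves # untouched, with encodeURIComponent, which turns it into %23. The upload path and file name are constructed stand-ins, not the Photo Wall's real values.

```javascript
// Added example (not Juice Shop code): why an unencoded '#' breaks an image URL
// and why encoding the emoji alone does not help.

const BASE = 'http://localhost:3000';
const UPLOAD_DIR = '/assets/public/images/uploads/'; // assumed path, for illustration only

// Constructed file name in the style of the Photo Wall picture (not the real one).
const FILENAME = '😼-#cat-#one.jpg';

// Where does the browser think the path ends? URL parsing stops the path at '#'
// and treats the rest as the fragment, which is never sent to the server.
function parsedPath(fileName) {
  const u = new URL(UPLOAD_DIR + fileName, BASE);
  return { pathname: u.pathname, hash: u.hash };
}

// encodeURI percent-encodes the emoji but leaves '#' alone (it is a reserved
// character), so this is the "encode the emoji" attempt that did not work.
function encodeWholeUri(fileName) {
  return encodeURI(UPLOAD_DIR + fileName);
}

// encodeURIComponent treats the name as a single path segment and encodes
// '#' as %23 together with the emoji, so the whole name reaches the server.
function encodePathSegment(fileName) {
  return UPLOAD_DIR + encodeURIComponent(fileName);
}

// Does the encoded form survive URL parsing without losing part of the name?
function fragmentAfterParse(path) {
  return new URL(path, BASE).hash;
}

console.log(parsedPath(FILENAME));            // pathname ends at the first '#', hash holds the rest
console.log(encodeWholeUri(FILENAME));        // emoji encoded, '#' still raw
console.log(encodePathSegment(FILENAME));     // emoji and '#' both encoded
```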
A nice trick for this challenge is the "Pretty print source" option in the Debugger. This makes the minified code easier to read.
The challenge states "Let us redirect you to one of our crypto currency addresses which are not promoted any longer." and it has the tag Code Analysis, which gives us a hint on what to do. Let's look at the main.js script and search for redirect.
We can then find the following code snippet
Let's just access localhost:3000/redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm to solve the challenge.
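The underlying weakness is a redirect allowlist that still contains destinations nobody intends to promote. The following added example (not Juice Shop's redirect code) shows how a defender would implement the /redirect?to= check: destinations are normalised and compared exactly against a short, current allowlist, so that a pruned entry such as the blockchain.info address above is refused. The allowlist entries are constructed placeholders.

```javascript
// Added example (not Juice Shop code): a redirect endpoint that only follows
// destinations on an explicit, current allowlist and fails closed otherwise.

// Constructed allowlist entries; keep this list short and prune it when a
// partner or address is retired, which is what the challenge is about.
const REDIRECT_ALLOWLIST = new Set([
  'https://example.org/our-current-partner',
  'https://example.com/sponsor',
]);

// Normalise a destination so that case, trailing-slash or fragment variants
// of the same URL cannot slip past an exact match. Returns null if unusable.
function normalizeTarget(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null;
  }
  if (u.protocol !== 'https:') return null; // no http:, javascript:, data: ...
  u.hash = '';
  return u.href.replace(/\/$/, '');
}

// Exact-match check against the allowlist (no substring or includes() checks).
function isAllowedRedirect(raw) {
  const target = normalizeTarget(raw);
  return target !== null && REDIRECT_ALLOWLIST.has(target);
}

// Decide the HTTP response for /redirect?to=<raw>: 302 only if allowed.
function handleRedirect(raw) {
  return isAllowedRedirect(raw)
    ? { status: 302, location: normalizeTarget(raw) }
    : { status: 400, error: 'unrecognized redirect target' };
}

// The stale address from the write-up is not on the list, so it is refused.
console.log(handleRedirect('https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm'));
console.log(handleRedirect('https://example.org/our-current-partner/'));
```

Matching the whole normalised URL rather than checking whether the allowlist string appears somewhere in the target is what keeps the query string and path from being used to steer the redirect elsewhere.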
The challenge suggests creating a new user account, but attempting to do so with an email that already exists proved unsuccessful. To further investigate, the message sent to the server was intercepted using Burp Suite, revealing the following information.
The challenge says to follow the DRY principle (Don't Repeat Yourself), so I deleted the passwordRepeat field from the request, which solved the challenge.
This also indicates that the input validation is performed on the client-side instead of the server-side, which is generally not a secure practice.
By accessing the drop-down menu, we can provide feedback through the Customer Feedback option, where we rate our experience using stars on a scale of 1 to 5.
The task can be easily resolved by intercepting the request in Burp Suite and changing the rating value to 0.
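Both the missing passwordRepeat field and the zero-star rating got through because the only checks lived in the browser. As an added example (not Juice Shop's code), the validators below show what the server should enforce for the two request bodies described above, with constructed sample requests for the normal and the tampered case; the function names and the 8-character and 500-character limits are assumptions for this illustration.

```javascript
// Added example (not Juice Shop code): server-side validation for the two
// requests in the write-up, so that removing a field or editing a value in an
// intercepting proxy is rejected by the server regardless of client-side checks.

// Registration body: both password fields must be present and identical.
function validateRegistration(body) {
  const errors = [];
  if (typeof body.email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email)) {
    errors.push('email: invalid');
  }
  if (typeof body.password !== 'string' || body.password.length < 8) {
    errors.push('password: must be a string of at least 8 characters'); // assumed policy
  }
  if (typeof body.passwordRepeat !== 'string') {
    errors.push('passwordRepeat: required'); // the field the write-up deleted
  } else if (body.passwordRepeat !== body.password) {
    errors.push('passwordRepeat: does not match password');
  }
  return errors;
}

// Feedback body: rating must be an integer from 1 to 5, nothing else.
function validateFeedback(body) {
  const errors = [];
  const r = body.rating;
  if (!Number.isInteger(r) || r < 1 || r > 5) {
    errors.push('rating: must be an integer between 1 and 5'); // rejects 0, 6, "5", null
  }
  if (typeof body.comment !== 'string' || body.comment.length > 500) {
    errors.push('comment: must be a string of at most 500 characters'); // assumed limit
  }
  return errors;
}

// Minimal dispatcher mimicking a route handler's decision: 400 with the
// error list, or 201 when the body is clean. Only the server's verdict counts.
function handle(validator, body) {
  const errors = validator(body);
  return errors.length ? { status: 400, errors } : { status: 201 };
}

// Constructed requests: what the browser sends, and the tampered versions.
const REGISTRATION_OK = { email: 'alice@example.org', password: 'correct-horse', passwordRepeat: 'correct-horse' };
const REGISTRATION_TAMPERED = { email: 'alice@example.org', password: 'correct-horse' }; // passwordRepeat removed
const FEEDBACK_OK = { comment: 'Great shop', rating: 5 };
const FEEDBACK_TAMPERED = { comment: 'Great shop', rating: 0 }; // edited in the proxy

console.log(handle(validateRegistration, REGISTRATION_TAMPERED)); // 400, passwordRepeat: required
console.log(handle(validateFeedback, FEEDBACK_TAMPERED));         // 400, rating out of range
```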
In this challenge we get the hint that the popular monitoring system used is Prometheus. The official documentation of this service states that Prometheus expects metrics to be available on targets at the path /metrics.
Accessing that path on the application solves the challenge.
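An exposed /metrics endpoint, like the browsable /ftp directory found earlier, is something a defender wants to notice in the access logs rather than in a write-up. The following is an added example (not part of this write-up or of Juice Shop) that parses Common Log Format lines and flags successful requests to such paths from addresses outside the RFC 1918 and loopback ranges; the log lines are constructed, the sensitive-path list and the notion of "internal" are assumptions for this illustration.

```javascript
// Added example (not Juice Shop code): scan web-server access log lines for
// requests to paths that should not be reachable from the internet, such as
// the Prometheus /metrics endpoint and the /ftp directory from the write-up.

const SENSITIVE_PREFIXES = ['/metrics', '/ftp']; // assumed list for this example

// RFC 1918 and loopback ranges treated as "internal" (assumption for this example).
const INTERNAL_RANGES = [
  ['10.0.0.0', 8],
  ['172.16.0.0', 12],
  ['192.168.0.0', 16],
  ['127.0.0.0', 8],
];

// Parse dotted-quad IPv4 into an unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if the address falls inside one of the internal CIDR ranges.
function isInternal(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return INTERNAL_RANGES.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Common Log Format: ip ident user [time] "METHOD path HTTP/x" status size
const CLF = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = CLF.exec(line);
  if (!m) return null;
  const path = m[4].split('?')[0]; // ignore the query string when matching paths
  return { ip: m[1], time: m[2], method: m[3], path, status: Number(m[5]) };
}

// Flag successful (2xx) requests to sensitive paths from non-internal clients.
function findExposures(lines) {
  const hits = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const sensitive = SENSITIVE_PREFIXES.some((p) => r.path === p || r.path.startsWith(p + '/'));
    if (sensitive && r.status >= 200 && r.status < 300 && !isInternal(r.ip)) {
      hits.push(`${r.time} ${r.ip} ${r.method} ${r.path} -> ${r.status}`);
    }
  }
  return hits;
}

// Constructed log lines (not from a real server); 203.0.113.0/24 and
// 198.51.100.0/24 are documentation ranges standing in for external clients.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /metrics HTTP/1.1" 200 5120',
  '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /metrics HTTP/1.1" 200 5120',
  '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /ftp/acquisitions.md HTTP/1.1" 200 2048',
  '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /ftp/notes.md HTTP/1.1" 403 120',
  '198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /rest/products/search?q=apple HTTP/1.1" 200 900',
];

console.log(findExposures(SAMPLE_LOG)); // two hits: external /metrics scrape and /ftp download
```

The same scan run over real logs is a cheap way to confirm whether a metrics endpoint or a file listing was ever fetched from outside before deciding whether to bind it to an internal interface or put it behind authentication.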