Table Of Contents
- 1 Exploring and Exploiting the Owasp Juice Shop Vulnerabilities to Understand the Owasp Top 10
- 1.1 Injection – A01:2017
- 1.2 Broken Authentication – A02:2017
- 1.3 Sensitive Data Exposure – A3:2017
- 1.4 XML External Entities (XXE) – A4:2017
- 1.5 Broken Access Control – A05:2017
- 1.6 Security Misconfiguration A06:2017
- 1.7 Cross-Site Scripting (XSS) – A7:2017
- 1.8 Insecure Deserialization – A8:2017
- 1.9 Using Components with Known Vulnerabilities – A9:2017
- 1.10 Insufficient Logging & Monitoring – A10:2017
- 1.11 References
- 1.12 About The Author
Exploring and Exploiting the Owasp Juice Shop Vulnerabilities to Understand the Owasp Top 10
For this lab, we will use Owasp Juice Shop to learn how to exploit the Owasp Top 10 vulnerabilities. You can also use OWASP Mutillidae II.
What is Owasp Juice Shop?
OWASP Juice Shop is an open-source web application developed by the Open Web Application Security Project (OWASP). It is a deliberately insecure application for educational and training purposes. OWASP Juice Shop is an educational tool for developers, students, and security professionals to learn about common web application security vulnerabilities and how to mitigate them. By exploring and exploiting the vulnerabilities in Juice Shop, you gain hands-on experience in identifying, understanding, and mitigating security issues. It is designed to simulate a modern web application with various security vulnerabilities commonly found in real-world applications.
In our previous lab, we covered how to install Owasp Juice Shop in Kali Linux. Click here to learn.
What is the OWASP Top 10?
The OWASP Top 10 is a regularly updated list of the most critical web application security risks. It serves as a guide for developers, security professionals, and organizations to understand and address the vulnerabilities that attackers commonly exploit. The list is compiled based on data from various sources, including security companies, independent researchers, and real-world incidents.
The 2017 edition of the OWASP Top 10 includes the following vulnerabilities:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
The 2021 edition of the OWASP Top 10 includes the following vulnerabilities:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery
Click here to learn more about the OWASP Top 10 2021 edition.
Injection – A01:2017
What is an injection vulnerability?
Injection vulnerability allows attackers to send malicious code through a web application to another system. These attacks include calls to the operating system via system calls, the use of external programs via shell commands, and calls to backend databases via SQL (i.e., SQL injection). Scripts written in Python, Perl, and other languages can be injected into poorly designed applications and executed. Any time an application uses an interpreter of any type, there is a danger of introducing an injection vulnerability.
Login Jim (Log in with Jim’s user account.)
Login into Jim’s account using SQL injection. Type in jim@juice-sh.op’– as the username and any password of your choice. Click the log-in button. We have successfully solved the challenge Login Jim (Log in with Jim’s user account.):
jim@juice-sh.op'--
Broken Authentication – A02:2017
What is Broken Authentication?
Broken Authentication happens when a poor authentication method is used for verification purposes. Such as setting publicly available information as a security question. For example, What is the name of your first child? People share a lot of personal information on social media, blogs, and websites. An attacker can easily find answers to your security question by performing Open Source Intelligent OSINT on the target. Many website registrations use security questions for both password retrieval/reset and sign-in verification. Some also ask the same security questions when users call on the phone. Security questions are one method to verify the user and stop unauthorized access. But there are problems with security questions. Websites may use poor security questions that may have negative results:
The user can’t accurately remember the answer or the answer changed, The question doesn’t work for the user, The question is not safe and could be discovered or guessed by others. It is essential that we use good questions. Good security questions meet five criteria. The answer to a good security question is:
Safe: cannot be guessed or researched
Stable: does not change over time
Memorable: can be easily remembered
Simple: is precise, easy, consistent
Many: There are many possible answers
It is difficult to find questions that meet all five criteria, which means that some questions are good, some fair, and most are poor. In reality, there are few, if any, GOOD security questions. People share so much personal information on social media, blogs, and websites, which makes it hard to find questions that meet the criteria above. In addition, many questions are not applicable to some people; for example, what is your oldest child’s nickname — but you don’t have a child?
Reset Bender’s password (Broken Authentication Challenge)
For this challenge, we are going to reset Bender’s password via the Forgot Password mechanism. On the Score Board, Click on Broken Authentication, then click on the hyperlink in the Reset Bender’s Password. This takes you to a password reset page.
Now, we need to find out what Bender’s email address is. Right-click and click Inspect(Q) or Press F12 on your keyboard to view the source code. Click on Deburger and { } main.js as shown below. Press ctrl f to enable search. We need to find out what Bender’s email address is. Type Bender in the search box and hit enter. Click on the up and down arrow in the search box to navigate through the source code. as shown below.
Next, we need to find out what the answer to Bender’s security question could be. To do this, we have to perform some Open Source Intelligence (OSINT) to learn more about Bender. Bender is from Futurama. Click here to read the Character Biography section. “Company you first work for as an adult?” is the security question. Bender Bio tells you that “Bender had a job at the metalworking factory, bending steel girders for the construction of suicide booths.”
Click here to read about “suicide booths.” This site says that their most important brand is Stop’n’Drop.
Type “Stop’n’Drop” as the answer to the security question. Set a new Password and confirm it. Click on the Change button to change the password.
We have successfully solved the challenge: Reset Bender’s password.
Sensitive Data Exposure – A3:2017
What is Sensitive Data Exposure?
This category refers to the vulnerabilities related to the exposure of sensitive data within web applications, posing significant risks to the confidentiality and privacy of user information. Sensitive data is any information that, if exposed or compromised, could lead to harm or damage to individuals or organizations. This includes personally identifiable information (PII) such as names, addresses, social security numbers, credit card numbers, health records, and other confidential data. Sensitive data exposure occurs when web applications fail to adequately protect this information, allowing unauthorized access or disclosure. This can happen due to various factors, including insecure storage, transmission, or processing of sensitive data within the application.
The following can lead to sensitive data exposure:
- Storing sensitive information in plaintext or using weak encryption makes it vulnerable to unauthorized access or interception.
- Failure to implement proper access controls or authentication mechanisms allows unauthorized users to access sensitive data through the application interface.
- Transmitting sensitive data over insecure channels without encryption, such as HTTP instead of HTTPS, allows attackers to eavesdrop on communications.
- Improperly configured databases, storage systems, or cloud services that expose sensitive data to unauthorized access or data breaches.
Access a confidential document (Sensitive Data Exposure Challenge)
Click About Us in the sidebar menu to visit the About Us page. Click on the link titled “Check out our boring terms of use if you are interested in such lame stuff” on the About Us page, as shown below.
This downloads a file to your system. Locate the file in your Downloads folder. This tells us the name of the file “legal.md”.
Now, Right-click and click Inspect(Q) or Press F12 on your keyboard to view the source code. Click on Deburger and { } main.js as shown below. Press ctrl f to enable search. Type “legal.md” in the search box and hit enter. Click on the up and down arrows in the search box to navigate through the source code. This shows us a path to the file.
Next, let’s browse the FTP path “http://127.0.0.1:42000//ftp/” to see what we can find. Click on acquisitions.md.
This downloads a file onto your system. Locate the file in your Downloads folder.
Open the “acquisitions.md” file as shown below.
Check your Score Board. We have successfully solved the challenge: Access a confidential document.
Cryptographic Failures
What is Cryptographic Failures?
Cryptographic failures refer to problems or mistakes associated with using encryption or other cryptographic methods to protect information such as Credit card information, social security numbers, and more. This error usually occurs due to the developers not following the best practices. Or when security is not implemented in the development process. Sometimes, there might be hidden ways to bypass the encryption altogether, either intentionally left by the developers for some reason or accidentally overlooked.
Weird Crypto (Cryptographic Failures Challenge)
Inform the shop about an algorithm or library it should not use the way it does. We have successfully solved the Weird Crypto challenge. As shown below
XML External Entities (XXE) – A4:2017
What is XML External Entities (XXE)?
XML External Entity attack (XXE) this type of attack is performed against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Broken Access Control – A05:2017
What is Broken access control?
Broken access control refers to vulnerabilities that allow attackers to bypass authorization mechanisms. And gain unauthorized access to sensitive data or privileged functionalities within web applications. To mitigate this risk, developers should implement proper access controls such as role-based access controls, enforce least privilege principles, and regularly test access control mechanisms.
Access the administration section of the store (Broken Access Control Challenge)
Let’s explore and exploit the Owasp Juice Shop’s broken Access Control vulnerabilities. Open Owasp Juice Shop with the IP address and port number obtained during the installation. As shown below, “http://127.0.0.1:42000/#/”
Right-click and click Inspect(Q) or Press F12 on your keyboard to view the source code. Click on Deburger and { } main.js as shown below. Press ctrl f to enable search. We need to find out if an administration path exists. Type admin in the search box and hit enter. Click on the up and down arrow in the search box to navigate through the source code.
We found an administration path. Let’s browse that path and see what we have access to. Hmmmm, it’s a valid path, but we were denied access, as shown below. Let’s keep searching through the source code using the up and down arrows in the search box to navigate through the source code and see if we can find the admin credentials.
We found the admin email address as shown below.
Now, change your search from admin to pass and use the up and down arrow in the search box to navigate through the source code. See if you can find the admin password in the source code.
Hint: You may need to try different passwords.
log in to an administrator’s account
Successfully logged in as an administrator. We have successfully solved the “log in to an administrator’s account” challenge. As shown below
Access the administration section of the store.
Now that we have figured out the admin credentials and are logged in as admin, let’s browse the administration path.
We have successfully solved the Access the administration section of the store challenge. As shown below
Get rid of all 5-star customer feedback challenge.
Delete all 5-star ratings from the Customers. We have successfully solved the Get rid of all 5-star customer feedback challenge. As shown below
Security Misconfiguration A06:2017
what is Security Misconfiguration?
Security Misconfiguration refers to vulnerabilities resulting from improper configuration or settings within web applications, servers, frameworks, or other components, leading to security weaknesses and potential exploitation by attackers. Security misconfiguration occurs when components of a web application or its environment are not properly configured to adhere to security best practices. This could include default settings, unnecessary services or features enabled, missing security patches, weak access controls, or improper permissions. Security misconfigurations can happen in web applications and their environments due to Default configurations, Weak access controls, Missing security patches, and more.
Bully Chatbot (Security Misconfiguration Challenge)
Bully Chatbot (Receive a coupon code from the support chatbot). To solve this challenge, log in as any user and Click Support Chat in the sidebar menu to visit the chatbot. Tell the chatbot your name, and you can start chatting with it. Ask the chatbot for a coupon, “Can I have a coupon code?” or “Please give me a discount!” and it will decline with some excuse.
Keep asking for discounts repeatedly until you finally receive a 10% coupon code for the month! As shown below
We have successfully solved the challenge: Bully Chatbot (Receive a coupon code from the support chatbot.)
Cross-Site Scripting (XSS) – A7:2017
refers to vulnerabilities arising from the improper handling of untrusted data in web applications, allowing attackers to inject and execute malicious scripts in the context of a victim’s browser.
What is Cross-Site Scripting (XSS)?
Cross-site scripting (XSS) is a type of security vulnerability that occurs when an attacker injects malicious scripts into web pages viewed by other users. These scripts are then executed within the context of the victim’s browser, allowing the attacker to steal sensitive information, hijack user sessions, deface websites, or launch further attacks. XSS attacks typically exploit web applications that dynamically generate web pages using untrusted data, such as user input, URL parameters, or data from external sources. Attackers can inject malicious scripts, usually in the form of HTML, JavaScript, or other client-side code, into vulnerable web pages. XSS vulnerabilities can have serious consequences for web applications and their users, including theft of sensitive information, Session hijacking, Defacement, and data manipulation.
Types of XSS:
Stored XSS: Also known as persistent XSS, occurs when the malicious script is permanently stored on the server and executed every time a user accesses the vulnerable page.
Reflected XSS: Involves the injection of malicious scripts that are reflected back to the user by the web application, often as part of a URL or input field. The script executes when the victim clicks on a crafted link or visits a specially crafted URL.
DOM-based XSS: Exploits vulnerabilities in client-side scripts that manipulate the Document Object Model (DOM) of a web page. The malicious script is executed directly within the victim’s browser without involving the server.
XSS vulnerability risk mitigation
To mitigate the risk of XSS vulnerabilities, web developers and organizations should
- Implement proper input validation and output encoding to sanitize user input and prevent the injection of malicious scripts.
- Utilize security mechanisms such as Content Security Policy (CSP) to mitigate the impact of XSS attacks by restricting the execution of scripts from unauthorized sources.
- Conduct regular security assessments, including vulnerability scanning and penetration testing, to identify and remediate XSS vulnerabilities in web applications.
Bonus Payload (DOM XSS challenge)
Copy and paste the payload below into the Owasp Juice Shop Search field and hit enter
<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>
We have successfully solved the challenge: Bonus Payload (DOM XSS challenge)
DOM XSS attack challenge
Copy and paste the payload below into the Owasp Juice Shop Search field and hit enter
<iframe src="javascript:alert(`xss`)">
We received an XSS alert
We have successfully solved the challenge: DOM XSS challenge
Insecure Deserialization – A8:2017
Insecure Deserialization refers to vulnerabilities related to the insecure handling of serialized data within web applications, which can lead to remote code execution, denial of service, or other security exploits. Insecure deserialization occurs when web applications deserialize untrusted or manipulated data without proper validation or security controls. Attackers can exploit insecure deserialization vulnerabilities to execute arbitrary code, manipulate data, or perform other malicious actions on the server side.
Serialized data is data that has been converted into a format suitable for storage or transmission.
Deserialization is the process of converting serialized data back into its original form, typically as objects or data structures within a programming language. Serialization and deserialization are commonly used for tasks such as network communication, data storage, and session management in web applications.
Insecure deserialization vulnerabilities can happen due to various things within web applications, including the following:
Lack of integrity checks: Deserialization routines may fail to perform integrity checks on serialized data, allowing attackers to tamper with serialized objects or inject malicious payloads.
Accepting serialized data from untrusted sources: Web applications may accept serialized data from user inputs, network communication, or other external sources without adequate validation.
Lack of integrity checks:
Execution of arbitrary code: Attackers may craft malicious serialized payloads containing code or instructions that, when deserialized, execute arbitrary commands or functions on the server side.
Insecure deserialization vulnerabilities can have severe consequences for web applications and their users, including:
Remote code execution: Attackers can execute arbitrary code on the server side, leading to full compromise of the application, unauthorized access to sensitive data, or further exploitation of the underlying system.
Denial of service: Exploiting insecure deserialization vulnerabilities can result in denial of service conditions, disrupting the availability and functionality of the affected web application.
Data manipulation: Manipulating serialized data can lead to unauthorized modification or corruption of application data, compromising data integrity and confidentiality.
To mitigate the risk of insecure deserialization vulnerabilities, organizations should implement the following:
Strict input validation and integrity checks on serialized data to ensure its authenticity and integrity before deserialization.
Use secure deserialization libraries and frameworks that provide built-in protections against common deserialization vulnerabilities.
Restrict the deserialization of untrusted data to trusted environments or components with minimal privileges to reduce the potential impact of exploitation.
Monitoring and logging deserialization activities to detect and respond to anomalous behavior or potential security incidents.
Using Components with Known Vulnerabilities – A9:2017
what is Using Components with Known Vulnerabilities?
Components with Known Vulnerabilities refers to using older or components with known vulnerabilities, such as libraries, frameworks, and plugins, exposing web applications to known security risks. Attackers often target outdated or vulnerable components to exploit known security flaws. To prevent such attacks, it is crucial to keep software and libraries up to date, monitor for security advisories, and use vulnerability management tools.
Solve the Kill the Chatbot Challenge
Click here to review the Juice shop chatbot juicy-chat-bot source code from the GitHub repository. Looking through the juicy-chat-bot “factory.js“
Notice line 34 shows us where the user messages are stored. You can see here that the user messages are stored in a VM context using the process function.
function process (query, token) {
if (users.get(token)) {
return model.process(trainingSet.lang, query)
} else {
return { action: 'unrecognized', body: 'user does not exist' }
}
}
Next, let’s review another part of the code. Let’s take a look at the juicy-chat-bot “index.js.” Take a look at line 31 of the code. The statement in line 31 of the code is vulnerable to Code injection. Read more here.
addUser (token, name) {
this.factory.run(`users.addUser("${token}", "${name}")`)
}
Now, we are ready to exploit the vulnerability found to solve the challenge. Support Chat in the sidebar menu to start chatting with the juicy-chat-bot. Copy and paste the code below and press enter.
Super"); process=null; users.addUser("1247", "User
The bot executes the value below. The process function value is set to null, the chatbot memory is dead and will not be able to process any user request. Whenever the bot tries to to respond to a user’s message will result in an error.
users.addUser("token", "Super");
process = null;
users.addUser("1247", "User")
We have successfully solved the challenge: Kill Chatbot, as shown below.
Finding the Score Board (Miscellaneous Challenge)
Let’s find the hidden Score Board. To do this, Right-click and click Inspect(Q) or Press F12 on your keyboard to view the source code. Click on Deburger and { } main.js as shown below. Press ctrl f to enable search. Type score in the search box and hit enter. Click on the up and down arrows in the search box to navigate through the source code.
You will find the Score Board path ‘/score-board-preview’ in the source code, as shown below.
Now, Browse to that path. http://127.0.0.1:42000/#/score-board-preview
http://127.0.0.1:42000/#/score-board-preview
We have successfully solved the challenge: Score Board ( find the carefully hidden ‘Score Board’ page.)
Insufficient Logging & Monitoring – A10:2017
What is Insufficient Logging & Monitoring?
Insufficient Logging & Monitoring refers to the vulnerabilities related to the lack of effective logging and monitoring mechanisms within web applications, making it difficult to detect and respond to security incidents.
Logging is the practice of recording events, activities, and interactions within a web application or its environment. This includes logging user actions, system events, error messages, security-related events, and other relevant information to log files or centralized logging systems.
Monitoring involves actively observing and analyzing the logged data to detect anomalies, security incidents, or suspicious activities within the web application or its infrastructure. Monitoring systems may include intrusion detection systems (IDS), security information and event management (SIEM) platforms, and custom monitoring solutions.
Insufficient Logging: Insufficient logging occurs when web applications fail to adequately log critical events or activities, such as failed login attempts, unauthorized access attempts, security exceptions, or changes to sensitive data. This lack of logging makes it challenging to identify security incidents, investigate breaches, or trace the activities of malicious actors.
Insufficient logging and monitoring vulnerabilities can manifest in various scenarios within web applications, including:
- Failure to log security-relevant events: Web applications may lack proper logging mechanisms to record security-relevant events, such as authentication failures, access control violations, or changes to user privileges.
- Incomplete or inconsistent logging: Logging may be incomplete, inconsistent, or poorly implemented, leading to gaps in the recorded data or inconsistencies in log formats, making it difficult to analyze and correlate events.
- Lack of real-time monitoring: Monitoring systems may not provide real-time alerts or notifications for suspicious activities or security incidents, delaying detection and response to potential threats.
Consequences of Insufficient logging and monitoring for web applications and their users.
- Delayed detection of security incidents: Without adequate logging and monitoring, security incidents may go undetected for extended periods, allowing attackers to persist within the environment and escalate their activities.
- Ineffective incident response: Insufficient logging makes it challenging to investigate security incidents, identify the root cause of breaches, and take appropriate remedial actions to mitigate the impact.
- Compliance violations: Organizations may fail to comply with regulatory requirements or industry standards that mandate the implementation of effective logging and monitoring controls to protect sensitive data and systems.
Insufficient logging and monitoring Mitigation
To mitigate the risk of insufficient logging and monitoring vulnerabilities, organizations should perform the following:
- Implement comprehensive logging mechanisms to record security-relevant events, including user authentication, access control, data modifications, and application errors.
- Configure real-time alerting and notification mechanisms to promptly detect and respond to security incidents or suspicious activities within the web application environment.
- Establish centralized logging systems to aggregate, store, and analyze log data from multiple sources, enabling efficient monitoring and analysis of security events.
- Regularly review and analyze log data to identify security trends, anomalies, or indicators of compromise, enabling proactive threat detection and incident response.