Web Exploit and Path
Objectives
In this project, you will gain hands-on experience (i) recognizing web vulnerabilities and (ii) modifying and creating web requests to exploit these vulnerabilities. A secondary objective of this project is to give you experience with ethical hacking and OWASP training resources.
Background
In this project you will be looking for vulnerabilities in a realistic website. You will also be learning how to address those vulnerabilities. These vulnerabilities will be from the following categories:
- Cross-site scripting (XSS)
- Reflected and stored
- Vulnerable web APIs
- SQL injection
The vulnerable website you will be attacking is provided by OWASP. OWASP (Open Worldwide Application Security Project) is an organization that aims to promote knowledge about web vulnerabilities and their mitigations. This website, the Juice Shop, is a teaching tool for gaining hands-on experience with a wide range of web vulnerabilities. In this project, you will only be completing a small fraction of the challenges available for this website; after this class it will remain an excellent resource for sharpening your web hacking skills.
Windows Users
You have three ways of doing this project:
- We recommend installing Kali Linux on a VM. Kali should have all the tools you will need to find and execute your attacks.
- You could instead use Ubuntu WSL2, though you will likely need to separately install some of the tools you may need.
- You can use PowerShell, but we don’t recommend it. If you run into issues doing it this way, you will be on your own.
WSL2 Docker setup
If you are going to use WSL2 and you did not install WSL2 before installing Docker Desktop, you will need to go through these steps before proceeding.
- Navigate to Settings.
- From the General tab, select Use WSL 2 based engine. If you have installed Docker Desktop on a system that supports WSL 2, this option is turned on by default.
- Select Apply & Restart.
Once you have finished the above steps, run the following commands in PowerShell to connect WSL2 to Docker Desktop.
Requirements
To start, visit the Juice Shop information website. You should read the preface and skim over Section 1. You will need to follow the instructions in Part 1: Running OWASP Juice Shop to get this project set up and running. Personally, I recommend that you run Juice Shop using Docker. This can be done with a single command:
Now you are ready to start the project. Your first task will be to find the scoreboard — see Part 2 of the website, Finding the Scoreboard. After that, you will complete the following challenges:
- DOM XSS
- Reflected XSS
- Forged Review
- Login Admin
- Admin Section
- Admin Registration
- API-Only XSS
For each of these challenges, you will exploit a vulnerability in the Juice Shop website. After exploiting the vulnerability, you will then be able to see the vulnerable source code and identify a patch for that code.
I recommend that you complete these challenges in order. They increase in difficulty as you go. Additionally, some of the later challenges will be much easier if you have completed the previous challenges.
As described in the writeup, you should treat the OWASP Juice Shop server as a black box (i.e., don’t look at its server code, whether running locally or on GitHub). You are free to look at any client-side scripts or resources sent to the browser, just as an adversary would. Do not look for solutions online, as this is considered cheating.
Identifying Vulnerabilities
As you do not have access to the server’s source code, you will need to poke around the website to find vulnerabilities. The website, in Part 1: Walking the "happy path", has suggestions for parts of the website you might explore to identify vulnerabilities. It is also worth looking at the main.js file. I recommend that you make liberal use of your browser’s developer tools, particularly the network tab. The scoreboard may also have hints at where you can start looking for issues.
Exploiting the Vulnerability
Next, you will need to identify how you will craft an exploit from the identified vulnerability. Leverage what you learned in class. You are also allowed to search the web for information about how to exploit web vulnerabilities. As long as you don’t look up a walkthrough for the problem, you are not breaking the rules. If you get stuck, you can also see if the scoreboard provides a tutorial. If so, using it is also not considered cheating.
Explaining how to patch the vulnerability
For each of the vulnerabilities, you will need to identify how you would patch the vulnerability. Use plain English. Be detailed! You need to be sure there is enough detail that someone could follow your directions to fix the flaw.
Patching the vulnerability (extra credit)
All but one of the challenges also have a coding challenge attached to the main challenge. The coding challenge becomes available after completing the main challenge, and is found by clicking the farthest right button on the challenge’s row on the scoreboard.
For extra credit, complete the coding challenge, then copy the correct patch code into your submission.
Hints
- Start by getting familiarized with the application. Create a user account and maybe make an order or two.
- If you need to enter information, such as a credit card number or an address, remember that Juice Shop only has very basic data validation. As long as the data looks right, that is good enough. No need to use real values.
- A good place to start looking is in main.js.
- API-Only XSS
- What is a bearer token?
- How are HTTP methods used by default for a REST API?
Writeup
I have provided a submission.md file that you will use to write up your results. This is the file you will submit and be graded on.
For each problem, this file has a place for you to list the following information:
- The steps necessary to execute the exploit.
- An explanation of what the vulnerability was.
- An explanation of how you would patch the vulnerability.
- (Extra Credit) Your patch from the coding challenge.
Recommended Resources
I recommend choosing one of the following ways to find and exploit vulnerabilities:
- Using Burp Suite is the easiest way to do it. This program will let you see and modify traffic between the browser and the server.
- Using the browser’s developer console, if you prefer to learn the details of the developer console instead of relying on a separate tool. An example of how to do so can be seen in this Stack Overflow thread.
These tools are also available as an alternative to Burp Suite:
In this project, you are also free to search the web for additional details about the attacks you will need to conduct. Don’t search for solutions, but you are otherwise free to use online resources. This is how real hacking works and is an important skill to build. Some websites that might be helpful include:
- Cross-site scripting
- SQL injection
- REST APIs
- React. This is the technology used to build Juice Shop. Don’t feel the need to read all of this, but it could be a helpful resource to search for specific questions.
We are also providing pentesting.pdf that you may find useful.
Grading Rubric
For most problems, you can receive 30 points:
- 10 points for listing the steps needed to execute your exploit
- 10 points for explaining what the vulnerability is
- 10 points for explaining how to patch the vulnerability (in a general sense)
- Plus 10 points extra credit for a patch
Several problems slightly deviate from this grading rubric:
- You will not receive any points for finding the scoreboard. However, you will lose 20 points if you do not describe how you found it.
- The API-Only XSS challenge is worth double points (60 points). This challenge incorporates what you have learned from the previous steps and is significantly harder.
In total, 240 points are available for this project, plus 60 points extra credit for patches.
Submission
Submit your submission.md file on Canvas.