BYU Computer Science
CS 465 Introduction to Security and Privacy

Web Exploit and Patch

Objectives

In this project, you will gain hands-on experience (i) recognizing cross-site scripting attacks, (ii) modifying and creating web requests to attack backend web APIs, and (iii) conducting basic SQL injection attacks. You will also practice identifying and patching vulnerabilities in web source code.

A secondary objective of this project is to give you experience with ethical hacking and OWASP training resources. Also, you will gain experience using the developer tools built into your browser, an important skill for web development.

Background

In this project you will be looking for vulnerabilities in a realistic website. You will also be learning how to address those vulnerabilities. These vulnerabilities will be from the following categories:

  • Cross-site scripting (XSS)
    • Reflected and stored
  • Vulnerable web APIs
  • SQL injection

The vulnerable website you will be attacking is provided by OWASP. OWASP (Open Worldwide Application Security Project) is an organization that promotes knowledge about web vulnerabilities and their mitigations. Its website, the Juice Shop, is a teaching tool for gaining hands-on experience with a wide range of web vulnerabilities. In this project you will complete only a small fraction of the challenges available, and after this class it will remain an excellent resource for sharpening your web hacking skills.
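The following is an added illustration of the first and third vulnerability categories above; it is example code written for this page, not code from Juice Shop or from the course handout. The search renderer, the login query builder and the table and column names are hypothetical, and the inputs are constructed. Each bug is shown as a vulnerable function beside its hardened form, which is the same shape your "how would you patch it" answers should take.

```javascript
// Added example (not course or Juice Shop code): reflected/stored XSS and
// SQL injection, each as a vulnerable function beside its hardened form.
// Function names, table/column names and inputs are hypothetical.

// --- Cross-site scripting ------------------------------------------------
// Vulnerable: the query parameter is pasted straight into the HTML response,
// so a link like /search?q=<script>...</script> executes in the victim's
// browser (reflected XSS). A stored XSS has the same sink; the attacker
// string simply arrives from the database (e.g. a saved review) instead of
// the URL, so the same output encoding fixes both.
function renderSearchVulnerable(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: encode the five HTML metacharacters before the value reaches an
// HTML context. Encoding belongs at the output sink, not at input time.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// --- SQL injection -------------------------------------------------------
// Vulnerable: string concatenation lets a quote in the input change the
// statement itself. With username "admin'--" the password check becomes a
// SQL comment and never runs.
function loginQueryVulnerable(username, password) {
  return `SELECT * FROM accounts WHERE username = '${username}' AND password = '${password}'`;
}

// Hardened: the SQL text is fixed and the values travel separately. The
// object mirrors what a driver's query(text, params) call takes; the
// parameters are bound as data and can never become part of the statement.
function loginQuerySafe(username, password) {
  return {
    text: 'SELECT * FROM accounts WHERE username = ? AND password = ?',
    params: [username, password],
  };
}

// Demo on constructed attacker inputs.
const xssPayload = '<img src=x onerror=alert(1)>';
console.log(renderSearchVulnerable(xssPayload)); // markup passes through
console.log(renderSearchSafe(xssPayload));       // markup is inert text
console.log(loginQueryVulnerable("admin'--", 'anything'));
console.log(loginQuerySafe("admin'--", 'anything'));
```

Note that the hardened search still returns the attacker's text; it just cannot be interpreted as markup. Likewise the parameterized login still receives `admin'--`, but as a literal username that matches nobody.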

Windows Users

You have three ways of doing this project:

  • We recommend installing Kali Linux on a VM. Kali should have all the tools you will need to find and execute your attacks.

  • You could instead use Ubuntu WSL2, though you will likely need to separately install some of the tools you may need.

  • You can use Powershell, but we don’t recommend it. If you run into issues doing it this way, you will be on your own.

WSL2 Docker setup

If you are going to use WSL2 and you did not install WSL2 before installing Docker Desktop, you will need to go through these steps before proceeding.

  1. Navigate to Settings.

  2. From the General tab, select Use WSL 2 based engine. If you have installed Docker Desktop on a system that supports WSL 2, this option is turned on by default.

  3. Select Apply & Restart.

Once you have finished the above steps, run the following commands in Powershell to connect WSL2 to Docker Desktop. Replace <distro name> with the name shown by the first command (for example, Ubuntu).

Terminal window
# Lists the installed distros and the WSL version each one uses
wsl.exe -l -v
# Converts the distro to WSL 2
wsl.exe --set-version <distro name> 2
# Makes WSL 2 the default for any distro installed later
wsl.exe --set-default-version 2
# Makes this distro the default; Docker Desktop's WSL integration targets the default distro
wsl --set-default <distro name>

Requirements

To start, visit the Juice Shop information website. You should read the preface and skim over Section 1. You will need to follow the instructions in Running OWASP Juice Shop to get this project set up and running. I recommend running Juice Shop with Docker, which takes a single command:

Terminal window
docker run --rm -p 3000:3000 -e NODE_ENV=unsafe bkimminich/juice-shop

NODE_ENV=unsafe turns on the challenges that the Docker image disables by default. Since this is a deliberately vulnerable server, bind it to loopback only (-p 127.0.0.1:3000:3000 instead of -p 3000:3000) if you are on a shared network, and stop the container when you are done.

Next, download and unzip the handout. It contains the submission.md file you will submit as well as a README.md file that has some hints for completing this project.

After you have downloaded these files, you are ready to start the project. Your first task will be to find the scoreboard — see Part 2 of the website, Finding the Scoreboard. After that, you will complete the following challenges:

  1. DOM XSS
  2. Reflected XSS
  3. Forged Review
  4. Login Admin
  5. Admin Section
  6. Admin Registration
  7. API-Only XSS

For each of these challenges, you will exploit a vulnerability in the Juice Shop website. After exploiting the vulnerability, you will be able to see the vulnerable source code and identify a patch for it.

I recommend that you complete these challenges in order. They increase in difficulty as you go. Additionally, some of the later challenges will be much easier if you have completed the previous challenges.

As described in the writeup, you should treat the OWASP Juice Shop server as a black box (i.e., don’t look at its server code, whether running locally or on GitHub). You are free to look at any client-side scripts or resources sent to the browser, just as an adversary would. Do not look for solutions online, as this is considered cheating.

Identifying Vulnerabilities

As you do not have access to the server’s source code, you will need to poke around the website to find vulnerabilities. The website, in Part 1: Walking the "happy path", has suggestions for parts of the website you might explore to identify vulnerabilities. It is also worth looking at the main.js file, the bundled client-side code, which names the API routes and pages the application knows about, including ones the user interface never links to. I recommend that you make liberal use of your browser’s developer tools, particularly the network tab. The scoreboard may also have hints at where you can start looking for issues.
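As an added example of what "looking at main.js" means in practice (this is example code for this page, not part of the course handout or Juice Shop), the script below pulls candidate API paths and client-side routes out of bundle text. The bundle excerpt is constructed for the demo and contains no real application routes; the `/api/`, `/rest/` and `#/` prefixes it looks for are an assumption about how a single-page app names its endpoints, so widen the patterns to match what you actually see in the network tab.

```javascript
// Added example, not course or Juice Shop code. Scans a bundled client
// script for string literals that look like backend API paths or SPA routes.
// Prefixes and the sample bundle are assumptions/constructed for the demo.

// Quoted literals of the form "/api/...", "/rest/..." or "#/...".
const PATH_LITERAL = /["'`](\/(?:api|rest)\/[A-Za-z0-9_\-\/{}:.]*|#\/[A-Za-z0-9_\-\/]*)["'`]/g;

// Unique paths, sorted so two builds can be diffed.
function findClientPaths(bundleText) {
  const found = new Set();
  for (const m of bundleText.matchAll(PATH_LITERAL)) found.add(m[1]);
  return [...found].sort();
}

// Minified HTTP-client calls usually keep the verb next to the path,
// e.g. this.http.put("/api/thing", ...). Recovering the verb tells you
// which endpoints accept writes, which is where to look for missing checks.
function findCallsWithMethod(bundleText) {
  const CALL = /\.(get|post|put|delete|patch)\(\s*["'`](\/(?:api|rest)\/[^"'`]*)["'`]/g;
  const calls = [];
  for (const m of bundleText.matchAll(CALL)) {
    calls.push({ method: m[1].toUpperCase(), path: m[2] });
  }
  return calls;
}

// Constructed stand-in for a minified bundle (not real application code).
const SAMPLE_BUNDLE = `
this.http.get("/api/Widgets"),this.http.put("/api/Widgets/"+e.id,{name:t}),
r.navigate(["#/hidden-panel"]);this.http.post("/rest/account/login",{u:n,p:o});
this.http.get("/api/Widgets"),"/rest/account/whoami"`;

console.log(findClientPaths(SAMPLE_BUNDLE));
console.log(findCallsWithMethod(SAMPLE_BUNDLE));
```

Run it against the real bundle by saving main.js from the network tab and reading it with `fs.readFileSync`; a route that appears in the bundle but nowhere in the visible UI is a natural first thing to try in the address bar.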

Exploiting the Vulnerability

Next, you will need to identify how you will craft an exploit from the identified vulnerability. Leverage what you learned in class. You are also allowed to search the web for information about how to exploit web vulnerabilities. As long as you don’t look up a walkthrough for the problem, you are not breaking the rules. If you get stuck, you can also see if the scoreboard provides a tutorial. If so, this is also not considered cheating.

Patching the vulnerability

For each of the vulnerabilities, you will need to identify how you would patch the vulnerability. The Juice Shop scoreboard will help you do so, as all but one challenge has a coding challenge attached to the main challenge. The coding challenge becomes available after completing the main challenge and is found by clicking the farthest-right button on the challenge’s row of the scoreboard. After completing the coding challenge, copy the correct patch code into submission.md.

Writeup

I have provided a submission.md file that you will use to writeup your results. This is the file you will submit and be graded on.

For each problem, this file has a place for you to list the following information:

  1. A list of the steps necessary to execute the exploit.
  2. An explanation of what the vulnerability was.
  3. An explanation of how you would patch the vulnerability.
  4. The patch from the coding challenge.

I recommend choosing one of the following ways to find and exploit vulnerabilities:

  • Using Burp Suite is the easiest way to do it. This program will let you see and modify traffic between the browser and the server.
  • Using the browser’s developer console, if you prefer to learn the details of the developer console instead of relying on a separate tool. An example of how to do so can be seen in this Stack Overflow thread.
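For the developer-console route, the following added example (written for this page, not taken from the course handout, the linked thread or Juice Shop) shows the manual equivalent of editing a request in Burp's Repeater: take a request the app already made, as the network tab's "Copy as fetch" gives it to you, change fields in its JSON body or its HTTP method, and resend it with the same session headers. The captured request, its URL, fields and token are constructed; the endpoint is hypothetical.

```javascript
// Added example, not course or Juice Shop code. Replays a captured JSON
// request from the browser console with modified fields. The captured
// request below is constructed; URL, fields and token are hypothetical.

// A request as the network tab shows it (constructed sample).
const captured = {
  url: 'http://localhost:3000/api/Things',
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    Authorization: 'Bearer eyJ-example-token',
  },
  body: JSON.stringify({ name: 'Widget', price: 10 }),
};

// Builds fetch() arguments for a replay: same URL, method and headers (so
// the session token still rides along), with chosen JSON fields overridden
// or added. Fields the UI never sends are exactly what the backend must
// validate on its own, and often does not.
function tamperJsonRequest(req, overrides, { method } = {}) {
  const body = { ...JSON.parse(req.body), ...overrides };
  return [
    req.url,
    {
      method: method || req.method,
      headers: { ...req.headers },
      body: JSON.stringify(body),
      credentials: 'omit', // token-based API assumed; switch to 'include' for cookie sessions
    },
  ];
}

// Sends the replay and returns status plus parsed body, so an untouched
// replay and a tampered one can be compared side by side in the console.
async function replay(req, overrides = {}, opts = {}) {
  const [url, init] = tamperJsonRequest(req, overrides, opts);
  const res = await fetch(url, init);
  const text = await res.text();
  let json = null;
  try { json = JSON.parse(text); } catch (_) { /* not JSON */ }
  return { status: res.status, body: json ?? text };
}

// Console usage (needs the target running, so not executed here):
// replay(captured).then(console.log);                       // baseline
// replay(captured, { price: -1 }).then(console.log);        // tampered field
// replay(captured, { name: 'Renamed' }, { method: 'PUT' }).then(console.log);
```

Always send the untouched replay first: if the baseline already fails (expired token, CSRF header the copy omitted), a rejected tampered request tells you nothing about the server's validation.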

These tools are also available as an alternative to Burp Suite:

In this project, you are also free to search the web for additional details about the attacks you will need to conduct. Don’t search for solutions, but you are otherwise free to use online resources. This is how real hacking works and is an important skill to build. Some websites that might be helpful include,

We have also included a pentesting.pdf in the handout that you may find useful.

Grading Rubric

For most problems, you can receive 40 points:

  • 15 points for listing the steps needed to execute your exploit
  • 10 points for explaining what the vulnerability is
  • 10 points for explaining how to patch the vulnerability (in a general sense)
  • 5 points for correctly copying the patch from the coding challenge

Several problems slightly deviate from this grading rubric:

  • You will not receive any points for finding the scoreboard. However, you will lose 20 points if you do not describe how you found it.
  • The Reflected XSS problem does not have a coding challenge. You will receive those five points for correctly describing how to patch the vulnerability (in a general sense).
  • The API-Only XSS problem is worth double points (80 points). This challenge incorporates what you have learned from the previous steps and is significantly harder.

In total, 320 points are available for this project.

Handout

Handout file

Submission

Submit your submission.md file on Canvas.