Institute of Coding Skills Workshop

Cyber Security - Week 2: Web Application Security


The purpose of this task is to introduce you to a practical cyber security exercise. Often, organisations may ask for a “vulnerability assessment”, or a “penetration test” of their systems. A vulnerability assessment is a systematic approach to examining core assets and measuring whether they pose a threat to the organisation against a set of criteria. A penetration test is where an “attacker” will attempt to gain access to a system, and they will document their process for achieving this.

We will work through the OWASP Juice Shop example using the TryHackMe platform. OWASP (Open Web Application Security Project) publish their Top 10 Web vulnerabilities, and this exercise is designed to showcase these using a known vulnerable example. These vulnerabilities are all too commonly found in real-world web applications, and so these methods are highly relevant. In particular, we will focus on Injection, Broken Authentication, Sensitive Data Exposure, Broken Access Control and Cross-Site Scripting (XSS). More detail on the OWASP Top Ten is available on their webpage: https://owasp.org/www-project-top-ten/

Task

  1. To begin, please go to http://www.tryhackme.com and sign up for an account.
  2. Go to the room: https://tryhackme.com/room/owaspjuiceshop
  3. Click “Start AttackBox” to launch the web-based virtual machine that we will use.
  4. Click “Start Machine” to launch the vulnerable machine that we will attempt to access.
  5. In the AttackBox, launch Firefox and go to the IP address provided by TryHackMe. You should then see the OWASP Juice Shop home page.

Guide

Stage 1

  • Perform initial reconnaissance on the webpage to see if there is any information that may prove useful. Product reviews include email addresses – can you find the administrator’s email address? admin@juice-sh.op
  • Try using the search function. Do you notice anything about the resulting URL? What parameter in the URL is used to denote the search? q
  • Jim reviewed the Green Smoothie – but what TV show does his review make reference to? Star Trek

Stage 2: Injection

  • Launch Burp Suite and set this up as a proxy if you haven’t done so already. Intercept traffic from your browser to examine the requests sent and received.
  • Try and log into the administrator account. You may start by trying any random username and password (e.g., ‘user’ and ‘pass’). You should see the intercepted request in Burp Suite as {"email":"user","password":"pass"}. You can modify the content of this to read as follows: {"email":"' or 1=1--","password":"pass"}.
  • This should give us the flag: 32a5e0f21372bcc1000a6088b93b458e41f0e02a
  • What if we wish to log into a particular user account? We can do a similar attack, but this time include the known valid email: {“email”:”bender@juice-sh.op’--”,”password”:”pass”}.
  • This should give us the flag: fb364762a3c102b2db932069c0e6b78e738d4066
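As an added example (it is not the workshop’s or Juice Shop’s own code), the following Python models why the modified login bodies above succeed: a login query built by string concatenation beside the same check with bound parameters. The Users table, the password values and the use of unsalted MD5 hashing are assumptions for the illustration; only the two email addresses come from the page.

```python
import hashlib
import sqlite3


def md5(pw):
    # Assumption for this example: passwords are stored as unsalted MD5 hex digests.
    return hashlib.md5(pw.encode()).hexdigest()


def make_db():
    """Constructed in-memory stand-in for the Juice Shop Users table. The two
    addresses are the ones quoted in the workshop; the passwords are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    for email, pw in [("admin@juice-sh.op", "admin-pw-placeholder"),
                      ("bender@juice-sh.op", "bender-pw-placeholder")]:
        db.execute("INSERT INTO Users (email, password) VALUES (?, ?)", (email, md5(pw)))
    return db


def login_vulnerable(db, email, password):
    # The email from the JSON body is spliced straight into the SQL text. Only the
    # password goes through the hash, which is why the injection lives in "email":
    # a quote ends the string literal and "--" comments out the password check.
    sql = ("SELECT email FROM Users WHERE email = '" + email +
           "' AND password = '" + md5(password) + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, email, password):
    # Bound parameters: the driver never interprets the values as SQL, so the
    # quote and the comment marker are just characters inside a string.
    row = db.execute("SELECT email FROM Users WHERE email = ? AND password = ?",
                     (email, md5(password))).fetchone()
    return row[0] if row else None
```

With the vulnerable version the first payload returns the first row of the table (the administrator) and the second returns whichever account is named before the comment marker; the parameterised version rejects both.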

Stage 3: Broken Authentication

  • Whilst we can access the administrator account as above using SQL injection, we do not yet know the password for this. Let’s use a brute force attack in Burp Suite. Attempt a login again as above using the known admin email, and right-click this in Burp to “Send to Intruder”.
  • Where we see the payload, first “Clear §” and then place two § symbols in the password quotes: {"email":"admin@juice-sh.op'--","password":"§§"}.
  • For the payload, we use the password list best1050.txt (install via apt-get install seclists), or find this in /usr/share/seclists/Passwords/Common-Credentials/best1050.txt.
  • Run the attack, and examine the response status code – 401 Unauthorized shows a failed attempt, whilst a successful attempt returns 200 OK.
  • This should give us the flag: c2110d06dc6f81c67cd8099ff0ba601241f1ac0e
  • Can we reset Jim’s password? We found before he likes Star Trek, and his security question is “Your eldest siblings middle name”. Dig around on Google and you’ll find George Samuel Kirk.
  • This should give us the flag: 094fbc9b48e525150ba97d05b942bbf114987257
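From the defender’s side, the Intruder run above leaves an obvious trace: a burst of 401s on the login endpoint from one address, followed by a 200. As an added example (not code from the workshop or from Juice Shop), this Python flags that pattern in a constructed access-log excerpt. The log format is made up, and the endpoint path /rest/user/login is Juice Shop’s login API, which the page itself does not name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log excerpt (not real Juice Shop output): what a server log
# might look like while Burp Intruder replays a password list against the login
# endpoint. 10.0.0.5 is the attack box, 10.0.0.9 a user who mistyped once.
SAMPLE_LOG = """\
10.0.0.5 - [12/Mar/2021:10:00:01] "POST /rest/user/login HTTP/1.1" 401
10.0.0.5 - [12/Mar/2021:10:00:01] "POST /rest/user/login HTTP/1.1" 401
10.0.0.5 - [12/Mar/2021:10:00:02] "POST /rest/user/login HTTP/1.1" 401
10.0.0.5 - [12/Mar/2021:10:00:02] "POST /rest/user/login HTTP/1.1" 401
10.0.0.5 - [12/Mar/2021:10:00:03] "POST /rest/user/login HTTP/1.1" 401
10.0.0.5 - [12/Mar/2021:10:00:03] "POST /rest/user/login HTTP/1.1" 401
10.0.0.5 - [12/Mar/2021:10:00:04] "POST /rest/user/login HTTP/1.1" 200
10.0.0.9 - [12/Mar/2021:10:00:10] "POST /rest/user/login HTTP/1.1" 401
10.0.0.9 - [12/Mar/2021:10:00:25] "POST /rest/user/login HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) - \[([^\]]+)\] "POST /rest/user/login HTTP/1\.1" (\d{3})$')


def detect_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs that produce `threshold` or more 401s on the login endpoint
    inside `window`, and note whether a 200 followed while the burst was still
    inside the window (a guessed password that worked)."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent 401s
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # not a login attempt, ignore
        ip, status = m.group(1), m.group(3)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        q = recent_failures[ip]
        while q and ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if status == "401":
            q.append(ts)
            if len(q) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_after_burst": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif status == "200" and ip in alerts and len(q) >= threshold:
            alerts[ip]["success_after_burst"] = True
    return alerts
```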

Stage 4: Sensitive Data Exposure

  • Can you access a confidential document on the server?
  • On the About Us page, hover over “Check out our terms of use” and you’ll find a link to legal.md on an FTP share. This share is actually exposed to the public.
  • Download the acquisitions.md file, and then navigate home to obtain the flag.
  • This should give us the flag: edf9281222395a1c5fee9b89e32175f1ccf50c5b
  • In the video at https://youtu.be/v59CX2DiX0Y we can find out details about mc.safesearch@juice-sh.op – he says his password is “Mr. Noodles”, but he has replaced some “vowels into zeros”. This gives us “Mr. N00dles”.
  • This should give us the flag: 66bdcffad9e698fd534003fbb3cc7e2b7b55d7f0
  • Can we download the backup file? Try to download package.json.bak from the FTP directory. However, we get a 403 error saying “only .md and .pdf files are allowed”. We can use a poison null byte %00 to get around this. It is a NULL terminator, meaning that anything after it is ignored – and that is enough to bypass the file extension check: package.json.bak%2500.md (the % of %00 is itself URL-encoded as %25, so the server decodes %2500 to %00 and then sees the .md suffix it expects, while the file that is actually read is package.json.bak).
  • This should give us the flag: bfc1e6b4a16579e85e06fee4c36ff8c02fb13795
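As an added example (not the workshop’s or Juice Shop’s own code), the following Python models the download check the page describes and a hardened version of it. The vulnerable function assumes the framework URL-decodes the name once, checks the suffix on that string, and then cuts the name at the null byte before opening the file; the safe function checks the allow-list on exactly the name that will be opened.

```python
import os
from urllib.parse import unquote

ALLOWED = (".md", ".pdf")   # the only extensions the FTP listing is meant to serve


def serve_vulnerable(raw_name):
    """Modelled on the behaviour described in the workshop (an assumption about the
    server, not its real code): one URL decode, a suffix check on the decoded
    string, then the name is cut at the poison null byte before the file is read.
    Returns the file name that would be opened, or None for a 403."""
    name = unquote(raw_name)                # %2500 -> %00 (one decode by the framework)
    if not name.endswith(ALLOWED):
        return None                         # "only .md and .pdf files are allowed"
    return name.split("%00", 1)[0]          # everything after the null byte is ignored


def serve_safe(raw_name):
    """Decode, then reject control characters and any leftover percent-encoding,
    reduce to a basename, and apply the allow-list to the exact name that will
    be opened. Returns the file name to open, or None for a 403."""
    name = unquote(raw_name)
    if "%" in name or any(ord(c) < 32 for c in name):
        return None                         # double-encoding or a raw NUL byte
    name = os.path.basename(name)           # also defeats ../ traversal
    if not name.endswith(ALLOWED):
        return None
    return name
```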

Stage 5: Administration

  • Use the web inspector to search for the term “admin”. We may find this in the main-es2015.js file. There’s a path called “administrator”. We will want to be logged in as administrator to access this.
  • This should give us the flag: 946a799363226a24822008503f5d1324536629a0
  • Can you view another user’s basket as administrator? Click “Your basket” as admin and capture this in Burp Suite. You may see GET /rest/basket/1 – what happens if we change this number?
  • This should give us the flag: 41b997a36cc33fbe4f0ba018474e19ae5ce52121
  • As administrator – can you remove all the 5 star reviews using the admin panel?
  • This should give us the flag: 50c97bcce0b895e446d61c83a21df371ac2266ef

Stage 6: Cross Site Scripting

  • DOM XSS (Document Object Model-based Cross-site Scripting) – what happens if we enter JavaScript in our search bar? Try the command: <iframe src="javascript:alert(xss)">
  • This should give us the flag: 9aaf4bbea5c30d00a1f5bbcfce4db6d4b0efe0bf
  • Persistent XSS needs to be logged somewhere – last IP address is logged in the admin account. Use Burp to intercept the new IP when we log out. We can then replace True-Client-IP with the above command again. When we sign back in as admin, the popup appears – showing that the attack is persistent.
  • This should give us the flag: 149aa8ce13d7a4a8a931472308e269c94dc5f156
  • Reflected XSS occurs via the URL – in the admin account find the truck icon to track orders. Where track-result?id= appears in the URL, replace the order number with our command above. Refresh the page and the server reflects the payload into the response, where the browser executes it.
  • This should give us the flag: 23cefee1527bde039295b2616eeb29e1edc660a0
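The persistent case above works because a client-supplied header is stored and later written into the admin page as raw HTML. As an added example (not code from the workshop or from Juice Shop), this Python shows the two controls that each break it independently: validating the header as an IP literal on the way in, and HTML-encoding the value on the way out. How Juice Shop itself reads the header is not shown on the page, so the intake functions are assumptions for the illustration.

```python
import html
import ipaddress

XSS_PAYLOAD = '<iframe src="javascript:alert(xss)">'   # the command used in the workshop


def record_last_login_ip_vulnerable(headers, remote_addr):
    # Trusts the client-controlled header at face value, as the workshop describes.
    return headers.get("True-Client-IP", remote_addr)


def record_last_login_ip_safe(headers, remote_addr):
    # Accept the header only if it parses as an IP address; otherwise fall back
    # to the address the connection actually came from.
    candidate = headers.get("True-Client-IP", remote_addr)
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr


def render_admin_row_vulnerable(last_ip):
    # Interpolated as raw HTML: the stored value becomes part of the admin page's DOM.
    return "<td>" + last_ip + "</td>"


def render_admin_row_safe(last_ip):
    # Output encoding: < > & and quotes become entities, so the browser shows
    # text rather than interpreting markup, whatever was stored.
    return "<td>" + html.escape(last_ip) + "</td>"
```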

Stage 7: Keep going

  • Access the score-board section of the Juice Shop to see your progress and for more challenges.
  • This should give us the flag: 7efd3174f9dd5baa03a7882027f2824d2f72d86e

Thanks to Cake (TryHackMe Member) for hosting the OWASP Juice Shop example room.

Version: 1.0
Author: Phil Legg
E-mail: Phil.Legg@uwe.ac.uk