OWASP Juice Shop v9.3.1 - 1 Star Solutions
Access a confidential document.
Also, downloaded incident-support.kdbx for cracking.
$ keepass2john incident-support.kdbx | cut -d ":" -f 2 > keepass.hash
Perform a DOM XSS attack with
Run alert in search field.
Provoke an error that is not very gracefully handled.
Try to access a non-existent file in the ftp server like:
Retrieve the photo of Bjoern’s cat in “melee combat-mode”.
One image isn’t loading, so inspect it with dev tools. There is a failed request in the Network tab:
The # characters are reserved in a URL (they introduce the fragment/anchor and are never sent to the server), so replace them with the URL encoding %23.
Let us redirect you to one of our crypto currency addresses which are not promoted any longer.
In “Your Basket” during checkout, we see the “Other payment options” for donations. Since bitcoins are most likely for donations, we inspect the donation and merchandise options still available. Several of them use the format:
Searching through the HTML there doesn’t appear to be any buttons commented out. However, in main-es2015.js, there are several redirects (thanks Ctrl-F) which we can view at
http://localhost:3000/main-es2015.js. I first searched for bitcoin which had a lot of results; then I checked “redirect?to” in the file.
Follow any link, but to get the challenge to register as solved you need to redirect through the site like so:
Perform a reflected XSS attack with
Submit the iframe to the Track Orders field.
Follow the DRY principle while registering a user.
While registering a user, once the Password and Repeat Password fields match, change the initial password and register the account.
Find the carefully hidden ‘Score Board’ page.
Give a devastating zero-star feedback to the store.
Delete disabled field on Submit button.
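The zero-star feedback, DRY password and redirect challenges above all work because the only check lives in the browser (a disabled button, a field comparison, a loose allowlist). As an added example, not Juice Shop's own code, here are server-side checks in the style of its Node.js back end that close those three gaps; the field names and allowlist entries are assumptions.

```javascript
// Added example: server-side validation that does not rely on the client.
// Assumption: request bodies/query strings are already parsed into plain objects.

// Constructed allowlist of exact redirect targets (origin + path), not substrings.
const ALLOWED_REDIRECTS = [
  'https://example.org/donate',
  'https://example.org/merchandise',
];

// Zero-star feedback: the client disables the Submit button, but the server
// must still enforce the 1..5 range itself.
function validateFeedback(body) {
  const errors = [];
  const rating = Number(body && body.rating);           // "0", null, "" -> 0, rejected
  if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
    errors.push('rating must be an integer between 1 and 5');
  }
  const comment = body && typeof body.comment === 'string' ? body.comment : '';
  if (comment.length === 0 || comment.length > 160) {
    errors.push('comment must be 1-160 characters');
  }
  return { ok: errors.length === 0, errors };
}

// DRY: the password/repeat comparison must be repeated on the server, because the
// client-side check is only a usability aid.
function validateRegistration(body) {
  const errors = [];
  const { email = '', password = '', passwordRepeat = '' } = body || {};
  if (!/^[^@\s]+@[^@\s]+$/.test(email)) errors.push('invalid email');
  if (typeof password !== 'string' || password.length < 8) errors.push('password too short');
  if (password !== passwordRepeat) errors.push('passwords do not match');
  return { ok: errors.length === 0, errors };
}

// Redirect allowlist: parse the target and compare the normalised origin + path
// exactly, so a target that merely *contains* an allowed URL is refused.
function isRedirectAllowed(target) {
  let url;
  try {
    url = new URL(String(target));
  } catch (e) {
    return false;                                         // not an absolute URL
  }
  return ALLOWED_REDIRECTS.includes(url.origin + url.pathname);
}

module.exports = { validateFeedback, validateRegistration, isRedirectAllowed };
```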