Part II - Challenge hunting
This part of the book can be read from end to end as a hacking guide. Used in that way you will be walked through various types of web vulnerabilities and learn how to exploit their occurrences in the Juice Shop application. Alternatively you can start hacking the Juice Shop on your own and use this part simply as a reference and source of hints in case you get stuck at a particular challenge.
In case you want to look up hints for a particular challenge, the following tables lists all challenges of the OWASP Juice Shop grouped by their difficulty and in the same order as they appear on the Score Board.
The challenge hints found in this release of the companion guide are compatible with v15.0.0 of OWASP Juice Shop.
| Name | Description | Hints | Solution |
|---|---|---|---|
| API-only XSS | Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> without using the frontend application at all. |
💡 | 📕 |
| Access Log | Gain access to any access log file of the server. | 💡 | 📕 |
| Admin Registration | Register as a user with administrator privileges. | 💡 | 📕 |
| Admin Section | Access the administration section of the store. | 💡 | 📕 |
| Allowlist Bypass | Enforce a redirect to a page you are not supposed to redirect to. | 💡 | 📕 |
| Arbitrary File Write | Overwrite the Legal Information file. | 💡 | 📕 |
| Bjoern's Favorite Pet | Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the truthful answer to his security question. | 💡 | 📕 |
| Blockchain Hype | Learn about the Token Sale before its official announcement. | 💡 | 📕 |
| Blocked RCE DoS | Perform a Remote Code Execution that would keep a less hardened application busy forever. | 💡 | 📕 |
| Bonus Payload | Use the bonus payload <iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe> in the DOM XSS challenge. |
💡 | 📕 |
| Bully Chatbot | Receive a coupon code from the support chatbot. | 💡 | 📕 |
| CAPTCHA Bypass | Submit 10 or more customer feedbacks within 10 seconds. | 💡 | 📕 |
| Change Bender's Password | Change Bender's password into slurmCl4ssic without using SQL Injection or Forgot Password. | 💡 | 📕 |
| Christmas Special | Order the Christmas special offer of 2014. | 💡 | 📕 |
| CSP Bypass | Bypass the Content Security Policy and perform an XSS attack with <script>alert(`xss`)</script> on a legacy page within the application. |
💡 | 📕 |
| Client-side XSS Protection | Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> bypassing a client-side security mechanism. |
💡 | 📕 |
| Confidential Document | Access a confidential document. | 💡 | 📕 |
| Cross-Site Imaging | Stick cute cross-domain kittens all over our delivery boxes. | 💡 | 📕 |
| CSRF | Change the name of a user by performing Cross-Site Request Forgery from another origin. | 💡 | 📕 |
| DOM XSS | Perform a DOM XSS attack with <iframe src="javascript:alert(`xss`)">. |
💡 | 📕 |
| Database Schema | Exfiltrate the entire DB schema definition via SQL Injection. | 💡 | 📕 |
| Deluxe Fraud | Obtain a Deluxe Membership without paying for it. | 💡 | 📕 |
| Deprecated Interface | Use a deprecated B2B interface that was not properly shut down. | 💡 | 📕 |
| Easter Egg | Find the hidden easter egg. | 💡 | 📕 |
| Email Leak | Perform an unwanted information disclosure by accessing data cross-domain. | 💡 | 📕 |
| Empty User Registration | Register a user with an empty email and password. | 💡 | 📕 |
| Ephemeral Accountant | Log in with the (non-existing) accountant acc0unt4nt@juice-sh.op without ever registering that user. | 💡 | 📕 |
| Error Handling | Provoke an error that is neither very gracefully nor consistently handled. | 💡 | 📕 |
| Expired Coupon | Successfully redeem an expired campaign coupon code. | 💡 | 📕 |
| Exposed Metrics | Find the endpoint that serves usage data to be scraped by a popular monitoring system. | 💡 | 📕 |
| Extra Language | Retrieve the language file that never made it into production. | 💡 | 📕 |
| Five-Star Feedback | Get rid of all 5-star customer feedback. | 💡 | 📕 |
| Forged Coupon | Forge a coupon code that gives you a discount of at least 80%. | 💡 | 📕 |
| Forged Feedback | Post some feedback in another user's name. | 💡 | 📕 |
| Forged Review | Post a product review as another user or edit any user's existing review. | 💡 | 📕 |
| Forged Signed JWT | Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op. | 💡 | 📕 |
| Forgotten Developer Backup | Access a developer's forgotten backup file. | 💡 | 📕 |
| Forgotten Sales Backup | Access a salesman's forgotten backup file. | 💡 | 📕 |
| Frontend Typosquatting | Inform the shop about a typosquatting imposter that dug itself deep into the frontend. (Mention the exact name of the culprit) | 💡 | 📕 |
| GDPR Data Erasure | Log in with Chris' erased user account. | 💡 | 📕 |
| GDPR Data Theft | Steal someone else's personal data without using Injection. | 💡 | 📕 |
| HTTP-Header XSS | Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> through an HTTP header. |
💡 | 📕 |
| Imaginary Challenge | Solve challenge #999. Unfortunately, this challenge does not exist. | 💡 | 📕 |
| Kill Chatbot | Permanently disable the support chatbot so that it can no longer answer customer queries. | 💡 | 📕 |
| Leaked Access Logs | Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.) | 💡 | 📕 |
| Leaked Unsafe Product | Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous. | 💡 | 📕 |
| Legacy Typosquatting | Inform the shop about a typosquatting trick it has been a victim of at least in v6.2.0-SNAPSHOT. (Mention the exact name of the culprit) | 💡 | 📕 |
| Local File Read | Gain read access to an arbitrary local file on the web server. | 💡 | 📕 |
| Login Admin | Log in with the administrator's user account. | 💡 | 📕 |
| Login Amy | Log in with Amy's original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the "One Important Final Note") | 💡 | 📕 |
| Login Bender | Log in with Bender's user account. | 💡 | 📕 |
| Login Bjoern | Log in with Bjoern's Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account. | 💡 | 📕 |
| Login Jim | Log in with Jim's user account. | 💡 | 📕 |
| Login MC SafeSearch | Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass. | 💡 | 📕 |
| Login Support Team | Log in with the support team's original user credentials without applying SQL Injection or any other bypass. | 💡 | 📕 |
| Manipulate Basket | Put an additional product into another user's shopping basket. | 💡 | 📕 |
| Mass Dispel | Close multiple "Challenge solved"-notifications in one go. | 💡 | 📕 |
| Meta Geo Stalking | Determine the answer to John's security question by looking at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism. | 💡 | 📕 |
| Misplaced Signature File | Access a misplaced SIEM signature file. | 💡 | 📕 |
| Missing Encoding | Retrieve the photo of Bjoern's cat in "melee combat-mode". | 💡 | 📕 |
| Multiple Likes | Like any review at least three times as the same user. | 💡 | 📕 |
| Nested Easter Egg | Apply some advanced cryptanalysis to find the real easter egg. | 💡 | 📕 |
| NoSQL DoS | Let the server sleep for some time. (It has done more than enough hard work for you) | 💡 | 📕 |
| NoSQL Exfiltration | All your orders are belong to us! Even the ones which don't! | 💡 | 📕 |
| NoSQL Manipulation | Update multiple product reviews at the same time. | 💡 | 📕 |
| Outdated Allowlist | Let us redirect you to one of our crypto currency addresses which are not promoted any longer. | 💡 | 📕 |
| Password Strength | Log in with the administrator's user credentials without previously changing them or applying SQL Injection. | 💡 | 📕 |
| Payback Time | Place an order that makes you rich. | 💡 | 📕 |
| Poison Null Byte | Bypass a security control with a Poison Null Byte to access a file not meant for your eyes. | 💡 | 📕 |
| Premium Paywall | Unlock Premium Challenge to access exclusive content. | 💡 | 📕 |
| Privacy Policy | Read our privacy policy. | 💡 | 📕 |
| Privacy Policy Inspection | Prove that you actually read our privacy policy. | 💡 | 📕 |
| Product Tampering | Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com. |
💡 | 📕 |
| Reflected XSS | Perform a reflected XSS attack with <iframe src="javascript:alert(`xss`)">. |
💡 | 📕 |
| Repetitive Registration | Follow the DRY principle while registering a user. | 💡 | 📕 |
| Reset Bender's Password | Reset Bender's password via the Forgot Password mechanism with the truthful answer to his security question. | 💡 | 📕 |
| Reset Bjoern's Password | Reset the password of Bjoern's internal account via the Forgot Password mechanism with the truthful answer to his security question. | 💡 | 📕 |
| Reset Jim's Password | Reset Jim's password via the Forgot Password mechanism with the truthful answer to his security question. | 💡 | 📕 |
| Reset Morty's Password | Reset Morty's password via the Forgot Password mechanism with his obfuscated answer to his security question. | 💡 | 📕 |
| Reset Uvogin's Password | Reset Uvogin's password via the Forgot Password mechanism with the original answer to his security question. | 💡 | 📕 |
| Retrieve Blueprint | Deprive the shop of earnings by downloading the blueprint for one of its products | 💡 | 📕 |
| SSRF | Request a hidden resource on server through server. | 💡 | 📕 |
| SSTi | Infect the server with juicy malware by abusing arbitrary command execution. | 💡 | 📕 |
| Score Board | Find the carefully hidden 'Score Board' page. | 💡 | 📕 |
| Security Policy | Behave like any "white hat" should before getting into the action. | 💡 | 📕 |
| Server-side XSS Protection | Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> bypassing a server-side security mechanism. |
💡 | 📕 |
| Steganography | Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character) | 💡 | 📕 |
| Successful RCE DoS | Perform a Remote Code Execution that occupies the server for a while without using infinite loops. | 💡 | 📕 |
| Supply Chain Attack | Inform the development team about a danger to some of their credentials. (Send them the URL of the original report or an assigned CVE or another identifier of this vulnerability) | 💡 | 📕 |
| Two Factor Authentication | Solve the 2FA challenge for user "wurstbrot". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution) | 💡 | 📕 |
| Unsigned JWT | Forge an essentially unsigned JWT token that impersonates the (non-existing) user jwtn3d@juice-sh.op. | 💡 | 📕 |
| Upload Size | Upload a file larger than 100 kB. | 💡 | 📕 |
| Upload Type | Upload a file that has no .pdf or .zip extension. | 💡 | 📕 |
| User Credentials | Retrieve a list of all user credentials via SQL Injection | 💡 | 📕 |
| Video XSS | Embed an XSS payload </script><script>alert(`xss`)</script> into our promo video. |
💡 | 📕 |
| View Basket | View another user's shopping basket. | 💡 | 📕 |
| Visual Geo Stalking | Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism. | 💡 | 📕 |
| Vulnerable Library | Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment) | 💡 | 📕 |
| Weird Crypto | Inform the shop about an algorithm or library it should definitely not use the way it does. | 💡 | 📕 |
| XXE Data Access | Retrieve the content of C:\Windows\system.ini or /etc/passwd from the server. |
💡 | 📕 |
| XXE DoS | Give the server something to chew on for quite a while. | 💡 | 📕 |
| Zero Stars | Give a devastating zero-star feedback to the store. | 💡 | 📕 |
Challenge Solutions
In case you are getting frustrated with a particular challenge, you can refer to the Challenge solutions appendix where you find explicit instructions how to successfully exploit each vulnerability. It is highly recommended to use this option only as a last resort. You will learn a lot more from hacking entirely on your own or relying only on the hints in this part of the book.