In this assignment you will install the OWASP Juice Shop in your virtual environment
and will solve some one-star challenges.
As usual we will keep Kali up-to-date by checking for updates and installing them.
Open a terminal window and issue these commands:
sudo apt update
sudo apt upgrade
In CherryTree create a document named juice_shop.ctb and create two
top-level nodes named Installation and One-Star Challenges. Within the One-Star
Challenges node create the following subnodes: Score Board, Privacy Policy, Zero
Stars, Repetitive Registration.
Follow these rather cryptic instructions to get Juice Shop installed on your Kali
box. As you perform steps, document your progress in the CherryTree. Your
documentation should provide more detail than these instructions. The goal is that
you could re-visit this CherryTree document in a year and reconstruct the
steps you went through.
- First we install docker (community edition), known in Kali as docker-ce.
Internet search: kali install docker-ce ... follow the instructions for
installing docker-ce.
- Once docker is installed do:
sudo docker pull bkimminich/juice-shop
- To run it:
sudo docker run --rm -p 3000:3000 bkimminich/juice-shop
- Browse to
http://localhost:3000
NOTE: You may find it helpful to watch this video, which demonstrates some
basic navigation within the Juice Shop and in Burp Suite: https://youtu.be/TfOr6s5pYUE
Go ahead and start Burp Suite and then change your browser proxy settings to use
it. In Burp Suite, specify the Juice Shop app as within scope and then filter out
other discoveries.
Take a moment to visit the obvious links in the Juice Shop so Burp Suite can begin
to map the site.
Now visit: http://localhost:3000/#/score-board ... this is actually
one of the challenges, so record the “trick” to find the score board in the
“Score Board” subnode of your CherryTree document.
In the remainder of this assignment you will solve a few one-star challenges
so it might be convenient to filter the challenges list to show only one-star
entries.
Do the following one-star challenges. Feel free to get as much help as needed, but
first try to solve these on your own. A common starting point is to visit a
form of some kind, intercept the request in Burp Suite, and send that request to the
Repeater so you can try various tweaks on it.
For each challenge you complete, document the steps you took in the appropriate
subnode of your CherryTree document.
These are the challenges you need to solve:
- Privacy Policy — the trick is to find the policy
- Repetitive Registration — the goal is to submit a user registration
request without sending a repeat password; the application is doing
client-side validation, but not server-side validation, for this field.
Burp Suite will be helpful here.
- Confidential Document — poke around in the system; Burp Suite will be
helpful here. Alternatively you could use an HTTP enumerator (like dirbuster
or gobuster) to give you some hints for where to look.
FYI: You will quite possibly trigger the error handling challenge as you go
through some of these steps. Not required, though.
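The Repetitive Registration item above comes down to a rule that is enforced in the browser but not on the server. The following is an added example, not Juice Shop's own code, showing the weak server-side check beside a hardened one; the field names (email, password, passwordRepeat) and the length rule are assumptions made for illustration.

```javascript
// Added example. Field names and rules are assumed, not taken from Juice Shop.

// Weak: the server validates email and password, and trusts the browser
// to have compared the two password fields before submitting.
function validateRegistrationWeak(body) {
  if (body === null || typeof body !== 'object') return ['body: not an object'];
  const errors = [];
  if (typeof body.email !== 'string' || !body.email.includes('@')) {
    errors.push('email: invalid');
  }
  if (typeof body.password !== 'string' || body.password.length < 5) {
    errors.push('password: too short');
  }
  return errors; // passwordRepeat is never inspected
}

// Hardened: every rule the form enforces is enforced again on the server,
// so a request edited in a proxy is rejected the same way.
function validateRegistration(body) {
  const errors = validateRegistrationWeak(body);
  if (body === null || typeof body !== 'object') return errors;
  if (typeof body.passwordRepeat !== 'string') {
    errors.push('passwordRepeat: missing');
  } else if (body.passwordRepeat !== body.password) {
    errors.push('passwordRepeat: does not match password');
  }
  return errors;
}

// Constructed sample request bodies (not captured traffic).
const samples = {
  complete: { email: 'a@example.test', password: 's3cret!', passwordRepeat: 's3cret!' },
  repeatDropped: { email: 'a@example.test', password: 's3cret!' },
  repeatDiffers: { email: 'a@example.test', password: 's3cret!', passwordRepeat: 'other' },
};

// Run both validators over every sample and collect the error lists.
function compareValidators() {
  const out = {};
  for (const [name, body] of Object.entries(samples)) {
    out[name] = { weak: validateRegistrationWeak(body), hardened: validateRegistration(body) };
  }
  return out;
}

console.log(JSON.stringify(compareValidators(), null, 2));
```

The weak validator accepts all three sample bodies; the hardened one accepts only the complete one.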
Once the challenges are solved, revisit the score board. Modify the view to
show one-star puzzles and include in the list the solved puzzles. Take a screenshot
of the list showing your solved puzzles and put the screenshot in the top-level
node called One-Star in the CherryTree document.
The Juice Shop app will attempt to save progress from previous work, but just to be
safe you should visit the score board and click the download button to save challenge
progress.
Turn in your work by uploading your completed CherryTree document to this
assignment in Canvas.