HW10: The Juice Shop due Mon 06 Nov 23:59
Overview
In this assignment you will install the OWASP Juice Shop in your virtual environment and will solve some one-star challenges.
Update Kali
As usual we will keep Kali up-to-date by checking for updates and installing them. Open a terminal window and issue these commands:sudo apt update sudo apt upgrade
CherryTree
In CherryTree create a document namedjuice_shop.ctb and create two
top-level nodes named Installation, One-Star Challenges. Within the One-Star
Challenges node create the following subnodes: Score Board, Privacy Policy, Zero
Stars, Repetitive Registration.
Installing/Running The Juice Shop
Follow these rather cryptic instructions to get Juice Box installed on your Kali box. As you perform steps, document your progress in the CherryTree. Your documentation should provide more detail than these instructions. The goal is that you could re-visit this CherryTree document in a year and reconstruct the steps you went through.- First we install docker (community edition), known in Kali as docker-ce. Internet search: kali install docker-ce ... follow instructions for install docker-ce.
- Once docker is installed do:
sudo docker pull bkimminich/juice-shop - To run it:
sudo docker run --rm -p 3000:3000 bkimminich/juice-shop - Browse to
http://localhost:3000
The Juice Shop Score Board
NOTE: You may find it helpful to watch this video which demonstrates some basic navigation within the Juice Shop and in Burpsuite: https://youtu.be/TfOr6s5pYUEGo ahead and start Burp Suite and then change your browser proxy settings to use it. In Burpsuite, specify the Juice Shop app as within scope and then filter out other discoveries.
Take a moment to visit the obvious links in the Juice Shop so Burpsuite can begin to map the site.
Now visit: http://localhost:3000/#/score-board ... this is actually one of the challenges, so record the “trick” to find the score board in the “Score Board” subnode of your CherryTree document.
In the remainder of this assignment you will solve a few one-star challenges so it might be convenient to filter the challenges list to show only one-star entries.
Some Challenges
Do the following one-star challenges. Feel free to get as much help as needed, but first try to solve these on your own. A common starting point is to visit a form of some kind, intercept the request in Burpsuite, send that request to the repeater so you can try various tweaks on it.For each challenge you complete document the steps you took in the appropriate subnode of your CherryTree document.
These are the challenges you need to solve:
- Privacy Policy — the trick is to find the policy
- Repetitive Registration — the goal is to submit a user registration request without sending a repeat password; the application is doing client side validation, but not server side validation for this field. Burpsuite will be helpful here.
- Confidential Document — poke around in the system; Burpsuite will be helpful here. Alternatively you could use an http enumerator (like dirbuster or gobuster) to give you some hints for where to look.
FYI: You will quite possibly trigger the error handling challenge as you go through some of these steps. Not required, though.
Screenshot and Save Progress
Once the challenges are solved, revisit the score board. Modify the view to show show one-star puzzles and include in the list the solved puzzles. Take a screenshot of the list showing your solved puzzles and put the screenshot in the top-level node called One-Star in the CherryTree document.The Juice Shop app will attempt to save progress from previous work, but just to be safe you should visit the score board and click the download button to save challenge progress.
Turn In Your Work
Turn in your work by uploading your completed CherryTree document to this assignment in Canvas.