Difficulty: Intermediate
Duration: 2h 6m
Students: 38
Ratings: 5/5
Description

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us the opportunity to practice what we have learned so far, and also to learn about new techniques and new vulnerabilities, such as XX vulnerabilities.

Transcript

Hi. Within this lecture, we're going to solve another challenge from our OWASP Juice Shop and we're going to see different techniques that we can use when we do web pentesting. So, here you go. Let's see one of the fun things over here, like access a confidential document. It's not fun, right? So, if you come over here, let us redirect to you one of the cryptocurrency addresses which are not promoted any longer. It's not fun at all as well. So, these are all the websites that it needs to find us. They are hidden on the JavaScript or HTML. It's like a game, okay? And we wouldn't use that thing in real bug bounty. So, I'm not going to focus on them very much, but I'm just going to show you some examples, so that you wouldn't hang on to that and wonder why he didn't show us the solution for that one. For example, if you go to JavaScript from the debugger like we did before, okay? In the main JavaScript file, if we search for something like the things that it's expecting us to find, for example, in this case, I'm going to see 'Ctrl-F' and search for 'redirect,' okay? Because it's asking for us to find the 'redirect URL,' that is not being used anymore. So, I'm going to try and find a 'redirect URL.' We are seeing something, but I believe that's not the thing that we are looking for. So, for example, we're seeing a 'redirect URI' over here, but again, it's not what we're looking for. Here we go. We see a URL. And it says that, "Let us redirect you to the cryptocurrency thing." And I believe this is one of the things that it's talking about because it says that 'blockchain.info.' So, we found the thing, okay? It's not a big deal. So, let's try to copy this thing, okay? And let's try to select only the path over here and try to copy this. Let's see if we 'right-click,' if we say 'Copy Source URL,' let's see what happens. Let's try to paste this over there and... Nope, that's not what we are looking for. Let's do 'Copy to Clipboard' and let's see what happens.
And if I paste this thing... It got sucked. I believe we have copied the whole thing one more time, the whole JavaScript code. That's not what we're looking for either. So, let me come back. We copied the whole thing. So, let me delete this. Let me learn this. Let me 'right-click' and say 'Copy Source Text'. I believe that's the thing that we are looking for. Here you go. We have to say 'Copy Source Text.' Now, we learned about this stuff. So, I'm going to, of course, put this after the website URL over here, okay? And I believe we have to delete this dot thing and let me run this. It didn't run. Maybe we need to get this hashtag out of our way. And here you go. It tries to redirect us. And let's see if we can make it. Here you go. We got redirected. So, that was the solution. That was the thing it asks us to find. So, if we refresh this maybe... As you can see, it says solved right now, okay? So, it's not a big thing. It's not a thing that we should actually learn and repeat in real web pentesting. So, again, that's why I'm going to skip some of those things. Because it's not very practical. So, we solve those things. But let's solve something fun. I mean, much more informative, okay? If you come over here and look at the challenges, let's go back to there. Let's see if there are any fun challenges over here. It says, "Read our privacy policy," which is not fun at all. Perform an attack... Perform an error. We saw that already. "Give a devastating zero-star feedback to the store," which seems fun, right? So, giving a zero-star feedback, we know where to give feedback, right? We have seen the feedback form. So, let's see how it's done. As you can see, our author is Atil right now because we are logged in. So, I'm going to give it a test. And for giving zero-star we shouldn't choose anything here at all, right? We shouldn't choose anything at all. Let's do the CAPTCHA first. So, I believe it has to be 10.
But even though we give the CAPTCHA without choosing any rating, it doesn't allow us to submit this because the 'Submit' button is not enabled, as you can see. Once we choose a rating, it will be enabled, but we can bypass this. Let's go to 'Inspect Element,' okay? And try to find this 'Submit' button. So, we know how this works. Let me scroll down a little bit, okay? Until we find the 'Submit' button. I'm going to hover over this HTML code, and we know we have to open some divs over here, okay? It has to be inside of this div and inside of this thing. And let's see... Here you go. We have a button. We have a button and ID submit button. And let's see the attributes of this button. As you can see, it says "disabled true". So, disabled means it's not enabled, right? So, we have to change this attribute to make this enabled. It's very easy for us because we know about HTML right now, we know about attributes enough to change them. If we are not very certain how to change an attribute or what kind of value that we can give it to, we can always go to html.com and see it. So, I'm going to make it "disabled false." And I believe it didn't change the thing, okay? As you can see, even if I made it false it didn't work. I'm going to delete it and... I'm going to delete the whole thing actually. Maybe we can actually change this 'disabled' to 'enabled' and maybe that will work. Let's go and do this enabled, and here you go, now it's enabled. So, all we had to do: just change the 'disabled' to 'enabled.' Of course, I knew this because I knew about this attribute, and as you can see, we managed to solve this problem. If you didn't know about this attribute, of course, you can just google it and find it on the 'HTML 101' or html.com and you can see how it's done, right? But we solved that problem. So, that's good. "Read our privacy policy," I'm not going to do that. It's very easy. You can just find the privacy policy and read it to yourself.
Let's see if we have anything worth solving here, like retrieving the photo or finding the endpoint that serves usage data. I believe we're done over here, okay? We have solved the XSS. We have solved the other fun stuff. I believe we can go to 2 stars right now, or if we find something interesting we can always go back if we want. There are some injections and broken access controls over here, which look so much more fun than what we have seen in the first section, okay? Like, weaving another user's shopping basket, which seems fine. So, we're going to stop here and continue within the next lecture.
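The zero-star feedback bypass in the transcript works because the disabled attribute on the submit button is only a client-side convenience; the check that matters has to live on the server. The block below is an added example, not Juice Shop's own code: a feedback handler modelled as a plain function, with the unchecked variant beside a hardened one that validates the rating, the comment and the CAPTCHA answer. The field names, the 1-5 rating scale and the comment length limit are assumptions.

```javascript
// Added example, not Juice Shop's code: server-side validation for a feedback
// form whose "Submit" button is merely disabled in the browser. Because
// "disabled" is a boolean HTML attribute, disabled="false" still disables the
// button (which is what the transcript observed); removing or renaming the
// attribute re-enables it, and the request then reaches the server with
// whatever rating the client chose to send, or none at all.

// Vulnerable variant: stores whatever arrives, so a missing or zero rating is
// accepted as-is.
function acceptFeedbackUnchecked(body) {
  return { stored: true, rating: body.rating, comment: body.comment };
}

// Hardened variant: the rating must be an integer from 1 to 5, the comment a
// non-empty string within a length limit, and the CAPTCHA answer must match
// the one the server issued. Field names and limits are assumptions.
const MAX_COMMENT_LENGTH = 160;

function acceptFeedbackChecked(body, expectedCaptcha) {
  const errors = [];
  if (!Number.isInteger(body.rating) || body.rating < 1 || body.rating > 5) {
    errors.push("rating must be an integer between 1 and 5");
  }
  if (typeof body.comment !== "string" || body.comment.trim() === "" ||
      body.comment.length > MAX_COMMENT_LENGTH) {
    errors.push(`comment must be 1 to ${MAX_COMMENT_LENGTH} characters`);
  }
  if (String(body.captcha) !== String(expectedCaptcha)) {
    errors.push("captcha answer does not match");
  }
  if (errors.length > 0) {
    return { stored: false, errors };
  }
  return { stored: true, rating: body.rating, comment: body.comment.trim() };
}

// Constructed sample requests. The first is a normal submission; the other
// two are what a client can send once the button is re-enabled in the
// inspector: no rating at all, or an explicit zero.
const legitRequest = { rating: 4, comment: "Nice shop", captcha: 10 };
const noRatingRequest = { comment: "Devastating", captcha: 10 };
const zeroStarRequest = { rating: 0, comment: "Devastating", captcha: 10 };

console.log(acceptFeedbackUnchecked(zeroStarRequest)); // stored with rating 0
console.log(acceptFeedbackChecked(zeroStarRequest, 10)); // rejected with errors
```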


About the Author
Students: 2092
Courses: 55
Learning Paths: 3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.