This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us the opportunity to practice what we have learned so far, and also to learn about new techniques and new vulnerabilities, such as XX vulnerabilities.
Hi. Within this lecture, we're going to start working on our OWASP Juice Shop. So, make sure you open your link; we don't even need that. Just make sure you open this link and we're good to go. First of all, I'm going to do what I always do when I'm web pentesting: I'm going to open Burp Suite, okay? Because we're going to use this a lot during this section as well, as usual. So, I'm going to create a temporary project over here. Yeah, it says that there is an update. If we update it now, it will lead us to the new website to download a new version, and I've done this update on another computer. It's not very important. So, I'm going to just continue using this. So, as you can see, this is running right now. Let me see if the intercept is on; turn this off. We don't need any intercept right now. We just want it to be tracked, and we just want Burp Suite to gather information about the things that we're going to browse right now. So, make sure you refresh this and make sure everything works smoothly, because we turned the proxy on, and we turned FoxyProxy on as well. Here you go, now it's getting the information. As you can see, it's getting everything, the requests and responses, so we can see them later on. So, here you go. Let's see. As you can see, this is an e-commerce website and we have some products over here, like apple juice, okay? So, we can see the price, we can see the reviews of this product, and we can see the details about the other products as well. So, I believe if we want, we can order something; we can add it to our basket and we can just order the products as well. So, if we click over here, there's a search thing going on. Let me search for "apple", for example, to see if it brings up the apple juice. Yep, here you go. Now we see the details about apple. Now, search is working fine, and let's go to Account. I'm not doing any hacking or something like that. I'm just browsing here to see what this is about.
As you can see, there's a login section; we can give an email and password to log in or create an account. We're going to do that later on. Let's see if we have another menu over here. Yeah, here we go. We have a menu. We have Customer Feedback, About Us, Photo Wall. Let's go to each of them. So, we can create feedback. We can give feedback to the administrator of this website, I believe; we can choose a rating; we can do a CAPTCHA. So, these are all part of challenges, I believe, okay? And we can write a comment or something like that. And there is some sort of protection: if you don't write anything, as you can see, it gives an error message. So, it's a good security measure as well. And we're going to see how to break all of those things later on. If we go to About Us, I believe there is a simple about-us section. There are not so many things going on in here, I believe. There are some social media buttons over there. If we click one of them, I believe it leads us to the OWASP webpage or something like that, okay? There is not so much over here. So, let's go to the Photo Wall. I believe users can share something over here, like photos and stuff. Let's come back to Help Getting Started. So, I believe this gives us some kind of hint. And here you go, we have a first hint. It says that your progress exploiting this is tracked on the scoreboard. So, here you go. There are some vulnerabilities in this website and they want us to find these vulnerabilities, and apparently there is some sort of scoreboard that will keep our score; when we find these vulnerabilities, it will just say so on that scoreboard. So, I believe, okay? And we don't need any clues; we don't need anything to help us over there. We want to find the scoreboard, and then we will make our way up from there. So, here we go. I believe we have clicked on everything on that website right now. Of course, there are a lot of things that we're going to discover later on.
So, what we can do over here is come over here and see if there is something funny going on in the requests and responses. We can see all the things that have been gathered for us, okay? We can try to see these JavaScript files, for example, and we can try to analyze them as well. And by the way, if I had been doing this for another website, a website that I didn't know, or if I were actually working on a CTF, for example, then I would run DirBuster, okay? Rather than coming over here and trying to find the script sources or something like that, I would have run DirBuster, but I'm not going to do that. I believe we can find the scoreboard page, or any other page that we are looking for, without DirBuster, okay? As you can see in the source, there is not so much. So, rather than the source, I'm going to go into the View > Inspect Element thing, in which I can see the HTML source. But also, if I go to Debugger, I can see some of the JavaScript files, and maybe even PHP files as well, okay? So, later on we're going to come back to the HTML, I believe. But this time I'm going to go for Debugger, and I want to see the source code of this JavaScript. So, if you choose any JavaScript code that is being executed on this page, it will show up here, like main, polyfills, runtime. I don't know what those are; we're going to see, okay? And you can try to click on this index and every other thing as well, but in index, I believe, we only have some kind of HTML thing going on. So, let me go to one of those things, okay? And click on this. As you can see, it's not very readable right now. It's not pretty. So, if we want to make this pretty, we can always do that by clicking on this button over here, Pretty Print Source, okay? It will try to make it much more readable, like a real script editor, and it would be much better for us to read it like that, okay?
So, this may have some clues about the scoreboard, because if there is a link about the scoreboard, we're going to see it over there, or in the HTML as well, but I couldn't find anything in the HTML. So, I'm going to hit Ctrl+F to find something; I'm going to search for "score" or "scoreboard", okay? And see if I can get a scoreboard path. So, there is nothing in the index. Let me go to the main JavaScript, okay? Let's search for "score" over here. So, there is some sort of scoreboard, but I don't believe it gives us any path. So, here you go, we have a path over here; it says score-dashboard. So, it means that if we add score-dashboard to the end of the URL, then we're going to get a path, and maybe this will lead us to the scoreboard. So, let me copy this and paste it over there. Of course, this was an easy challenge, because it instructed us to find the scoreboard first. It's not a vulnerability or something like that; it's part of a game. But again, this is how you find some hidden paths on real websites as well. So, let me try to copy and paste this. By mistake, I believe I pasted everything into that thing. So, I'm going to just write score-dashboard, okay? And here we go. We are inside our scoreboard. So, as you can see, once I saw the challenge, it shows me that I have solved that challenge: "You successfully solved the challenge Scoreboard: find the carefully hidden scoreboard page", okay? So, this was our first challenge on this website. Now we know what kind of vulnerabilities, what kind of flaws or security misconfigurations there are on this page right now. Of course, it's not handed to us on a plate; we're going to have to find all of those things, but at least we know what we are after, okay? For example, if you look over here, there is an XSS vulnerability, security misconfiguration, and unvalidated redirects or something like that. There are tons of vulnerabilities over here. So, as you can see, there are some stars.
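The search the lecture does by hand (pretty-print the bundle, Ctrl+F for "score") can be scripted so that every route in a client-side bundle is pulled out at once. The block below is an added example written for this page; it is not code from the course or from the Juice Shop project. It assumes the Angular router convention that Juice Shop's frontend uses, where the route table is emitted into the minified bundle as objects like `{path:"score-board",component:Ke}`. The sample bundle in the block is constructed for the example, not copied from Juice Shop (the component names and the REST URL in it are made up); the string `score-board` is the route Juice Shop's own bundle registers for the scoreboard.

```javascript
// Added example, not part of the course or of Juice Shop: extract route-like
// strings from a minified client-side JavaScript bundle, the same thing the
// lecture does by hand with Pretty Print Source and Ctrl+F.

// Constructed sample that mimics a minified Angular route table. It is NOT
// Juice Shop's real bundle; component names (Qe, Ae, ...) and the REST URL are
// made up for the example.
const SAMPLE_BUNDLE =
  'var r=[{path:"",component:Qe},{path:"administration",component:Ae,canActivate:[he]},' +
  '{path:"search",component:je},{path:"score-board",component:Ke},' +
  '{path:"privacy-security",component:Le,children:[{path:"privacy-policy",component:Pe}]},' +
  '{path:"**",redirectTo:"404"}];' +
  'const o=(e)=>fetch("/rest/admin/application-version").then(e=>e.json());' +
  'l.href="#/contact";';

// Angular's router config survives minification as {path:"...",component:X}.
// Whitespace is gone in a minified file, so allow zero or more spaces around ':'.
const ANGULAR_PATH_RE = /\bpath\s*:\s*["']([^"']*)["']/g;
// Hash-routed links ("#/contact") and REST endpoints ("/rest/...", "/api/...")
// are also worth collecting: they point at server-side functionality.
const URL_RE = /["'](#\/[^"']+|\/(?:rest|api)\/[^"']+)["']/g;

// Return every route or URL candidate found in the bundle, sorted and de-duplicated.
// Child routes (e.g. privacy-policy above) are nested under their parent in
// Angular, so a listed path may need its parent's prefix when you visit it.
function extractRoutePaths(bundle) {
  const found = new Set();
  for (const m of bundle.matchAll(ANGULAR_PATH_RE)) {
    const p = m[1];
    // '' is the default route and '**' the wildcard; neither is a page to visit.
    if (p !== "" && p !== "**") found.add("#/" + p);
  }
  for (const m of bundle.matchAll(URL_RE)) found.add(m[1]);
  return [...found].sort();
}

// The manual step from the lecture: search the bundle for a keyword and return
// each hit with some surrounding text, so you can tell a route from a label.
function grepWithContext(bundle, keyword, radius = 20) {
  const hits = [];
  const needle = keyword.toLowerCase();
  const hay = bundle.toLowerCase();
  let i = hay.indexOf(needle);
  while (i !== -1) {
    hits.push(bundle.slice(Math.max(0, i - radius), i + needle.length + radius));
    i = hay.indexOf(needle, i + 1);
  }
  return hits;
}

// Routes that carry a canActivate guard are still worth visiting directly:
// the guard runs in the browser only, and the backend may not apply the same
// check on its own endpoints.
function guardedRoutes(bundle) {
  const re = /\{path\s*:\s*["']([^"']+)["'][^}]*canActivate/g;
  return [...bundle.matchAll(re)].map((m) => "#/" + m[1]);
}

// Run all three over one bundle text and return the findings together.
function analyzeBundle(bundle, keyword = "score") {
  return {
    routes: extractRoutePaths(bundle),
    guarded: guardedRoutes(bundle),
    keywordHits: grepWithContext(bundle, keyword),
  };
}

console.log(JSON.stringify(analyzeBundle(SAMPLE_BUNDLE), null, 2));
```

To use it against the real target, save the main bundle from the browser's Debugger panel (or from Burp's site map) and pass its text to `analyzeBundle`; paths come out in the `#/...` form that Angular's hash router expects, so they can be appended to the site's base URL exactly as the lecture does.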
If you click on the stars, other vulnerabilities will start to show up as well. So, there are six stars and, of course, depending on the difficulty, it gets stars. So, if you're looking for a six-star difficulty, then it would be very difficult. You can just see the tutorials over here. There are some tutorials on some of the vulnerabilities, not every one of them, but if you cannot solve one, then you can just click on "Show me the story" and it will lead you to that vulnerability and show you how to solve it, okay? And after you're done, you can just click on these buttons to unselect or select the things that you want, okay? And anytime you want, you can just refresh this and come back here to the scoreboard. So, what we're going to do during this section is try to follow these 1, 2, 3, 4, 5-star things and try to solve problems from this scoreboard, okay? We don't have to follow this, not necessarily, but again, this is a good guide and this is a good CTF. So, I believe the ordering of our vulnerabilities got somewhat confused over here. So, let me try to just click on this button to... I'm trying to make it show 1 star, 2 star, 3 star in order, but I'm not getting that look for some reason. So, I'm going to try and see if we can make it. As you can see, they're all showing as unsolved. Once we solve them, they're going to show as solved, so that we can keep track of this. And let's see, if I click on Show Solved, here we go. Now we see the solved ones as well. So, the only solved one is "Find the carefully hidden scoreboard page" right now. So, this is the only challenge that we have solved right now. But there has to be some way to show all of them in order, like 1 star, 2 star, 3 star, 4 star. If I click on one of those, it will just display or filter out those things for me, okay? I don't want to filter things according to their category; I want to filter things according to their stars, okay?
Just click on 1 star, for example; it hides the 1-star challenges. So, I get it. If I click on something, it will hide that thing. So, what I'm going to do is click on everything over here, okay? Let's see. Let's close everything over here, like that. Yeah, here you go. Now we can see only the 1-star challenges. So, that's how you filter. Great. Now we have the 1-star things. We're going to start with those. And as you can see, I did not do all of those things before. I'm going to just do it in real time, so that it will be a good experience for me as well, and a good experience for you as well. And of course, I saw a couple of those before, but I just didn't go to the end of them. We're going to do it in real time most of the time, and it will be much better for us. So, let's start in the next lecture.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.