
Beginners Guide to OWASP Juice Shop, Your Practice Hacking Reasons for Top 10 Web App Vulnerabilities «Null Byte :: WonderHowTo



Vulnerabilities in web applications are one of the key issues to consider in a penetration test or security assessment. While some security areas can be practised on a home network or a single computer, setting up a test website to learn web application security requires a slightly different approach. The OWASP Juice Shop provides a safe environment for practising web application hacking.

The depth and variety of web technologies provide a large and complex attack surface. There are markup languages that make up the graphical components of websites, scripting languages for interacting with the front end, back-end languages that manipulate data, database management systems that store that data, and server technologies that keep the sites online. Each of these technologies has its own vulnerabilities, and each of those vulnerabilities can be exploited.

OWASP Juice Shop is a deliberately insecure security training web application written in JavaScript. It is full of hacking challenges at every level of difficulty that the user can work through, and it is a fantastic way to learn about web application security.

Reference to the OWASP Top 10

The OWASP Top 10 Project is a document from the Open Web Application Security Project. It aims to list and document the most common security risks in web applications. As of the 2017 version, the list is as follows:

  • Injection
  • Broken authentication
  • Sensitive data exposure
  • XML external entities (XXE)
  • Broken access control
  • Security misconfiguration
  • Cross-site scripting (XSS)
  • Insecure deserialization
  • Using components with known vulnerabilities
  • Insufficient logging and monitoring

Each of these vulnerabilities can be present on all kinds of websites and often leads to abuse such as phishing, database leaks, spam, malware distribution and other privacy and security violations. As a web developer, it is important to recognize and understand these attacks in order to prevent them. For a penetration tester, understanding these vulnerability categories can improve your own web application hacking capabilities.

To begin practising these attacks, first install the OWASP Juice Shop, which contains vulnerabilities from every OWASP Top 10 category.

Step 1: Install Docker

According to the project's website, Docker offers "a way to run applications safely isolated in a container packed with all its dependencies and libraries." This means that for a tool like the OWASP Juice Shop, a whole artificial server-like stack can be easily packaged and distributed.

While OWASP Juice Shop offers several installation options, including Node.js and Vagrant, I found that under Linux and macOS Docker is the easiest option.

If you have problems with the Docker installation or your operating system does not support Docker, you may find that Node.js is also a convenient option. The installation instructions for other platforms can also be found in the Juice Shop documentation.

Docker supports Windows, macOS, and Linux with downloads for packages available on the Docker installation page. Installation instructions vary by platform, but for this example, we will go through Docker installation on a Debian-based system such as Ubuntu or Kali.

To begin the installation, first install the packages required to allow apt-get to use a repository over HTTPS by running the following command in a terminal emulator.

  sudo apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common 

Next, add Docker's GPG key, which is used to verify the integrity of the packages.

  curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - 

Now you can add the Docker repository to your system. If the following command fails, you can also use the text editor of your choice to manually edit the /etc/apt/sources.list file, which is the repository list on systems that use the APT package manager. Just add the part of the command enclosed in quotation marks on a new line in this file and replace "$(lsb_release -cs)" with the output of the command lsb_release -cs on your running system. Otherwise, running the command alone is sufficient to update your repository list.

  sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"

Once this repository has been added, you can install Docker by first updating your repositories and then using apt-get install to install the tool. This can be achieved by executing the following command.

  sudo apt-get update && sudo apt-get install docker-ce 

If you are using a systemd-based system, you can now start the Docker service with the following command.

  sudo systemctl start docker

Step 2: Install the OWASP Juice Shop

Once Docker is installed and running, first pull a copy of the OWASP Juice Shop image locally. To do this, run the following command.

  docker pull bkimminich/juice-shop

Next, we can start the Juice Shop by executing the following command, which binds the service to port 3000.

  docker run --rm -p 3000:3000 bkimminich/juice-shop

When the Docker command line prints "Server listening on port 3000", the service is ready for use.

  root@navi ~# systemctl start docker
  root@navi ~# docker pull bkimminich/juice-shop
  Using default tag: latest
  latest: Pulling from bkimminich/juice-shop
  Digest: sha256:056aa33f600adb143a1128e2ae42f4021f15d726347155ae4bdd37fba4e0c486
  Status: Image is up to date for bkimminich/juice-shop:latest
  root@navi ~# docker run --rm -p 3000:3000 bkimminich/juice-shop

  > juice-shop@7.2.1 start /juice-shop
  > node app

  Server listening on port 3000

Once running, the Juice Shop can be opened in a web browser like any other website. Under Linux, the shop is located at http://localhost:3000. On macOS and Windows, it may be located at http://192.168.99.100:3000.

Step 3: Analyzing the Juice Shop HTML

One of the easiest ways to start analyzing a web application is to look at the HTML of a particular page. Just use the "View Source" feature of your web browser, which is usually available under the "Developer Tools" section or a similarly named menu.

HTML, which stands for HyperText Markup Language, is not a programming language in the traditional sense but, as the acronym suggests, a markup language. Unlike a programming language that defines behavior as processes and sequences of statements, plain HTML is primarily used to wrap the other elements of a web page and position them on the page. While HTML5 has expanded this relatively limited role and added some of the capabilities traditionally handled by JavaScript and PHP, HTML remains mostly a layout and composition tool.

Because traditional HTML does not follow traditional programming flow, its syntax generally encloses the other parts of the site. There are tags to set text, images, links, menu bars, and other types of media content or embedded scripts. This means that HTML itself usually cannot be exploited directly as a security vulnerability, but it can give us an indication of what the site is doing, whether visible to the user or not.

An example of this kind of insight is shown below. While the HTML code itself does not provide an attacker much, the list of JavaScript files that the page references within its "script" tags indicates some of the features working behind the scenes on the site, some of which may prove to be a

Next in the code, you can also see some of the various pages linked by this page. Some of them are shown in the page's top menu, while others, such as the scoreboard page, are not.

Discovering a link like this one can lead to a better understanding of the structure of the site and may reveal data that should be considered private.
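The manual "View Source" review in this step can be automated. The following is an added example, not code from the Null Byte article or the Juice Shop project: it lists the script sources and links a page references and separates the links that sit in the navigation menu from those that do not. The sample page is constructed for the example; the real Juice Shop markup differs.

```javascript
// Added example (not from the article or the Juice Shop project). The HTML
// below is constructed to resemble what Step 3 describes: a couple of script
// includes, a menu, and one link kept in the markup but not shown in the menu.
const SAMPLE_HTML = `
<html><head>
  <script src="/js/angular.min.js"></script>
  <script src="/js/juice-shop.min.js"></script>
</head><body>
  <nav><a href="#/">Home</a> <a href="#/login">Login</a></nav>
  <!-- constructed: present in the markup, but not shown in the menu -->
  <a href="#/score-board" style="display:none">Score Board</a>
</body></html>`;

// Collect the value of `attr` from every `<tag ...>` element in the document.
function extractAttr(html, tag, attr) {
  const re = new RegExp(`<${tag}\\b[^>]*?\\s${attr}\\s*=\\s*["']([^"']+)["']`, 'gi');
  const values = [];
  let m;
  while ((m = re.exec(html)) !== null) values.push(m[1]);
  return values;
}

// External scripts hint at the features running behind the page.
function scriptSources(html) {
  return extractAttr(html, 'script', 'src');
}

// Every link in the page, whether it is in the menu or not.
function allLinks(html) {
  return extractAttr(html, 'a', 'href');
}

// Links that appear in the source but not inside the <nav> element: candidates
// for pages the site does not advertise, like the score board in the article.
function hiddenLinks(html) {
  const nav = html.match(/<nav\b[\s\S]*?<\/nav>/i);
  const visible = new Set(nav ? allLinks(nav[0]) : []);
  return allLinks(html).filter((href) => !visible.has(href));
}

console.log('scripts:', scriptSources(SAMPLE_HTML));
console.log('links not in the menu:', hiddenLinks(SAMPLE_HTML));
```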

Step 4: Using the Score Board System

If you follow the link found in the previous step, you will be directed to the Juice Shop score board page. This score board is not just a static element of the website; it is updated as the various challenges are completed. In fact, just by discovering the page itself, the first challenge is solved.

The page will alert you that you have solved a challenge, and you may notice that the same notice appears in the Juice Shop command line log.

  > juice-shop@7.2.1 start /juice-shop
  > node app

  Server listening on port 3000
  Solved challenge Score Board (Find the carefully hidden score board page.)

Once you have access to the score board, you can see the other goals for each section. In the right column, you can hover over the "unsolved" status indicator to get a hint, or click the icon to get more documentation about the challenge.

This format stays consistent throughout the attack on the Juice Shop. The various challenges are broken down by level of difficulty, and the score board page provides an ideal guide to completing them in a logical order.

Step 5: Use the JavaScript Console to Analyze the Site

Another way to understand the structure and function of the site is to use the developer console of your web browser to see which scripts are executed. The debugger can also alert you to possible errors, some of which may also prove to be security vulnerabilities. Sometimes, as in the following case, JavaScript may also reveal items that should be private, such as the link to "administration.html" in the JavaScript file "juice-shop.min.js".

If you follow this link to the administration page, you have already solved the next challenge!

Paying attention to the JavaScript functionality in the Juice Shop becomes more important as the challenges get harder, so you may want to keep your web browser's console open.

Step 6: Provoke a Website Error

One of the goals on the score board is to provoke an error that is not handled properly. This type of error is generally the result of poor handling of non-standard input. While there are several ways to create these kinds of errors in the Juice Shop, one of them is the sign-in page.

First, click on the "Login" link in the site header. Next, fill in the form, but instead of a regular username, just enter an apostrophe. You can use whatever you choose for the password. Once the form is completed, click on the login button.

You will see that this error is far from readable, but it does offer some insight into the backend of the website. After this error is displayed, another challenge, "Provoke an error that is not very gracefully handled", is completed and shown on the score board.

Step 7: Use Basic XSS

The last hack we will try on the Juice Shop is a simple reflected XSS attack. Similar to the error previously caused by non-standard input, sometimes even code can be entered and executed if forms are not validated. To test this, we use the following JavaScript string:

This short script simply opens a small alert box with the text "XSS" when it runs. Unlike the login page, however, we are looking for a different kind of form: ideally one that either reflects content back to the user or submits content directly to the site.

A simple form that we can use to test this attack is the search form. Just type the short JavaScript string in the text box and click Search to see what happens.

If the script is successful, you have captured another flag!
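To see why the search form reflects the script, and what stops it, here is an added example that is not code from the article or the Juice Shop project. It contrasts a search-results heading built from the raw query with one that HTML-encodes the query first; the sample query is constructed to match the alert script the article describes.

```javascript
// Added example (not from the article or the Juice Shop project). Constructed
// input: the same kind of alert script the article uses for the search form.
const SAMPLE_QUERY = '<script>alert("XSS")</script>';

// Encode the five characters that can change HTML structure or break out of an
// attribute value, so the browser renders them as text rather than markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the query is concatenated straight into the page, so markup in
// the query becomes markup in the response (reflected XSS).
function renderSearchVulnerable(query) {
  return `<h1>Search results for ${query}</h1>`;
}

// Fixed: the query is encoded before it is placed in the HTML.
function renderSearchFixed(query) {
  return `<h1>Search results for ${escapeHtml(query)}</h1>`;
}

// Detection-side check: a script element in the rendered output that the
// template author did not write means user input reached the page as markup.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderSearchVulnerable(SAMPLE_QUERY));
console.log('fixed:     ', renderSearchFixed(SAMPLE_QUERY));
```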

We have only begun to touch on the flags and challenges in the Juice Shop, but the more challenging ones follow roughly the same format. The OWASP Juice Shop is an ideal platform for learning web application penetration testing without any risk of causing real damage. It takes time to master the challenges, but you will be well on your way to becoming a web application security expert!

Thank you for reading! If you have questions, you can leave a comment or on Twitter at @tahkion .

Do not miss: More Null-Byte Instructions for Hacking Web Apps

Cover Picture and Screenshots of Takhion / Null Byte
