DEV Community

Cover image for OWASP Juice Box Challenges part 1

OWASP Juice Box Challenges part 1

Emily L
I have experience in both infosec and devops. Looking for more experience in offensive security such as: pentesting.
・3 min read

Note that the browser of choice here is Google Chrome. Here are my solutions to some of the 1-star challenges in OWASP Juice Box:

Finding the score board

Challenge: Find the carefully hidden 'Score Board' page.

Open up the developer tools on you browser and find the Source tab. If we look at the file main-es2015.js, we can see that it contains code for the routing paths in the app. Use Ctrl-F to search for keywords , in our case "Score". We can see in the code that there exist a path called "score-board".

Alt Text
Enter "score-board" after the /#/ and you get the scoreboard!

How to leave a zero-star rating

Challenge: Give a devastating zero-star feedback to the store

Open up the developer tools on your browser and find the Network tab equivalent on your browser. Lets first investigate the request that is being made when submitting a review.

Alt Text
Notice how the rating is sent to the app. What this means is that we can send a zero star rating if we set the value of rating to zero. We will go about this by intercepting the request with burpsuite and modifying it before it gets sent to the app.

Alt Text
Clicked "Forward" and the modified request will be sent to the app.

That's not how you register a user

Challenge: Follow the DRY principle while registering a user.

This is very similar to the above one in which you intercept and modified the request, thus bypassing any validation done on the client side. Again, lets first investigate the request:

Alt Text
We can modified the payload like the following:

Alt Text
Clicked "Forward" and the modified request will be sent to the app.

Where's the cat photo?

Challenge: Retrieve the photo of Bjoern's cat in "melee combat-mode".

If we go the "Photo Wall" Page, we can see that one of the photos hasn't load properly.

Alt Text
Lets find the url of where the photo is being pulled from:

Alt Text
If we go to to that url and investigate the request on the Network tab:

Alt Text
We can see that the browser didn't execute the full url. The same thing happens when we try to execute the associated twitter link:

Alt Text
It seems like there's an issue with encoding.

To fix it, first find the encoding characters for the 😼 symbol (%F0%9F%98%BC), then take the rest of the url and url encode it. You can do this by going here. Now put the two parts together and you should have an url that has been properly encoded, and we should be able to see the cat photo now.

Alt Text

That's it for the 1 star challenges. I hope this has help you in any way. Thank you for reading. Till next time!

Discussion (0)