Note that the browser of choice here is Google Chrome. Here are my solutions to some of the 1-star challenges in OWASP Juice Box:
Challenge: Find the carefully hidden 'Score Board' page.
Open up the developer tools on you browser and find the Source tab. If we look at the file main-es2015.js, we can see that it contains code for the routing paths in the app. Use Ctrl-F to search for keywords , in our case "Score". We can see in the code that there exist a path called "score-board".
Challenge: Give a devastating zero-star feedback to the store
Open up the developer tools on your browser and find the Network tab equivalent on your browser. Lets first investigate the request that is being made when submitting a review.
Notice how the rating is sent to the app. What this means is that we can send a zero star rating if we set the value of rating to zero. We will go about this by intercepting the request with burpsuite and modifying it before it gets sent to the app.
Challenge: Follow the DRY principle while registering a user.
This is very similar to the above one in which you intercept and modified the request, thus bypassing any validation done on the client side. Again, lets first investigate the request:
Challenge: Retrieve the photo of Bjoern's cat in "melee combat-mode".
If we go the "Photo Wall" Page, we can see that one of the photos hasn't load properly.
To fix it, first find the encoding characters for the 😼 symbol (
%F0%9F%98%BC), then take the rest of the url and url encode it. You can do this by going here. Now put the two parts together and you should have an url that has been properly encoded, and we should be able to see the cat photo now.
That's it for the 1 star challenges. I hope this has help you in any way. Thank you for reading. Till next time!