DEV Community

Cover image for OWASP Juice-Shop Walkthrough; Sensitive Data Exposure - Login Amy
haXarubiX
haXarubiX

Posted on

OWASP Juice-Shop Walkthrough; Sensitive Data Exposure - Login Amy

Sensitive Data Exposure - Login Amy

Objective

Log in with Amy's original user credentials by exploiting sensitive data exposure.

Steps to Complete the Challenge

Setting Up Burp Suite and FoxyProxy

  1. Install Burp Suite:

    • Burp Suite is usually pre-installed on Kali Linux. If not, you can install it using:

      sudo apt-get update
sudo apt-get install burpsuite

  2. Start Burp Suite:

    • Open a terminal and type burpsuite to start Burp Suite.
    • You may need to agree to the license agreement and select the "Temporary project" option.

  3. Configure Burp Suite Proxy:

    • In Burp Suite, go to the "Proxy" tab and then the "Options" sub-tab.
    • Ensure that the interface is set to 127.0.0.1 and port 8080.

  4. Install FoxyProxy:

    • Open Firefox and go to the Firefox Add-ons website.
    • Search for "FoxyProxy" and install it.

  5. Configure FoxyProxy:

    • Click on the FoxyProxy icon in the toolbar and select "Options".
    • Add a new proxy by clicking "Add".
      • Title: Burp Suite
      • Proxy Type: HTTP
      • Proxy IP: 127.0.0.1
      • Port: 8080
    • Save the configuration.

  6. Enable FoxyProxy:

    • Click on the FoxyProxy icon and select the "Burp Suite" proxy profile to enable it.
    • To disable it, select "Turn Off All Proxies".

Brief Tutorial on Burp Suite

  • Proxy: Intercepts and inspects HTTP/S traffic between your browser and the server.
  • Repeater: Allows you to modify and resend individual requests.
  • Intruder: Automates customized attacks by modifying request parameters.
  • Scanner: Scans for common vulnerabilities (available in Burp Suite Professional).
  • Decoder: Decodes or encodes data in various formats.
  • Comparer: Compares different responses to identify differences.

Detailed Walkthrough for "Login Amy"

  1. Log In to Juice Shop:
    • Open Firefox and navigate to http://localhost:3000.
    • Ensure FoxyProxy is enabled and Burp Suite is intercepting traffic.
  2. Identify Amy's User Account:
    • Typically, Juice Shop users are listed in the "Contact" or "About Us" sections. Look for any mentions of user accounts, especially Amy's.
    • Open the browser’s DevTools (by pressing F12), and go to the "Network" tab to inspect traffic.
  3. Intercept Login Request:
    • Attempt to log in with a dummy account to capture the login request in Burp Suite.
    • Enter any email and password, and submit the form.
    • Burp Suite will capture the request. Send this request to the Repeater tab by right-clicking and selecting "Send to Repeater".
  4. Analyze Sensitive Data Exposure:
    • In Burp Suite, go to the "HTTP history" tab and look for responses that may contain sensitive data.
    • Specifically, look for responses that might reveal Amy's password or hints. Juice Shop sometimes exposes sensitive data in unexpected places, such as comments in HTML or through API responses.
  5. Look for Password Hints:
    • Open the "Source" tab in the browser’s DevTools and search through JavaScript files and HTML for any comments or hints. Sometimes, developers leave comments or notes that can expose sensitive information.
    • Look for any clues related to passwords or user information.
  6. Exploit Sensitive Data Exposure:
    • If you find any hints or exposed credentials for Amy, use them to log in.
    • Commonly, sensitive data exposure can be found in /ftp or /logs directories within the application. Navigate to these paths in the browser or through captured traffic to look for clues.
  7. Log in with Amy's Credentials:
    • Once you have identified Amy’s credentials, go back to the login page at http://localhost:3000/#/login.
    • Enter Amy’s email and the password you have found.
    • Submit the form to log in.

Explanation

Why These Methods Work

  • Sensitive Data Exposure: Developers sometimes leave sensitive information exposed in comments, debug logs, or misconfigured endpoints. By inspecting network traffic and source code, these pieces of information can be uncovered.
  • Intercepting Requests: Burp Suite allows you to capture and analyze HTTP requests and responses, making it easier to identify and exploit vulnerabilities.

Importance of Protecting Sensitive Data

  • Ensuring sensitive data is not exposed through comments, logs, or API responses is crucial for maintaining application security.
  • Proper data handling and encryption practices should be implemented to protect user credentials and other sensitive information.

Top comments (0)

Read next

hamid_ghahremani profile image

what is long polling

hamid ghahremani -

mkleung profile image

Javascript with NextJs and Framer Notion

Mike L -

smart_contract_fbaa2e2c98 profile image

Why Should Startups Invest in a Smart Contract Development Agency?

Smart Contract -

hotel_vellara_57d2ca5cfb3 profile image

Best Hotel in Bangalore: Why Hotel Vellara Stands Out

Hotel Vellara -