Part II - Challenge hunting
This part of the book can be read from end to end as a hacking guide. Used in that way you will be walked through various types of web vulnerabilities and learn how to exploit their occurrences in the Juice Shop application. Alternatively you can start hacking the Juice Shop on your own and use this part simply as a reference and source of hints in case you get stuck at a particular challenge.
In case you want to look up hints for a particular challenge, the following tables lists all challenges of the OWASP Juice Shop grouped by their difficulty and in the same order as thery appear on the Score Board.
The challenge hints found in this release of the companion guide are compatible with v8.4.0 of OWASP Juice Shop.
Trivial Challenges ( 
)
| Challenge | Description | Hints | Solution |
|---|---|---|---|
| Confidental Document | Access a confidential document. |  |
 |
| Error Handling | Provoke an error that is not very gracefully handled. | |
|
| Redirects Tier 1 | Let us redirect you to a donation site that went out of business. | |
|
| Score Board | Find the carefully hidden 'Score Board' page. | |
|
| XSS Tier 0 | Perform a reflected XSS attack with <iframe src="javascript:alert(xss)">. |
|
|
| XSS Tier 1 | Perform a DOM XSS attack with <iframe src="javascript:alert(xss)">. |
|
|
| Zero Stars | Give a devastating zero-star feedback to the store. | |
|
Easy Challenges ( )
| Challenge | Description | Hints | Solution |
|---|---|---|---|
| Admin Section | Access the administration section of the store. | |
|
| Basket Access Tier 1 | View another user's shopping basket. | |
|
| Deprecated Interface | Use a deprecated B2B interface that was not properly shut down. | |
|
| Five-Star Feedback | Get rid of all 5-star customer feedback. | |
|
| Login Admin | Log in with the administrator's user account. | |
|
| Login MC SafeSearch | Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass. | |
|
| Password Strength | Log in with the administrator's user credentials without previously changing them or applying SQL Injection. | |
|
| Security Policy | Behave like any "white hat" should | |
|
| Weird Crypto | Inform the shop about an algorithm or library it should definitely not use the way it does. | |
|
| XSS Tier 1.5 | Perform an XSS attack with <script>alert(xss)</script> on a legacy page within the application. |
|
|
Medium Challenges ( )
| Challenge | Description | Hints | Solution |
|---|---|---|---|
| Admin Registration | Get registered as admin user. | |
|
| Basket Access Tier 2 | Put an additional product into another user's shopping basket. | |
|
| CAPTCHA Bypass Tier 1 | Submit 10 or more customer feedbacks within 10 seconds. | |
|
| Forged Feedback | Post some feedback in another users name. | |
|
| Forged Review | Post a product review as another user or edit any user's existing review. | |
|
| Forgotten Sales Backup | Access a salesman's forgotten backup file. | |
|
| Login Amy | Log in with Amy's original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the "One Important Final Note") | |
|
| Login Bender | Log in with Bender's user account. | |
|
| Login Jim | Log in with Jim's user account. | |
|
| Payback Time | Place an order that makes you rich. | |
|
| Product Tampering | Change the href of the link within the O-Saft product description into http://kimminich.de. |
|
|
| Reset Bjoern's Password Tier 1 | Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the truthful answer to his security question. | |
|
| Reset Jim's Password | Reset Jim's password via the Forgot Password mechanism with the truthful answer to his security question. | |
|
| Upload Size | Upload a file larger than 100 kB. | |
|
| Upload Type | Upload a file that has no .pdf extension. | |
|
| XSS Tier 2 | Perform a persisted XSS attack with <iframe src="javascript:alert(xss)"> bypassing a client-side security mechanism. |
|
|
| XSS Tier 3 | Perform a persisted XSS attack with <iframe src="javascript:alert(xss)"> without using the frontend application at all. |
|
|
| XXE Tier 1 | Retrieve the content of C:\Windows\system.ini or /etc/passwd from the server. |
|
|
Hard Challenges ( )
| Challenge | Description | Hints | Solution |
|---|---|---|---|
| Access Log | Gain access to any access log file of the server. | |
|
| Christmas Special | Order the Christmas special offer of 2014. | |
|
| DLP Failure Tier 1 | Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous. | |
|
| Easter Egg Tier 1 | Find the hidden easter egg. | |
|
| Easter Egg Tier 2 | Apply some advanced cryptanalysis to find the real easter egg. | |
|
| Forgotten Developer Backup | Access a developer's forgotten backup file. | |
|
| Login Bjoern | Log in with Bjoern's Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account. | |
|
| Lost in Recycling | Find an old Recycle request and inform the shop about its unusual address. (Mention the entire delivery or pickup address in your comment) | |
|
| Misplaced Signature File | Access a misplaced SIEM signature file. | |
|
| NoSQL Injection Tier 1 | Let the server sleep for some time. (It has done more than enough hard work for you) | |
|
| NoSQL Injection Tier 2 | Update multiple product reviews at the same time. | |
|
| Redirects Tier 2 | Wherever you go, there you are. | |
|
| Reset Bender's Password | Reset Bender's password via the Forgot Password mechanism with the truthful answer to his security question. | |
|
| Steganography Tier 1 | Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character) | |
|
| Typosquatting Tier 1 | Inform the shop about a typosquatting trick it has become victim of. (Mention the exact name of the culprit) | |
|
| User Credentials | Retrieve a list of all user credentials via SQL Injection | |
|
| Vulnerable Library | Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment) | |
|
| XSS Tier 4 | Perform a persisted XSS attack with <iframe src="javascript:alert(xss)"> bypassing a server-side security mechanism. |
|
|
| XSS Tier 5 | Perform a persisted XSS attack with <iframe src="javascript:alert(xss)"> through an HTTP header. |
|
|
Dreadful Challenges ( )
| Challenge | Description | Hints | Solution |
|---|---|---|---|
| Blockchain Tier 1 | Learn about the Token Sale before its official announcement. | |
|
| CSRF | Change Bender's password into slurmCl4ssic without using SQL Injection. | |
|
| DLP Failure Tier 2 | Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.) | |
|
| Email Leak | Perform an unwanted information disclosure by accessing data cross-domain. | |
|
| Extra Language | Retrieve the language file that never made it into production. | |
|
| JWT Issues Tier 1 | Forge an essentially unsigned JWT token that impersonates the (non-existing) user [email protected]. | |
|
| Login CISO | Exploit OAuth 2.0 to log in with the Chief Information Security Officer's user account. | |
|
| NoSQL Injection Tier 3 | All your orders are belong to us! | |
|
| RCE Tier 1 | Perform a Remote Code Execution that would keep a less hardened application busy forever. | |
|
| Reset Bjoern's Password Tier 2 | Reset the password of Bjoern's internal account via the Forgot Password mechanism with the truthful answer to his security question. | |
|
| Reset Morty's Password | Reset Morty's password via the Forgot Password mechanism with his obfuscated answer to his security question. | |
|
| Retrieve Blueprint | Deprive the shop of earnings by downloading the blueprint for one of its products | |
|
| Supply Chain Attack | Inform the development team about a danger to some of their credentials. (Send them the URL of the original report or the CVE of this vulnerability) | |
|
| Typosquatting Tier 2 | Inform the shop about a more sneaky instance of typosquatting it fell for. (Mention the exact name of the culprit) | |
|
| XXE Tier 2 | Give the server something to chew on for quite a while. | |
|
Diabolic Challenges ( )
| Challenge | Description | Hints | Solution |
|---|---|---|---|
| Arbitrary File Write | Overwrite the Legal Information file. | |
|
| Forged Coupon | Forge a coupon code that gives you a discount of at least 80%. | |
|
| Imaginary Challenge | Solve challenge #999. Unfortunately, this challenge does not exist. | |
|
| JWT Issues Tier 2 | Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user [email protected]. | |
|
| Multiple Likes | Like any review at least three times as the same user. | |
|
| Login Support Team | Log in with the support team's original user credentials without applying SQL Injection or any other bypass. | |
|
| Premium Paywall | Unlock Premium Challenge to access exclusive content. | |
|
| RCE Tier 2 | Perform a Remote Code Execution that occupies the server for a while without using infinite loops. | |
|
| SSRF | Request a hidden resource on server through server. | |
|
| SSTi | Infect the server with malware by abusing arbitrary command execution. | |
|
Challenge Solutions
In case you are getting frustrated with a particular challenge, you can refer to Appendix - Challenge solutions where you find explicit instructions how to successfully exploit each vulnerability. It is highly recommended to use this option only as a last resort. You will learn a lot more from hacking entirely on your own or relying only on the hints in this part of the book.