Cyber Security and Ethical Hacking
Certification Project
---Anirudh Poojary
Finding vulnerabilities in a Juice Shop machine. The list of
vulnerabilities I found in this machine is:

- Improper input validation
- Cross-site scripting
- Security misconfiguration
- Improper input validation of links
- Login page SQL injection
- Broken access control
- Broken authentication
- View basket (broken access control)
- Admin registration to other users
- Rate limiting flaws
- Stored XSS
- SQL injection on search page
- Upload size manipulation
Title:
Improper input validation
Description:
Input validation is a frequently used technique for checking potentially dangerous inputs in order
to ensure that the inputs are safe for processing within the code, or when communicating with
other components. When software does not validate input properly, an attacker is able to craft the
input in a form that is not expected by the rest of the application.
Steps to reproduce:
- First I captured the request of the customer feedback.
- At first it showed that without any rating no submission takes place.
- But after changing it in Burp Suite and making the rating 0, the request was
  successfully submitted.
Impact:
This vulnerability will lead to parts of the system receiving unintended input, which may result
in altered control flow, arbitrary control of a resource, or arbitrary code execution.
Title:
Cross-site scripting (XSS)
Description:
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to
compromise the interactions that users have with a vulnerable application. It allows an attacker
to circumvent the same origin policy, which is designed to segregate different websites from each
other.
Steps to reproduce:
- First I found a search in the machine.
- Then I tried some XSS scripts; finally
  <iframe src=javascript:alert("hello")> succeeded.
- As a result a popup was displayed on the screen.
Impacts:
It allows an attacker to masquerade as a victim user, to carry out any actions that the user is able
to perform, and to access any of the user's data. If the victim user has privileged access within
the application, then the attacker might be able to gain full control over all of the application's
functionality and data.
Title:
Security Misconfiguration
Description:
Security misconfiguration is any error or vulnerability present in the configuration of code
that allows attackers access to sensitive data. There are many types of security
misconfiguration, but most present the same danger: vulnerability to data breach and
attackers gaining unauthorized access to data.
Steps to reproduce:
- First I captured the request of the product 1 review.
- Then I changed the product id in the captured request, and I got the
  information of the other products easily.
- Just by changing the id in /rest/product/2/reviews, I successfully looked at other
  reviews.
Impacts:
These can lead to a data breach and even complete system compromise. Depending on the
value of the data compromised, this can have a significant negative impact on a business.
Attackers may be able to exploit or even modify parts of applications by taking advantage of
security misconfigurations. These security misconfiguration vulnerabilities leave a business
exposed to potential attack.
Title:
Improper input validation of links
Description:
Input validation is a frequently used technique for checking potentially dangerous inputs in order
to ensure that the inputs are safe for processing within the code, or when communicating with
other components. When software does not validate input properly, an attacker is able to craft the
input in a form that is not expected by the rest of the application.
Steps to reproduce:
- Here I went to the http://192.168.29.104:3000/#/photo-wall link, and found an image which
  was not properly loaded.
- So I inspected the code and replaced the "#" in the link
  http://assets/public/images/uploads/%F0%9F%98%BC-#zatschi-#whoneedsfourlegs1572600969477.jpg with %23; then I got the picture.
Impacts:
This vulnerability will lead to parts of the system receiving unintended input, which may result
in altered control flow, arbitrary control of a resource, or arbitrary code execution.
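The "#" observation above comes down to URL syntax: an unencoded "#" starts the fragment, so the server never sees the rest of the file name. An added example, not from the report or from Juice Shop, of building the photo-wall image URL with the stored file name percent-encoded (the upload directory is the one in the report; the helper names are assumptions):

```python
# Added example, not Juice Shop code: building the photo-wall image URL so a
# reserved character in the stored file name survives. The upload directory is
# the one in this report; the helper names are assumptions.
from urllib.parse import quote, unquote, urlsplit

UPLOAD_DIR = "assets/public/images/uploads/"

def public_image_url(stored_name):
    """Percent-encode every reserved character of the file name. safe="" also
    encodes '/', so a stored name cannot point outside the upload directory."""
    return "/" + UPLOAD_DIR + quote(stored_name, safe="")

def path_requested(url):
    """The path a browser actually asks the server for: a bare '#' starts the
    fragment, which never leaves the client, so the name is cut off there."""
    return unquote(urlsplit(url).path)
```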
Title:
Login page (SQL injection)
Description:
SQL injection is a technique for exploiting web page inputs by injecting SQL commands into the
statements the application builds from them. Malicious users can use these statements to
manipulate the application's web server. The first account in a database is often an administrative
user, and this behavior can be exploited to log in as the first user in the database.
Steps to reproduce:
- First I went to the login page using the link http://192.168.29.104:3000/#/login
- Then in the username section I injected a simple SQL injection script, ' or 1=1 --
- And used a random password.
- Then I got into the admin account: as the admin account was stored first in the database,
  I was logged in as admin.
Impacts:
The flaw is easily detected and easily exploited, and as such any site or software package with
even a minimal user base is likely to be subject to an attempted attack of this kind. Essentially,
the attack is accomplished by placing a meta character into data input to then place SQL
commands in the control plane, which did not exist there before. This flaw depends on the fact
that SQL makes no real distinction between the control and data planes.
Title:
Broken access control
Description:
Access control enforces policy such that users cannot act outside of their intended permissions.
Failures typically lead to unauthorized information disclosure, modification, or destruction of all
data or performing a business function outside the user's limits.
Steps to reproduce:
- Here, after logging in as the admin user.
- I found a hidden path related to the administrator; at first I accessed it as a normal user, and
  it restricted me.
- After getting in with admin privileges, I accessed the administration page.
- And I found all the users and the reviews related to them.
Impacts:
Broken access control can lead to a number of serious security issues, including data breaches,
theft of sensitive information, and loss of system availability. In some cases, it can also enable an
attacker to gain elevated privileges that allow them to perform malicious actions on the systems
or data they have accessed.
Title:
Broken Authentication
Description:
Broken Authentication and Session Management is a security vulnerability that occurs when the
authentication and session management mechanisms of a web application are flawed or
improperly implemented. Authentication refers to the process of verifying the identity of users,
typically through usernames and passwords, while session management involves maintaining
and controlling the user's session after authentication.
Steps to reproduce:
- By getting into the admin user I found the username.
- But meanwhile I didn't know the password, so I captured the request of the login page using
  Burp Suite.
- And then I tried a password list against the admin user's password with Intruder.
- Then I found that the password is 'admin123'.
Impacts:
The impact of broken authentication can be severe and far-reaching. When attackers successfully
exploit these vulnerabilities, they can gain unauthorized access to user accounts, leading to
various consequences. This may include unauthorized access to sensitive information, such as
personal data, financial details, or intellectual property.
Title:
View basket (Broken access control)
Description:
Access control enforces policy such that users cannot act outside of their intended permissions.
Failures typically lead to unauthorized information disclosure, modification, or destruction of all
data or performing a business function outside the user's limits.
Steps to reproduce:
- First I captured the request of my normal user using Burp Suite.
- After that I tried to change the request using the Repeater.
- At the /rest/basket/2 link, when we change the number, we get access to the other users'
  baskets.
Impacts:
Broken access control can lead to a number of serious security issues, including data breaches,
theft of sensitive information, and loss of system availability. In some cases, it can also enable an
attacker to gain elevated privileges that allow them to perform malicious actions on the systems
or data they have accessed.
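The two access control findings (the administration page earlier and /rest/basket/<id> here) call for two different server-side checks: a role check on the route and an ownership check on the object. An added example, not code from the report or from Juice Shop, with constructed sessions and an in-memory store:

```python
# Added example, not Juice Shop code: the two authorization checks the broken
# access control findings call for, an object-level one for /rest/basket/<id>
# and a role check for the administration page. Sessions and data are constructed.
from dataclasses import dataclass

@dataclass
class Session:
    user_id: int
    role: str              # set by the server at login, never read from the request

class Forbidden(Exception):
    pass

# constructed store: basket id -> owner and items; user id -> email
BASKETS = {1: {"user_id": 1, "items": ["Apple Juice"]},
           2: {"user_id": 2, "items": ["Orange Juice"]}}
USERS = {1: "admin@juice-sh.op", 2: "jim@juice-sh.op", 3: "bender@juice-sh.op"}

def get_basket(session, basket_id):
    """Object-level check: the id in the URL only selects the basket; whether the
    caller may see it is decided by comparing the stored owner with the session."""
    basket = BASKETS.get(basket_id)
    if basket is None or basket["user_id"] != session.user_id:
        # one answer for 'missing' and 'not yours', so ids cannot be enumerated
        raise Forbidden("basket %d is not available to user %d" % (basket_id, session.user_id))
    return basket

def require_role(*roles):
    """Function-level check for routes such as the administration page."""
    def decorator(handler):
        def guarded(session, *args, **kwargs):
            if session.role not in roles:
                raise Forbidden("role %r may not call %s" % (session.role, handler.__name__))
            return handler(session, *args, **kwargs)
        return guarded
    return decorator

@require_role("admin")
def list_users(session):
    """The administration page's user listing."""
    return dict(USERS)

def access_allowed(fn, session, *args):
    """True if the call succeeds, False if the authorization check refuses it."""
    try:
        fn(session, *args)
        return True
    except Forbidden:
        return False
```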
Title:
Admin registration
Description:
Here the attacker can change a normal user into an admin user and gain
admin privileges simply by changing the role of the user.
Steps to reproduce:
- Here I captured the request of the user registration using Burp Suite.
- Then I changed the role of the user from "customer" to "admin".
- Then I sent the request, and I gained admin privileges for the normal user.
Impacts:
By this the attacker can simply register as a client, change the permissions to admin
privileges, access all the internal files and easily attack the machine with malware files.
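Both this finding and the earlier feedback-rating one come from the server trusting a request body that a proxy can edit. An added example, not code from the report or from Juice Shop, that validates both bodies server-side (field names and limits are assumptions):

```python
# Added example, not Juice Shop code: server-side validation for the feedback
# and registration bodies from this report. Field names and limits are
# assumptions chosen for illustration.
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

class ValidationError(ValueError):
    pass

def validate_feedback(body):
    """Accept only the feedback fields and require an integer rating of 1..5.
    The form refuses to submit without a star rating, but a request edited in a
    proxy can carry rating 0 or no rating, so the same rule is enforced here."""
    unknown = set(body) - {"comment", "rating", "captchaId", "captcha"}
    if unknown:
        raise ValidationError("unexpected fields: %s" % sorted(unknown))
    rating = body.get("rating")
    if type(rating) is not int or not 1 <= rating <= 5:    # bool is not an int here
        raise ValidationError("rating must be an integer from 1 to 5")
    comment = body.get("comment", "")
    if not isinstance(comment, str) or not comment.strip() or len(comment) > 500:
        raise ValidationError("comment must be 1 to 500 characters")
    return {"comment": comment.strip(), "rating": rating}

def validate_registration(body):
    """Allow-list the registration fields and never take the role from the
    client. A body carrying role=admin is refused rather than quietly
    downgraded, so the attempt is visible in the logs."""
    if "role" in body and body["role"] != "customer":
        raise ValidationError("role cannot be chosen at registration")
    email, password = body.get("email", ""), body.get("password", "")
    if not isinstance(email, str) or not EMAIL_RE.match(email):
        raise ValidationError("invalid email")
    if not isinstance(password, str) or len(password) < 12:
        raise ValidationError("password must be at least 12 characters")
    if password != body.get("passwordRepeat"):
        raise ValidationError("passwords do not match")
    return {"email": email.lower(), "password": password, "role": "customer"}

def rejection_reason(validator, body):
    """None when the body passes, otherwise the validation message."""
    try:
        validator(body)
        return None
    except ValidationError as exc:
        return str(exc)
```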
Title:
Rate limiting flaw
Description:
Rate limiting is a strategy leveraged to cap a traffic exchange, limiting the amount of incoming
and outgoing traffic from a particular network. Typically, it limits repeat actions by users within
specified timeframes, preventing systems, networks and applications from becoming
overloaded. For instance, the number of logins to an account within a specified timeframe or
the number of failed login attempts.
Steps to reproduce:
- Here I used the feedback review page.
- Then, using the Burp Suite Intruder, I generated random null payloads on the feedback
  page and found that it has a rate limiting flaw.
- It even bypasses the captcha by forwarding many requests at a time.
Impacts:
Rate-limiting flaws can impact the performance of the API servers and allow attackers to launch
DoS attacks. When a single client or multiple clients make too many requests at once, requests
from those clients can overwhelm the server's ability to process requests, and in turn make the
service slow or unavailable for other users. Another issue is that a lack of rate limiting can lead to
brute-forcing attacks on authentication endpoints and on endpoints with Broken Object Level
Authorization.
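The rate limiting and broken authentication findings share a fix: count requests server-side per client and per account, and make each captcha answer usable only once. An added example, not code from the report or from Juice Shop; the limits, client addresses and timestamps are constructed values:

```python
# Added example, not Juice Shop code: sliding-window limits per client for the
# feedback endpoint and per account for login, plus single-use captcha ids.
import secrets
from collections import defaultdict, deque

class RateLimiter:
    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.hits = defaultdict(deque)      # key -> timestamps still in the window
    def allow(self, key, now):
        """True while 'key' has made fewer than 'limit' requests in the window."""
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class CaptchaStore:
    """A captcha id is redeemed once; replaying a captured answer then fails."""
    def __init__(self):
        self.pending = {}
    def issue(self, answer):
        cid = secrets.token_hex(8)
        self.pending[cid] = answer
        return cid
    def redeem(self, cid, answer):
        expected = self.pending.pop(cid, None)
        return (expected is not None and isinstance(answer, str)
                and secrets.compare_digest(expected, answer))

FEEDBACK_LIMIT = RateLimiter(limit=5, window_seconds=60)    # per client address
LOGIN_LIMIT = RateLimiter(limit=10, window_seconds=900)     # per account
CAPTCHAS = CaptchaStore()

def post_feedback(client_ip, captcha_id, captcha_answer, now):
    """HTTP-style status: 429 over the limit, 400 bad or reused captcha, 201 ok."""
    if not FEEDBACK_LIMIT.allow(client_ip, now):
        return 429
    if not CAPTCHAS.redeem(captcha_id, captcha_answer):
        return 400
    return 201

def login_attempt(email, password_ok, now):
    """Charged before the password check, so a password list run against one
    account stalls after ten tries in fifteen minutes."""
    if not LOGIN_LIMIT.allow(email.lower(), now):
        return 429
    return 200 if password_ok else 401
```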
Title:
Stored cross-site scripting (XSS)
Description:
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected
into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side script, to a different
end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a
web application uses input from a user within the output it generates without validating or
encoding it.
Steps to reproduce:
- Here I tried to register a new user.
- Then I captured the registration request and in the email field I replaced the value with the XSS
  script <iframe src=\"javascript:alert('hello')\">
- Then after I forwarded the request, the user was successfully registered.
- Then I went to the administration page as admin, and I found a pop-up showing hello.
- Whenever I open this page I get the pop-up hello.
Impacts:
Stored XSS (also known as second-order XSS) is the most dangerous type of cross-site scripting
attack. The reason is that it does not require users to click a malicious link or perform any
activity, other than browsing to a legitimate web page. Once an attacker discovers a stored XSS
vulnerability and injects XSS code into the database, all visitors to affected pages are
compromised, until the exploit is discovered.
Stored XSS attacks are even more significant in websites that require authentication. When an
authenticated user visits a page with stored XSS, attackers are usually able to hijack their session
and perform actions on their behalf. On some websites, such as those of financial or medical
institutions, this can result in financial loss or exposure of highly sensitive data.
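Both XSS findings (the search page and the email shown on the administration page) are fixed at output time by encoding for the context the value lands in. An added example, not code from the report or from Juice Shop, checked against the report's own two payloads; the page fragments and user record are constructed:

```python
# Added example, not Juice Shop code: output encoding for the reflected and
# stored contexts in this report, checked against the page's own payloads.
# The page fragments and user record are constructed.
import html
import json
from html.parser import HTMLParser

def html_text(value):
    """Encode for an HTML text node or quoted attribute: < > & " ' become
    entities, so a stored <iframe src=...> is shown as text, not parsed."""
    return html.escape(str(value), quote=True)

def js_value(value):
    """Encode for a string literal inside a <script> block: JSON quoting plus
    '<' as \\u003c, so '</script>' in the data cannot end the block early."""
    return json.dumps(str(value)).replace("<", "\\u003c")

def render_search(term, names):
    """Reflected context: the search term is echoed above the results."""
    items = "".join("<li>%s</li>" % html_text(n) for n in names)
    return '<h2>Results for "%s"</h2><ul>%s</ul>' % (html_text(term), items)

def render_admin_row(user):
    """Stored context: the email given at registration is later shown on the
    administration page. Encode at render time whatever input validation did."""
    cells = (user["id"], user["email"], user["role"])
    return "<tr>" + "".join("<td>%s</td>" % html_text(c) for c in cells) + "</tr>"

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []
    def handle_starttag(self, tag, attrs):
        self.names.append(tag)

def elements_in(rendered):
    """Element names a browser would create from the markup: the check that
    no user-controlled tag reached the DOM."""
    parser = _Tags()
    parser.feed(rendered)
    return parser.names

SEARCH_PAYLOAD = '<iframe src=javascript:alert("hello")>'
EMAIL_PAYLOAD = "<iframe src=\"javascript:alert('hello')\">"
```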
Title:
SQL injection to extract the database
Description:
SQL injection is a technique for exploiting web page inputs by injecting SQL commands into the
statements the application builds from them. Malicious users can use these statements to
manipulate the application's web server. The first account in a database is often an administrative
user, and this behavior can be exploited to log in as the first user in the database.
Steps to reproduce:
- First I tried some SQL injection scripts to extract the whole database using the URL given
  below.
- Then I captured the search request using Burp Suite.
- After that I tried the SQL script
  '))union%20select%20sql,2,3,4,5,6,7,8,9%20from%20sqlite_master-- after the search
  request.
- Then I successfully extracted the database schema from that search data.
Impacts:
The flaw is easily detected and easily exploited, and as such any site or software package with
even a minimal user base is likely to be subject to an attempted attack of this kind. Essentially,
the attack is accomplished by placing a meta character into data input to then place SQL
commands in the control plane, which did not exist there before. This flaw depends on the fact
that SQL makes no real distinction between the control and data planes.
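The login and search findings both come from user input spliced into SQL text; binding it as a parameter keeps it data. An added example, not code from the report or from Juice Shop, running the report's login payload against a constructed in-memory SQLite table (table layout, rows and passwords are constructed; the search function shows the same binding for the search endpoint):

```python
# Added example, not Juice Shop code: the login injection from this report run
# against an in-memory SQLite table, first through string-built SQL and then
# through bound parameters. Table layout, rows and passwords are constructed.
import hashlib
import hmac
import sqlite3

def pw_hash(password):
    # stand-in for a real password hash (bcrypt/argon2) to stay stdlib-only
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users(id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT);
        CREATE TABLE Products(id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO Products VALUES (1, 'Apple Juice', 'fresh'), (2, 'Orange Juice', 'sweet');
    """)
    db.executemany("INSERT INTO Users VALUES (?, ?, ?, ?)", [
        (1, "admin@juice-sh.op", pw_hash("constructed-admin-pw"), "admin"),
        (2, "jim@juice-sh.op", pw_hash("constructed-jim-pw"), "customer")])
    return db

def login_vulnerable(db, email, password):
    """Input spliced into the statement: with ' or 1=1 -- as the email the rest
    of the WHERE clause is commented out and the first row, the admin, comes back."""
    sql = ("SELECT id, email, role FROM Users WHERE email = '%s' AND password = '%s'"
           % (email, pw_hash(password)))
    return db.execute(sql).fetchone()

def login_safe(db, email, password):
    """Fixed statement text; the email travels as a bound parameter, so quotes
    and -- are plain characters. The hash is compared in constant time in code."""
    row = db.execute("SELECT id, email, role, password FROM Users WHERE email = ?",
                     (email,)).fetchone()
    if row is None or not hmac.compare_digest(row[3], pw_hash(password)):
        return None
    return row[:3]

def search_safe(db, term):
    """The search endpoint: the LIKE wildcards are added to the bound value,
    never to the SQL text, so the page's search payload is just a literal."""
    return db.execute("SELECT id, name, description FROM Products WHERE name LIKE ?",
                      ("%" + term + "%",)).fetchall()
```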
Title:
Upload size manipulation
Description:
File content manipulation: An attacker may upload a file with malicious code, such as a script
that executes arbitrary code on the server. File size manipulation: An attacker may upload a big
file that exceeds the web application’s file size restriction, causing a buffer overflow or other
vulnerabilities.
Steps to reproduce:
- Here I took the URL http://192.168.29.104:3000/#/complain
- In this there is an option to upload a file, but only of PDF or ZIP type and up to 100kb in
  size.
- So I tried to manipulate the size using Burp Suite, by capturing the request and sending it to
  the Repeater.
- There I just cleared the old file data and pasted in the new file data.
- And sent the request; then the file was uploaded successfully.
- Like this I manipulated the file size.

After I sent the request, in the Juice Shop I got a message that I had completed the
challenge.
Impacts:
The consequences of unrestricted file upload can vary, including complete system takeover, an
overloaded file system or database, forwarding attacks to back-end systems, client-side attacks,
or simple defacement. It depends on what the application does with the uploaded file and
especially where it is stored.
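The upload finding is fixed server-side by capping the bytes actually read and by typing the file from its content rather than its name. An added example, not code from the report or from Juice Shop; the 100 kB limit and the PDF/ZIP allow-list are from the report, the stream interface is an assumption:

```python
# Added example, not Juice Shop code: server-side checks for the complaint
# upload. The body is read with a hard byte ceiling and the type comes from the
# file's leading bytes, not its name or Content-Type header. The 100 kB limit and
# the PDF/ZIP allow-list are from this report; the stream interface is assumed.
import io

MAX_UPLOAD = 100 * 1024
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip"}

class UploadRejected(ValueError):
    pass

def read_capped(stream, limit=MAX_UPLOAD):
    """Read at most limit bytes; a body that still continues past the limit is
    rejected before more of it is buffered. Content-Length is not consulted,
    because a proxied request can declare any value."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise UploadRejected("file exceeds %d bytes" % limit)
    return data

def detect_type(data):
    """Return 'pdf' or 'zip' from the magic bytes, None for anything else."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def accept_upload(filename, stream):
    """Return (kind, data) for an acceptable file or raise UploadRejected."""
    data = read_capped(stream)
    if not data:
        raise UploadRejected("empty file")
    kind = detect_type(data)
    if kind is None:
        raise UploadRejected("content is neither PDF nor ZIP")
    if not filename.lower().endswith("." + kind):
        raise UploadRejected("extension does not match content")
    return kind, data

def upload_outcome(filename, body):
    """'ok:<kind>' for an accepted constructed body, else the rejection reason."""
    try:
        return "ok:" + accept_upload(filename, io.BytesIO(body))[0]
    except UploadRejected as exc:
        return str(exc)
```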