Try the SEARCH function in the main navigation to find something. If you are looking for chapter information, please see Chapters for the correct chapter. For information about OWASP projects see Projects. For common attacks, vulnerabilities, or information about other community-led contributions see Contributed Content.
12 | 13 |If all else fails you can search our historical site.
15 || Category | 28 |# | 29 |Challenges | 30 |
|---|---|---|
| {{ category.name }} | 34 |{{ category.items.size }} | 35 |{{ category.items | group_by:"name" | sort: "name" | map: "name" | join: ", " }} | 36 |
| Total Σ | 40 |{{ site.data.challenges.size }} | 41 ||
| Tag | 56 |# | 57 |Challenges | 58 |
|---|---|---|
| {{ tag }} | 63 |64 | {{ taggedChallenges.size }} 65 | | 66 |67 | {{ taggedChallenges | sort | join: ", " }} 68 | | 69 |
](https://leanpub.com/juice-shop)
21 | [
](https://leanpub.com/juice-shop)
22 |
23 | The ebook is published under
24 | [CC BY-NC-ND 4.0](https://creativecommons.org/licenses/by-nc-nd/4.0/)
25 | and is online-readable **for free** at
26 | ](https://leanpub.com/juice-shop)
71 |
72 | $1,251.68 of royalties from
73 | [Björn Kimminich](https://kimminich.de)'s eBook have been donated to the
74 | project between 09/2017 and 07/2019.
75 |
76 | #### MultiJuicer Maintenance
77 |
78 | MultiJuicer was originally developed (and is still maintained primarily) by [iteratec](https://www.iteratec.com/en/). It became an official part of the OWASP Juice Shop project 05/2023.
79 |
80 | 
81 |
82 | ---
83 |
84 | _The OWASP Foundation is very grateful for the support by the
85 | individuals and organizations listed. However, please note, the OWASP
86 | Foundation is strictly vendor neutral and does not endorse any of its
87 | supporters._
88 |
--------------------------------------------------------------------------------
/tab_overview.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Overview
3 | layout: null
4 | altfooter: true
5 | tab: true
6 | order: 1
7 | tags: juiceshop
8 | ---
9 |
10 | ## Main Selling Points
11 |
12 | * **Free and Open source**: Licensed under the
13 | [MIT license](https://github.com/juice-shop/juice-shop/blob/master/LICENSE)
14 | with no hidden costs or caveats
15 | * **Easy-to-install**: Choose between
16 | [node.js](http://nodejs.org),
17 | [Docker](https://www.docker.com) and
18 | [Vagrant](https://www.vagrantup.com/downloads.html) to run on
19 | Windows/Mac/Linux as well as all major cloud providers
20 | * **Self-contained**: Additional dependencies are
21 | [pre-packaged](https://github.com/juice-shop/juice-shop/releases/latest)
22 | or will be resolved and downloaded automatically
23 | * **Beginner-friendly**:
24 | [Hacking Instructor](https://pwning.owasp-juice.shop/companion-guide/latest/part1/challenges.html#_hacking_instructor)
25 | scripts with optional
26 | [tutorial mode](https://pwning.owasp-juice.shop/companion-guide/latest/part1/challenges.html#_tutorial_mode)
27 | guide newcomers through several challenges while explaining the
28 | underlying vulnerabilities
29 | * **Gamification**: The application
30 | [notifies you on solved challenges](https://pwning.owasp-juice.shop/companion-guide/latest/part1/challenges.html#_success_notifications)
31 | and keeps track of successfully exploited vulnerabilities on a
32 | [Score
33 | Board](https://pwning.owasp-juice.shop/companion-guide/latest/part1/challenges.html#_the_score_board)
34 | * **Self-healing**:
35 | [Wiped clean and
36 | repopulated from scratch](https://pwning.owasp-juice.shop/companion-guide/latest/part1/running.html#_self_healing_feature)
37 | on every server startup while
38 | [automatically persisting progress in your browser](https://pwning.owasp-juice.shop/companion-guide/latest/part1/challenges.html#_automatic_saving_and_restoring_hacking_progress)
39 | or via
40 | [manual local backup](https://pwning.owasp-juice.shop/companion-guide/latest/part1/challenges.html#_manual_progress_and_settings_backup)
41 | * **Re-branding**:
42 | [Fully customizable](https://pwning.owasp-juice.shop/companion-guide/latest/part4/customization.html)
43 | in business context and look & feel to your own corporate or customer
44 | requirements
45 | * **CTF-support**: Challenge notifications optionally contain a flag
46 | code for your own
47 | [Capture-The-Flag events](https://pwning.owasp-juice.shop/companion-guide/latest/part4/ctf.html)
48 | * **Coding Challenges**: Over 20 hacking challenges come with an additional [Coding Challenge](https://pwning.owasp-juice.shop/companion-guide/latest/part1/challenges.html#_coding_challenges) where finding and fixing the responsible code flaw can be trained
49 | * **Interoperability**: Integrate with your own training systems via
50 | [WebHook](https://pwning.owasp-juice.shop/companion-guide/latest/part4/integration.html#_challenge_solution_webhook),
51 | monitor the
52 | [extensive metrics](https://pwning.owasp-juice.shop/companion-guide/latest/part4/monitoring.html)
53 | or consume challenge information directly via
54 | [API](https://pwning.owasp-juice.shop/companion-guide/latest/part4/integration.html#_challenges_api)
55 | or
56 | [file import](https://pwning.owasp-juice.shop/companion-guide/latest/part4/integration.html#_challenge_declaration_file)
57 |
58 | ## Screenshots
59 |
60 | 
61 | | Challenge | 30 |Category | 31 |Difficulty | 32 |
|---|---|---|
| {{ tutorial.name }} | 36 |{{ tutorial.category }} | 37 |38 | {% assign difficulty = tutorial.difficulty | to_integer %} 39 | {% for i in (1..difficulty) %}⭐{% endfor %} 40 | | 41 |
| Coding Challenges | 45 |n/a | 46 |n/a | 47 |
| Category | 63 |# | 64 |Challenges | 65 |
|---|---|---|
| {{ category.name }} | 69 |{{ category.items.size }} | 70 |{{ category.items | group_by:"name" | sort: "name" | map: "name" | join: ", " }} | 71 |
| Total Σ | 75 |{{ site.data.snippets.challenges.size }} | 76 ||
<iframe src="javascript:alert(`xss`)"> without using the frontend application at all.'
7 | difficulty: 3
8 | hints:
9 | - 'You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.'
10 | - 'A matrix of known data entities and their supported HTTP verbs through the API can help you here.'
11 | - 'Careless developers might have exposed API methods that the client does not even need.'
12 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
13 | key: restfulXssChallenge
14 | disabledEnv:
15 | - Docker
16 | - Heroku
17 | - Gitpod
18 | -
19 | name: 'Access Log'
20 | category: 'Observability Failures'
21 | description: 'Gain access to any access log file of the server.'
22 | difficulty: 4
23 | hints:
24 | - 'Who would want a server access log to be accessible through a web application?'
25 | - 'Normally, server log files are written to disk on server side and are not accessible from the outside.'
26 | - 'Which raises the question: Who would want a server access log to be accessible through a web application?'
27 | - 'One particular file found in the folder you might already have found during the "Access a confidential document" challenge might give you an idea who is interested in such a public exposure.'
28 | - 'Drilling down one level into the file system might not be sufficient.'
29 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html'
30 | key: accessLogDisclosureChallenge
31 | -
32 | name: 'Admin Registration'
33 | category: 'Improper Input Validation'
34 | description: 'Register as a user with administrator privileges.'
35 | difficulty: 3
36 | hints:
37 | - 'You have to assign the unassignable.'
38 | - 'Register as an ordinary user to learn what API endpoints are involved in this use case.'
39 | - 'Think of the simplest possible implementations of a distinction between regular users and administrators.'
40 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html'
41 | key: registerAdminChallenge
42 | -
43 | name: 'Admin Section'
44 | category: 'Broken Access Control'
45 | tags:
46 | - Good for Demos
47 | description: 'Access the administration section of the store.'
48 | difficulty: 2
49 | hints:
50 | - 'It is just slightly harder to find than the score board link.'
51 | - 'Knowing it exists, you can simply guess what URL the admin section might have.'
52 | - 'Alternatively, you can try to find a reference or clue within the parts of the application that are not usually visible in the browser.'
53 | - 'It is probably just slightly harder to find and gain access to than the score board link.'
54 | - 'There is some access control in place, but there are at least three ways to bypass it.'
55 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html'
56 | key: adminSectionChallenge
57 | tutorial:
58 | order: 8
59 | -
60 | name: 'Arbitrary File Write'
61 | category: 'Vulnerable Components'
62 | tags:
63 | - Danger Zone
64 | - Prerequisite
65 | description: 'Overwrite the Legal Information file.'
66 | difficulty: 6
67 | hints:
68 | - 'Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.'
69 | - 'Find all places in the application where file uploads are possible.'
70 | - 'For at least one of these, the Juice Shop is depending on a library that suffers from an arbitrary file overwrite vulnerability.'
71 | - 'You can find a hint toward the underlying vulnerability in the @owasp_juiceshop Twitter timeline.'
72 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
73 | key: fileWriteChallenge
74 | disabledEnv:
75 | - Docker
76 | - Heroku
77 | - Gitpod
78 | -
79 | name: 'Bjoern''s Favorite Pet'
80 | category: 'Broken Authentication'
81 | tags:
82 | - OSINT
83 | description: 'Reset the password of Bjoern''s OWASP account via the Forgot Password mechanism with the original answer to his security question.'
84 | difficulty: 3
85 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
86 | hints:
87 | - 'Hints to the answer to Bjoern’s question can be found by looking him up on the Internet.'
88 | - 'More precisely, Bjoern might have accidentally (?) doxxed himself by mentioning his security answer on at least one occasion where a camera was running.'
89 | - 'Brute forcing the answer might be very well possible with a sufficiently extensive list of common pet names.'
90 | key: resetPasswordBjoernOwaspChallenge
91 | -
92 | name: 'Blockchain Hype'
93 | category: 'Security through Obscurity'
94 | tags:
95 | - Contraption
96 | - Code Analysis
97 | - Web3
98 | description: 'Learn about the Token Sale before its official announcement.'
99 | difficulty: 5
100 | hints:
101 | - 'The developers truly believe in "Security through Obscurity" over actual access restrictions.'
102 | - 'Guessing or brute forcing the URL of the token sale page is very unlikely to succeed.'
103 | - 'You should closely investigate the place where all paths within the application are defined.'
104 | - 'Beating the employed obfuscation mechanism manually will take some time. Maybe there is an easier way to undo it?'
105 | mitigationUrl: ~
106 | key: tokenSaleChallenge
107 | -
108 | name: 'NFT Takeover'
109 | category: 'Sensitive Data Exposure'
110 | tags:
111 | - Contraption
112 | - Good for Demos
113 | - Web3
114 | description: 'Take over the wallet containing our official Soul Bound Token (NFT).'
115 | difficulty: 2
116 | hints:
117 | - 'Find the seed phrase posted accidentally.'
118 | mitigationUrl: ~
119 | key: nftUnlockChallenge
120 | -
121 | name: 'Mint the Honey Pot'
122 | category: 'Improper Input Validation'
123 | tags:
124 | - Web3
125 | - Internet Traffic
126 | description: 'Mint the Honey Pot NFT by gathering BEEs from the bee haven.'
127 | difficulty: 3
128 | hints:
129 | - 'Discover NFT wonders among the captivating visual memories.'
130 | mitigationUrl: ~
131 | key: nftMintChallenge
132 | -
133 | name: 'Wallet Depletion'
134 | category: 'Miscellaneous'
135 | tags:
136 | - Web3
137 | - Internet Traffic
138 | description: 'Withdraw more ETH from the new wallet than you deposited.'
139 | difficulty: 6
140 | hints:
141 | - 'Try to exploit the contract of the wallet.'
142 | mitigationUrl: ~
143 | key: web3WalletChallenge
144 | -
145 | name: 'Web3 Sandbox'
146 | category: 'Broken Access Control'
147 | tags:
148 | - Web3
149 | description: 'Find an accidentally deployed code sandbox for writing smart contracts on the fly.'
150 | difficulty: 1
151 | hints:
152 | - 'It is just as easy as finding the Score Board.'
153 | mitigationUrl: ~
154 | key: web3SandboxChallenge
155 | -
156 | name: 'Blocked RCE DoS'
157 | category: 'Insecure Deserialization'
158 | tags:
159 | - Danger Zone
160 | description: 'Perform a Remote Code Execution that would keep a less hardened application busy forever.'
161 | difficulty: 5
162 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
163 | hints:
164 | - 'The feature you need to exploit for this challenge is not directly advertised anywhere.'
165 | - 'As the Juice Shop is written in pure Javascript, there is one data format that is most probably used for serialization.'
166 | - 'You should try to make the server busy for all eternity.'
167 | - 'The challenge will be solved if you manage to trigger the protection of the application against a very specific DoS attack vector.'
168 | - 'Similar to the "Let the server sleep for some time" challenge (which accepted nothing but NoSQL Injection as a solution) this challenge will only accept proper RCE as a solution. It cannot be solved by simply hammering the server with requests. That would probably just kill your server instance.'
169 | key: rceChallenge
170 | disabledEnv:
171 | - Docker
172 | - Heroku
173 | - Gitpod
174 | -
175 | name: 'CAPTCHA Bypass'
176 | category: 'Broken Anti Automation'
177 | tags:
178 | - Brute Force
179 | description: 'Submit 10 or more customer feedbacks within 20 seconds.'
180 | difficulty: 3
181 | hints:
182 | - 'After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick.'
183 | - 'You could prepare 10 browser tabs, solving every CAPTCHA and filling out the each feedback form. Then you’d need to very quickly switch through the tabs and submit the forms in under 20 seconds total.'
184 | - 'Should the Juice Shop ever decide to change the challenge into "Submit 100 or more customer feedbacks within 60 seconds" or worse, you’d probably have a hard time keeping up with any tab-switching approach.'
185 | - 'Investigate closely how the CAPTCHA mechanism works and try to find either a bypass or some automated way of solving it dynamically.'
186 | - 'Wrap this into a script (in whatever programming language you prefer) that repeats this 10 times.'
187 | mitigationUrl: ~
188 | key: captchaBypassChallenge
189 | -
190 | name: 'Change Bender''s Password'
191 | category: 'Broken Authentication'
192 | description: 'Change Bender''s password into slurmCl4ssic without using SQL Injection or Forgot Password.'
193 | difficulty: 5
194 | hints:
195 | - 'In previous releases this challenge was wrongly accused of being based on CSRF.'
196 | - 'It might also have been put into the Improper Input Validation category.'
197 | - 'Bender’s current password is so strong that brute force, rainbow table or guessing attacks will probably not work.'
198 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
199 | key: changePasswordBenderChallenge
200 | -
201 | name: 'Christmas Special'
202 | category: 'Injection'
203 | description: 'Order the Christmas special offer of 2014.'
204 | difficulty: 4
205 | hints:
206 | - 'Find out how the application handles unavailable products and try to find a loophole.'
207 | - 'Find out how the application hides deleted products from its customers.'
208 | - 'Try to craft an attack string that makes deleted products visible again.'
209 | - 'You need to get the deleted product into your shopping cart and trigger the Checkout.'
210 | - 'Neither of the above can be achieved through the application frontend and it might even require (half-)Blind SQL Injection.'
211 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
212 | key: christmasSpecialChallenge
213 | -
214 | name: 'CSP Bypass'
215 | category: 'XSS'
216 | tags:
217 | - Danger Zone
218 | description: 'Bypass the Content Security Policy and perform an XSS attack with <script>alert(`xss`)</script> on a legacy page within the application.'
219 | difficulty: 4
220 | hints:
221 | - 'What is even "better" than a legacy page with a homegrown RegEx sanitizer? Having CSP injection issues on the exact same page as well!'
222 | - 'Find a screen in the application that looks subtly odd and dated compared with all other screens.'
223 | - 'Before trying any XSS attacks, you should understand how the page is setting its Content Security Policy.'
224 | - 'For the subsequent XSS, make good use of the flaws in the homegrown sanitization based on a RegEx!'
225 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
226 | key: usernameXssChallenge
227 | disabledEnv:
228 | - Docker
229 | - Heroku
230 | - Gitpod
231 | -
232 | name: 'Client-side XSS Protection'
233 | category: 'XSS'
234 | tags:
235 | - Danger Zone
236 | description: 'Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> bypassing a client-side security mechanism.'
237 | difficulty: 3
238 | hints:
239 | - 'There are only some input fields in the Juice Shop forms that validate their input.'
240 | - 'Even less of these fields are persisted in a way where their content is shown on another screen.'
241 | - 'Bypassing client-side security can typically be done by either disabling it on the client (i.e. in the browser by manipulating the DOM tree) or by ignoring it completely and interacting with the backend instead.'
242 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
243 | key: persistedXssUserChallenge
244 | disabledEnv:
245 | - Docker
246 | - Heroku
247 | - Gitpod
248 | -
249 | name: 'Confidential Document'
250 | category: 'Sensitive Data Exposure'
251 | tags:
252 | - Good for Demos
253 | description: 'Access a confidential document.'
254 | difficulty: 1
255 | hints:
256 | - 'Analyze and tamper with links in the application that deliver a file directly.'
257 | - 'The file you are looking for is not protected in any way. Once you found it you can also access it.'
258 | mitigationUrl: ~
259 | key: directoryListingChallenge
260 | -
261 | name: 'DOM XSS'
262 | category: 'XSS'
263 | tags:
264 | - Tutorial
265 | - Good for Demos
266 | description: 'Perform a DOM XSS attack with <iframe src="javascript:alert(`xss`)">.'
267 | difficulty: 1
268 | hints:
269 | - 'Look for an input field where its content appears in the HTML when its form is submitted.'
270 | - 'This challenge is almost indistinguishable from "Perform a reflected XSS attack" if you do not look "under the hood" to find out what the application actually does with the user input.'
271 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html'
272 | key: localXssChallenge
273 | tutorial:
274 | order: 2
275 | -
276 | name: 'Database Schema'
277 | category: 'Injection'
278 | description: 'Exfiltrate the entire DB schema definition via SQL Injection.'
279 | difficulty: 3
280 | hints:
281 | - 'Find out where this information could come from. Then craft an attack string against an endpoint that offers an unnecessary way to filter data.'
282 | - 'Find out which database system is in use and where it would usually store its schema definitions.'
283 | - 'Craft a UNION SELECT attack string to join the relevant data from any such identified system table into the original result.'
284 | - 'You might have to tackle some query syntax issues step-by-step, basically hopping from one error to the next.'
285 | - 'As with "Order the Christmas special offer of 2014" this cannot be achieved through the application frontend.'
286 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
287 | key: dbSchemaChallenge
288 | -
289 | name: 'Deprecated Interface'
290 | category: 'Security Misconfiguration'
291 | tags:
292 | - Contraption
293 | - Prerequisite
294 | description: 'Use a deprecated B2B interface that was not properly shut down.'
295 | difficulty: 2
296 | hints:
297 | - 'The developers who disabled the interface think they could go invisible by just closing their eyes.'
298 | - 'The old B2B interface was replaced with a more modern version recently.'
299 | - 'When deprecating the old interface, not all of its parts were cleanly removed from the code base.'
300 | - 'Simply using the deprecated interface suffices to solve this challenge. No attack or exploit is necessary.'
301 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html'
302 | key: deprecatedInterfaceChallenge
303 | -
304 | name: 'Easter Egg'
305 | category: 'Broken Access Control'
306 | tags:
307 | - Shenanigans
308 | - Contraption
309 | - Good for Demos
310 | description: 'Find the hidden easter egg.'
311 | difficulty: 4
312 | hints:
313 | - 'If you solved one of the four file access challenges, you already know where to find the easter egg.'
314 | - 'Simply reuse the trick that already worked for the files above.'
315 | mitigationUrl: ~
316 | key: easterEggLevelOneChallenge
317 | -
318 | name: 'Email Leak'
319 | category: 'Sensitive Data Exposure'
320 | description: 'Perform an unwanted information disclosure by accessing data cross-domain.'
321 | difficulty: 5
322 | hints:
323 | - 'Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.'
324 | - 'What ways are there to access data from a web application cross-domain?'
325 | - 'This challenge uses an old way which is no longer recommended.'
326 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet.html'
327 | key: emailLeakChallenge
328 | -
329 | name: 'Empty User Registration'
330 | category: 'Improper Input Validation'
331 | description: 'Register a user with an empty email and password.'
332 | difficulty: 2
333 | hints:
334 | - 'Consider intercepting and playing with the request payload.'
335 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html'
336 | key: emptyUserRegistration
337 | -
338 | name: 'Ephemeral Accountant'
339 | category: 'Injection'
340 | description: 'Log in with the (non-existing) accountant acc0unt4nt@juice-sh.op without ever registering that user.'
341 | difficulty: 4
342 | hints:
343 | - 'Try to create the needed user "out of thin air".'
344 | - 'The user literally needs to be ephemeral as in "lasting for only a short time".'
345 | - 'Registering normally with the user’s email address will then obviously not solve this challenge. The Juice Shop will not even let you register as acc0unt4nt@juice-sh.op, as this would make the challenge unsolvable for you.'
346 | - 'Getting the user into the database some other way will also fail to solve this challenge. In case you somehow managed to do so, you need to restart the Juice Shop application in order to wipe the database and make the challenge solvable again.'
347 | - 'The fact that this challenge is in the Injection category should already give away the intended approach.'
348 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
349 | key: ephemeralAccountantChallenge
350 | -
351 | name: 'Error Handling'
352 | category: 'Security Misconfiguration'
353 | tags:
354 | - Prerequisite
355 | description: 'Provoke an error that is neither very gracefully nor consistently handled.'
356 | difficulty: 1
357 | hints:
358 | - 'Try to submit bad input to forms. Alternatively tamper with URL paths or parameters.'
359 | - 'This challenge actually triggers from various possible error conditions.'
360 | - 'You can try to submit bad input to forms to provoke an improper error handling.'
361 | - 'Tampering with URL paths or parameters might also trigger an unforeseen error.'
362 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html'
363 | key: errorHandlingChallenge
364 | -
365 | name: 'Expired Coupon'
366 | category: 'Improper Input Validation'
367 | description: 'Successfully redeem an expired campaign coupon code.'
368 | difficulty: 4
369 | hints:
370 | - 'Try to identify past special event or holiday campaigns of the shop first.'
371 | - 'Look for clues about the past campaign or holiday event somewhere in the application.'
372 | - 'Solving this challenge does not require actual time traveling.'
373 | mitigationUrl: ~
374 | key: manipulateClockChallenge
375 | -
376 | name: 'Extra Language'
377 | category: 'Broken Anti Automation'
378 | tags:
379 | - Brute Force
380 | description: 'First you should find out how the languages are technically changed in the user interface.'
381 | difficulty: 5
382 | hints:
383 | - 'First you should find out how the languages are technically changed in the user interface.'
384 | - 'Guessing will most definitely not work in this challenge.'
385 | - 'Brute force is not the only option for this challenge, but a perfectly viable one.'
386 | - 'Investigate online what languages are actually available.'
387 | mitigationUrl: ~
388 | key: extraLanguageChallenge
389 | -
390 | name: 'Five-Star Feedback'
391 | category: 'Broken Access Control'
392 | description: 'Get rid of all 5-star customer feedback.'
393 | difficulty: 2
394 | hints:
395 | - 'Once you found admin section of the application, this challenge is almost trivial.'
396 | - 'Nothing happens when you try to delete feedback entries? Check the JavaScript console for errors!'
397 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html'
398 | key: feedbackChallenge
399 | -
400 | name: 'Forged Coupon'
401 | category: 'Cryptographic Issues'
402 | tags:
403 | - Good for Demos
404 | - Code Analysis
405 | description: 'Forge a coupon code that gives you a discount of at least 80%.'
406 | difficulty: 6
407 | hints:
408 | - 'Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.'
409 | - 'One viable solution would be to reverse-engineer how coupon codes are generated and craft your own 80% coupon by using the same (or at least similar) implementation.'
410 | - 'Another possible solution might be harvesting as many previous coupon as possible and look for patterns that might give you a leverage for a brute force attack.'
411 | - 'If all else fails, you could still try to blindly brute force the coupon code field before checkout.'
412 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html'
413 | key: forgedCouponChallenge
414 | -
415 | name: 'Forged Feedback'
416 | category: 'Broken Access Control'
417 | tags:
418 | - Tutorial
419 | description: "Post some feedback in another user's name."
420 | difficulty: 3
421 | hints:
422 | - 'You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.'
423 | - 'To find the client-side leverage point, closely analyze the HTML form used for feedback submission.'
424 | - 'The backend-side leverage point is similar to some of the XSS challenges found in OWASP Juice Shop.'
425 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html'
426 | key: forgedFeedbackChallenge
427 | tutorial:
428 | order: 11
429 | -
430 | name: 'Forged Review'
431 | category: 'Broken Access Control'
432 | description: 'Post a product review as another user or edit any user''s existing review.'
433 | difficulty: 3
434 | hints:
435 | - 'Observe the flow of product review posting and editing and see if you can exploit it.'
436 | - 'This challenge can be solved by using developers tool of your browser or with tools like postman.'
437 | - 'Analyze the form used for review submission and try to find a leverage point.'
438 | - 'This challenge is pretty similar to "Post some feedback in another user’s name" challenge.'
439 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html'
440 | key: forgedReviewChallenge
441 | -
442 | name: 'Forged Signed JWT'
443 | category: 'Vulnerable Components'
444 | description: 'Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op.'
445 | difficulty: 6
446 | hints:
447 | - 'This challenge is explicitly not about acquiring the RSA private key used for JWT signing.'
448 | - 'The three generic hints from Forge an essentially unsigned JWT token also help with this challenge.'
449 | - 'Instead of enforcing no encryption to be applied, try to apply a more sophisticated exploit against the JWT libraries used in the Juice Shop.'
450 | - 'Getting your hands on the public RSA key the application employs for its JWTs is mandatory for this challenge.'
451 | - 'Finding the corresponding private key should actually be impossible, but that obviously doesn’t make this challenge unsolvable.'
452 | - 'Make sure your JWT is URL safe!'
453 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html'
454 | key: jwtForgedChallenge
455 | disabledEnv:
456 | - Windows
457 | -
458 | name: 'Forgotten Developer Backup'
459 | category: 'Sensitive Data Exposure'
460 | tags:
461 | - Contraption
462 | - Good for Demos
463 | - Prerequisite
464 | description: 'Access a developer''s forgotten backup file.'
465 | difficulty: 4
466 | hints:
467 | - 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
468 | - 'Analyze and tamper with links in the application that deliver a file directly.'
469 | - 'The file is not directly accessible because a security mechanism prevents access to it.'
470 | - 'You need to trick the security mechanism into thinking that the file has a valid file type.'
471 | - 'For this challenge there is only one approach to pull this trick.'
472 | mitigationUrl: ~
473 | key: forgottenDevBackupChallenge
474 | -
475 | name: 'Forgotten Sales Backup'
476 | category: 'Sensitive Data Exposure'
477 | tags:
478 | - Contraption
479 | description: 'Access a salesman''s forgotten backup file.'
480 | difficulty: 4
481 | hints:
482 | - 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
483 | - 'Analyze and tamper with links in the application that deliver a file directly.'
484 | - 'The file is not directly accessible because a security mechanism prevents access to it.'
485 | - 'You need to trick the security mechanism into thinking that the file has a valid file type.'
486 | mitigationUrl: ~
487 | key: forgottenBackupChallenge
488 | -
489 | name: 'Frontend Typosquatting'
490 | category: 'Vulnerable Components'
491 | description: 'Inform the shop about a typosquatting imposter that dug itself deep into the frontend. (Mention the exact name of the culprit)'
492 | difficulty: 5
493 | hints:
494 | - 'This challenge has nothing to do with mistyping web domains. There is no conveniently misplaced file helping you with this one either. Or is there?'
495 | - 'This challenge has nothing to do with URLs or domains.'
496 | - 'Other than for its legacy companion, combing through the package.json.bak does not help for this challenge.'
497 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
498 | key: typosquattingAngularChallenge
499 | -
500 | name: 'GDPR Data Erasure'
501 | category: 'Broken Authentication'
502 | description: 'Log in with Chris'' erased user account.'
503 | difficulty: 3
504 | hints:
505 | - 'Turns out that something is technically and legally wrong with the implementation of the "right to be forgotten" for users.'
506 | - 'Trying out the Request Data Erasure functionality might be interesting, but cannot help you solve this challenge in real time.'
507 | - 'If you have solved the challenge Retrieve a list of all user credentials via SQL Injection you might have already retrieved some information about how the Juice Shop "deletes" users upon their request.'
508 | - 'What the Juice Shop does here is totally incompliant with GDPR. Luckily a 4% fine on a gross income of 0$ is still 0$.'
509 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html'
510 | key: ghostLoginChallenge
511 | -
512 | name: 'GDPR Data Theft'
513 | category: 'Sensitive Data Exposure'
514 | description: 'Steal someone else''s personal data without using Injection.'
515 | difficulty: 4
516 | hints:
517 | - 'Trick the regular Data Export to give you more than actually belongs to you.'
518 | - 'You should not try to steal data from a "vanilla" user who never even ordered something at the shop.'
519 | - 'As everything about this data export functionality happens on the server-side, it won’t be possible to just tamper with some HTTP requests to solve this challenge.'
520 | - 'Inspecting various server responses which contain user-specific data might give you a clue about the mistake the developers made.'
521 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html'
522 | key: dataExportChallenge
523 | -
524 | name: 'HTTP-Header XSS'
525 | category: 'XSS'
526 | tags:
527 | - Danger Zone
528 | description: 'Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> through an HTTP header.'
529 | difficulty: 4
530 | hints:
531 | - 'Finding a piece of displayed information that could originate from an HTTP header is part of this challenge.'
532 | - 'You might have to look into less common or even proprietary HTTP headers to find the leverage point.'
533 | - 'Adding insult to injury, the HTTP header you need will never be sent by the application on its own.'
534 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
535 | key: httpHeaderXssChallenge
536 | disabledEnv:
537 | - Docker
538 | - Heroku
539 | - Gitpod
540 | -
541 | name: 'Imaginary Challenge'
542 | category: 'Cryptographic Issues'
543 | tags:
544 | - Shenanigans
545 | - Code Analysis
546 | description: 'Solve challenge #999. Unfortunately, this challenge does not exist.'
547 | difficulty: 6
548 | hints:
549 | - 'You need to trick the hacking progress persistence feature into thinking you solved challenge #999.'
550 | - 'Find out how saving and restoring progress is done behind the scenes.'
551 | - 'Deduce from all available information (e.g. the package.json.bak) how the application encrypts and decrypts your hacking progress.'
552 | - 'Other than the user’s passwords, the hacking progress involves an additional secret during its encryption.'
553 | - 'What would be a really stupid mistake a developer might make when choosing such a secret?'
554 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html'
555 | key: continueCodeChallenge
556 | -
557 | name: 'Leaked Access Logs'
558 | category: 'Observability Failures'
559 | tags:
560 | - OSINT
561 | description: 'Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)'
562 | difficulty: 5
563 | hints:
564 | - 'As the challenge name implies, your task is to find some leaked access logs which happen to have a fairly common format.'
565 | - 'A very popular help platform for developers might contain breadcrumbs towards solving this challenge.'
566 | - 'The actual log file was copied & paste onto a platform often used to share data quickly with externals or even just internal peers.'
567 | - 'Once you found and harvested the important piece of information from the log, you could employ a technique called Password Spraying to solve this challenge.'
568 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html'
569 | key: dlpPasswordSprayingChallenge
570 | -
571 | name: 'Leaked Unsafe Product'
572 | category: 'Sensitive Data Exposure'
573 | tags:
574 | - Shenanigans
575 | - OSINT
576 | description: 'Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous.'
577 | difficulty: 4
578 | hints:
579 | - 'Your own SQLi and someone else''s Ctrl-V will be your accomplices in this challenge!'
580 | - 'You must first identify the "unsafe product" which ist not available any more in the shop.'
581 | - 'Solving the "Order the Christmas special offer of 2014" challenge might give it to you as by-catch.'
582 | - 'The actual data you need to solve this challenge was leaked on the same platform that was involved in the "Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to" challenge.'
583 | - 'Google is a particularly good accomplice in this challenge.'
584 | mitigationUrl: ~
585 | key: dlpPastebinDataLeakChallenge
586 | -
587 | name: 'Legacy Typosquatting'
588 | category: 'Vulnerable Components'
589 | description: 'Inform the shop about a typosquatting trick it has been a victim of at least in v6.2.0-SNAPSHOT. (Mention the exact name of the culprit)'
590 | difficulty: 4
591 | hints:
592 | - 'This challenge has nothing to do with mistyping web domains. Investigate the forgotten developer''s backup file instead.'
593 | - 'Investigating the forgotten developer’s backup file might bring some insight.'
594 | - '"Malicious packages in npm" is a worthwhile read on Ivan Akulov’s blog.'
595 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
596 | key: typosquattingNpmChallenge
597 | -
598 | name: 'Login Admin'
599 | category: 'Injection'
600 | tags:
601 | - Tutorial
602 | - Good for Demos
603 | description: 'Log in with the administrator''s user account.'
604 | difficulty: 2
605 | hints:
606 | - 'The challenge description probably gave away what form you should attack.'
607 | - 'If you happen to know the email address of the admin already, you can launch a targeted attack.'
608 | - 'You might be lucky with a dedicated attack pattern even if you have no clue about the admin email address.'
609 | - 'If you harvested the admin’s password hash, you can of course try to attack that instead of using SQL Injection.'
610 | - 'Alternatively you can solve this challenge as a combo with the Log in with the administrator’s user credentials without previously changing them or applying SQL Injection challenge.'
611 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
612 | key: loginAdminChallenge
613 | tutorial:
614 | order: 7
615 | -
616 | name: 'Login Amy'
617 | category: 'Sensitive Data Exposure'
618 | tags:
619 | - OSINT
620 | description: 'Log in with Amy''s original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the "One Important Final Note")'
621 | difficulty: 3
622 | hints:
623 | - 'This challenge will make you go after a needle in a haystack.'
624 | - 'As with so many other characters from Futurama this challenge is of course about logging in as Amy from that show.'
625 | - 'Did you know that Amy is married to an alien named Kif?'
626 | - 'The challenge description contains a few sentences which give away some information how Amy decided to strengthen her password.'
627 | - 'Obviously, Amy - being a little dimwitted - did not put nearly enough effort and creativity into the password selection process.'
628 | mitigationUrl: ~
629 | key: loginAmyChallenge
630 | -
631 | name: 'Login Bender'
632 | category: 'Injection'
633 | tags:
634 | - Tutorial
635 | description: 'Log in with Bender''s user account.'
636 | difficulty: 3
637 | hints:
638 | - 'The challenge description probably gave away what form you should attack.'
639 | - 'You need to know (or smart-guess) Bender’s email address so you can launch a targeted attack.'
640 | - 'Bender''s password hash might not help you very much.'
641 | - 'In case you try some other approach than SQL Injection, you will notice that Bender’s password hash is not very useful.'
642 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
643 | key: loginBenderChallenge
644 | tutorial:
645 | order: 13
646 | -
647 | name: 'Login Bjoern'
648 | category: 'Broken Authentication'
649 | tags:
650 | - Code Analysis
651 | description: 'Log in with Bjoern''s Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account.'
652 | difficulty: 4
653 | hints:
654 | - 'The security flaw behind this challenge is 100% OWASP Juice Shop''s fault and 0% Google''s.'
655 | - 'One way to light up this challenge in green on the score board, is to be Bjoern Kimminich. In that case, just log in with your Google account to automatically solve this challenge! Congratulations!'
656 | - 'Most likely you are not Bjoern Kimminich, so instead you might want to take detailed look into how the OAuth login with Google is implemented.'
657 | - 'It could bring you some insight to register with your own Google account and analyze closely what happens behind the scenes.'
658 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
659 | key: oauthUserPasswordChallenge
660 | -
661 | name: 'Login Jim'
662 | category: 'Injection'
663 | tags:
664 | - Tutorial
665 | description: 'Log in with Jim''s user account.'
666 | difficulty: 3
667 | hints:
668 | - 'The challenge description probably gave away what form you should attack.'
669 | - 'You need to know (or smart-guess) Jim’s email address so you can launch a targeted attack.'
670 | - 'If you harvested Jim’s password hash, you can try to attack that instead of using SQL Injection.'
671 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
672 | key: loginJimChallenge
673 | tutorial:
674 | order: 12
675 | -
676 | name: 'Login MC SafeSearch'
677 | category: 'Sensitive Data Exposure'
678 | tags:
679 | - Shenanigans
680 | - OSINT
681 | description: 'Log in with MC SafeSearch''s original user credentials without applying SQL Injection or any other bypass.'
682 | difficulty: 2
683 | hints:
684 | - 'MC SafeSearch is a rapper who produced the song "Protect Ya'' Passwordz" which explains password & sensitive data protection very nicely.'
685 | - 'After watching the music video of this song, you should agree that even ⭐⭐ is a slightly exaggerated difficulty rating for this challenge.'
686 | mitigationUrl: ~
687 | key: loginRapperChallenge
688 | -
689 | name: 'Login Support Team'
690 | category: 'Security Misconfiguration'
691 | tags:
692 | - Brute Force
693 | - Code Analysis
694 | description: 'Log in with the support team''s original user credentials without applying SQL Injection or any other bypass.'
695 | difficulty: 6
696 | hints:
697 | - 'The underlying flaw of this challenge is a lot more human error than technical weakness.'
698 | - 'The support team is located in a low-cost country and the team structure fluctuates a lot due to people leaving for jobs with even just slightly better wages.'
699 | - 'To prevent abuse the password for the support team account itself is actually very strong.'
700 | - 'To allow easy access during an incident, the support team utilizes a 3rd party tool which every support engineer can access to get the current account password from.'
701 | - 'While it is also possible to use SQL Injection to log in as the support team, this will not solve the challenge.'
702 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
703 | key: loginSupportChallenge
704 | -
705 | name: 'Manipulate Basket'
706 | category: 'Broken Access Control'
707 | description: 'Put an additional product into another user''s shopping basket.'
708 | difficulty: 3
709 | hints:
710 | - 'Have an eye on the HTTP traffic while placing products in the shopping basket.'
711 | - 'Adding more instances of the same product to someone else’s basket does not qualify as a solution. The same goes for stealing from someone else’s basket.'
712 | - 'This challenge requires a bit more sophisticated tampering than others of the same ilk.'
713 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html'
714 | key: basketManipulateChallenge
715 | -
716 | name: 'Misplaced Signature File'
717 | category: 'Observability Failures'
718 | tags:
719 | - Good Practice
720 | - Contraption
721 | description: 'Access a misplaced SIEM signature file.'
722 | difficulty: 4
723 | hints:
724 | - 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
725 | - 'If you solved one of the other four file access challenges, you already know where the SIEM signature file is located.'
726 | - 'Simply reuse the trick that already worked for the files above.'
727 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html'
728 | key: misplacedSignatureFileChallenge
729 | -
730 | name: 'Multiple Likes'
731 | category: 'Broken Anti Automation'
732 | description: 'Like any review at least three times as the same user.'
733 | difficulty: 6
734 | hints:
735 | - 'Punctuality is the politeness of kings.'
736 | - 'Every user is (almost) immediately associated with the review they "liked" to prevent abuse of that functionality.'
737 | - 'Did you really think clicking the "like" button three times in a row really fast would be enough to solve a ⭐⭐⭐⭐⭐⭐ challenge?'
738 | - 'The underlying flaw of this challenge is a Race Condition.'
739 | mitigationUrl: ~
740 | key: timingAttackChallenge
741 | -
742 | name: 'Nested Easter Egg'
743 | category: 'Cryptographic Issues'
744 | tags:
745 | - Shenanigans
746 | - Good for Demos
747 | description: 'Apply some advanced cryptanalysis to find the real easter egg.'
748 | difficulty: 4
749 | hints:
750 | - 'You might have to peel through several layers of tough-as-nails encryption for this challenge.'
751 | - 'Make sure you solve Find the hidden easter egg first.'
752 | - 'You might have to peel through several layers of tough-as-nails encryption for this challenge.'
753 | mitigationUrl: ~
754 | key: easterEggLevelTwoChallenge
755 | -
756 | name: 'NoSQL DoS'
757 | category: 'Injection'
758 | tags:
759 | - Danger Zone
760 | description: 'Let the server sleep for some time. (It has done more than enough hard work for you)'
761 | difficulty: 4
762 | hints:
763 | - 'This challenge is essentially a stripped-down Denial of Service (DoS) attack.'
764 | - 'As stated in the Architecture overview, OWASP Juice Shop uses a MongoDB derivate as its NoSQL database.'
765 | - 'The categorization into the NoSQL Injection category totally gives away the expected attack vector for this challenge. Trying any others will not solve the challenge, even if they might yield the same result.'
766 | - 'In particular, flooding the application with requests will not solve this challenge. That would probably just kill your server instance.'
767 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
768 | key: noSqlCommandChallenge
769 | disabledEnv:
770 | - Docker
771 | - Heroku
772 | - Gitpod
773 | -
774 | name: 'NoSQL Exfiltration'
775 | category: 'Injection'
776 | tags:
777 | - Danger Zone
778 | description: 'All your orders are belong to us! Even the ones which don''t.'
779 | difficulty: 5
780 | hints:
781 | - 'Take a close look on how the $where query operator works in MongoDB.'
782 | - 'This challenge requires a classic Injection attack.'
783 | - 'Find an API endpoint with the intent of delivering a single order to the user and work with that.'
784 | - 'Reading up on how MongoDB queries work is really helpful here.'
785 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html'
786 | key: noSqlOrdersChallenge
787 | disabledEnv:
788 | - Docker
789 | - Heroku
790 | - Gitpod
791 | -
792 | name: 'NoSQL Manipulation'
793 | category: 'Injection'
794 | description: 'Update multiple product reviews at the same time.'
795 | difficulty: 4
796 | hints:
797 | - 'Take a close look on how the equivalent of UPDATE-statements in MongoDB work.'
798 | - 'This challenge requires another classic Injection attack.'
799 | - 'It is also worth looking into how Query Operators work in MongoDB.'
800 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html'
801 | key: noSqlReviewsChallenge
802 | -
803 | name: 'Outdated Allowlist'
804 | category: 'Unvalidated Redirects'
805 | tags:
806 | - Code Analysis
807 | description: 'Let us redirect you to one of our crypto currency addresses which are not promoted any longer.'
808 | difficulty: 1
809 | hints:
810 | - 'When removing references to those addresses from the code the developers have been a bit sloppy.'
811 | - 'More particular, they have been sloppy in a way that even the Angular Compiler was not able to clean up after them automatically.'
812 | - 'It is of course not sufficient to just visit any of the crypto currency links directly to solve the challenge.'
813 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html'
814 | key: redirectCryptoCurrencyChallenge
815 | -
816 | name: 'Password Strength'
817 | category: 'Broken Authentication'
818 | tags:
819 | - Brute Force
820 | - Tutorial
821 | description: 'Log in with the administrator''s user credentials without previously changing them or applying SQL Injection.'
822 | difficulty: 2
823 | hints:
824 | - 'This challenge can be solved with three different approaches.'
825 | - 'Guessing might work just fine.'
826 | - 'If you harvested the admin’s password hash, you can try to attack that.'
827 | - 'In case you use some hacker tool, you can also go for a brute force attack using a generic password list.'
828 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
829 | key: weakPasswordChallenge
830 | tutorial:
831 | order: 9
832 | -
833 | name: 'Payback Time'
834 | category: 'Improper Input Validation'
835 | description: 'Place an order that makes you rich.'
836 | difficulty: 3
837 | hints:
838 | - 'You literally need to make the shop owe you any amount of money.'
839 | - 'Investigate the shopping basket closely to understand how it prevents you from creating orders that would fulfil the challenge.'
840 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html'
841 | key: negativeOrderChallenge
842 | -
843 | name: 'Premium Paywall'
844 | category: 'Cryptographic Issues'
845 | tags:
846 | - Shenanigans
847 | description: ' Unlock Premium Challenge to access exclusive content.'
848 | difficulty: 6
849 | hints:
850 | - 'You do not have to pay anything to unlock this challenge! Nonetheless, donations are very much appreciated.'
851 | - 'There is no inappropriate, self-written or misconfigured cryptographic library to be exploited here.'
852 | - 'How much protection does a sturdy top-quality door lock add to your house if you put the key under the door mat? Or hide the key in the nearby plant pot? Or tape the key to the underside of the mailbox?'
853 | - 'Once more: You do not have to pay anything to unlock this challenge!'
854 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html'
855 | key: premiumPaywallChallenge
856 | -
857 | name: 'Privacy Policy'
858 | category: 'Miscellaneous'
859 | tags:
860 | - Good Practice
861 | - Tutorial
862 | - Good for Demos
863 | description: 'Read our privacy policy.'
864 | difficulty: 1
865 | hints:
866 | - 'We won''t even ask you to confirm that you did. Just read it. Please. Pretty please.'
867 | - 'When you work with the application you will most likely solve this challenge in the process.'
868 | - 'Any automated crawling or spidering tool you use might solve this challenge for you.'
869 | - 'There is no real hacking involved here.'
870 | mitigationUrl: ~
871 | key: privacyPolicyChallenge
872 | tutorial:
873 | order: 4
874 | -
875 | name: 'Privacy Policy Inspection'
876 | category: 'Security through Obscurity'
877 | tags:
878 | - Shenanigans
879 | - Good for Demos
880 | description: 'Prove that you actually read our privacy policy.'
881 | difficulty: 3
882 | hints:
883 | - 'Only by visiting a special URL you can confirm that you read it carefully.'
884 | - 'First you should obviously solve the "Read our privacy policy" challenge.'
885 | - 'It is fine to use the mouse cursor to not lose sight of the paragraph you are currently reading.'
886 | - 'If you find some particularly hot sections in the policy you might want to melt them together similar to what you might have already uncovered in Apply some advanced cryptanalysis to find the real easter egg.'
887 | mitigationUrl: ~
888 | key: privacyPolicyProofChallenge
889 | -
890 | name: 'Product Tampering'
891 | category: 'Broken Access Control'
892 | description: 'Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com.'
893 | difficulty: 3
894 | hints:
895 | - 'Theoretically there are three possible ways to beat this challenge: a) broken admin functionality, b) holes in RESTful API or c) possibility for SQL Injection.'
896 | - 'In practice two of these three ways should turn out to be dead ends.'
897 | mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html'
898 | key: changeProductChallenge
899 | -
900 | name: 'Reflected XSS'
901 | category: 'XSS'
902 | tags:
903 | - Tutorial
904 | - Danger Zone
905 | - Good for Demos
906 | description: 'Perform a reflected XSS attack with <iframe src="javascript:alert(`xss`)">.'
907 | difficulty: 2
908 | hints:
909 | - 'Look for a url parameter where its value appears in the page it is leading to.'
910 | - 'Try probing for XSS vulnerabilities by submitting text wrapped in an HTML tag which is easy to spot on screen, e.g. <iframe src="javascript:alert(`xss`)"> bypassing a server-side security mechanism.'
1067 | difficulty: 4
1068 | hints:
1069 | - 'The "Comment" field in the "Customer Feedback" screen is where you want to put your focus on.'
1070 | - 'The Comment field in the Contact Us screen is where you want to put your focus on.'
1071 | - 'The attack payload