Björn Kimminich
@bkimminich

https://calltobattle.owasp.org - on April 9th, only limited seats available! Support OWASP by booking a ticket (member discount available) and have some exciting virtual escape room experience with a Juice Shop theme! Includes solving actual OWASP Juice Shop challenges but also general puzzle-solving skills to progress and unravel the mystery behind the incident/accident/??? at BUZZBEE Juice Shop!

Don't miss this first-of-its-kind event!

Jing Liu
@chinggg
Does anyone have errors with launching from the git repo? I am trying to run Juice-Shop on my server but npm start failed with errors like internal/modules/cjs/loader.js:883 throw err; Error: Cannot find module '/root/juice-shop/build/app'
I have tested in Ubuntu 20.04, Debian 10, and Kali with Node LTS v14.16, all of them failed. I have searched for many solutions, like deleting node_modules and reinstalling nodejs. But they are of no use.
bkimminich
@bkimminich:matrix.org
[m]
Hm, if that was a general issue, our CI would fail from it, too.
Jing Liu
@chinggg
I ran npm install --unsafe-perm as https://pwning.owasp-juice.shop/appendix/troubleshooting.html said, and there are no errors. Thanks for that.
bkimminich
@bkimminich:matrix.org
[m]
https://github.com/bkimminich/juice-shop/releases/tag/v12.7.0 is out now to play with! #codingchallenges #node15 #hbs #typescripteverywhere
davehouser1
@davehouser1
Hello, is it even possible to complete the CSRF challenge if you are running Juice Shop on a VM in your private network with no NAT?
Don't know how the Real-Time HTML editor would be able to access my VM's page, expected?
bkimminich
@bkimminich:matrix.org
[m]
Yeah, that one won't work unless you can somehow successfully fake the origin of the attack request to make it look like it came from that editor.
davehouser1
@davehouser1
@bkimminich:matrix.org that's what I thought. Thanks.
davehouser1
@davehouser1
Hello, re: nosql manipulation, I keep getting a 400 Bad Request no matter how I try to adjust my request. Is this the place to post questions re: issues with a challenge? I have followed a couple guides. Running version 12.7.1, did something change?
bkimminich
@bkimminich:matrix.org
[m]
No intentional changes happened there and all e2e tests pass, so the exploit is probably still possible. Did you try the step by step instructions from https://pwning.owasp-juice.shop/appendix/solutions.html as well? Which step fails exactly?
davehouser1
@davehouser1
@bkimminich thanks for the link, I will go through this later today and report back.
romainv42
@romainv42
Hi all, and @bkimminich I thank you for this awesome "worst" website.
romainv42
@romainv42
I'm stuck with the challenge about rsa_lord... for several days. I understood the vulnerability, I followed the walkthrough in the documentation, forged the JWT using jwt.io, set up the localstorage, the cookie, the Bearer but the challenge is never validated. Is there a problem with this one or not?
bkimminich
@bkimminich:matrix.org
[m]
That is one which has caused trouble in the past, it should work if you get the token done right. I can't guarantee that it'll work with jwt.io, though.
bkimminich
@bkimminich:matrix.org
[m]
Did you try the non-Burp solution alternatively?
romainv42
@romainv42
Yes, I tested two solutions without using Burp Suite.
davehouser1
@davehouser1
@bkimminich Re: the nosql manipulation, it is working now. Not sure why I was getting 400 bad request, I did nothing different. The only change was my PC rebooted (which is where my vmware workstation lives too) for updates, and now it's working.
Problem: I lost all my progress because of the reboot of the Juice Shop VM :(, and I did not back up my progress. Is there any way to recover my score board progress? Or am I SOL?
bkimminich
@bkimminich:matrix.org
[m]
Progress is kept in a cookie, but if you ran everything in a VM then you probably can't get the cookie back... VM users should use the manual backup to JSON file option every now and then. Or you solve the "Challenge #999" challenge next, and then you can make your own cookie with all the previous challenges easily... ;-)
andrei8055
@andrei8055
Hey guys, I'm trying to deploy the juice-shop docker to CTFd, but the problem is that it is not running in CTF mode (when I solve a challenge it does not display the flag). I'm running sudo docker run --rm -d -e "CTF_KEY=NGM5N2E2Y2FlMTMyMjY0ZTQ2Zjc3N2Mz" -e "NODE_ENV=ctf" -p 3000:3000 bkimminich/juice-shop and then sudo docker tag bkimminich/juice-shop registry.ctfd.io/x/x and sudo docker push registry.ctfd.io/x/x
Any idea what could be the issue?
If I ssh into the local docker container I can see the CTF_KEY and NODE_ENV environment variables set, and I've tried to set the showFlagsInNotifications to true in both default.yml and ctf.yml before pushing the image
bkimminich
@bkimminich:matrix.org
[m]
On startup the server logs its many check results and also the config it's using. Does it say ctf or default there? Also if you request the config via API, like the frontend does, do you get the values you set or just default?
andrei8055
@andrei8055
Thank you @bkimminich:matrix.org I fixed the issue! It turned out that I had to run sudo docker commit <container_id> after I made the changes to the local docker container, and then I could tag it and push it to the CTFd platform. I think I was pushing the default juice-shop container all the time, that's why I couldn't see the ctf flag reflected. Just another question: it seems that the challenges progress is shown globally to all users, so if someone solves a challenge everyone sees the challenge as solved :/ Is this something that can be changed in the config?
bkimminich
@bkimminich:matrix.org
[m]
Juice Shop is a "single player" application, every CTF participant needs their own instance and they post their flag codes to a single shared CTF score server, like CTFd for example.
andrei8055
@andrei8055
Thank you @bkimminich:matrix.org - makes sense
catmansoup
@catmansoup
Hi, am I allowed to ask for help here?
bkimminich
@bkimminich:matrix.org
[m]
Hi @catmansoup ! Yes totally, ask away! 😆👍
Razor29
@Razor29
Quick question guys, does anyone have a full Swagger file for the website's entire API and not just the B2B swagger file? If not, can someone point me to an article/tool or explanation how I can go about creating/generating one?
Björn Kimminich
@bkimminich
Hi! The main Juice Shop API is not created by Swagger-file.
Razor29
@Razor29
I know
My question is: is it still possible to create one?
Or generate one
Björn Kimminich
@bkimminich
Not automatically, or at least not with a useful outcome. Where is it supposed to take the documentation of payloads from and how is any tool supposed to know the endpoints to "reverse-engineer"?
If you knew all the endpoints of the API you could then of course make your own Swaggerfile from that knowledge.
Razor29
@Razor29
That's what I thought
Razor29
@Razor29
Thanks anyway for the answer and for a great app (-:
andrei8055
@andrei8055
Hi, is it possible to run the JuiceShop from a sub-directory (ie: localhost:80/test)? I've set up a reverse proxy with nginx to redirect the requests to "/test" directory to port 3000 where JuiceShop is running. I can see that the server returns the JuiceShop index, but it fails to load the javascript files with 404 (looks for them in localhost/file.js instead of localhost/test/file.js). I've set up the basePath: /test in the config file and BASE_PATH=/test in the env but still 404
bkimminich
@bkimminich:matrix.org
[m]
That is possible, yes. We even have an e2e test for subdirectory deployments and that passes just fine.
Maybe you can check that test out for anything that might be misconfigured or missing?
andrei8055
@andrei8055
Can't see anything in the e2e test. I'm getting Loading module from “http://127.0.0.1/test/polyfills-es2018.js” was blocked because of a disallowed MIME type (“text/html”) - It seems that the path 127.0.0.1/test/polyfills-es2018.js can't find the file, but 127.0.0.1:3000/polyfills-es2018.js is okay and I can't see why that's the case
riknykn
@riknykn
Any idea what might cause npm start to fail on Kali?
kali@kali:~/juice-shop_12.8.0$ npm start
npm ERR! Function.prototype.apply was called on false, which is a boolean and not a function
kali@kali:~/juice-shop_12.8.0$ npm -v; node -v
6.14.8
v12.21.0
bkimminich
@bkimminich:matrix.org
[m]
Kali is terrible at anything development related as it seems to come with outdated libs and dependencies all over the place. I never tried running it myself, but I've heard from many users that they eventually used Docker and were happier with that on Kali.
riknykn
@riknykn
I totally agree. :-) I have had version 12.0.2 running on this host fine, but updating was not successful. I also tested the previous version, but got the same error
It seems that something has got broken in a Kali update
Silvano Biemans
@silvanob:matrix.org
[m]
Hey, is the loginCISO challenge test failing for everyone else?
Silvano Biemans
@silvanob:matrix.org
[m]
I see. One more question: we are creating a ransomware challenge, but the server tests fail because of an invalid country mapping in the fbctf.yml. How can I find an unused country mapping, and is that necessary to add?
Silvano Biemans
@silvanob:matrix.org
[m]
Never mind. I used Finland :)
Nikola
@jokicnikola07
I don't know if you have noticed, but there is a vuln in the feedback section, having an almost, if not exactly, similar filter to the one used for username XSS
Björn Kimminich
@bkimminich
I know, it's a different filter, though. And there's already a challenge to exploit it, so: Happy hacking! :-D