Björn Kimminich
@bkimminich
This needs better documentation or validation of the original API response. Thanks for finding this!
@mironiec If you follow the ebook solution, it works or doesn't? Couldn't read that from your question.
The need for the algo change might be a thing from jwt.io, but I'm not sure right now.
Björn Kimminich
@bkimminich
@palkers, I fixed the issue with missing hints by adding a warning after export in the case you encountered. See bkimminich/juice-shop-ctf#79
Brian Hartling
@hartlin2
I'm pretty new to this but is there a way to reset scoreboard on https://juice-shop.herokuapp.com instance?
Jannik Hollenbach
@J12934
No that’s a shared instance, so you’ll have to share the scoreboard with the other users.
You can set up your own instance if you want.
Björn Kimminich
@bkimminich
Just use the "Deploy to Heroku" button in the README and you'll have a personal instance to play with.
Brian Hartling
@hartlin2
Thanks!
Jonathan Meredith
@jimender2
Is it possible to do CTF on a Heroku instance of Juice Shop?
Björn Kimminich
@bkimminich
@jimender2 Yes, totally!
Just need to set the environment variables NODE_ENV=ctf and optionally pass in the used CTF_KEY if you don't use the default.
Anoop Kumar Gupta
@anoop-gupt
Hi, I just need to use Juice Shop for training 3-4 junior developers. Do I need to set up a server, or can they just run local instances for hacking exercises?
Jannik Hollenbach
@J12934
Sure, they can just run local instances if that is easier for you.
Anoop Kumar Gupta
@anoop-gupt
@J12934 Thanks, that means we can run local instances and do exercises on local machines without interfering with others.
Björn Kimminich
@bkimminich
Actually this is exactly how it should be done with one instance per user. That way everyone has their own Score Board.
Björn Kimminich
@bkimminich
You should investigate the client side JavaScript code closely for some "special case handling" of a coupon that is not like the others.
And your clock assumption is correct to then exploit it... 😉
dexterkhan634
@dexterkhan634
Hi, I am trying to decode the blockchain Tier 1 bug... After trying so many things, I finally landed on the solution. As per that solution, when I run the JavaScript for the match function, it does not return the path name as mentioned in the solution. Please guide me to solve this as per the solution.
Björn Kimminich
@bkimminich
So, you checked the corresponding solution in https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/appendix/solutions.html but it didn't work for you? As there is the Angular code minifier in between, the solution might vary slightly over time, but the general approach should still work fine.
jasjadv
@jasjadv
Juice Shop might be a great learning platform but you should be careful for using it with CTF events, especially when you award prizes:
When you use https://github.com/jasjadv/juice-cheater you can "solve" any challenge you want without having the slightest idea what you are doing.
Jannik Hollenbach
@J12934
That's a good point. I feel like Juice Shop for CTF-style events is best if the focus is on learning/teaching, not really on the competition.
If somebody starts to cheat in a CTF which is meant to teach them something, they obviously didn't get the point of the CTF.
But the ContinueCodes always being generated with the same static hash is something which maybe should be changed. Or at least give the option to configure it for CTF events. This doesn't really make cheating impossible, but at least harder.
Björn Kimminich
@bkimminich
I really like your Cheater script, @jasjadv! Nice work! I'm a bit hesitant to make the Juice Shop more "cheat resistant" because it was not recommended to be used in competitive CTFs right from the start. Putting any more work into cheat prevention now could be misread as a step towards supporting competitive use...
Also, using any salt other than the current one would make the "Imaginary Challenge" challenge kind of unsolvable or require rework on it. It's actually meant to use it in the silly way it does right now... ;-)
Jannik Hollenbach
@J12934
@bkimminich The only requirement for the salt would be that it is brute-forceable, right? Or was there another method to get it?
Björn Kimminich
@bkimminich
No, it's using the value given on the used hash function's own demo page... Emulates a really lazy developer. No brute force involved.
Tejas Khairnar
@tejas619
Hello, I am trying to customize juice-shop for our internal CTF event. Is there a way to put in the config if we want only certain challenges to be running? I tried editing the challenges.yml file but it is throwing me all different Node errors.
Björn Kimminich
@bkimminich
This is not a supported mode of using Juice Shop, no. Some challenges are disabled depending on the runtime environment to prevent potential damage, but then the underlying vulns are disabled as well.
Just don't have all 86 challenges on your CTF score server, then people can hack all the Juice Shop if they want but only get points for what you want them to focus on.
Stian Fauskanger
@stianfauskanger
Hi. How can I save the state of the Juice Shop when running in Docker?
If possible*
Björn Kimminich
@bkimminich
It automatically saves state in your browser in the continueCode cookie. So as long as you use the same URL all the time you should be fine.
Stian Fauskanger
@stianfauskanger
Ah. Thanks. My browser removes all cookies, localStorage, etc. when I close the tab, that's why this didn't work for me. Added an exception for localhost:3000. Looks like it "remembers me" now ^_^
Tejas Khairnar
@tejas619
How does the app establish a session after authenticating with google? We are trying to integrate our own oauth integration alongside google. We are getting redirected correctly but now got stuck on how the app established a session and creates the profile. Any help?
Björn Kimminich
@bkimminich
What happens after the Google OAuth step is that Juice Shop botches the account creation. So, it's already a hacking challenge. You'd have to replace the OAuth part without "breaking" the challenge.
Explaining how it exactly works would spoil the challenge.
Best check the OAuth component code, then you'll see it for yourself.
Björn Kimminich
@bkimminich
Jeroen Willemsen
@commjoen
congrats!
staticnotdynamic
@staticnotdynamic
hola! is it permissible to ask for hints here ?
Björn Kimminich
@bkimminich
Of course!
Björn Kimminich
@bkimminich
https://youtu.be/9LkWOWiLZoc - 95% Score Board completion in 3min! (at 6x speed)
Björn Kimminich
@bkimminich
https://youtu.be/Msi52Kicb-w - XSS Demo: Juice Shop 9.x dances while leaking credentials
Randy Vroegop
@vroegop
Hey there! I used the juice-shop docker image with some custom CTF setup, but flags are shared among clients! If one of us solves a challenge, all of the clients have it solved in the scoreboard. Is it possible to change this?
V9.0.1
Jannik Hollenbach
@J12934
That is expected. A single Juice Shop instance should not be used for multiple users.
See the CTF Hosting section of Pwning OWASP Juice Shop: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part1/ctf.html#ctf-event-infrastructure
See the section "Single user restriction" at the very bottom.