https://calltobattle.owasp.org - on April 9th, only limited seats available! Support OWASP by booking a ticket (member discount available) and have some exciting virtual escape room experience with a Juice Shop theme! Includes solving actual OWASP Juice Shop challenges but also general puzzle-solving skills to progress and unravel the mystery behind the incident/accident/??? at BUZZBEE Juice Shop!
Don't miss this first-of-its-kind event!
I have tested in Ubuntu 20.04, Debian 10, and Kali with Node LTS v14.16, all of them failed. I have searched for many solutions, like deleting node_modules, reinstall nodejs. But they are of no use.
Hm, if that was a general issue, our CI would fail from it, too.
I ran
npm install --unsafe-perm as https://pwning.owasp-juice.shop/appendix/troubleshooting.html said, and there is no errors. Thanks for that.
https://github.com/bkimminich/juice-shop/releases/tag/v12.7.0 is out now to play with! #codingchallenges #node15 #hbs #typescripteverywhere
Yeah, that one won't work unless you can somehow successfully fake the origin of the attack request to make it look like it came from that editor.
No intentional changes happened there and all e2e tests pass, so the exploit is probably still possible. Did you try the step by step instructions from https://pwning.owasp-juice.shop/appendix/solutions.html as well? Which step fails exactly?
I'm stuck with the challenge about rsa_lord... for several days. I understood the vulnerability, i followed the walkthrough in the documentation, forged the JWT using jwt.io, set up the localstorage, the cookie, the Bearer but the challenge is never validated. Is there a problem with this one or not?
That is one which has caused trouble in the past, it should work if you get the token done right. I can't guarantee that it'll work with jwt.io, though.
@bkimminich Re: the nosql manipulation, it is working now. Not sure why I was getting 400 bad request, I did nothing different. The only change was my PC rebooted (which is where my vmware workstation lives too) for updates, and now its working.
Problem: I lost all my progress because of the reboot of the Juice shop vm :(, And I did not backup my progress. Is there anyway to recover my score board progress? or am I SOL?
Problem: I lost all my progress because of the reboot of the Juice shop vm :(, And I did not backup my progress. Is there anyway to recover my score board progress? or am I SOL?
Progress is kept in a cookie, but if you ran everything in a VM then you probably can‘t get the cookie back... VM users should use the manual backup to JSON file option every now and then. Or you solve the „Challenge #999“ challenge next, and then you can make your own cookie with all the previous challenges easily... ;-)
Hey guys, I'm trying to deploy the juice-shop docker to CTFd, but the problem is that is not running on CTF mode (when i solve a challenge it does not display the flag). I'm running sudo docker run --rm -d -e "CTF_KEY=NGM5N2E2Y2FlMTMyMjY0ZTQ2Zjc3N2Mz" -e "NODE_ENV=ctf" -p 3000:3000 bkimminich/juice-shop and then sudo docker tag bkimminich/juice-shop registry.ctfd.io/x/x and sudo docker push registry.ctfd.io/x/x
Any idea what could be the issue?
if I ssh into the local docker container i can see the CTF_KEY and NODE_ENV environment variables set, and i've tried to set the showFlagsInNotifications to true in both default.yml and ctf.yml before pushing the image
On startup the server logs its many check results and also the config it's using. Does it say ctf or default there? Also if you request the config via API, like the frontend does, do you get the values you set or just default?
Thank you @bkimminich:matrix.org i fixed the issue! It turned out that i had to run sudo docker commit <container_id> after i made the changes to the local docker container, and then I could tag it and push it to the CTFd platform. I think I was pushing the default juice-shop container all the time that's why I couldn't see the ctf flag reflected. Just another question: it seems that the challenges progress is shown globally to all users, so if someone solves a challenge everyone sees the challenge as solved :/ Is this something that can be changed in the config?
Juice Shop is a "single player" application, every CTF participant needs their own instance and they post their flag codes to a single shared CTF score server, like CTFd for example.
My question is it still possible to create one ?
Or generate one
I you knew all the endpoints of the API you could then of course make your own Swaggerfile from that knowledge.
Hi, is it possible to run the JuiceShop from a sub-directory (ie: localhost:80/test)? I've set up a reverse proxy with nginx to redirect the requests to "/test" directory to port 3000 where JuiceShop is running. I can see that the server returns the JuiceShop index, but it fails to load the javascript files with 404 (looks for them in localhost/file.js instead of localhost/test/file.js). I've set up the basePath: /test in the config file and BASE_PATH=/test in the env but still 404
That is possible, yes. We even have an e2e test for subdirectory deployments and that passes just fine.
Maybe you can check that test out for anything that might be misconfigured or missing?
Can't see anything in the e2e test. I'm getting Loading module from “http://127.0.0.1/test/polyfills-es2018.js” was blocked because of a disallowed MIME type (“text/html”) - It seems that the path 127.0.0.1/test/polyfills-es2018.js can't find the file, but 127.0.0.1:3000/polyfills-es2018.js is okay and I can't see why that's the case
2 replies
Kali is terrible at anything development related as it seens to come with outdated libs and dependencies all over the place. I never tried running it myself, but I've heard from many users that they eventually used Docker and were happier with that on Kali.
It seems that something has got broken in kali update
Hey, is the loginCISO challenge test failing for everyone else?
1 reply
I see. One more question: we are creating a ransomware challenge, but the server tests fail because of an invalid country mapping on the fbctf.yml, how can I find an, unused country mapping and is that necessary to add?
