by

Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
Ati Ok
@ao10

Hi, I have a question about the reflected xss challenge for the /rest/track-order/:id endpoint. If we pass in the following attack vector to id: <iframe src="javascript:alert(`xss`)">, the attack gets rendered as JSON in the browser because the content-type header for the response is set to application/json and no attack is executed.

Is this still a valid reflected xss attack? Imo, it does not seem like it

Björn Kimminich
@bkimminich
If that request would be sent from some place in the client and the JSON response then insecurely rendered, you'd certainly have an XSS issue.
It could be argued if that fully qualifies as "reflected" or if it is still more "DOM-based", but it's still XSS at the end of the day.
Ati Ok
@ao10
@bkimminich Ah I see, thank you. I couldn't find anything in the exploit guide about it, but do you know how I can go about reproducing the xss on the client-side? I tried to send the URL with the attack vector through the browser but I kept getting redirected and couldn't get the XSS to execute
Björn Kimminich
@bkimminich
Local or Docker or Heroku or ...?
Björn Kimminich
@bkimminich
That XSS challenge is disabled on Heroku and Docker, because it's also a portal for NoSQLi and that is susceptible to RCE.
Ati Ok
@ao10
Ah I was trying to do it on Heroku
JackN-code
@JackN-code
Hi, I am working on the Score Board: Find the carefully hidden 'Score Board' page. Is the general idea Hidden / Secret URL Vulnerability?
JackN-code
@JackN-code
it is also called Forced browsing https://owasp.org/www-community/attacks/Forced_browsing
Björn Kimminich
@bkimminich
You can find it by forced browsing, but as it's a UI route, it's much faster to comb through the frontend code to find the URL. Or just guess it. If you click "Help getting started" on the welcome banner or side menu, a little tutorial will guide you through the process.
Cloufish
@Cloufish
I'm trying to see it (score-board url) in the Source code, but nothing's there
I'm running it in owasp zap hud
The tutorial says it is in Sources tab, but there are not sources tab in firefox dev tools. But maybe I am wrong and there is this tab
Cloufish
@Cloufish
Okay nvm, now that I realized I can launch hud with Chrome everything is clear xD
sorry for being nooby
Björn Kimminich
@bkimminich
Yeah, in Firefox it's in the "Debugger" tab, you're right. I could try to identify the browser being used and pass in the tab name accordingly into the tutorial text...
...or just change it into Sources/Debugger tab ... :-D
kw1tt3
@kw1tt3
Hi, I am stuck on this error , not loading the real easter egg js files
Refused to execute script from '<URL>' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled. & Uncaught ReferenceError: THREE is not defined.
Any idea?
Björn Kimminich
@bkimminich
I just checked and can confirm this behavior in Chrome 83. That's entirely unwanted. Didn't try in other browsers yet.
Chrome on Android shows blank page too.
Tor 9.5 blanks too...
Björn Kimminich
@bkimminich
Firefox 68 also blanks... So, it's pretty sure some issue with serving the files. If you want, please open a bug issue for this, @kw1tt3. Cheers!
kw1tt3
@kw1tt3
@bkimminich it´s done...my first time i opened a bug issue.
Björn Kimminich
@bkimminich
Thank you! 👍 I'll leave that one open for.a.while
because I think it's a good ticket for new contributors actually.
Björn Kimminich
@bkimminich
@kw1tt3 The problem with the easter egg is fixed. It was just a simple path issue.
kw1tt3
@kw1tt3
Thank you! I already pulled the last commit from developer branch. There are no blank pages anymore. 👍
Björn Kimminich
@bkimminich
If you want to ask the Juice Shop core team anything while sipping on a cocktail (that you have to make yourself, thanks to COVID-19) you really need to join https://open-security-summit-2020.heysummit.com/talks/owasp-juice-shop-cocktail-party-ask-us-anything tonight, 15th June 21:00 CEST!
Ian Muchina
@IanMuchina_gitlab
Ok, I'm setting up juiceshop in a Docker container and I want to change the default port from 3000 so I can access juiceshop from containerip:80 not localhost
Björn Kimminich
@bkimminich
https://docs.docker.com/config/containers/container-networking has several examples for port mapping in Docker.
Soundofsnow
@Soundofsnow
Hi, I've just installed Juice shop in one VM and it's working beautifully. I have also installed it onto another (Kali) VM as part of CTFd using juice-shop-ctf-cli. That appears to have worked as well. However, my (possibly silly) question is how do you interact with the actual juice shop website when using the CTFd version i.e. I can see the (black box) challenges but how do I get the original juice shop website up and running at the same time?
Björn Kimminich
@bkimminich
You need to run Juice Shop as well and make sure you use the same ctfKey like the CTFd server. See also https://pwning.owasp-juice.shop/part1/ctf.html for hopefully all the information to get this running.
Soundofsnow
@Soundofsnow
Thanks Bjorn. I've got them both installed together now and they are both working.
Soundofsnow
@Soundofsnow
Hi Bjorn, I'm struggling to understand how to make the ctfkey the same on both Juice Shop and the CTFd. I installed them using Docker.
Soundofsnow
@Soundofsnow
I've tried following the instructions in the Section "Running Juice Shop in CTF-mode".
Björn Kimminich
@bkimminich
https://pwning.owasp-juice.shop/part1/ctf.html - when using the juice-shop-ctf-cli module, you specify the same key that you use on your participants' instances, and that's it. CTFd gets the flags from the data import then and they're equal to the flag code shown when solving a challenge. It's all in the docs... 😉
Björn Kimminich
@bkimminich
Our official (yet manually built) Docker images for arm are now available! They're built on a 4B model with Raspian 32bit. Please let ke know if they (don't) work on your various RasPi models!
Matheus
@mtps3
I installed the juice-shop on a machine and wanted to make an internal CTF using the juice-shop + CTF, but when a person punctuates the flag, the other people who are at the same time on the platform appear to them also, how to solve that ?
Björn Kimminich
@bkimminich
Apart from the score-tracking server, each participant must have their own instance of OWASP Juice Shop. As explained in the Single-user restriction section, having a shared instance for each team is strongly discouraged, because Juice Shop is programmed as a single-user application.
https://pwning.owasp-juice.shop/part1/running.html#single-user-restriction
Mzon AlThunayan
@mzonth__twitter
Hi , I am working on "Some vulnerabilities Analysis" research and i want to use Juice shop as a case study, I already know that it is entirely written in JavaScript and you are more expert in this field, what makes Juice shop different than other vulnerable web applications e.g (Hackzon, WackoPicko, DVWA .... ) from vulnerabilities Perspectives?, Thanks in Advance.
Björn Kimminich
@bkimminich
@mzonth__twitter I'll simply stick to our slogan here: "OWASP Juice Shop is probably the most modern and sophisticated insecure web application!" - and would recommend you to check out https://pwning.owasp-juice.shop for all the background you probably need on the project. If you are only interested in the variety or vulnerabilities included, here's a list: https://pwning.owasp-juice.shop/part1/categories.html (and here a mapping to the built in hacking challenges: https://owasp.org/www-project-juice-shop/#div-challenges).
Maciej
@HdFullOfCiphers_twitter

Hi, I'm working hard on API-only XSS, could you guide me a little? I prepared a 2x curl queries:
curl --verbose --header "Content-type: application/json" --header "Authorization: Bearer valid_token"--data '{"name": "XSS", "description": "<iframe src=\"javascript:alert(xss)\">", "price": 47.11}' --request "PUT" "http://127.0.0.1:3000/api/Products/1"

curl --verbose --header "Content-type: application/json" --header "Authorization: Bearer valid_token"--data '{"name": "XSS", "description": "<iframe src=\"javascript:alert(xss)\">", "price": 47.11}' --request "POST" "http://127.0.0.1:3000/api/Products"

and none is solving the challenge :( 1 one is changing the apple juice description with success (without green flag), second returns 'invalid token'. Could you please explain what I'm doing wrong?
token was valid for admin user ofc
Björn Kimminich
@bkimminich
Your payload is not exactly the one mentioned on the Score Board. If you fix that, it should recognize your solution.
Maciej
@HdFullOfCiphers_twitter
Thanks a lot :)
tagmankiller
@tagmankiller
does any one have the coupon for this month?
Björn Kimminich
@bkimminich
The cron job that auto-posts the coupon is schedule for 11h from now... Stay tuned! :-D
tagmankiller
@tagmankiller
thanks