Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
Björn Kimminich
@bkimminich
totally!
Just need to set the environment variables NODE_ENV=ctf and optionally pass in the used CTF_KEY if you don't use the default.
Anoop Kumar Gupta
@anoop-gupt
Hi,I just need to use Juice Shop for 3-4 Junior developers training. Do I need to setup a server or they can just run local instanse for hacking excercises?
Jannik Hollenbach
@J12934
Sure they can just run local instances if that ist easier for you
Anoop Kumar Gupta
@anoop-gupt
@J12934 Thanks, that means we can run local instances and do excerscises at local machines without interfering others
Björn Kimminich
@bkimminich
Actually this is exactly how it should be done with one instance per user. That way everyone has their own Score Board.
Björn Kimminich
@bkimminich
You should investigate the client side JavaScript code closely for some "special case handling" of a coupon that is not like the others.
And your clock assumption is correct to then exploit it... 😉
dexterkhan634
@dexterkhan634
Hi , I am trying to decode the block chain Tier 1 bug... After so many things tried. I finally landed to solution. as per that solution , when i run javascript for match function it did not return me path name as mentioned in solution . Please guide to solve this as per solution
Björn Kimminich
@bkimminich
So, you checked the corresponding solution in https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/appendix/solutions.html but it didn't work for you? As there is the Angular code minifier in between, the solution might vary slightly over time, but the general approach should still work fine.
jasjadv
@jasjadv
Juice Shop might be a great learning platform but you should be careful for using it with CTF events, especially when you award prizes:
When you use https://github.com/jasjadv/juice-cheater you can "solve" any challenge you want without having the slightest idea what you are doing.
Jannik Hollenbach
@J12934
Thats a good point. I feel like there Juice Shop for CTF style events is best if the focus is on learning / teaching not really on the competition.
If somebody starts to cheat in a CTF which is meant to teach them something, they obiously didnt get the point of the CTF
But the ContinueCodes always being generated with the same static hash is something which maybe should be changed. Or at least give the option to configure for ctf events. This doesnt really make cheating impossible, but at least harder.
Björn Kimminich
@bkimminich
I really like your Cheater script, @jasjadv! Nice work! I'm a bit hesitant to make the Juice Shop more "cheat resistant" because it was not recommended to be used in competetive CTFs right from the start. Putting any more work into cheat prevention now, could be misread as step towards supporting competetive use...
Also, using any salt other than the current one would make the "Imaginary Challenge" challenge kind of unsolvable or require rework on it. It's actually meant to use it in the silly way it does right now... ;-)
Jannik Hollenbach
@J12934
@bkimminich Only requirement for the salt would be that it is brute forcable, right? Or was there another method to get it?
Björn Kimminich
@bkimminich
No, it's using the value given on the used hash function's own demo page... Emulates a really lazy developer. No brute force involved.
Tejas Khairnar
@tejas619
Hello, I am trying to customize juice-shop for our internal ctf event. Is there a way to put in the config if we want only certain challenges to be running? I tried editing the challenges.yml file but it is throwing me all different node errors
Björn Kimminich
@bkimminich
This is not a supported mode of using Juice Shop, no. Some challenges are disabled depending on the runtime environment to prevent potential damage, but then the underlying vulns are disabled as well.
Just don't have all 86 challenges on your CTF score server, then people can hack all the Juice Shop if they want but only get points for what you want them to focus on.
Stian Fauskanger
@stianfauskanger
Hi. How can I save the state of the Juice Shop when running in Docker?
If possible*
Björn Kimminich
@bkimminich
It automatically saves state in your browser in the continueCode cookie. So as long as you use the same URL all the time you should be fine.
Stian Fauskanger
@stianfauskanger
Ah. Thanks. My browser removes all cookies, localStorage, etc. when I close the tab, that's why this didn't work for me. Added an exception for localhost:3000. Looks like it "remembers me" now ^_^
Tejas Khairnar
@tejas619
How does the app establish a session after authenticating with google? We are trying to integrate our own oauth integration alongside google. We are getting redirected correctly but now got stuck on how the app established a session and creates the profile. Any help?
Björn Kimminich
@bkimminich
What happens after the Google OAuth step the. Juice Shop botches the account creation. So, it's already a hacking challenge. You'd have to replace the OAuth part without "breaking" the challenge.
Explaining how it exactly works would spoiler the challenge
Best check the OAuth component code, then you'll see it for yourself.
Björn Kimminich
@bkimminich
:new: https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 :new:
Jeroen Willemsen
@commjoen
congrats!
staticnotdynamic
@staticnotdynamic
hola! is it permissible to ask for hints here ?
Björn Kimminich
@bkimminich
Of course!
Björn Kimminich
@bkimminich
https://youtu.be/9LkWOWiLZoc - 95% Score Board completion in 3min! (at 6x speed)
Björn Kimminich
@bkimminich
https://youtu.be/Msi52Kicb-w - XSS Demo: Juice Shop 9.x dances while leaking credentials
Randy Vroegop
@vroegop
Hey there! I used the juice-shop docker image with some custom CTF setup, but flags are shared among clients! If one of us solves a challenge, all of the clients have it solved in the scoreboard. Is it possible to change this?
V9.0.1
Jannik Hollenbach
@J12934
That is expected. A single JuiceShop instance should not be used for multiple users.
See the CTF Hosting section of pwning juice shop: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part1/ctf.html#ctf-event-infrastructure
Björn Kimminich
@bkimminich
https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part1/running.html
See section "Single user restriction" at the very bottom.
Kevin Winters
@kevinhwinters_gitlab
Hello! I'm getting some issues when trying to run, "npm install" in the juice-shop-master" folder. It's throwing a bunch of different compile errors like: c:\program files\juice-shop-master\node_modules\iltorb\src\dec\stream_decode.cc(14): error C2661: 'v8::Value::ToObject': no overloaded function takes 0 arguments [C:\Program Files\juice-shop-master\node_modules
\iltorb\build\iltorb.vcxproj]
Björn Kimminich
@bkimminich
With Node 12 on Windows that wouldn't surprise me as Travis CI is also choking on that one for a while now. Did you try a pre-packaged ZIP for your Node+OS combo?
staticnotdynamic
@staticnotdynamic
regarding the language file that never made it into production, i've tried all ISO-639 codes, however no new languages are retrieved. is the language file name an abnormal one ?
Björn Kimminich
@bkimminich
Yeah, it's got a three letter country code part... 😁
staticnotdynamic
@staticnotdynamic
dang! willl try that ASAP
happyliubei
@happyliubei
Hello. I'm trying to solve the "Successfully redeem an expired campaign coupon code" challenge. After I have changed date to 8th of March, the coupon with correct value still can't be redeemed. Any idea why?
Björn Kimminich
@bkimminich
Could it be a time zone issue?
happyliubei
@happyliubei
Which time zone is supposed to be used?
Björn Kimminich
@bkimminich
UTC, if I'm not mistaken...
happyliubei
@happyliubei

I did the following test in console in my browser:
a=new Date
Date 2019-03-08T15:00:04.351Z
a.setHours(0,0,0,0)
1551996000000
a=a.getTime()
1551996000000

And I can only get value 1551996000000 but in your source code the value is 15519996e5. They can never be equal. And I don't think it's because of timezone, but really get stuck here