Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
Björn Kimminich
@bkimminich
If you want a working file,take a look at the /test/files folder in the Juice Shop repo. Maybe you can find out the difference to your own file.
keng swee
@yeokengswee_twitter
i see, now it makes sense. thanks!
CyberSaiyan
@saiyan_cyber_twitter
i got my docker issue sorted out. Now, when I complete a challenge I do not get the flag in the notifications.
Jannik Hollenbach
@J12934

@saiyan_cyber_twitter nice, what was the Problem?

Did you set the NODE_ENV like described in: https://pwning.owasp-juice.shop/part1/ctf.html

CTF Flags are not shown unless you have configured JuiceShop to run in CTF mode.

CyberSaiyan
@saiyan_cyber_twitter
im not sure. I followed the instructions. i do not have a config/ctf.yml, so i made one. could not get that to work. reset the docker and ran docker run -d -e "NODE_ENV=ctf" -p 3000:3000 bkimminich/juice-shop. still no flags. the notifications came up saying i completed the challenge but no flag to input in the ctfd
CyberSaiyan
@saiyan_cyber_twitter
also running npm start gives error even though npm update says newest verion already installed
CyberSaiyan
@saiyan_cyber_twitter
I GOT IT TO WORK!!!!!
CyberSaiyan
@saiyan_cyber_twitter
I updated to nodejs 12.x from 8.x and restarted the computer. When I did that, bash prompted me with an error that I had unexpected EOF in my bashrc file where I created an alias to run both juice-shop-ctf on ctfd and the docker command to run juice shop store in a single command. As soon as I fixed that, I started up docker the flags appeared. This has been quite the learning experience!!
Björn Kimminich
@bkimminich
I'm glad it works for you, @saiyan_cyber_twitter, but you lost me at "I don't have a config/ctf.yml" - it's part of the source and also every packaged release and official Docker image...
Trevor Christiansen
@tjcim
I am having trouble with the challenge "Change the href of the link within ..." is this the right place to ask for help?
Björn Kimminich
@bkimminich
Hey @gordonnant_twitter! Sure, shoot! 🧃
Trevor Christiansen
@tjcim
First, thank you for both creating it and sharing it. I am having fun working through the challenges!
So I looked up the solution for "Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com." and while there are some inconsistencies between the solution instructions and the challenge instructions I tried to implement the PUT and I get a success response, but the actual data does not change. I will share some screenshots.
Trevor Christiansen
@tjcim
@bkimminich - Here is a screenshot of Burp showing a request to modify the description. https://imgur.com/BKUmfa9
I understand that this wouldn't solve the challenge, but from the supplied solution it seems that it should still work.
Björn Kimminich
@bkimminich
In both my API and e2e test I've set request header "Content-type","application/json" for this challenge... Can you check if that makes it work?
Trevor Christiansen
@tjcim
Will do.
Yes. That worked. I am sorry for the trouble. I should have noticed that.
Björn Kimminich
@bkimminich
No problem! I'm updating the ebook solution with the changes expected URL that you notices still being my personal www-landing page... :-)
Trevor Christiansen
@tjcim
Thank you. One other thing on my wish list that I am sure you have thought of: I wish the challenges were sequential. Meaning that challenge 10 doesn't suggest using a similar technique as challenge 13 (these are random challenge numbers to illustrate the point). I sometimes got frustrated after trying to solve a challenge and then looked at the solutions and it suggests using information from a challenge that I haven't got to yet. Just a thought. Like I said before I am having fun going through these.
Björn Kimminich
@bkimminich
Making them sequential would be giving too much away... sometimes their intedependencies are wanted... for some we could maybe mention the dependency earlier in the hints and not only in the solutions...
Trevor Christiansen
@tjcim
Makes sense.
Björn Kimminich
@bkimminich
If you have examples where it bugged you, can you open a ticket in the ebook repo?
Trevor Christiansen
@tjcim
Will do.
Björn Kimminich
@bkimminich
Thx!
Trevor Christiansen
@tjcim
@bkimminich - I am going back through it again, and taking better notes. I started with the one-star and worked my way from top to bottom and then started on the two-star section. I did not realize until just now that the challenges are listed alphabetically and not necessarily in a logical progression. The ordering doesn't cause an issue until the two-star section. The first challenge of the two-star section is access to the Administration Section, the solution points you to the Login Admin challenge (#5 in the two-stars). #4 is Five-star feedback, which again the solution points you to #5. So the logical order to tackle these three would be #5 first, then #1 and #4 in any order. Does that make sense? I will be happy to open a ticket if you think it is a worthwhile change (I found a spelling error that I plan on opening a ticket for also).
Björn Kimminich
@bkimminich
Alright, I see your point. Sorting the challenges by dependency won't happen on the Score Board, as that wouldn't be any obvious sorting any more. Giving some kind of hint that it'd be good to solve one challenge before another is usually in the e-book, unless I might have forgotten in some cases. But in general it's not the idea to progress through the Score Board top to bottom but rather by topic of interest and difficulty. And sometimes getting stuck due to an unknown dependency is part of the harder challenges.
For the admin section for example, you could also male yourself an admin user, instead of logging in with the existing. Also, there's more than one existing user with admin role. So, there's different paths and not one sequence only
Trevor Christiansen
@tjcim
Fair enough. You shouldn't cater to the lowest common denominator and in this case, that is probably me.
Björn Kimminich
@bkimminich
Juice Shop v9.3.1 is out now! Enjoy higher i18n coverage, campaign coupons for International Women's Day and National Orange Juice Day until 2023 and no more accidental spoilers from the Hacking Instructor due to lazy loading! Happy holidays to all of you! More fancy, crazy and challenging stuff to come in 2020 for Juice Shop!
Björn Kimminich
@bkimminich
ℹ️ The develop branch now hosts the upcoming major release v10.0.0 which will come with at lot of breaking changes, mostly for custom themes right now. Work on that release will continue for a while, because I want to bundle as many incompatible changes, refactorings etc. as possible in this version. If you'd like to prepare for or test the new version, check out the develop branch or use our snapshot Docker image! Feedback and ideas are welcome as always!
Nicola Palumbo
@palumbonicola_twitter
Hi guys, thank you for your amazing juice-shop....I made it running on Heroku within just a few clicks (thanks for your doc). I have set up also a ctf scoreboard but unfortunately when I submit the flag : "Incorrect Flag".
Could you help me, please?
Jannik Hollenbach
@J12934
What Scoreboard do you use? And how did you import the challenges to the scoreboard?
Nicola Palumbo
@palumbonicola_twitter
I'm using cftd.io and I have just executed the instruction on the official doc to import into cftd. Did I reply to your question?
Jannik Hollenbach
@J12934
Ok sound good. What’s important is that you use the same CTF Key for your JuiceShop as for the challenge export for CTFd. Did you by any chance changed that?
Nicola Palumbo
@palumbonicola_twitter
yes I did
Jannik Hollenbach
@J12934
Okay. Did you use the key also for your Heroku instance?
Nicola Palumbo
@palumbonicola_twitter
but I when the tool juice-shop-ctf asked for the CTF key I have provided it from a file
I have setup it up as env variable
Jannik Hollenbach
@J12934
And you have used the same key for both the export as for the heroku instance?
Nicola Palumbo
@palumbonicola_twitter
yes
is there any requirement about the key?
Jannik Hollenbach
@J12934
No. Can you double check that both were specified correctly? The key is pretty much the only thing which can go wrong to make this not work correctly
Nicola Palumbo
@palumbonicola_twitter
It works! I found the issue I have provided a path to a file instead of the secret key
at the cli prompt
thanks for the help!!
Jannik Hollenbach
@J12934
Nice 👍
Srinidhi Krishna
@kss682
Hi , I am new here and I am interested in contributing to Juice shop . How can I start?
Björn Kimminich
@bkimminich
Hi @kss682! https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part3/contribution.html should have all the basic information for you. If you have any specific questions, just let us know! 👋