An intentionally insecure webapp for security trainings written entirely in Javascript.
@saiyan_cyber_twitter nice, what was the Problem?
Did you set the NODE_ENV like described in: https://pwning.owasp-juice.shop/part1/ctf.html
CTF Flags are not shown unless you have configured JuiceShop to run in CTF mode.
im not sure. I followed the instructions. i do not have a config/ctf.yml, so i made one. could not get that to work. reset the docker and ran docker run -d -e "NODE_ENV=ctf" -p 3000:3000 bkimminich/juice-shop. still no flags. the notifications came up saying i completed the challenge but no flag to input in the ctfd
I updated to nodejs 12.x from 8.x and restarted the computer. When I did that, bash prompted me with an error that I had unexpected EOF in my bashrc file where I created an alias to run both juice-shop-ctf on ctfd and the docker command to run juice shop store in a single command. As soon as I fixed that, I started up docker the flags appeared. This has been quite the learning experience!!
So I looked up the solution for "Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com." and while there are some inconsistencies between the solution instructions and the challenge instructions I tried to implement the PUT and I get a success response, but the actual data does not change. I will share some screenshots.
@bkimminich - Here is a screenshot of Burp showing a request to modify the description. https://imgur.com/BKUmfa9
I understand that this wouldn't solve the challenge, but from the supplied solution it seems that it should still work.
Yes. That worked. I am sorry for the trouble. I should have noticed that.
Thank you. One other thing on my wish list that I am sure you have thought of: I wish the challenges were sequential. Meaning that challenge 10 doesn't suggest using a similar technique as challenge 13 (these are random challenge numbers to illustrate the point). I sometimes got frustrated after trying to solve a challenge and then looked at the solutions and it suggests using information from a challenge that I haven't got to yet. Just a thought. Like I said before I am having fun going through these.
@bkimminich - I am going back through it again, and taking better notes. I started with the one-star and worked my way from top to bottom and then started on the two-star section. I did not realize until just now that the challenges are listed alphabetically and not necessarily in a logical progression. The ordering doesn't cause an issue until the two-star section. The first challenge of the two-star section is access to the Administration Section, the solution points you to the Login Admin challenge (#5 in the two-stars). #4 is Five-star feedback, which again the solution points you to #5. So the logical order to tackle these three would be #5 first, then #1 and #4 in any order. Does that make sense? I will be happy to open a ticket if you think it is a worthwhile change (I found a spelling error that I plan on opening a ticket for also).
Alright, I see your point. Sorting the challenges by dependency won't happen on the Score Board, as that wouldn't be any obvious sorting any more. Giving some kind of hint that it'd be good to solve one challenge before another is usually in the e-book, unless I might have forgotten in some cases. But in general it's not the idea to progress through the Score Board top to bottom but rather by topic of interest and difficulty. And sometimes getting stuck due to an unknown dependency is part of the harder challenges.
For the admin section for example, you could also male yourself an admin user, instead of logging in with the existing. Also, there's more than one existing user with admin role. So, there's different paths and not one sequence only
Juice Shop v9.3.1 is out now! Enjoy higher i18n coverage, campaign coupons for International Women's Day and National Orange Juice Day until 2023 and no more accidental spoilers from the Hacking Instructor due to lazy loading! Happy holidays to all of you! More fancy, crazy and challenging stuff to come in 2020 for Juice Shop!
ℹ️ The
develop branch now hosts the upcoming major release v10.0.0 which will come with at lot of breaking changes, mostly for custom themes right now. Work on that release will continue for a while, because I want to bundle as many incompatible changes, refactorings etc. as possible in this version. If you'd like to prepare for or test the new version, check out the develop branch or use our snapshot Docker image! Feedback and ideas are welcome as always!
Could you help me, please?
I have setup it up as env variable
is there any requirement about the key?
at the cli prompt
thanks for the help!!
Hi @kss682! https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part3/contribution.html should have all the basic information for you. If you have any specific questions, just let us know! 👋