The OWASP Juice Shop is arguably the most modern and sophisticated "insecure" web application for security training. Recently, I completed the Juice Shop room on TryHackMe, moving through the OWASP Top 10 vulnerabilities.
In this post, I'll break down my methodology, the "Aha!" moments during exploitation, and the technical evidence for each major finding.
1. Reconnaissance: Finding the Score Board
Every engagement begins with reconnaissance. While browsing the application, a common practice is to check the client-side code for hidden routes.
By inspecting the Debugger tab in Firefox and searching through main.js, I identified several hidden paths. The most important was the /score-board route. Navigating here allowed me to track my progress and understand the scope of the vulnerabilities present.
2. Injection: The Classic SQLi
The first major breakthrough was gaining administrative access. The login endpoint built its SQL query by concatenating the submitted e-mail address straight into the query text, which allowed a classic SQL injection.
- Vulnerability: SQL Injection
- Payload: ' OR 1=1 -- -
- The Logic: The leading quote closes the string literal holding the e-mail address, OR 1=1 makes the WHERE clause true for every row, and -- turns the rest of the query, including the password comparison, into a comment. The application then logs in as the first row the query returns, which in Juice Shop is the admin account.
- The Check: Before building the payload, submit a lone ' in the e-mail field. A database error in the response confirms that the input reaches the SQL parser unescaped.
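To show what the payload does at the query level, here is an added example (my own code, not Juice Shop's or the TryHackMe room's) that reproduces the flaw against an in-memory SQLite database, the same engine Juice Shop runs on. The user rows, e-mail addresses, passwords and the hashing scheme are constructed for the demonstration; the only thing taken from the write-up is the payload itself. The vulnerable login sits beside a parameterised version, and a third function performs the lone-quote probe.

```python
import hashlib
import sqlite3

# Constructed sample users, not the shop's real data. The admin row is first so
# that an always-true WHERE clause returns it, as described in the write-up.
SAMPLE_USERS = [
    (1, "admin@example.com", "admin-pass", "admin"),
    (2, "jim@example.com", "jim-pass", "customer"),
    (3, "bender@example.com", "bender-pass", "customer"),
]


def hash_password(password: str) -> str:
    # Illustrative only: an unsalted hash keeps the query shape simple.
    # Real applications should use a password KDF such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(i, e, hash_password(p), r) for i, e, p, r in SAMPLE_USERS],
    )
    return conn


CONN = make_db()


def vulnerable_login(email: str, password: str):
    """Builds the query by string formatting, the same mistake as the login
    endpoint described above. Returns (id, email, role) or None."""
    query = (
        "SELECT id, email, role FROM users "
        f"WHERE email = '{email}' AND password = '{hash_password(password)}'"
    )
    # With email = "' OR 1=1 -- -" the query becomes
    #   ... WHERE email = '' OR 1=1 -- -' AND password = '<hash>'
    # The clause is true for every row and the password check is commented out,
    # so fetchone() hands back the first row: the admin.
    return CONN.execute(query).fetchone()


def safe_login(email: str, password: str):
    """Same query with bound parameters: the e-mail is sent as data and is
    never parsed as SQL, so the payload is simply a non-existent address."""
    return CONN.execute(
        "SELECT id, email, role FROM users WHERE email = ? AND password = ?",
        (email, hash_password(password)),
    ).fetchone()


def probe_for_sqli(email: str) -> bool:
    """The quick reconnaissance check: a lone quote breaks the query syntax.
    Returns True if the unsafe query errors out, which means the input reaches
    the SQL parser unescaped."""
    try:
        vulnerable_login(email, "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    print("lone quote breaks the query:", probe_for_sqli("'"))
    print("vulnerable login:", vulnerable_login("' OR 1=1 -- -", "anything"))
    print("parameterised login:", safe_login("' OR 1=1 -- -", "anything"))
```

The fix is not "sanitising" the input: the parameterised query never lets the e-mail string reach the SQL parser, so no amount of quoting in the payload changes the query's structure.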
3. Broken Authentication: Resetting Jim's Password
One of the trickier tasks involved gaining access to Jim's account. This wasn't an injection at all but a weak Forgot Password mechanism: account recovery hinged on a security question whose answer could be worked out from information about the user.
- The Exploit: I used the security question "What is your eldest sibling's name?"
- The Gap: I had to cross-reference Jim's profile and publicly available information within the shop to find the answer.
- Automation: I used Burp Suite Intruder to automate the password reset request, confirming success when the server returned a 200 OK response.
4. Broken Access Control: IDOR in Baskets
Insecure Direct Object Reference (IDOR) occurs when an application exposes a reference to an internal object, such as a database key, and then serves that object based on user-supplied input without verifying that the requester is authorized to access it.
- The Evidence: While logged in, I noticed the URL for my basket was /rest/basket/1.
- The Attack: By simply changing the integer to /rest/basket/2, I was able to view another user's private shopping cart. This is a serious privacy breach: the server validated that I had a session, but it never checked that the requested basket belonged to the user behind that session.
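An added example, not the shop's own code, of the check that was missing. The session tokens, user ids, basket contents and the tiny routing function are all constructed for the demonstration; only the /rest/basket/<id> path shape comes from the write-up. One handler serves both cases: with the ownership check off it behaves like the vulnerable endpoint, with it on a foreign basket id gets the same answer as a non-existent one.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Basket:
    id: int
    owner_id: int
    items: list = field(default_factory=list)


# Constructed sample data; none of it is the shop's real state.
BASKETS = {
    1: Basket(1, owner_id=100, items=["Apple Juice"]),
    2: Basket(2, owner_id=200, items=["Banana Juice", "Lemon Juice"]),
}

# Session token -> authenticated user id, standing in for the real session store.
SESSIONS = {"tok-alice": 100, "tok-bob": 200}

ROUTE = re.compile(r"^/rest/basket/(\d+)$")


def handle_request(token, path, enforce_ownership):
    """Mini handler for GET /rest/basket/<id>; returns (status, body).

    enforce_ownership=False: the session is validated but the basket id taken
    from the URL is trusted as-is, which is the IDOR described above.
    enforce_ownership=True: the basket must belong to the session's user.
    """
    match = ROUTE.match(path)
    if match is None:
        return 404, None
    user_id = SESSIONS.get(token)
    if user_id is None:
        return 401, None  # no valid session at all
    basket = BASKETS.get(int(match.group(1)))
    if basket is None:
        return 404, None
    if enforce_ownership and basket.owner_id != user_id:
        # Answer exactly as for a missing basket so the caller cannot tell
        # "exists but not yours" from "does not exist" and enumerate ids.
        return 404, None
    return 200, list(basket.items)


if __name__ == "__main__":
    for enforce in (False, True):
        print("ownership check", "on" if enforce else "off",
              handle_request("tok-alice", "/rest/basket/2", enforce))
```

When the data lives in a database, scope the lookup itself (WHERE id = ? AND owner_id = ?) rather than comparing the owner after the fetch; a forgotten comparison in one handler then cannot leak another user's row.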
5. Improper Input Validation: The Poison Null Byte
The most technical challenge was bypassing the file download filter in the /ftp directory. The server only allowed downloads of files ending in .md or .pdf.
- The Goal: Download package.json.bak, a file the allow-list forbids.
- The Payload: /ftp/package.json.bak%2500.md
- The Technical "Why":
1. %2500 is a double URL-encoded null byte: %25 is an encoded percent sign, so the web server's first decoding pass turns %2500 into %00.
2. The allow-list check runs on that once-decoded string, which ends in .md, so the request is accepted.
3. A later decoding pass turns %00 into a real null byte, and C-style path handling treats the null byte as the end of the string, discarding the .md suffix.
4. Result: the server delivers package.json.bak, exposing the application's dependency list and version pins, which is exactly what an attacker needs to look up known-vulnerable packages.
- The Caveat: Which layer performs each decode, and whether the file API tolerates an embedded null byte at all, depends on the target; current Node.js releases reject paths containing a null byte, so a single %00 and a double-encoded %2500 can behave differently on the same server. Try both and watch the response code rather than assuming one form works everywhere.
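To make the decode chain concrete, here is an added example (not Juice Shop code) that reproduces the vulnerable filter in Python and puts a hardened version beside it. The directory layout and file contents are constructed, and the null-byte truncation of step 3 is simulated with a string split because Python's own file API refuses paths containing a null byte, which is worth knowing when testing this technique against different runtimes.

```python
import os
import tempfile
from urllib.parse import unquote

ALLOWED_SUFFIXES = (".md", ".pdf")


def setup_ftp_root() -> str:
    """Creates a throwaway /ftp directory with constructed sample files."""
    root = tempfile.mkdtemp(prefix="ftp-")
    with open(os.path.join(root, "package.json.bak"), "w") as f:
        f.write('{"name": "sample-shop", "dependencies": {"express": "4.x"}}\n')
    with open(os.path.join(root, "legal.md"), "w") as f:
        f.write("# Sample legal notice\n")
    return root


FTP_ROOT = setup_ftp_root()


def vulnerable_serve(root: str, raw_path: str) -> bytes:
    """Reproduces the decode / check / decode chain from the write-up.

    Step 1: the web server decodes the URL once, so %2500 becomes %00.
    Step 2: the allow-list check runs on that string, which still ends in .md.
    Step 3: a lower layer decodes again and a C-style path API stops at the
            first NUL, so the file actually opened is package.json.bak.
    """
    name = unquote(raw_path)                      # step 1: "package.json.bak%00.md"
    if not name.endswith(ALLOWED_SUFFIXES):       # step 2: passes
        raise PermissionError("only .md and .pdf may be downloaded")
    fs_name = unquote(name).split("\x00", 1)[0]   # step 3: "package.json.bak"
    with open(os.path.join(root, fs_name), "rb") as f:
        return f.read()


def safe_serve(root: str, raw_path: str) -> bytes:
    """Decode exactly once, refuse anything that still looks encoded or contains
    control characters, pin the file to the download directory, and check the
    suffix of the path that will actually be opened."""
    name = unquote(raw_path)
    if "%" in name or any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise PermissionError("encoded or control characters in file name")
    if os.path.basename(name) != name:
        raise PermissionError("path separators are not allowed")
    full = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(full) != os.path.realpath(root):
        raise PermissionError("path escapes the download directory")
    if not full.endswith(ALLOWED_SUFFIXES):
        raise PermissionError("only .md and .pdf may be downloaded")
    with open(full, "rb") as f:
        return f.read()


def try_download(serve, root: str, raw_path: str):
    """Returns ("delivered", bytes) or ("rejected", reason) for a request."""
    try:
        return "delivered", serve(root, raw_path)
    except PermissionError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    for path in ("package.json.bak", "package.json.bak%2500.md", "legal.md"):
        print(path, "| vulnerable:", try_download(vulnerable_serve, FTP_ROOT, path)[0],
              "| hardened:", try_download(safe_serve, FTP_ROOT, path)[0])
```

The hardened version checks the suffix of the resolved path, after a single decode, rather than of the string the client sent; that closes both the double-encoding trick and the plain %00 variant, since a decoded null byte is a control character and is rejected before any path handling happens.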