Note that the browser of choice here is Google Chrome. Here are my solutions to some of the 1-star challenges in OWASP Juice Box:
Finding the score board
Challenge: Find the carefully hidden 'Score Board' page.
Open up the developer tools in your browser and find the Sources tab. If we look at the file main-es2015.js, we can see that it contains code for the routing paths in the app. Use Ctrl-F to search for keywords, in our case "Score". We can see in the code that there exists a path called "score-board".
Enter "score-board" after the /#/ and you get the scoreboard!
How to leave a zero-star rating
Challenge: Give a devastating zero-star feedback to the store
Open up the developer tools in your browser and find the Network tab (or its equivalent in your browser). Let's first investigate the request that is being made when submitting a review.
Notice how the rating is sent to the app. What this means is that we can send a zero-star rating if we set the value of rating to zero. We will go about this by intercepting the request with Burp Suite and modifying it before it gets sent to the app.
Click "Forward" and the modified request will be sent to the app.
That's not how you register a user
Challenge: Follow the DRY principle while registering a user.
This is very similar to the one above, in which you intercept and modify the request, thus bypassing any validation done on the client side. Again, let's first investigate the request:
We can modify the payload like the following:
Click "Forward" and the modified request will be sent to the app.
Where's the cat photo?
Challenge: Retrieve the photo of Bjoern's cat in "melee combat-mode".
If we go to the "Photo Wall" page, we can see that one of the photos hasn't loaded properly.
Let's find the URL the photo is being pulled from:
If we go to that URL and investigate the request on the Network tab:
We can see that the browser didn't request the full URL. The same thing happens when we try to open the associated Twitter link:
It seems like there's an issue with encoding.
To fix it, first find the encoded characters for the 😼 symbol (%F0%9F%98%BC), then take the rest of the URL and URL-encode it. You can do this by going here. Now put the two parts together and you should have a URL that has been properly encoded, and we should be able to see the cat photo now.
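The encoding step above can also be done in code. This is an added example, not part of the original write-up: it shows how a URL parser cuts off a path at a reserved character and how percent-encoding the file name keeps it whole. The host, path and file name are constructed placeholders, and the presence of `#` in the name is an assumption made for illustration.

```javascript
// Constructed sample values (assumptions): placeholder host and file name,
// not the real asset from the app.
const BASE = 'http://juice-shop.example/uploads/';
const RAW_NAME = '😼-#sample-#tag-0000.jpg';

// Show how the WHATWG URL parser (the one browsers use) splits a URL string.
function parseParts(urlString) {
  const u = new URL(urlString);
  return { pathname: u.pathname, hash: u.hash };
}

// Percent-encode a single path segment: the emoji becomes its UTF-8 bytes
// (%F0%9F%98%BC) and reserved characters such as '#' become %23.
function encodeSegment(name) {
  return encodeURIComponent(name);
}

// Build a URL whose last path segment is safely encoded.
function buildImageUrl(base, name) {
  return base + encodeSegment(name);
}

// Recover the file name the server would actually be asked for.
function requestedFileName(urlString) {
  const path = new URL(urlString).pathname;
  return decodeURIComponent(path.slice(path.lastIndexOf('/') + 1));
}

// Unencoded: everything from the first '#' is treated as a fragment and
// is never sent to the server, so the request is for a truncated name.
const broken = BASE + RAW_NAME;
// Encoded: the whole file name stays inside the path.
const fixed = buildImageUrl(BASE, RAW_NAME);

console.log('unencoded request asks for:', requestedFileName(broken));
console.log('fragment kept client-side :', parseParts(broken).hash);
console.log('encoded URL               :', fixed);
console.log('encoded request asks for  :', requestedFileName(fixed));
```
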
That's it for the 1-star challenges. I hope this has helped you in some way. Thank you for reading. Till next time!