Skip to content

Lab 06 Injection

Jump to bottom
Tomas Rosenqvist edited this page Aug 30, 2018 · 17 revisions

Injection

Challenge "Login Admin"

In a previous lab, we noticed that the username/password verification subsystem appears to be vulnerable to SQL injection. Now, we're going to try using some basic SQL injection to see if we can exploit the vulnerability.

  1. Go to the login form.
  2. Enter ' or 1=1;-- as the email and any password.
  3. Login.
  4. Check if the system treats you as a logged in user, e.g. by going to the administration view.

Questions

  • What happened on the back-end during this scenario?
    • What do you think the SQL code looked like that got executed?

Challenge "Login Jim"

In this lab, we're going to try logging in as a specific user (Jim). First, you need to get Jims user name. Fortunately, the Juice Shop lists all registered users in the administration view. For a different application, you could try finding Jim on LinkedIn and then guessing Jims email address based on his current employer. You could also use some sort of social engineering to get hold of his user name.

For this lab, we're going to use the administration view though.

  1. Login as any user. Create a new user if you need to.
  2. Go to the administration view. Note Jims email address there.
  3. Log out.
  4. Go to the login form.
  5. Enter Jims email address followed by ';-- as the email and any password.
  6. Check if the system treats you as a logged in user, e.g. by going to the administration view.

Questions

  • What do you think the SQL code looked like that got executed?

Challenge "Order the Christmas special offer of 2014"

  1. Login as any user. Create a new user if you need to.
  2. Open the network tab of your developer tools in your browser.
  3. Search for ';-- in the Juice Shop.
  4. Notice that the developer tools shows a failed request.
  5. Click the request in the developer tools to inspect it.

Depending on which browser/version you're using, you might need to expand the response to view all of it.

  1. Notice how the response contains the SQL statement being used (and where your search input was inserted).
  2. Use this information to craft a new search string that short-circuits the "DeletedAt" filter in the SQL.

Hint

  1. Add the "Christmas Super-Surprise-Box (2014 Edition)" to your basket.
  2. Checkout.

Questions

  • What is the risk to the Juice Shop during this scenario?
  • What is the risk to a general Web app for this type of scenario?

Recommended reading

Clone this wiki locally