
Geo Stalking challenges [⭐] #1347

Closed
bkimminich opened this issue Mar 18, 2020 · 10 comments

Comments

@bkimminich
Member

⭐ Challenge idea

Description


This could actually become two challenges with two different user accounts and individual pictures on the Photo Wall. One with geo tags in the image, one without but enough hints in the photo itself to deduce the location. The secret questions with which these challenges could work are:

  • Your ZIP/postal code when you were a teenager?
    • Photo story: "I'm bringing my parents a nice fresh smoothie from Juice Shop!"
  • Company you first worked for as an adult?
    • Photo story: "I'm bringing my co-workers a nice fresh smoothie from Juice Shop!"
  • Last name of dentist when you were a teenager?
    • Photo story: "I drank too much smoothie from Juice Shop, so now look where I am... 😢"

💡 Should be two out of these three, preferably the dentist story (because there is no challenge with that question yet) plus one of the other two.

Which one is better for the geo-tag and which for the visual hints?

Underlying vulnerability/ies

  1. EXIF data containing geo information in a user's Photo Wall picture (for a relatively easy challenge)
  2. Another picture with no geo data but visual hints about the location of another user (for a harder challenge)

Expected difficulty

✔️ / ❌    Difficulty
✔️         ⭐⭐
✔️         ⭐⭐⭐
(✔️)       ⭐⭐⭐⭐
           ⭐⭐⭐⭐⭐
           ⭐⭐⭐⭐⭐⭐

Possible attack flow
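Added example for the first underlying vulnerability above (EXIF geo data in a Photo Wall picture); this is not part of the issue or of the Juice Shop code base. It shows a defender-side check a Photo Wall upload handler could run: walk the JPEG segments, find the APP1/EXIF payload and look in IFD0 for the GPS sub-IFD pointer tag (0x8825), so geotagged uploads can be rejected or stripped before they are published. The sample JPEG is constructed in the block itself.

```javascript
// Added example (not Juice Shop code): does an uploaded JPEG carry an EXIF GPS sub-IFD?
function hasExifGps(jpeg) {
  if (jpeg.length < 4 || jpeg[0] !== 0xff || jpeg[1] !== 0xd8) return false; // no SOI: not a JPEG
  let pos = 2;
  while (pos + 4 <= jpeg.length && jpeg[pos] === 0xff) {
    const marker = jpeg[pos + 1];
    if (marker === 0xda || marker === 0xd9) break; // SOS/EOI: metadata segments are over
    const len = jpeg.readUInt16BE(pos + 2);       // segment length includes these 2 bytes
    if (marker === 0xe1 && jpeg.toString('latin1', pos + 4, pos + 10) === 'Exif\0\0') {
      return tiffHasTag(jpeg.subarray(pos + 10, pos + 2 + len), 0x8825); // 0x8825 = GPS IFD pointer
    }
    pos += 2 + len;
  }
  return false;
}

// Walks IFD0 of a TIFF-structured EXIF payload looking for one tag id.
function tiffHasTag(tiff, wanted) {
  if (tiff.length < 8) return false;
  const le = tiff.toString('latin1', 0, 2) === 'II';          // byte order: II = little, MM = big
  const u16 = (o) => (le ? tiff.readUInt16LE(o) : tiff.readUInt16BE(o));
  const u32 = (o) => (le ? tiff.readUInt32LE(o) : tiff.readUInt32BE(o));
  if (u16(2) !== 0x2a) return false;                           // TIFF magic number
  const ifd = u32(4);
  if (ifd + 2 > tiff.length) return false;
  const n = u16(ifd);
  for (let i = 0; i < n; i++) {
    const entry = ifd + 2 + i * 12;                            // 12-byte IFD entries
    if (entry + 12 > tiff.length) return false;                // truncated IFD: stop, never read past end
    if (u16(entry) === wanted) return true;
  }
  return false;
}

// Constructed sample (not a real photo): minimal JPEG = SOI, one APP1/EXIF segment whose
// little-endian IFD0 holds `tags` as LONG entries, then EOI.
function buildSampleJpeg(tags) {
  const ifd = Buffer.alloc(2 + tags.length * 12 + 4);
  ifd.writeUInt16LE(tags.length, 0);
  tags.forEach((tag, i) => {
    const o = 2 + i * 12;
    ifd.writeUInt16LE(tag, o); ifd.writeUInt16LE(4, o + 2);   // tag id, type 4 = LONG
    ifd.writeUInt32LE(1, o + 4); ifd.writeUInt32LE(0, o + 8); // count 1, value 0
  });
  const tiff = Buffer.concat([Buffer.from('II\x2a\x00\x08\x00\x00\x00', 'latin1'), ifd]);
  const app1 = Buffer.concat([Buffer.from('Exif\0\0', 'latin1'), tiff]);
  const len = Buffer.alloc(2); len.writeUInt16BE(app1.length + 2, 0);
  return Buffer.concat([Buffer.from([0xff, 0xd8, 0xff, 0xe1]), len, app1, Buffer.from([0xff, 0xd9])]);
}
```

The check only answers whether a GPS IFD is present; actually removing it means rewriting the file without the APP1 segment (or re-encoding the image), which is the usual mitigation for a public photo wall.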

@bkimminich
Member Author

bkimminich commented Mar 18, 2020

⚠️ Before submitting any PR for this idea, please post candidate images here along with suggested caption for the memory wall! Thanks! Only original photos you took yourself, not something you scraped from the Internet!

If there are enough good ones to choose from, the two selected winners will receive a free Juice Shop t-shirt!

https://twitter.com/owasp_juiceshop/status/1240213624704118784

(Disclaimer: While GitHub comment up-/downvotes might be considered, the final decision is made by the Project Core Team.)

@bkimminich bkimminich self-assigned this Mar 18, 2020
@bkimminich bkimminich pinned this issue Mar 18, 2020
@lucky70707
Contributor

Hey, we're a group of 6 IT students who would like to work on implementing this challenge in the Juice Shop for a school project. Would it be an issue to forego the competition you set out and start working on it with our own pictures?

@bkimminich
Member Author

Sure, go ahead! Bonus task: Make both challenges configurable, i.e. so that you can configure the photos and ZIP / Dentist name.

@lucky70707
Contributor

There are some privacy/copyright issues with the dentist option. I don't think we're going to find a real dentist who wants their name to be used for this challenge. A fictional dentist would be hard; the only way to do that is to have the photo be doxxable without geodata, and it's likely to be copyrighted material.
Do you have any suggestions on how to work around this problem? For now our team is going to look at the other recovery questions.

@bkimminich
Member Author

We could change the Dentist bit in the question also to something else if that makes it less problematic from a privacy perspective. Like asking for a school or a store or something less personal. Ideas are welcome!

@Instinctsz

Hey, I'm one of the members of the team that is working on this. We were wondering how you would like to be able to configure the challenge. Currently, the photos on the photo wall can be changed in the default.yml file in the config folder, and the security question/answer can be changed in the users.yml file in data/static. Is this fine as it is?

@bkimminich
Member Author

The security question/answer would have to be in the default.yml for this challenge because users.yml is not part of the customization (on purpose).

@bkimminich
Member Author

bkimminich commented Jun 24, 2020

@justinsmid I've moved the configuration of the geo stalking challenges into memories and also added validation that the config is valid. That should catch

  • Either challenge not being configured
  • One memory having both challenges configured
  • Security answer/question keys of both challenges mixed up
  • Any user other than John/Emma associated with the corresponding memory (no user being specified is fine, then it takes the right one anyway)

Also the users John/Emma now use the configured email domain and not a static one.

See https://github.com/bkimminich/juice-shop/tree/pull/1409 if you're interested in what was changed to get that.
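Added example of the four validation rules listed in the comment above; this is not Juice Shop's own validator and not from the linked branch. The memory key names, the `user` field and the expected owners (john for the EXIF challenge, emma for the visual one) are assumptions for illustration, and "keys mixed up" is read here as the question key of one challenge paired with the answer key of the other. The sample configs are constructed inline.

```javascript
// Added example, not Juice Shop's own validator: key names, the `user` field and the
// expected owners (john/emma) are assumed for illustration.
const META = { q: 'geoStalkingMetaSecurityQuestion', a: 'geoStalkingMetaSecurityAnswer', user: 'john' };
const VISUAL = { q: 'geoStalkingVisualSecurityQuestion', a: 'geoStalkingVisualSecurityAnswer', user: 'emma' };

// Returns a list of config errors; an empty list means the memories config is valid.
function validateGeoStalkingConfig(memories) {
  const errors = [];
  const configured = { meta: 0, visual: 0 };
  memories.forEach((m, i) => {
    const has = (key) => Object.prototype.hasOwnProperty.call(m, key);
    const check = (name, c) => {
      const full = has(c.q) && has(c.a);
      if (full) {
        configured[name] += 1;
        // No user is fine (the right one is picked anyway); any other user is an error.
        if (m.user !== undefined && m.user !== c.user) {
          errors.push(`memory ${i}: ${name} challenge must belong to ${c.user}, not ${m.user}`);
        }
      }
      return { any: has(c.q) || has(c.a), full };
    };
    const meta = check('meta', META);
    const visual = check('visual', VISUAL);
    if (meta.full && visual.full) {
      errors.push(`memory ${i}: both challenges configured on one memory`);
    } else if (meta.any && visual.any) {
      errors.push(`memory ${i}: question/answer keys of the two challenges are mixed up`);
    } else if ((meta.any && !meta.full) || (visual.any && !visual.full)) {
      errors.push(`memory ${i}: a challenge needs both its question and its answer key`);
    }
  });
  if (configured.meta === 0) errors.push('meta (EXIF geo tag) challenge is not configured');
  if (configured.visual === 0) errors.push('visual hint challenge is not configured');
  return errors;
}

// Constructed sample configs (not from default.yml): one valid, one with the keys mixed up
// on the first memory and the wrong user on the second.
const VALID = [
  { image: 'smoothie.jpg', caption: 'constructed', geoStalkingMetaSecurityQuestion: 14, geoStalkingMetaSecurityAnswer: '12345' },
  { image: 'dentist.jpg', caption: 'constructed', user: 'emma', geoStalkingVisualSecurityQuestion: 16, geoStalkingVisualSecurityAnswer: 'Smith' },
];
const BROKEN = [
  { image: 'smoothie.jpg', geoStalkingMetaSecurityQuestion: 14, geoStalkingVisualSecurityAnswer: 'Smith' },
  { image: 'dentist.jpg', user: 'john', geoStalkingVisualSecurityQuestion: 16, geoStalkingVisualSecurityAnswer: 'Smith' },
];
```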

@bkimminich
Member Author

I'm not entirely sure if the Hacking Instructor scripts are a good idea, though. Researching the answers takes a bit of time, and there is not really much help coming from these tutorials other than what the hints on the Score Board already say. Essentially the user must figure it out, and it's not really easy, so it is likely they are just getting stuck and can never solve the tutorial. That'd be bad for the new tutorial mode then, because they'd be blocked from getting the entire Score Board unlocked.

@github-actions

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Aug 11, 2021