By Niren Shah
Let's continue from the previous post on learning to hack using the Juice Shop application to using a web application security scanner. It'll be fun :)
So what is a web application security scanner? Well, here's the official Wikipedia page. There are plenty of such tools available in all flavors: commercial, free and open source. Here's a quick list for you to peruse. But we'll use one that is very popular and, surprisingly, off that list - OWASP's ZAP.
We're going to set up ZAP and then use it to find more vulnerabilities in the Juice Shop project. We'll also use Firefox as our browser for some technical reasons - mostly that it is easier to set up and use a proxy with Firefox than with other browsers, and that it keeps your penetration testing tools separate from your daily browser.
So, go ahead and install both of the tools:
Both are free and cross-platform, so they work on all platforms and are super easy to install. And we already have the Juice Shop docker image from the previous post. So, first we run the Juice Shop with:
docker run --rm -p 3000:3000 bkimminich/juice-shop
Next, run ZAP and you should see something like this:
By default ZAP already runs a proxy on port 8080 on localhost/127.0.0.1. Next we run Firefox and set it to use ZAP as the proxy so that all requests go through ZAP. We do this by going to Firefox preferences and then either searching for "proxy" in the settings or just scrolling down to the bottom of the preferences page and clicking the "Network Proxy Settings" button. You should see something like this:
Set the manual proxy configuration to point to the ZAP proxy at 127.0.0.1, port 8080, and then remove the default "No Proxy for" entries and leave that field blank. This allows us to run everything on the same host without the proxy being bypassed for localhost/127.0.0.1.
If everything is set up correctly, you should be able to browse to "localhost:3000" and see the Juice Shop application in Firefox. We can unlock the score-board like last time by browsing to the "http://localhost:3000/#/score-board" URL. And you should see:
You can see the "Score Board" challenge already completed, and all the interaction with the application shows up in the ZAP UI under the Sites section, as in the picture above. Now I'm going to show you how to manipulate a request so that you can attack the application you're testing in ways it is not expecting. So, let's do the "Zero Stars" challenge.
If you browse to the "Contact Us", you'll see a feedback form as shown below. Let's give some feedback -- anything is fine. And then if you go to ZAP, you'll see that it intercepted that interaction and you'll be able to see the request and response that were sent.
So, let's manipulate the request to send zero-star feedback. That's not possible using the UI, but if you look at the request in ZAP, you can see that the rating value is right there in the request body. Right-click on the request and you'll see an option to "Open/Resend with Request Editor", as such:
Now you can manipulate the request (change the "rating" value to "0") and resend it, submitting the zero-star feedback that the UI would not allow, as such:
And, if you now go back to the Juice Shop application, you'll see that particular challenge has been completed:
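The reason the Zero Stars challenge works is that the one-to-five star limit lives only in the UI; the server accepts whatever rating the proxied request carries. As an added example (not code from this post or from the Juice Shop project), here is the kind of server-side check that closes that gap, run against constructed bodies shaped like the feedback request you edited above; the field names "comment" and "rating" and the limits are assumptions.

```python
import json

# Constructed sample bodies in the shape of the feedback request that ZAP
# shows; the field names are assumed, not taken from the Juice Shop API.
ORIGINAL_BODY = '{"comment": "Great juice!", "rating": 4}'
TAMPERED_BODY = '{"comment": "Great juice!", "rating": 0}'

MIN_RATING, MAX_RATING = 1, 5
MAX_COMMENT_LEN = 500
ALLOWED_FIELDS = {"comment", "rating"}


def validate_feedback(raw_body: str) -> dict:
    """Parse and validate a feedback body on the server side.

    The UI offers 1-5 stars, but a request edited in a proxy can carry any
    value, so every limit the UI implies is re-checked here.
    """
    try:
        data = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValueError("body must be a JSON object")
    # Unknown keys are rejected rather than passed through to the data layer.
    extra = set(data) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")

    rating = data.get("rating")
    # bool is a subclass of int in Python, so exclude it explicitly; strings
    # such as "3" are rejected rather than coerced.
    if isinstance(rating, bool) or not isinstance(rating, int):
        raise ValueError("rating must be an integer")
    if not MIN_RATING <= rating <= MAX_RATING:
        raise ValueError(f"rating must be between {MIN_RATING} and {MAX_RATING}")

    comment = data.get("comment", "")
    if not isinstance(comment, str) or len(comment) > MAX_COMMENT_LEN:
        raise ValueError("comment must be a string of at most 500 characters")
    return {"comment": comment, "rating": rating}


def is_accepted(raw_body: str) -> bool:
    """True if the body passes validation, False otherwise."""
    try:
        validate_feedback(raw_body)
        return True
    except ValueError:
        return False
```

With this in place the tampered request from the request editor is rejected with a 4xx rather than landing in the database, which is the fix the challenge is hinting at.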
There you go! Now you know how to send requests that are not normally possible using just the UI. Now go have fun and see which other challenges you can complete.
Enjoy!