[go: up one dir, main page]

DEV Community

Cover image for OWASP Juice Shop DOM XSS Walkthrough <OWASP-JS Pt.2>
haXarubiX
haXarubiX

Posted on • Edited on

OWASP Juice Shop DOM XSS Walkthrough <OWASP-JS Pt.2>

Let's dive into setting up and exploring the first two vulnerabilities in OWASP Juice Shop: Scoreboard and DOM XSS. Without accessing

Setting Up Juice Shop with Docker (Quick Recap)

If you haven't already set up Juice Shop using Docker, here's a quick recap:

  1. Pull the Juice Shop image:
   docker pull bkimminich/juice-shop
Enter fullscreen mode Exit fullscreen mode
  1. Run Juice Shop:
   docker run --rm -p 3000:3000 bkimminich/juice-shop
Enter fullscreen mode Exit fullscreen mode
  1. Access Juice Shop in your browser at http://localhost:3000.

1. Scoreboard Challenge

The Scoreboard is where Juice Shop tracks and displays all the challenges you've solved. This challenge involves finding a way to access the Scoreboard without manually solving other challenges.

Steps to Access the Scoreboard:

  1. Open the Developer Tools:

    • Right-click anywhere on the page and select Inspect (this opens Developer Tools).
    • Go to the Console tab.
  2. Search for the Scoreboard:

    • In the Console, Juice Shop gives away some hints if you inspect closely. Type the following to try and locate the scoreboard:
     document.querySelector('iframe')
    
  • This will display the iframe element containing the Scoreboard.
  1. Manipulate the DOM:

    • Once you've identified the iframe, you can try to access its content by playing around with the code in the console.
    • One common method is looking for the URL of the scoreboard in the source code by checking the network requests or hidden elements.
  2. Access the Scoreboard Directly:

    • Juice Shop’s scoreboard is often located at an easily guessable path. Try visiting:

    http://localhost:3000/#/score-board

  • This should take you directly to the scoreboard, showing all challenges.

Exploiting the Scoreboard:

The Scoreboard doesn't require a complex exploit, but accessing it reveals all the challenges, giving you insight into the available challenges and their difficulties.


2. DOM-based XSS (Cross-Site Scripting)

DOM XSS occurs when the malicious script is executed as part of the web page's Document Object Model (DOM) rather than through traditional server-side input.

Steps to Perform DOM XSS in Juice Shop:

  1. Identify the Vulnerable Field:

    • Navigate to the Contact Us page (http://localhost:3000/#/contact).
    • There is a feedback form where users can submit messages.
  2. Inject XSS Payload:

    • In the feedback form, enter the following payload in the "Comment" field:
     <script>alert('XSS')</script>
    
  • Submit the form and observe if the alert box pops up. This is the simplest way to check for basic XSS vulnerability.
  1. Explore the DOM Behavior:

    • DOM-based XSS happens if the website uses the data from the comment field directly into the page’s HTML/JS without proper sanitization.
    • You can inspect the page source and see if any data you input is being reflected directly in the DOM, which leads to execution of your injected script.
  2. Bypassing Basic Filters:

    • Sometimes, Juice Shop may filter out <script> tags. Try other payloads to bypass this:
     <img src=x onerror=alert('XSS')>
    
  • Or use more advanced payloads based on the context in which the input is being reflected.
  1. Validate Your Exploit:
    • If successful, you should see an alert or be able to manipulate the page's DOM via the injected code.
    • Your goal is to make Juice Shop execute your JavaScript code, demonstrating the DOM XSS vulnerability.

Wrapping Up

In this combined Scoreboard and DOM XSS challenge, you've explored:

  • How to access the Scoreboard by inspecting elements and understanding Juice Shop's structure.
  • How to exploit a DOM XSS vulnerability by manipulating input fields and injecting malicious JavaScript into the page.

Next, we can start with more of what some would call the "fun stuff," so stay tuned and welcome to the Rubixverse.

Top comments (0)