How to break into web applications using Burp Suite? Real web hacking in practice as a Penetration Tester!

The OWASP Top 10 is a standard awareness document that lists the most common weaknesses of modern web applications. Burp Suite, together with the browser's developer tools, will support our application security testing. We will break into the OWASP Juice Shop, the most modern and sophisticated deliberately insecure web shop.

Important note: hacking in the wild is illegal! Do NOT do it out of the lab, unless you are a penetration tester with a signed contract!

In this article we will use SQL Injection to bypass the authentication of the OWASP Juice Shop.

SQL Injection (or SQLi) is a web security vulnerability that allows a malicious actor to bypass authentication or to access restricted areas of a web application.

As ethical hackers we have to think like a malicious actor, so our first goal is to collect information. That generally means user emails, passwords and other personal data such as bank account details.

How to break into web applications using Burp Suite?

Let’s look around the application and investigate its functions. This is part of our enumeration process.

Step 1: reconnaissance and scanning

Let’s navigate through the links of the web site, look for forms and free-text areas, and collect as much information as we can. After opening the Juice Shop, the main page welcomes us.

We can see that products are listed, and clicking on an individual product shows its details and customer reviews.

Opening the Apple Juice product, we find that the first review is written by the admin user, so we now know the admin's email address:

admin@juice-sh.op

Scrolling through the reviews will reveal more Juice Shop customer email addresses.

  • bender@juice-sh.op
  • stan@juice-sh.op
  • uvogin@juice-sh.op
  • jim@juice-sh.op
  • mc.safesearch@juice-sh.op

Even the first page revealed a lot of information!

Step 2: investigate a login attempt

Let’s check the login form by opening it in the browser.

Now let’s fire up Burp Suite and go to the Proxy tab. Turn on Intercept mode to proxy the web traffic through Burp.

We have to configure our browser to use this proxy. The FoxyProxy browser extension is a convenient way to do this.

Let’s try to log in with some random data. We know that there is an admin user with the admin@juice-sh.op email address. Put it in the email field and type something random in the password field.

When we forward the request in Burp, we see that the following data travels through our proxy:

{"email":"admin@juice-sh.op","password":"something"}

Let’s try to inject some SQL to bypass this authentication form!

Step 3: SQL Injection in practice and gaining access

We know a real user’s email address for the site: we will use the admin user’s.

Let’s try a basic SQL Injection that terminates the query right after the email check, so that we are let in without the password ever being evaluated.

We modify the payload in Burp as follows:

{"email":"admin@juice-sh.op';--","password":"something"}

After the admin email address we add a single quote, which closes the string literal in the SQL query right after the email.

The semicolon ends the whole SQL statement.

The double dash (--) turns everything after it into a comment, so the remainder of the original query (including the password check) is not processed.

Let’s forward this request to the server!

This is a very basic SQL injection. Because the email condition evaluates to true and we forced the statement to end right after it, we could log in to the web application as the admin user without providing the password.

The form was vulnerable to this type of injection, so we are now logged in as admin!
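To see why the payload works, and what the fix looks like from the developer's side, here is an added example (not code from the article or from Juice Shop) that reproduces the injection against a constructed in-memory SQLite table. The query shape, the `users` table and the SHA-256 stand-in for a password hash are assumptions; the page does not show the real schema.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed sample database standing in for the shop's user store (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        ("admin@juice-sh.op", _digest("correct-horse")),
    )
    conn.commit()
    return conn


def _digest(password):
    # Stand-in for a real password hash; unsalted SHA-256 only keeps the example short.
    return hashlib.sha256(password.encode()).hexdigest()


def build_concat_sql(email, password):
    """The vulnerable pattern: user input is spliced into the SQL text.
    With email = "admin@juice-sh.op';--" the password clause becomes a comment."""
    return (
        f"SELECT email FROM users WHERE email = '{email}' "
        f"AND password = '{_digest(password)}'"
    )


def login_concat(conn, email, password):
    """Vulnerable login: returns the matched email, or None."""
    row = conn.execute(build_concat_sql(email, password)).fetchone()
    return row[0] if row else None


def login_param(conn, email, password):
    """Hardened login: bound parameters keep the payload as literal data,
    so the quote, semicolon and comment marker are never parsed as SQL."""
    row = conn.execute(
        "SELECT email FROM users WHERE email = ? AND password = ?",
        (email, _digest(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_concat_sql("admin@juice-sh.op';--", "something"))
    print("concatenated:", login_concat(db, "admin@juice-sh.op';--", "something"))
    print("parameterized:", login_param(db, "admin@juice-sh.op';--", "something"))
```

The first login call succeeds with a wrong password because the string the server actually executes ends at the semicolon; the parameterized variant returns no row for the same input.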

Final thoughts

If we want to test web application security, the most fundamental knowledge is the HTML markup language.

Most websites use SQL as a database backend. SQL is a broad topic and it is also important to learn. We can study the basics in W3Schools’ SQL tutorial.

For web security we have to know some JavaScript as well.

If we learn web development, some PHP knowledge and CSS experience won’t hurt either!

If you have anything to share, please visit my Tom’s IT Cafe Discord server.
