Solving OWASP Juice Shop challenge with XSS attacks

Welcome back to the third OWASP Juice Shop tutorial. In our previous tutorials, you learned how to solve the Login Admin challenge and how to access the Scoreboard and Admin Section in Juice Shop.

Today, I am planning to solve the XSS Tier 0 challenge by performing a reflected XSS attack and the XSS Tier 1 challenge by performing a DOM XSS attack. Before solving the challenges, let’s understand what an XSS (also known as cross-site scripting) attack is.

What is Cross-site scripting (XSS)?

Cross-site scripting is a common security vulnerability usually found in web applications. This vulnerability allows attackers to manipulate a vulnerable website so that the website returns malicious code to its users. This malicious code is written in client-side languages such as JavaScript, HTML, Flash, etc. When the malicious code gets injected into the website, it becomes part of the website, so the attacker can fully compromise the users' interaction with the application. …

Solving OWASP Juice Shop challenges by inspecting the client resources

Welcome back to the OWASP Juice Shop tutorial. In the previous tutorial, we learned what OWASP Juice Shop is, how to set up OWASP Juice Shop, and how to solve the Login Admin challenge using SQL injection.

In this tutorial, I am going to solve the Scoreboard and Admin Section challenges by inspecting the client resources. The Juice Shop web application has a hidden scoreboard page and a hidden administration section of the store. The challenge is to find these hidden web pages. …

Solving OWASP Juice Shop challenge with SQL injection

What is OWASP Juice Shop?

OWASP Juice Shop is a vulnerable web application for security risk awareness and training. It is an open-source project written in Node.js, Express, and Angular.


OWASP Juice Shop is supposed to be the opposite of a best practice or template application for web developers.

In this tutorial, I am going to demonstrate how to solve challenges in OWASP Juice Shop using basic SQL injections.

Before getting into that, let’s look at what SQL injection is.

SQL injection is a common vulnerability where an attacker injects malicious SQL code into a SQL query running on the server side. …


What is a cron expression?

Cron is a time-based job scheduler in Unix operating systems. It helps to schedule repetitive jobs to run at fixed times, dates, or intervals.

A cron expression consists of six or seven fields, separated by whitespace, each describing one detail of the schedule.

A cron expression takes the following format:

<secs> <mins> <hours> <days of month> <months> <days of week> <years>

Note: <years> is an optional field.

As I mentioned, a cron expression represents time.

As an example,

0 0 2 * * ? * represents every day at 02:00 AM

0 0 12 1L * ? * represents every month on the last Sunday, at…


What is React Native?

Before we start the implementation, let’s find out what React Native is. React Native is a JavaScript framework for building native mobile applications. It uses Native Modules and Native Components, which improve application performance. One of the advantages of using React Native is that you can use the same implementation for deployment on both iOS and Android platforms. React Native also has a ‘Live Reload’ feature, which immediately displays the latest changes you have made to the code.

I assume that you are familiar with ReactJS. So let’s dig into React Native.

Let’s Start

I have Node v8 installed and I assume you have already installed Node.js …


Anusha Ihalapathirana

Software Engineer
