OWASP Juice Shop — Access ‘Scoreboard’ and ‘Admin section’

Solving OWASP Juice Shop challenges by inspecting the client resources

Anusha Ihalapathirana
The Startup


Welcome back to the OWASP Juice Shop tutorial. In the previous tutorial, we learned what OWASP Juice Shop is, how to set it up, and how to solve the Login Admin challenge using SQL injection.

In this tutorial, I am going to solve the Scoreboard and Admin Section challenges by inspecting the client resources. The Juice Shop web application has a hidden scoreboard page and a hidden administration section of the store, and the challenge is to find both. To do that, we are going to use the browser developer tools to find the route paths to the scoreboard and the admin section.

Every browser's developer tools include a debugger that shows the client-side source code the page has loaded. We will search that source for a few guessed keywords to find the paths.

Open the Debugger tab in the Firefox developer tools (the Sources tab if you are using Chrome).

Developer tool

We can see the source files on the left side and the source code related to the selected file in the middle.

Find the Scoreboard

To find the scoreboard, we are going to search through every file in the source tree using the guessed keyword "score".

Occurrences of the "score" keyword turn up in the main.js file.

Next, we look through those occurrences for one that is a meaningful route path to the scoreboard page. The path is declared in the route table inside main.js:

{path: "score-board", component: Wt}

Now we know the route path of the scoreboard. Appending it to the URL fragment takes us to the hidden scoreboard in OWASP Juice Shop.

http://localhost:3000/#/score-board
Scoreboard

Find the Admin section

We can use the same method to find the admin section of the Juice Shop application. In this challenge, we are going to use "admin" as the guessed keyword.

When we search through the files, we can see "admin" keyword occurrences in the main.js file, including the route path:

{path: "administration", component: U,canActivate:[Hi]}

Now you can access the administration panel using the URL below.

Remember to log in to the Juice Shop before accessing the admin panel. If you don't know how to log in, please follow the steps in my previous tutorial.

http://localhost:3000/#/administration
Admin Section
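The route table we read out of main.js is an inventory of every client-side path a visitor can learn the same way, and the `canActivate:[Hi]` guard on "administration" only controls what the Angular front end renders; the server still has to authorize each request. The script below, an added example that is not part of the original post or of Juice Shop's own code, automates the keyword search from this tutorial over a constructed bundle fragment (the route names and component identifiers mirror the ones above but the bundle text itself is made up) and lists which routes carry a client-side guard at all.

```python
import re

# Constructed sample modelled on the minified Angular route table the
# tutorial finds in Juice Shop's main.js; this is not the real bundle.
SAMPLE_BUNDLE = (
    'var routes=[{path:"",component:Xt},{path:"login",component:Lt},'
    '{path: "score-board", component: Wt},'
    '{path:"administration",component:U,canActivate:[Hi]},'
    '{path:"basket",component:Bt,canActivate:[Hi]},'
    '{path:"**",redirectTo:""}];'
)

# Matches the start of one route declaration and captures its path string.
ROUTE_RE = re.compile(r'\{\s*path:\s*"([^"]*)"')


def extract_routes(bundle):
    """Return [(path, guarded)] for every route declared in the bundle.

    'guarded' is True when the declaration carries a canActivate guard.
    A declaration's body runs to its closing brace or to the next route
    declaration, whichever comes first, so nested child routes do not
    inherit their parent's guard by accident.
    """
    matches = list(ROUTE_RE.finditer(bundle))
    routes = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(bundle)
        body = bundle[m.end():end].split("}", 1)[0]
        routes.append((m.group(1), "canActivate" in body))
    return routes


def routes_matching(bundle, keyword):
    """The tutorial's keyword search: route paths containing the guess."""
    return [p for p, _ in extract_routes(bundle) if keyword in p]


def unguarded_routes(bundle):
    """Routes the client renders for anyone who types the URL fragment."""
    return [p for p, guarded in extract_routes(bundle) if not guarded]


if __name__ == "__main__":
    print("score ->", routes_matching(SAMPLE_BUNDLE, "score"))
    print("admin ->", routes_matching(SAMPLE_BUNDLE, "admin"))
    for path, guarded in extract_routes(SAMPLE_BUNDLE):
        status = "canActivate guard" if guarded else "no client guard"
        print(f'  /#/{path or "<root>":<16} {status}')
```

Run against a real bundle, the "no client guard" rows are the routes to check first on the server side, and the guarded rows still need a server-side authorization check because the guard is bypassable by anyone who edits the client.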

Congratulations!!! Today we solved two challenges in Juice Shop.
