Broken Access Control

Challenge "Access the administration section of the store"

Search through the page source code for any interesting links

1. With the Juice Shop open, go to the Sources tab of the Developer tools in your browser.
2. Go to the dist/juice-shop.min.js resource in the source tree.
3. Notice how the file has been minified and is hard to read.
4. Use the "Pretty print"/code formatting feature to make it more readable.
5. Scroll down a bit to find the route configuration (try searching within the file view for routeprovider if you can't find it).
6. This section shows some of the logical contents of the site, not all of which are accessible via the navigation.
7. Notice how there's a route that looks particularly interesting called /administration.

Attempt to open the URL you just discovered

8. Try appending /administration after the hash sign (#) in the address bar of your browser.

Questions

• What security measures seems to have been used to protect the Administration section from unintended use?

Challenge "Access someone else's basket"

Create a basket for the victim

1. Login as any user.
2. Add some Strawberry juice to the basket.
3. Logout.

Attempt to access the victim's basket as a different user

4. Login as any other user (create a new if necessary).
5. Go to the "Application"(Chrome) or "Debug"(Edge) tab of the developer tools and check under "Session storage".
6. Notice there's a bid key there. Maybe "bid" is short for "basket id"?
7. Decrease the value of bid by 1.
8. Refresh the page.
9. Go to the basket/checkout page.

Questions

• What risk does this present to
  • the Juice Shop?
  • the customers of the Juice Shop?
• How could this vulnerability be negated?

Recommended reading

• OWASP Top 10-2017:A5 Broken Access Control