UKBTutorials/Lab03 - Let's Buy Some Juice
2023-11-10 17:16:21 +01:00

Lab 03 - Let's Buy Some Juice

Booting Up Juice Shop

docker run --pull always -p 127.0.0.1:80:3000 bkimminich/juice-shop

SQL Injection

Login as Admin

  1. Open Account => Login
  2. Type ' OR TRUE; -- into Email and any password in Password

Result: (screenshot: login_admin.png)

Login as Jim

  1. Open Account => Login
  2. Type jim@juice-sh.op'; --

Result: (screenshot: login_jim.png)
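
Why both inputs above log in, as an added example (not Juice Shop's code and not part of the original lab notes). It assumes a login query built by string concatenation, run here against a constructed SQLite `users` table with hypothetical function names and a constructed admin address, and sets the same lookup beside a parameterized version.

```python
import hashlib
import sqlite3

def hash_pw(password):
    # Stand-in password hash for the sample data (assumption, not the shop's scheme).
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    """In-memory user table holding two constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    accounts = [("admin@example.test", "admin-pw"), ("jim@juice-sh.op", "jim-pw")]
    db.executemany("INSERT INTO users (email, password) VALUES (?, ?)",
                   [(email, hash_pw(pw)) for email, pw in accounts])
    return db

def build_vulnerable_sql(email, password):
    # Vulnerable pattern: the Email field is pasted into the SQL text, so a quote
    # in it closes the string literal and "--" comments out the password check.
    return ("SELECT id, email FROM users "
            f"WHERE email = '{email}' AND password = '{hash_pw(password)}'")

def login_vulnerable(db, email, password):
    row = db.execute(build_vulnerable_sql(email, password)).fetchone()
    return row[1] if row else None  # the first matching row becomes the session user

def login_parameterized(db, email, password):
    # Hardened form: values travel as bound parameters and are never parsed as SQL.
    row = db.execute("SELECT id, email FROM users WHERE email = ? AND password = ?",
                     (email, hash_pw(password))).fetchone()
    return row[1] if row else None

if __name__ == "__main__":
    db = make_db()
    for email in ("' OR TRUE; --", "jim@juice-sh.op'; --", "jim@juice-sh.op"):
        print(repr(email))
        print("  sql:          ", build_vulnerable_sql(email, "x"))
        print("  vulnerable:   ", login_vulnerable(db, email, "x"))
        print("  parameterized:", login_parameterized(db, email, "x"))
```

With `' OR TRUE; --` the WHERE clause matches every row and the first row in the table (the admin in this sample) is returned; with `jim@juice-sh.op'; --` only the email comparison survives, so the password is never checked.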

Cross Site Scripting

  1. Open up the Search Box
  2. Type <iframe src="javascript:alert('hello')">

Forged Picture

This challenge is impossible because the /profile page only reads the username from POST variables.

POST variables cannot be set through links, so they can't be set through an img tag's src either.