.. | ||
README.md |
Let's Buy Some Juice
Booting Up Juice Shop
docker run --pull always -p 127.0.0.1:80:3000 bkimminich/juice-shop
SQL Injection
Login as Admin
- Open
Account
=>Login
- Type
' OR TRUE; --
intoEmail
and any password inPassword
Result:
Login as Jim
- Open
Account
=>Login
- Type
jim@juice-sh.op'; --
Result:
Cross Site Scripting
- Open up the Search Box
- Type
<iframe src="javascript:alert('hello')">
Forged Picture
This challenge is impossible due to the /profile
page only reading the username from POST variables.
POST variables cannot be set through links and thus can't be set in an img
-tag's src
either.