OWASP Juice Shop THM Write Up

Shady Khourshid
5 min readNov 29, 2020


Owasp Juice Shop is an extremely vulnerable website that allows you to practice your web application penetration testing. The types of attacks you will be using are as follows: Injection type attacks, Broken Authentication, Sensitive Data Exposure, Broken Access Control, and XSS (Cross-Site Scripting).

Task 1 essentially just wants you to deploy the machine and access the webpage so you can complete those tasks and head over to task 2.

Moving on to task 2 Question #1: What’s the administrators email address?

We can find the admins email by searching around the webpage, so after clicking on all the items we eventually find the admins email under the Apple Juice reviews.

admin email

The next question asks what parameter is used for searching? to find this we simply have to make a query and see what letter pops up in the address bar.

After making a query we can see the q=search in the address bar meaning q == query parameter

Question #3: What show does Jim reference in his review

After looking around for Jim’s review we notice the comment about replicators, do a google search and you can find out where it is from.

Task 3 — Inject the Juice

Question #1 Log into the administrator account so for this one you need to capture this packet to see the format of logging in and we try to see if it is susceptible to SQL injection. To capture packet we are going to utilize BurpSuite’s Proxy tab and turn Intercept on. If not already adding the Foxy Proxy web extension for Fire Fox makes it really easy to capture packets with no trouble at all.

the packet containing the login format
After forwarding the packet you should get the flag and move onto the next question
The packet for bender’s login.
Similarly to the admin flag once you forward the package you get the flag for bender.

Task 4 Question 1: Brute force the admin password

So for this one you are going to want to utilize the intruder tab for BurpSuite and switch the attack type to Sniper, what you’ll need to do is the capture the admin login pack then send it to intruder, load your payload from your word lists(They recommend sect-list 1050.txt, and Brute force!

The login packet sent to Intruder tab
Configuring the payload and Brute Forcing the login!
Once you brute force the password just login and you get the flag!

Task 4 Question #2 Reset Jim’s password

Prior we learned the Jim likes star trek so if we do a google search for Jim Star Trek we can find a list of names that may possibly be the siblings middle name, it is given in the task just input Samuel and you reset the password and get the flag!

Task 5 Question #1: Access the confidential document

For task 5 we want to follow the steps on the THM webpage they state if you head over to the about us section you can check out the information. Once we hover over the hyperlink we can see it goes to /ftp so lets check it out!

Bingo! Check out the acquisitions.md file and head back to the home page to get the flag!

Task 5 Question #2: Log into Mc.Safe Search account.

THM provides all the credentials so just go ahead and login and capture that flag!

Task 5 Question #3: Download the backup file

Heading back over to our Machine_IP/ftp we can see a file named package.json.bak but when we click into it we get an error! In order to cap this flag we need to modify the hyperlink with something called the Poison Null Byte (By placing a NULL byte in the string at a certain byte, the string will terminate at that point, nulling the rest of the string, such as a file extension.) So when we input this %2500.md into our hyperlink instead of getting an error message we get the actual file and thus the flag!

Task 6 Question #1 Access the /administration page

For this one I just went right to the administration page and was able to get the flag.

Task 6 Question #2: View another user’s shopping basket: So to see another user’s basket we want to (already logged into admin) change the packet from basket/1 -> basket/2 and you cap that flag!

Task 6 Question #3 Delete the 5-star reviews : For this one head over to the /administration directory and you can see the Customer Feedback just delete the 5 star reviews and head back to the main page and cap that flag!

Task 7 Question 1: Perform DOM XSS:

For XSS we want to see if the search bar sanitizes user data THM provides the script you can try running to see if the site is vulnerable to DOM XSS (<iframe src=”javascript:alert(‘xss’)”> and you should see an alert that says xss head on home and cap that flag!

Task 7 Question 2: Perform persistent XSS:

For this task what you need to do is modify the packet received when you log out of the admin account. Change the bottom values to True-Client-IP and the info to <iframe src=”javascript:alert(‘xss’)”> and you should get the same alert once you forward the packet and that flag!

Task 7 Question #3: Perform a reflected XSS

This one is pretty straight forward, they want you head over to the order & payment tab and click on the truck icon of the product in transit and change the last portion of the link to our xss payload <iframe src=”javascript:alert(‘xss’)”> and cap the flag!

Task 8 Question #1: Score Board

Head over to /#/score-board and cap an easy flag and finish up the room!