Hacking the Juice Shop: Enumeration

Welcome to the second article of my Juice Shop series, where I will be documenting a miniature penetration test against OWASP's deliberately vulnerable web application, Juice Shop.

As a reminder, there are a few stages to the penetration testing process:

  1. Pre-engagement Interactions
  2. Reconnaissance / Information Gathering
  3. Scanning (or Enumeration)
  4. Vulnerability Assessment
  5. Exploitation
  6. Reporting

These phases aren't always linear; it's best to think of the process as iterative. For example, scanning, enumeration and exploitation all provide additional insight into the system under test, so as hackers we are constantly gathering information that feeds further exploitation.

ENUMERATION

Burp Suite

From briefly browsing around the Juice Shop and viewing the page source, it's apparent that this is an Angular application. Angular renders on the client side and typically populates the page by calling REST APIs, so most of the interesting behaviour lives in the HTTP requests the browser makes rather than in the HTML itself. Burp Suite is a useful tool for capturing those requests to see what's happening under the hood.

Before I started the information gathering process, I had the Burp Suite proxy running to capture requests and help me build a map of the application. I then visited some of the URLs identified in the gathering phase (such as the FTP directory linked from the About page).

After a while, I had collected a large number of URIs that reveal a lot about the structure of the application. Of the items below, the ones most worth a closer look are the API documentation (/api-docs/), the FTP directory (/ftp/), the /metrics and /encryptionkeys endpoints, /.well-known/security.txt, and the /api and /rest resources that take an object ID in the path:

http://localhost:3000/
http://localhost:3000/.well-known/security.txt
http://localhost:3000/api
http://localhost:3000/api/Addresss
http://localhost:3000/api/Addresss/7
http://localhost:3000/api/BasketItems
http://localhost:3000/api/Cards
http://localhost:3000/api/Challenges
http://localhost:3000/api/Deliverys
http://localhost:3000/api/Deliverys/2
http://localhost:3000/api/Feedbacks
http://localhost:3000/api/Products
http://localhost:3000/api/Products/1
http://localhost:3000/api/Products/1?d=Thu%20May%2019%202022
http://localhost:3000/api/Quantitys/
http://localhost:3000/api-docs/
http://localhost:3000/assets
http://localhost:3000/assets/i18n/en.json
http://localhost:3000/assets/public
http://localhost:3000/assets/public/css
http://localhost:3000/assets/public/css/userProfile.css
http://localhost:3000/assets/public/favicon_js.ico
http://localhost:3000/assets/public/images
http://localhost:3000/assets/public/images/carousel
http://localhost:3000/assets/public/images/products
http://localhost:3000/assets/public/images/uploads
http://localhost:3000/assets/public/images/uploads/assets
http://localhost:3000/assets/public/images/uploads/assets/public
http://localhost:3000/encryptionkeys
http://localhost:3000/ftp/
http://localhost:3000/main.js
http://localhost:3000/MaterialIcons-Regular.woff2
http://localhost:3000/metrics
http://localhost:3000/polyfills.js
http://localhost:3000/profile
http://localhost:3000/rest
http://localhost:3000/rest/basket
http://localhost:3000/rest/basket/1
http://localhost:3000/rest/captcha
http://localhost:3000/rest/continue-code
http://localhost:3000/rest/products
http://localhost:3000/rest/products/24
http://localhost:3000/rest/products/24/reviews
http://localhost:3000/rest/products/search?q=
http://localhost:3000/rest/saveLoginIp
http://localhost:3000/rest/user
http://localhost:3000/rest/user/login
http://localhost:3000/rest/user/whoami
http://localhost:3000/rest/wallet
http://localhost:3000/rest/wallet/balance
http://localhost:3000/runtime.js
http://localhost:3000/security.txt
http://localhost:3000/snippets
http://localhost:3000/socket.io
http://localhost:3000/styles.css
http://localhost:3000/tutorial.js
http://localhost:3000/vendor.js
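
A proxy site map like the one above is more useful once it is collapsed into route templates, so that /api/Products/1 and /api/Products/24 read as one endpoint and the resources that take an object identifier are easy to spot. The script below is an added example for this article, not Burp Suite's or Juice Shop's own code; its input is a constructed subset of the URIs listed above, and the template names ({id}) are my own convention.

```python
"""Collapse proxy-captured URIs into route templates.

Added example for this article, not Burp Suite's or Juice Shop's own code: it
takes the raw URIs a proxy site map produces, replaces numeric path segments
with {id}, and groups the result by endpoint family so that the REST resource
names and the routes that take an object identifier stand out.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: a subset of the URIs from the site map above.
CAPTURED = """
http://localhost:3000/api/Addresss
http://localhost:3000/api/Addresss/7
http://localhost:3000/api/Products
http://localhost:3000/api/Products/1
http://localhost:3000/api/Products/1?d=Thu%20May%2019%202022
http://localhost:3000/rest/basket/1
http://localhost:3000/rest/products/24/reviews
http://localhost:3000/rest/products/search?q=
http://localhost:3000/rest/user/whoami
http://localhost:3000/assets/public/images/products
http://localhost:3000/main.js
""".split()

NUMERIC = re.compile(r"^\d+$")


def to_template(url):
    """Map one URL to (path template, query parameter names).

    Purely numeric path segments become "{id}", so /api/Products/1 and
    /api/Products/42 fold into the same template.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    template = "/" + "/".join("{id}" if NUMERIC.match(s) else s for s in segments)
    params = tuple(sorted(parse_qs(parts.query, keep_blank_values=True)))
    return template, params


def build_route_map(urls):
    """Group URLs by template, recording hit count, query keys and examples."""
    routes = defaultdict(lambda: {"count": 0, "params": set(), "examples": []})
    for url in urls:
        template, params = to_template(url)
        entry = routes[template]
        entry["count"] += 1
        entry["params"].update(params)
        if len(entry["examples"]) < 3:
            entry["examples"].append(url)
    return dict(routes)


def id_bearing_routes(routes):
    """Templates that take an object identifier: the first places to check
    whether one user's ID can simply be swapped for another's."""
    return sorted(t for t in routes if "{id}" in t)


def by_prefix(routes):
    """Group templates by their first path segment (api, rest, assets, ...)."""
    families = defaultdict(list)
    for template in sorted(routes):
        families[template.split("/")[1]].append(template)
    return dict(families)


if __name__ == "__main__":
    routes = build_route_map(CAPTURED)
    for prefix, templates in by_prefix(routes).items():
        print(f"[{prefix}]")
        for t in templates:
            entry = routes[t]
            params = ",".join(sorted(entry["params"])) or "-"
            print(f"  {t:40} hits={entry['count']} params={params}")
    print("ID-bearing routes:", id_bearing_routes(routes))
```

Feed it the full site map export instead of the constructed subset and the /api and /rest families fall out immediately; the ID-bearing list is the set of endpoints to carry into the vulnerability assessment phase.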

Finding additional directories

Burp only sees what the browser actually requests, so a proxy site map will only ever contain linked content. Tools such as dirb instead request every path in a wordlist and report whatever does not come back as a 404, which can turn up directories that nothing on the main page links to.

For the sake of brevity, the scan below uses a relatively small wordlist (SecLists' common.txt), matches case-insensitively (-i) and does not recurse into the directories it finds (-r):

$ dirb http://localhost:3000 /usr/share/seclists/Discovery/Web-Content/common.txt -i -r -o juice-shop-dirs.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: juice-shop-dirs.txt
START_TIME: Fri May 20 16:01:20 2022
URL_BASE: http://localhost:3000/
WORDLIST_FILES: /usr/share/seclists/Discovery/Web-Content/common.txt
OPTION: Using Case-Insensitive Searches
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4555

---- Scanning URL: http://localhost:3000/ ----
+ http://localhost:3000/.well-known/security.txt (CODE:200|SIZE:383)
+ http://localhost:3000/Video (CODE:200|SIZE:10075518)
+ http://localhost:3000/assets (CODE:301|SIZE:179)
+ http://localhost:3000/ftp (CODE:200|SIZE:11053)
+ http://localhost:3000/profile (CODE:500|SIZE:1249)
+ http://localhost:3000/promotion (CODE:200|SIZE:6586)
+ http://localhost:3000/redirect (CODE:500|SIZE:3126)
+ http://localhost:3000/robots.txt (CODE:200|SIZE:28)
+ http://localhost:3000/security.txt (CODE:200|SIZE:383)
+ http://localhost:3000/snippets (CODE:200|SIZE:683)
+ http://localhost:3000/metrics (CODE:200|SIZE:22825)

-----------------
END_TIME: Fri May 20 16:02:10 2022
DOWNLOADED: 4555 - FOUND: 10
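
To show what a scan like the one above is actually doing, here is a minimal brute-forcer in the same style, added for this article and not dirb's own code. It runs against a local stand-in server so it works offline: the server, its path table and the wordlist are all constructed for the example and are not Juice Shop's real content. Two details matter in practice and both are handled: redirects are not followed, so a 301 on a directory is reported as a 301 (as dirb does for /assets above), and non-200 codes such as 403 and 500 are kept, because a 500 on a guessed path is often more interesting than a 200.

```python
"""Minimal dirb-style directory brute-forcer with an offline stand-in target.

Added example for this article, not dirb's own code and not Juice Shop's: the
server, its path table and the wordlist below are constructed. The scanner
requests each candidate path, records every response that is not a 404, and
refuses to follow redirects so that 3xx codes are reported rather than hidden.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed stand-in target: path -> (status, body). Anything else is a 404.
FAKE_SITE = {
    "/robots.txt": (200, b"User-agent: *\nDisallow: /ftp\n"),
    "/ftp": (200, b"<html>ftp listing</html>"),
    "/assets": (301, b""),
    "/profile": (500, b"Internal Server Error"),
    "/admin": (403, b"Forbidden"),
}

# Constructed wordlist; a real run would use something like SecLists' common.txt.
WORDLIST = ["admin", "assets", "backup", "ftp", "profile", "robots.txt", "uploads"]


class StandIn(BaseHTTPRequestHandler):
    """Serves FAKE_SITE; directories answer with a 301 to the trailing-slash form."""

    def do_GET(self):
        status, body = FAKE_SITE.get(self.path, (404, b"Not Found"))
        self.send_response(status)
        if status == 301:
            self.send_header("Location", self.path + "/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the scanner's output clean
        pass


class NoRedirect(HTTPRedirectHandler):
    """Returning None here makes urllib raise HTTPError for 3xx instead of following."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def start_server():
    """Bind the stand-in to an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe(opener, url):
    """Return (status, body size) for one URL; 404 is the 'nothing here' signal."""
    try:
        with opener.open(Request(url), timeout=5) as resp:
            return resp.status, len(resp.read())
    except HTTPError as err:  # 3xx/4xx/5xx all arrive here with NoRedirect in place
        return err.code, len(err.read())


def brute_force(base_url, words):
    """dirb-style scan: request each word as a path, keep everything but 404s."""
    opener = build_opener(NoRedirect())
    hits = {}
    for word in words:
        status, size = probe(opener, f"{base_url}/{word}")
        if status != 404:
            hits[f"/{word}"] = (status, size)
    return hits


if __name__ == "__main__":
    server, base = start_server()
    try:
        for path, (status, size) in brute_force(base, WORDLIST).items():
            print(f"+ {base}{path} (CODE:{status}|SIZE:{size})")
    finally:
        server.shutdown()
        server.server_close()
```

The output format mirrors dirb's "+ url (CODE:n|SIZE:n)" lines so the two are easy to compare. Against a real target the same loop is what dirb runs four and a half thousand times for common.txt, which is why the size column matters: a "soft 404" page that returns 200 for every path shows up as a wall of identical sizes.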

Stay tuned for the next article in the series, Juice Shop: Vulnerability Assessment.