Welcome to the second article of my Juice Shop series, where I am documenting a miniature penetration test against OWASP's deliberately vulnerable web application, Juice Shop.
As a reminder, there are a few stages to the penetration testing process:
- Pre-engagement Interactions
- Reconnaissance / Information Gathering
- Scanning (or Enumeration)
- Vulnerability Assessment
These phases aren't always linear; it is best to think of the process as iterative. Scanning, enumeration and exploitation can all provide additional insights about the system under test, so as testers we are constantly gathering information that guides further exploitation.
From briefly browsing the Juice Shop and its source code, it is apparent that this is an Angular application. Angular is a client-side framework: the browser renders the pages and populates them with data fetched from a REST API, so most of the interesting functionality lives in those API calls rather than in the HTML. Burp Suite is a useful tool for capturing the HTTP requests and seeing what is happening under the hood.
Before starting the information gathering process, I had the Burp Suite proxy running to capture requests and build a site map of the application. I then visited the URLs identified during information gathering (such as the FTP directory linked from the About page) so that those requests were captured as well.
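Because an Angular front end is built from API responses, the compiled JavaScript bundle the browser loads (typically main.js) contains the literal paths the client calls, which makes it a quick source of endpoints to feed into the Burp site map before any brute forcing. The script below is an added example and not part of the original write-up: it scans a constructed bundle excerpt (not Juice Shop's real main.js) for paths under the /api, /rest and /ftp prefixes that Juice Shop uses, pairs each path with the HTTP method of the HttpClient call it appears in, and replaces runtime-concatenated IDs with a {param} marker. The regexes and the {param} convention are my own.

```python
"""Recover REST endpoints from a compiled Angular bundle (main.js)."""
import re

# Constructed excerpt in the shape of compiled Angular service code. It is
# not Juice Shop's real bundle; on a real engagement, fetch main.js from the
# target (Burp's site map shows which script files the page loaded).
SAMPLE_BUNDLE = r'''
this.http.get(this.hostServer+"/api/Products/"+e,{headers:h});
this.http.post(this.hostServer+"/rest/user/login",e);
this.http.get(this.hostServer+"/rest/products/search?q="+e);
this.http.put(`${this.hostServer}/api/Users/${id}`,e);
this.http.get(this.hostServer+"/api/Products/"+e);
window.open("http://localhost:3000/ftp/legal.md");
this.http.get("/rest/admin/application-configuration");
'''

# Juice Shop serves its API under /api and /rest and static files under /ftp;
# add other prefixes here if a different target uses them. The match stops at
# any quote, '+' or '?', so query strings are dropped.
PATH_RE = re.compile(r'(?<![A-Za-z])/(?:api|rest|ftp)/[A-Za-z0-9_./${}-]*')
# Angular HttpClient call with its argument list, up to the end of the statement.
CALL_RE = re.compile(r'http\.(get|post|put|patch|delete)\(([^;]*)')


def normalise(path):
    """Turn a path literal into a template that names where runtime data goes."""
    if path.endswith('/'):          # "/api/Products/"+e : the id is concatenated at runtime
        path += '${id}'
    return re.sub(r'\$\{[^}]*\}', '{param}', path)   # ${id} -> {param}


def extract_endpoints(bundle):
    """Map each endpoint path to the set of HTTP methods the client uses on it."""
    endpoints = {}
    # First pass: paths passed to HttpClient, so the method is known.
    for call in CALL_RE.finditer(bundle):
        method, args = call.group(1).upper(), call.group(2)
        for path in PATH_RE.findall(args):
            endpoints.setdefault(normalise(path), set()).add(method)
    # Second pass: any other path literal (window.open, hrefs, ...), method unknown.
    for path in PATH_RE.findall(bundle):
        endpoints.setdefault(normalise(path), set())
    return endpoints


if __name__ == '__main__':
    for path, methods in sorted(extract_endpoints(SAMPLE_BUNDLE).items()):
        print(f"{','.join(sorted(methods)) or '?':10} {path}")
```

Paths that only appear with no method (here /ftp/legal.md) still go into the map so they can be requested manually; the ones tagged with a method are the ones to replay and tamper with in Burp's Repeater.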
After a while, I have collected a lot of URIs which tell me a lot about the structure of the application. I have highlighted some potentially valuable items below:
Finding additional directories
Tools such as dirb can enumerate directories and files that are not linked from the main page: dirb requests every entry in a wordlist and reports the paths that do not come back as 404.
For the sake of brevity, the automated scan below uses a relatively small wordlist (-i makes the search case-insensitive, -r disables recursion into the directories it finds, and -o writes the results to a file):
$ dirb http://localhost:3000 /usr/share/seclists/Discovery/Web-Content/common.txt -i -r -o juice-shop-dirs.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: juice-shop-dirs.txt
START_TIME: Fri May 20 16:01:20 2022
URL_BASE: http://localhost:3000/
WORDLIST_FILES: /usr/share/seclists/Discovery/Web-Content/common.txt
OPTION: Using Case-Insensitive Searches
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4555

---- Scanning URL: http://localhost:3000/ ----
+ http://localhost:3000/.well-known/security.txt (CODE:200|SIZE:383)
+ http://localhost:3000/Video (CODE:200|SIZE:10075518)
+ http://localhost:3000/assets (CODE:301|SIZE:179)
+ http://localhost:3000/ftp (CODE:200|SIZE:11053)
+ http://localhost:3000/profile (CODE:500|SIZE:1249)
+ http://localhost:3000/promotion (CODE:200|SIZE:6586)
+ http://localhost:3000/redirect (CODE:500|SIZE:3126)
+ http://localhost:3000/robots.txt (CODE:200|SIZE:28)
+ http://localhost:3000/security.txt (CODE:200|SIZE:383)
+ http://localhost:3000/snippets (CODE:200|SIZE:683)
+ http://localhost:3000/metrics (CODE:200|SIZE:22825)

-----------------
END_TIME: Fri May 20 16:02:10 2022
DOWNLOADED: 4555 - FOUND: 10
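The raw list is only useful once it is triaged. A 500 on a bare path such as /profile or /redirect usually means the handler ran but did not get a parameter it expected, so those are worth revisiting by hand with query strings; a 301 such as /assets is a directory to rescan with recursion enabled; robots.txt and security.txt should be read before anything else; and two hits with identical sizes (here /.well-known/security.txt and /security.txt, both 383 bytes) are often the same resource served twice. The script below is an added example, not part of the original write-up, and the classification rules are my own heuristics. It parses the "+" lines of the dirb output above (the same format dirb writes to juice-shop-dirs.txt) and sorts them into those buckets.

```python
"""Triage raw dirb output so the interesting hits stand out."""
import re
from collections import defaultdict

# The result lines from the dirb run above; the parser ignores banner and
# summary lines, so the whole of juice-shop-dirs.txt can be passed in as-is.
DIRB_OUTPUT = """\
---- Scanning URL: http://localhost:3000/ ----
+ http://localhost:3000/.well-known/security.txt (CODE:200|SIZE:383)
+ http://localhost:3000/Video (CODE:200|SIZE:10075518)
+ http://localhost:3000/assets (CODE:301|SIZE:179)
+ http://localhost:3000/ftp (CODE:200|SIZE:11053)
+ http://localhost:3000/profile (CODE:500|SIZE:1249)
+ http://localhost:3000/promotion (CODE:200|SIZE:6586)
+ http://localhost:3000/redirect (CODE:500|SIZE:3126)
+ http://localhost:3000/robots.txt (CODE:200|SIZE:28)
+ http://localhost:3000/security.txt (CODE:200|SIZE:383)
+ http://localhost:3000/snippets (CODE:200|SIZE:683)
+ http://localhost:3000/metrics (CODE:200|SIZE:22825)
-----------------
END_TIME: Fri May 20 16:02:10 2022
DOWNLOADED: 4555 - FOUND: 10
"""

# One dirb hit: "+ <url> (CODE:<status>|SIZE:<bytes>)"
HIT_RE = re.compile(r'^\+ (\S+) \(CODE:(\d{3})\|SIZE:(\d+)\)$', re.M)

# Files that describe the target's own policy or structure: read these first.
DISCLOSURE_FILES = ('robots.txt', 'security.txt')


def parse_dirb(text):
    """Return a list of (url, status, size) tuples, one per '+' line."""
    return [(url, int(code), int(size)) for url, code, size in HIT_RE.findall(text)]


def triage(hits):
    """Bucket hits by what to do with them next (heuristic, my own rules)."""
    buckets = defaultdict(list)
    by_size = defaultdict(list)
    for url, code, size in hits:
        by_size[size].append(url)
        name = url.rstrip('/').rsplit('/', 1)[-1]
        if name in DISCLOSURE_FILES:
            buckets['read-first'].append(url)
        elif code == 500:
            buckets['needs-input'].append(url)   # handler probably wants a parameter
        elif 300 <= code < 400:
            buckets['directory'].append(url)     # rescan this path with recursion on
        else:
            buckets['content'].append(url)       # fetch and inspect manually
    # Identical sizes are often the same resource under two paths; confirm by diffing.
    buckets['same-size'] = [urls for urls in by_size.values() if len(urls) > 1]
    return dict(buckets)


if __name__ == '__main__':
    for bucket, urls in triage(parse_dirb(DIRB_OUTPUT)).items():
        print(f'[{bucket}]')
        for url in urls:
            print(f'  {url}')
```

The same-size check is only a hint; confirm with a diff of the two responses before treating them as one finding.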
Stay tuned for the next article in the series, Juice Shop: Vulnerability Assessment