Introduction

OWASP Juice Shop is an intentionally vulnerable web application project that can be used by beginners or cybersecurity aspirants to improve their skills in web application penetration testing. It is a great platform to practice on before stepping into the world of bug hunting, as it gives you an upper hand by providing prior knowledge and hands-on experience.

I aim to explain in depth each topic we learn through each challenge, covering the hacking concept behind it and giving more detail through the OWASP challenge. So, this is not just a normal solution to the OWASP room. If that’s what you want, then go ahead and search Google; there are plenty of solutions to the challenge. But here, we learn hacking concepts too.

Concepts and skills you must understand while solving this lab:

Source Code Exploration and Analysis, Endpoint Discovery, and Use of Browser Developer Tools.

Source Code Exploration and Analysis

It is a way of understanding how a piece of a system works by analyzing the underlying code that is available to us. It comes in handy for finding many bugs in a web app, as some beginner developers may forget to remove comments from the source code, which can benefit us greatly by providing crucial information in some cases.

How to do it? What are the prerequisites?

To do source code exploration and analysis, you should be proficient in at least one programming language. If you are into web app pentesting, then JavaScript will be helpful. It is not a requirement that you must master the language, but if you can effectively use AI chatbots like GPT, Gemini, etc., it will help you perform the task flawlessly. However, the main thing is that you must understand what’s happening. If you want to do it properly, then learn a language by understanding its core concepts.

Other skills like using browser developer tools and endpoint discovery are also useful, and they are so simple and essential that it’s not even necessary for me to explain their importance. I specifically highlighted the importance of source code analysis because many beginners mistakenly believe that they don’t need to learn any programming language to become a good hacker.

At first, you need to be curious and ready to understand the working of your target platform. A hacker is not one who just always types code on the computer; he’s the one who knows how a thing works. If you know the working, then it is easy to break it, right?

When you analyze the code, you may come across important information that normal people can’t see, and you can use it to conduct your hack. In this challenge, there is something that normal people can’t see, and when we find it, we solve the lab.

Endpoint Discovery

Endpoint discovery is another crucial aspect of web app penetration testing. We normally use automated tools to do it, and if any endpoints have commonly used names, the tool will find them. If the application uses unique names, we can guess them or analyze the code to find them.

It gives us a larger attack surface. The more endpoints we have, the greater the chance that one of them is poorly maintained, has bugs, or simply leads to our next attack move.

There are a lot of tools in the industry to perform this process. Some of them are: Gobuster, Dirbuster, Nikto, etc.

You can find the syntax to perform the attack by simply searching for it on Google. In my previous article, we already mentioned Gobuster and demonstrated its working.

Setup:

Link: github

Step 1: Install node.js

Step 2: Run git clone https://github.com/juice-shop/juice-shop.git --depth 1 (or clone your own fork of the repository).

Step 3: Change directory to the cloned folder.

cd juice-shop

Step 4: Run npm install (only has to be done before first start or when you change the source code)

Step 5: Run npm start

Step 6: Browse to http://localhost:3000

Task

The task is to locate the hidden scoreboard page. The objective of this task is code analysis or code reading: we have to find the hint given in the source code that will help us solve the task. This is a 1-star category task, which is very easy and can be solved in less than 3 minutes.

Solution

Step 1: Right-click on the page and select Inspect to enter Inspect Mode (Developer Tools).

Step 2: Navigate to the Sources tab, then go to the Pages subsection. Here, you’ll find a list of source files, including one named main.js.

Step 3: Open main.js and press Ctrl+F, then search for the word “score” in the search box. It will return a lot of results; go through them, and within a few tries you will find an endpoint.

The hidden endpoint you’ll discover is /score-board, which can be accessed directly via http://localhost:3000/#/score-board
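
A route that is left out of the menu still ships to every visitor inside the bundle, so hiding it is not access control. The check below is an added example, not code from the original post or from Juice Shop: it lists the routes declared in a bundle that the navigation never links to, so a developer can decide whether each one needs server-side authorization. The bundle and navigation strings are constructed samples, and the function names and every route other than score-board are assumptions.

```javascript
// Constructed sample: a fragment of a minified single-page-app bundle.
// It is NOT Juice Shop's real main.js; only "score-board" comes from the article.
const sampleBundle =
  'const routes=[{path:"search",component:a},{path:"login",component:b},' +
  '{path:"score-board",component:c},{path:"**",component:a}];';

// Constructed sample: the navigation markup the app actually renders.
const sampleNavHtml =
  '<a href="#/search">Search</a><a routerLink="/login">Login</a>';

// Collect every route declared in the bundle as path:"..." or path:'...'.
// The empty path and the "**" wildcard are skipped because they are not pages.
function extractRoutes(bundleText) {
  const routes = new Set();
  const re = /\bpath\s*:\s*(["'])([^"']*)\1/g;
  for (const m of bundleText.matchAll(re)) {
    if (m[2] && m[2] !== '**') routes.add('/' + m[2].replace(/^\/+/, ''));
  }
  return [...routes].sort();
}

// Collect the routes the UI links to, via href="#/x" or routerLink="/x".
function extractLinkedRoutes(html) {
  const linked = new Set();
  const re = /(?:href|routerLink)\s*=\s*(["'])#?(\/[^"'?#]*)\1/g;
  for (const m of html.matchAll(re)) linked.add(m[2]);
  return linked;
}

// Routes present in the shipped code but absent from the navigation.
// Each one is reachable by anyone who reads the bundle, so it must be
// protected on the server if it exposes anything sensitive.
function unlinkedRoutes(bundleText, html) {
  const linked = extractLinkedRoutes(html);
  return extractRoutes(bundleText).filter((route) => !linked.has(route));
}

console.log(unlinkedRoutes(sampleBundle, sampleNavHtml));
```
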

Conclusion

We just completed the OWASP Juice Shop’s first simple task through a few steps, but don’t underestimate the rest of the challenges. You’ve just experienced the tip of the iceberg, and this is just the beginning. We will soon be sharing more solutions to the challenges in my own way of explaining.
