Attacking Juice Shop with Burp Suite

11/22/2020

Juice Shop Logo OWASP Juice Shop

Juice Shop

https://owasp.org/www-project-juice-shop/

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

burp

Burp Suite

https://portswigger.net/burp/communitydownload

Burp Suite is a set of tools used for penetration testing of web applications developed by Portswigger. Burp Suite allows for extensions or plugins called BApps and is one of the most popular tool among professional web app security professionals. Burp Suite has a freee community edition which provides a great way to get started with this toolset.

Some of the common use tools in Burp Suite:

1. Spider:

Spider is used to map the target web application. The objective of the mapping is to get a list of endpoints so that their functionality can be observed and potential vulnerabilities can be found. Spidering is done for a simple reason that the more endpoints you gather during your recon process, the more attack surfaces you possess during your actual testing.

2. Proxy:

An intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. Similar to Fiddler and Zap

3. Intruder:

Brute Force and dictionary attacks made easy. Intruder allows for several payloads such as XSS or SQL Injection attacks to be thrown against endpoints and builds a result of potential vulnerabilities. Intruder also tests the attack rate limiting of the web application.

4. Repeater:

Repeater lets a user send requests repeatedly with manual modifications. It is used for:

Verifying whether the user-supplied values are being verified.
If user-supplied values are being verified, how well is it being done?
What values is the server expecting in an input parameter/request header?
How does the server handle unexpected values?
Is input sanitation being applied by the server?
How well the server sanitizes the user-supplied inputs?
What is the sanitation style being used by the server?
Among all the cookies present, which one is the actual session cookie.
How is CSRF protection being implemented and if there is a way to bypass it?

5. Sequencer:

Sequencer is designed to identify predictable patterns being used for token generation and identify the underlying method for the generation. If tokens are predicable then they can be faked or absued.

6. Decoder:

Decoder lists the common encoding methods like URL, HTML, Base64, Hex, etc. This tool comes handy when looking for chunks of data in values of parameters or headers. It is also used for payload construction for various vulnerability classes. It is used to uncover primary cases of IDOR and session hijacking.

7. Extender:

BApps can be loaded through extender to greatly increase the abilities of this framework. Many paid and free open source BApps exist with various levels of effectivness and difficulty.