Burp Suite tool

Students:
Esmaail almawri
Mohammed aljunied
Amr homra
Step 1. Download OWASP Juice Shop

First, we need to download the latest release of OWASP Juice Shop from their official
GitHub page. As of writing this post, the latest release is Version 14.0.1. We will use
the wget command to download the file in our desired location to keep things clean and
simple. Therefore, right-click on the OWASP version you want to download and select the
option "copy link address" or "copy link location."

Launch the Kali Linux Terminal and use the cd command to navigate to the location where
you want to download the OWASP Juice Shop file. Use the syntax below to download the
zip file on your system.

bash

sudo wget [file-link]

e.g

sudo wget https://github.com/juice-shop/juice-shop/releases/download/v14.0.1/juice-shop-14.0.1_node14_linux_x64.tgz

We need to extract the contents of the downloaded archive, which is a compressed tarball
(.tgz). Use the tar command as shown below.

bash

tar zxvf [file-name.tgz]

e.g

tar zxvf juice-shop-14.0.1_node14_linux_x64.tgz


You will see the newly extracted OWASP Juice Shop folder with the version of your web app.


Step 2. Install NodeJS and NPM

Now, we need to install NodeJS and NPM on our system. But there is a catch!

Note: You should only install the NodeJS version similar to the version of the OWASP Juice
Shop setup file you downloaded. For example, in our case, we downloaded OWASP Juice
Shop version 14.0.1. Therefore, we will need to download NodeJS version 14.

Navigate to the official NodeJS releases website and download the NodeJS setup for Linux
systems. We highly recommend using the link provided since that is the only official page
where you can download earlier versions of NodeJS. In our case, we will download the file
using the wget command. We will copy the link address for "NodeJS for x64 Linux systems"
and use the syntax below to download the file on our system.

bash

sudo wget https://nodejs.org/download/release/v14.1.0/node-v14.1.0-linux-x64.tar.xz

Now follow the steps below to install NodeJS and NPM on our system.

Extract the contents of the file we downloaded using the tar command.

bash
sudo tar -xvf file-name

e.g

sudo tar -xvf node-v14.1.0-linux-x64.tar.xz

You will see a new "Node" folder created on your system. There are several files we need to
copy from this newly extracted folder to the /usr directory to install NodeJS and NPM on
our system. Execute the command below to keep things simple.

bash

sudo cp -r [extracted-directory-name]/{bin,include,lib,share} /usr/

e.g

sudo cp -r node-v14.1.0-linux-x64/{bin,include,lib,share} /usr/

That's it! You have successfully installed NodeJS and NPM on your system. You can verify
that by running the --version commands shown below.

bash

node --version

npm --version

Now, we can finish installing and setting up OWASP Juice Shop on our system.

Step 3. Install Node Dependencies

Now, go back to the OWASP Juice Shop you extracted in Step 1. Use the cd command to
change your directory to that folder and execute the command to install the Node packages
required to run OWASP Juice Shop.
bash

npm install

This process might take some time, depending on the speed of your internet. Please be
patient. When done, execute the command below to run OWASP Juice Shop.

bash

npm start

This command will start the web app on port 3000. However, if there is another application
running on that port, you will see an option to use a different port like 3001. Launch your
browser and enter the URL below to access the web application.
bash

http://localhost:[PORT-NUMBER]/

e.g.,

http://localhost:3000/

You should see a web page similar to the image below. It is a simple web page with several
Fruit juices that you can buy (well, not like you would on Amazon).


That's it! We have successfully installed OWASP Juice Shop on our Kali Linux machine. I
recommend you start with the first obvious challenge of finding the "Score Board." If you
have developed a website before, this shouldn't be hard. You can try browsing the source
code, guessing URLs, or checking the JavaScript files.

on Burp Suite.
Burp Suite has multiple key features. I’m going to focus on Proxy, Target, Repeater, and
Intruder for this tutorial.

Proxy: Funnels traffic to Burp Suite

Target: As the name implies - identify the target web app

Repeater: Resend individual requests, optionally modifying requests that were previously sent

Intruder: Mounting attacks on insecure web app authentication fields

OK - let’s get started!

Proxy
In order for Burp Suite to act as a proxy, you need to set up your browser to easily route
traffic to and from it. For this, you can install a Firefox web browser extension - ‘FoxyProxy
Standard.’ Modify FoxyProxy to add the Burp Suite proxy. By default, the location of the
Burp Proxy server is 127.0.0.1. Add this to FoxyProxy, and turn it on as below.
OWASP Juice Shop
OWASP stands for Open Web Application Security Project and they provide a bunch of
open-source software project resources. Burp Suite in combination with OWASP is a great
way to get started in hands-on web application security.

OWASP has a quirky but awesome website called the OWASP Juice Shop (I’m always
craving for a good juice shop - I never found one in the US, and there are tons in India :) ).
On the OWASP website, they say:

“OWASP Juice Shop is probably the most modern and sophisticated insecure
web application!”
There are multiple ways to start the OWASP Juice Shop including local instances on
Docker, or Heroku instances. For convenience, you can visit https://juice-shop.herokuapp.com/.

After visiting this website, the page will appear as if it is loading constantly. Do not fear -
this is because the Burp Suite proxy server is intercepting all traffic.

Target
In the Intercept sub-tab under proxy in Burp Suite, turn off intercept.
Next, in HTTP history, click on the website and ‘add to scope.’

Now explore the website on your browser and go to the target tab. After exploring the web
app, you should see the site map of the website.
On the main webpage, clicking on the 3 dashes on the left should show you the Customer
Feedback option. Click on this.

Next, give some anonymous feedback, as below.


When you visit the Proxy http history on Burp Suite, you should see the post request
corresponding to this.

Repeater
Now, let’s try to modify the customer feedback to give an impossibly low rating of 0 out of
5!
Send this POST request to Repeater and change the rating value to 0. If the response is a
success, then you have successfully submitted an impossibly low rating.

I was looking forward to some good, simple, freshly squeezed juice(s) :( .
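The Repeater step above only works because the server trusts whatever rating the browser sends. As an added example that is not part of the original slides, here is how a server-side handler could validate the feedback body instead of relying on the form; the JSON field names, the 1 to 5 range and the comment limit are assumptions for illustration, not Juice Shop's real code.

```python
import json

RATING_MIN, RATING_MAX = 1, 5      # assumed valid range, matching a 5-star form
MAX_COMMENT_LEN = 160              # assumed limit; illustrative only


def validate_feedback(body: dict) -> tuple[bool, str]:
    """Check an already-parsed feedback object. Returns (ok, reason)."""
    rating = body.get("rating")
    # bool is a subclass of int in Python, so True/False must be rejected
    # explicitly; a string such as "0" is rejected rather than coerced.
    if isinstance(rating, bool) or not isinstance(rating, int):
        return False, "rating must be an integer"
    if not RATING_MIN <= rating <= RATING_MAX:
        return False, f"rating must be between {RATING_MIN} and {RATING_MAX}"
    comment = body.get("comment", "")
    if not isinstance(comment, str) or len(comment) > MAX_COMMENT_LEN:
        return False, f"comment must be a string of at most {MAX_COMMENT_LEN} characters"
    return True, ""


def handle_feedback(raw_body: str) -> tuple[int, dict]:
    """Parse a raw request body and return (HTTP status, JSON response)."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(body, dict):
        return 400, {"error": "body must be a JSON object"}
    ok, reason = validate_feedback(body)
    if not ok:
        return 400, {"error": reason}
    return 201, {"status": "created", "rating": body["rating"]}


# Constructed request bodies: the first is what the feedback form sends, the
# second is the same request after its rating was rewritten to 0 in Repeater.
FORM_BODY = '{"comment": "Fresh juice, friendly staff", "rating": 5}'
TAMPERED_BODY = '{"comment": "Fresh juice, friendly staff", "rating": 0}'

if __name__ == "__main__":
    print(handle_feedback(FORM_BODY))      # (201, {'status': 'created', 'rating': 5})
    print(handle_feedback(TAMPERED_BODY))  # (400, {'error': 'rating must be between 1 and 5'})
```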

Intruder
In this section, we are going to try to log in as admin. You can find the login button in the
top right corner. Choose some random credentials (which will of course not work).
Next, find this POST request in the HTTP history and send it to Intruder. Make sure to clear all
the highlighted fields, then select only the email field and click the Add $ button.

Next, we are going to try SQL injection to force our way into the authentication system.
SQL injection takes advantage of SQL syntax to inject commands. For example, in the
case of authentication, SQL queries check usernames and passwords against the list of
registered users. SQL injection payloads can bypass the password check by altering the
logic of the query. Some standard attack strings for common applications are given in this text
file: https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/sql-injection/detect/xplatform.txt.

In this example, I copy and paste the .txt document into the Intruder Payload sub-tab, and
start the attack.

And success! The attack returns a successful 200 status. The resulting SQL injection code
is a' OR 1=1--.
When I run this, I get the following confirmation!
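Why this payload logs you in, and why a parameterised query stops it, as an added example that is not from the original slides: the table, accounts and passwords below are constructed placeholders, not Juice Shop's real schema or data.

```python
import sqlite3

PAYLOAD = "a' OR 1=1--"   # the injection string found by the Intruder run above


def build_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the application's database.
    Passwords are stored in clear text only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO Users (email, password) VALUES (?, ?)",
        [("admin@example.test", "correct-horse"), ("jim@example.test", "battery-staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """Query built by string concatenation: user input becomes SQL text.
    With PAYLOAD as the email the WHERE clause reads
      email = 'a' OR 1=1--' AND password = '...'
    so everything after -- is a comment and 1=1 matches every row; the first
    row (the admin account) is returned without any password check."""
    sql = (f"SELECT id, email FROM Users WHERE email = '{email}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, email: str, password: str):
    """Parameterised query: values travel separately from the SQL text, so quotes
    and comment markers inside them are compared as data, never parsed as SQL."""
    sql = "SELECT id, email FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, PAYLOAD, "anything"))  # (1, 'admin@example.test')
    print(login_safe(db, PAYLOAD, "anything"))        # None
```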
Thank you
