Part II - Challenge hunting
This part of the book can be read from end to end as a hacking guide. Used in that way you will be walked through various types of web vulnerabilities and learn how to exploit their occurrences in the Juice Shop application. Alternatively you can start hacking the Juice Shop on your own and use this part simply as a reference and source of hints in case you get stuck at a particular challenge.
In case you want to look up hints for a particular challenge, the following tables list all challenges of the OWASP Juice Shop grouped by their difficulty and in the same order as they appear on the Score Board.
The challenge hints found in this release of the companion guide are compatible with v8.3.0 of OWASP Juice Shop.
Trivial Challenges
Easy Challenges
Medium Challenges
| Name | Description |
|---|---|
| Admin Registration | Get registered as admin user. |
| Basket Access Tier 2 | Put an additional product into another user's shopping basket. |
| CAPTCHA Bypass Tier 1 | Submit 10 or more customer feedbacks within 10 seconds. |
| Forged Feedback | Post some feedback in another user's name. |
| Forged Review | Post a product review as another user or edit any user's existing review. |
| Forgotten Sales Backup | Access a salesman's forgotten backup file. |
| Login Amy | Log in with Amy's original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the "One Important Final Note") |
| Login Bender | Log in with Bender's user account. |
| Login Jim | Log in with Jim's user account. |
| Payback Time | Place an order that makes you rich. |
| Product Tampering | Change the |
| Reset Bjoern's Password Tier 1 | Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the truthful answer to his security question. |
| Reset Jim's Password | Reset Jim's password via the Forgot Password mechanism with the truthful answer to his security question. |
| Upload Size | Upload a file larger than 100 kB. |
| Upload Type | Upload a file that has no .pdf extension. |
| XSS Tier 2 | Perform a persisted XSS attack with |
| XSS Tier 3 | Perform a persisted XSS attack with |
| XXE Tier 1 | Retrieve the content of |
Hard Challenges
Dreadful Challenges
Diabolic Challenges
In case you are getting frustrated with a particular challenge, you can refer to Appendix - Challenge solutions, where you will find explicit instructions on how to successfully exploit each vulnerability. It is highly recommended to use this option only as a last resort. You will learn a lot more from hacking entirely on your own or relying only on the hints in this part of the book.