scanners/zap/parser/__testFiles__/juice-shop.xml
<!--
SPDX-FileCopyrightText: the secureCodeBox authors
SPDX-License-Identifier: Apache-2.0
-->
<?xml version="1.0"?><OWASPZAPReport version="D-2020-10-13" generated="Thu, 22 Oct 2020 07:58:22">
<site name="http://juice-shop:3000" host="juice-shop" port="3000" ssl="false"><alerts><alertitem>
<pluginid>10098</pluginid>
<alert>Cross-Domain Misconfiguration</alert>
<name>Cross-Domain Misconfiguration</name>
<riskcode>2</riskcode>
<confidence>2</confidence>
<riskdesc>Medium (Medium)</riskdesc>
<desc><p>Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFK7mu&sid=0b5CIcRfebjeUP6IAAAN</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/polyfills-es5.js</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/quarantine/juicy_malware_windows_64.exe.url</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJzM-</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/rest/admin/application-configuration</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/rest/products/search?q=</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/eastere.gg</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/assets/public/images/carousel/4.jpg</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/suspicious_errors.yml</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/coupons_2013.md.bak</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJzWy&sid=NHcMgUohTH8k9p2zAAAL</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/main-es5.js</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/assets/public/images/products/permafrost.jpg</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/rest/continue-code</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/main-es2018.js</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/quarantine/juicy_malware_linux_amd_64.url</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJwR_</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/sitemap.xml</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJkNZ</uri>
<method>GET</method>
<evidence>Access-Control-Allow-Origin: *</evidence>
</instance>
</instances>
<count>99</count>
<solution><p>Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).</p><p>Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.</p></solution>
<otherinfo><p>The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.</p></otherinfo>
<reference><p>http://www.hpenterprisesecurity.com/vulncat/en/vulncat/vb/html5_overly_permissive_cors_policy.html</p></reference>
<cweid>264</cweid>
<wascid>14</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10029</pluginid>
<alert>Cookie Poisoning</alert>
<name>Cookie Poisoning</name>
<riskcode>0</riskcode>
<confidence>1</confidence>
<riskdesc>Informational (Low)</riskdesc>
<desc><p>This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJiBX&sid=i44E23_d7HysXmYyAAAF</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJZAS&sid=xm0oUZMe5lefHrYkAAAB</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJkP3&sid=L5sTGQm7gTPIvgamAAAG</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJwTQ&sid=m1nJpf-U7x4l9EdgAAAK</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJv2N&sid=PktdCTeisMU99B0XAAAJ</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJec3&sid=N2BAvk-LoI6ydM_fAAAD</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYaS&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>POST</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJc38&sid=RwTg5sM3urRvTowDAAAC</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFKABn&sid=OP1vxyAS7ESoZCFeAAAO</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJzWy&sid=NHcMgUohTH8k9p2zAAAL</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJfF2&sid=QfhYpBR7a8XY6KopAAAE</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJqEu&sid=Qno6lcSl69M4txIfAAAI</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJmDG&sid=5CB4rI51v9EBwoLaAAAH</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYaU&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYh4&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>POST</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYKz&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFK7mu&sid=0b5CIcRfebjeUP6IAAAN</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFK4S_&sid=Snz1P_3VBpE70slrAAAM</uri>
<method>GET</method>
<param>sid</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFKC2m&sid=wTbs-39HN_Hq77_nAAAP</uri>
<method>GET</method>
<param>sid</param>
</instance>
</instances>
<count>19</count>
<solution><p>Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters.</p></solution>
<otherinfo><p>An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name=controlledValue;name=anotherValue;).</p><p></p><p>This was identified at:</p><p></p><p>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJiBX&sid=i44E23_d7HysXmYyAAAF</p><p></p><p>User-input was found in the following cookie:</p><p>io=i44E23_d7HysXmYyAAAF; Path=/; HttpOnly; SameSite=Strict</p><p></p><p>The user input was:</p><p>sid=i44E23_d7HysXmYyAAAF</p></otherinfo>
<reference><p>http://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-cookie</p></reference>
<cweid>20</cweid>
<wascid>20</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10096</pluginid>
<alert>Timestamp Disclosure - Unix</alert>
<name>Timestamp Disclosure - Unix</name>
<riskcode>0</riskcode>
<confidence>1</confidence>
<riskdesc>Informational (Low)</riskdesc>
<desc><p>A timestamp was disclosed by the application/web server - Unix</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000/rest/admin/application-configuration</uri>
<method>GET</method>
<evidence>1970691216</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/rest/products/search?q=</uri>
<method>GET</method>
<evidence>1970691216</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es5.js</uri>
<method>GET</method>
<evidence>179464974</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es5.js</uri>
<method>GET</method>
<evidence>0000039834</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es2018.js</uri>
<method>GET</method>
<evidence>597720130</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es2018.js</uri>
<method>GET</method>
<evidence>1801948466</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es5.js</uri>
<method>GET</method>
<evidence>1803700518</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/styles.css</uri>
<method>GET</method>
<evidence>33335333</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es5.js</uri>
<method>GET</method>
<evidence>0000051215</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/styles.css</uri>
<method>GET</method>
<evidence>33333333</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es2018.js</uri>
<method>GET</method>
<evidence>0000000005</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es5.js</uri>
<method>GET</method>
<evidence>0000000005</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/styles.css</uri>
<method>GET</method>
<evidence>33334333</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/polyfills-es5.js</uri>
<method>GET</method>
<evidence>94906265</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es2018.js</uri>
<method>GET</method>
<evidence>1801949248</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es5.js</uri>
<method>GET</method>
<evidence>1801948466</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es2018.js</uri>
<method>GET</method>
<evidence>1803700518</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/rest/admin/application-configuration</uri>
<method>GET</method>
<evidence>1969196030</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/polyfills-es5.js</uri>
<method>GET</method>
<evidence>62425156</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es5.js</uri>
<method>GET</method>
<evidence>597720130</evidence>
</instance>
</instances>
<count>29</count>
<solution><p>Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.</p></solution>
<otherinfo><p>1970691216, which evaluates to: 2032-06-12 22:13:36</p></otherinfo>
<reference><p>http://projects.webappsec.org/w/page/13246936/Information%20Leakage</p></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>3</pluginid>
<alert>Session ID in URL Rewrite</alert>
<name>Session ID in URL Rewrite</name>
<riskcode>2</riskcode>
<confidence>3</confidence>
<riskdesc>Medium (High)</riskdesc>
<desc><p>URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJwTQ&sid=m1nJpf-U7x4l9EdgAAAK</uri>
<method>GET</method>
<param>sid</param>
<evidence>m1nJpf-U7x4l9EdgAAAK</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=websocket&sid=N2BAvk-LoI6ydM_fAAAD</uri>
<method>GET</method>
<param>sid</param>
<evidence>N2BAvk-LoI6ydM_fAAAD</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFKABn&sid=OP1vxyAS7ESoZCFeAAAO</uri>
<method>GET</method>
<param>sid</param>
<evidence>OP1vxyAS7ESoZCFeAAAO</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJec3&sid=N2BAvk-LoI6ydM_fAAAD</uri>
<method>GET</method>
<param>sid</param>
<evidence>N2BAvk-LoI6ydM_fAAAD</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=websocket&sid=PktdCTeisMU99B0XAAAJ</uri>
<method>GET</method>
<param>sid</param>
<evidence>PktdCTeisMU99B0XAAAJ</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYaU&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>GET</method>
<param>sid</param>
<evidence>r2xfyQoKfs1Qc7gKAAAA</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=websocket&sid=RwTg5sM3urRvTowDAAAC</uri>
<method>GET</method>
<param>sid</param>
<evidence>RwTg5sM3urRvTowDAAAC</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=websocket&sid=NHcMgUohTH8k9p2zAAAL</uri>
<method>GET</method>
<param>sid</param>
<evidence>NHcMgUohTH8k9p2zAAAL</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJv2N&sid=PktdCTeisMU99B0XAAAJ</uri>
<method>GET</method>
<param>sid</param>
<evidence>PktdCTeisMU99B0XAAAJ</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=websocket&sid=m1nJpf-U7x4l9EdgAAAK</uri>
<method>GET</method>
<param>sid</param>
<evidence>m1nJpf-U7x4l9EdgAAAK</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYh4&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>POST</method>
<param>sid</param>
<evidence>r2xfyQoKfs1Qc7gKAAAA</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=websocket&sid=wTbs-39HN_Hq77_nAAAP</uri>
<method>GET</method>
<param>sid</param>
<evidence>wTbs-39HN_Hq77_nAAAP</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=websocket&sid=Snz1P_3VBpE70slrAAAM</uri>
<method>GET</method>
<param>sid</param>
<evidence>Snz1P_3VBpE70slrAAAM</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=websocket&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>GET</method>
<param>sid</param>
<evidence>r2xfyQoKfs1Qc7gKAAAA</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJqEu&sid=Qno6lcSl69M4txIfAAAI</uri>
<method>GET</method>
<param>sid</param>
<evidence>Qno6lcSl69M4txIfAAAI</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJmDG&sid=5CB4rI51v9EBwoLaAAAH</uri>
<method>GET</method>
<param>sid</param>
<evidence>5CB4rI51v9EBwoLaAAAH</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=websocket&sid=0b5CIcRfebjeUP6IAAAN</uri>
<method>GET</method>
<param>sid</param>
<evidence>0b5CIcRfebjeUP6IAAAN</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFKC2m&sid=wTbs-39HN_Hq77_nAAAP</uri>
<method>GET</method>
<param>sid</param>
<evidence>wTbs-39HN_Hq77_nAAAP</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=websocket&sid=QfhYpBR7a8XY6KopAAAE</uri>
<method>GET</method>
<param>sid</param>
<evidence>QfhYpBR7a8XY6KopAAAE</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJkP3&sid=L5sTGQm7gTPIvgamAAAG</uri>
<method>GET</method>
<param>sid</param>
<evidence>L5sTGQm7gTPIvgamAAAG</evidence>
</instance>
</instances>
<count>35</count>
<solution><p>For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.</p></solution>
<reference><p>http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html</p></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10109</pluginid>
<alert>Modern Web Application</alert>
<name>Modern Web Application</name>
<riskcode>0</riskcode>
<confidence>2</confidence>
<riskdesc>Informational (Medium)</riskdesc>
<desc><p>The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000</uri>
<method>GET</method>
<evidence><script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script></evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/polyfills-es2018.js</uri>
<method>GET</method>
<evidence><script></evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/sitemap.xml</uri>
<method>GET</method>
<evidence><script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script></evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/tutorial-es2018.js</uri>
<method>GET</method>
<evidence><a>",'</evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/</uri>
<method>GET</method>
<evidence><script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script></evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/polyfills-es5.js</uri>
<method>GET</method>
<evidence><a></evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/</uri>
<method>GET</method>
<evidence><a href="">ftp</a></evidence>
</instance>
</instances>
<count>7</count>
<solution><p>This is an informational alert and so no changes are required.</p></solution>
<otherinfo><p>No links have been found while there are scripts, which is an indication that this is a modern web application.</p></otherinfo>
<reference><p></p></reference>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>90033</pluginid>
<alert>Loosely Scoped Cookie</alert>
<name>Loosely Scoped Cookie</name>
<riskcode>0</riskcode>
<confidence>1</confidence>
<riskdesc>Informational (Low)</riskdesc>
<desc><p>Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJiBX&sid=i44E23_d7HysXmYyAAAF</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJf4l</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJmAk</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJv2N&sid=PktdCTeisMU99B0XAAAJ</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJkNZ</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFKC1F</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYaS&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>POST</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJq6f</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJc38&sid=RwTg5sM3urRvTowDAAAC</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFKAAX</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJeSU</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJec3&sid=N2BAvk-LoI6ydM_fAAAD</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYh4&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>POST</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFK4Is</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJY_O</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJwTQ&sid=m1nJpf-U7x4l9EdgAAAK</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJfF2&sid=QfhYpBR7a8XY6KopAAAE</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJZAS&sid=xm0oUZMe5lefHrYkAAAB</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFK7mu&sid=0b5CIcRfebjeUP6IAAAN</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJwR_</uri>
<method>GET</method>
</instance>
</instances>
<count>35</count>
<solution><p>Always scope cookies to a FQDN (Fully Qualified Domain Name).</p></solution>
<otherinfo><p>The origin domain used for comparison was: </p><p>juice-shop</p><p>io=i44E23_d7HysXmYyAAAF</p><p></p></otherinfo>
<reference><p>https://tools.ietf.org/html/rfc6265#section-4.1</p><p>https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html</p><p>http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies</p></reference>
<cweid>565</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10021</pluginid>
<alert>X-Content-Type-Options Header Missing</alert>
<name>X-Content-Type-Options Header Missing</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<desc><p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJzM-</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYKz&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJc38&sid=RwTg5sM3urRvTowDAAAC</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFK7mu&sid=0b5CIcRfebjeUP6IAAAN</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJwR_</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJv0-</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFKABn&sid=OP1vxyAS7ESoZCFeAAAO</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJmAk</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJkNZ</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJeSU</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYaU&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJY_O</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYaS&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>POST</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJfF2&sid=QfhYpBR7a8XY6KopAAAE</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJq6f</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJZAS&sid=xm0oUZMe5lefHrYkAAAB</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJh_q</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFK7eA</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFKC1F</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFK4Is</uri>
<method>GET</method>
<param>X-Content-Type-Options</param>
</instance>
</instances>
<count>35</count>
<solution><p>Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.</p><p>If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.</p></solution>
<otherinfo><p>This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.</p><p>At "High" threshold this scan rule will not alert on client or server error responses.</p></otherinfo>
<reference><p>http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx</p><p>https://owasp.org/www-community/Security_Headers</p></reference>
<cweid>16</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10027</pluginid>
<alert>Information Disclosure - Suspicious Comments</alert>
<name>Information Disclosure - Suspicious Comments</name>
<riskcode>0</riskcode>
<confidence>1</confidence>
<riskdesc>Informational (Low)</riskdesc>
<desc><p>The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000/tutorial-es2018.js</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/main-es5.js</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es2018.js</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/main-es2018.js</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/polyfills-es2018.js</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/vendor-es5.js</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/polyfills-es5.js</uri>
<method>GET</method>
</instance>
</instances>
<count>7</count>
<solution><p>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.</p></solution>
<otherinfo><p>The following comment/snippet was identified via the pattern: \bQUERY\b</p><p>(window.webpackJsonp=window.webpackJsonp||[]).push([[5],{s2oO:function(e,t,o){"use strict";o.r(t),o.d(t,"hasInstructions",(function(){return q})),o.d(t,"startHackingInstructorFor",(function(){return M}));var a={"":["<em>","</em>"],_:["<strong>","</strong>"],"\n":["<br />"]," ":["<br />"],"-":["<hr />"]};function r(e){return e.replace(RegExp("^"+(e.match(/^(\t| )+/)||"")[0],"gm"),"")}function n(e){return(e+"").replace(/"/g,"&quot;").replace(/</g,"&lt;").replace(/>/g,"&gt;")}function i(e){return new Promise(t=>{setTimeout(t,e)})}function s(e,t,o={ignoreCase:!0}){return async()=>{const a=document.querySelector(e);for(;a.value!==t&&(!o.ignoreCase||a.value.toLowerCase()!==t.toLowerCase());)await i(100)}}function l(e,t,o={ignoreCase:!0}){return async()=>{const a=document.querySelector(e);for(;a.value===t&&(!o.ignoreCase||a.value.toLowerCase()!==t.toLowerCase());)await i(100)}}function u(e){return async()=>{const t=document.querySelector(e);for(;!t.value||""===t.value;)await i(100)}}function p(e){return async()=>{const t=document.querySelector(e);t||console.warn(`Could not find Element with selector "${e}"`),await new Promise(e=>{t.addEventListener("click",()=>e())})}}function d(e,t){return async()=>{for(;;){const o=document.querySelector(e);if(o&&o.innerHTML===t)break;await i(100)}}}function c(e){return()=>i(e)}function h(e){return async()=>{for(;window.location.hash!=="#/"+e;)await i(100)}}function f(){return async()=>{for(;null===localStorage.getItem("token");)await i(100)}}function m(){return async()=>{for(;null!==localStorage.getItem("token");)await i(100)}}function g(){let e=!1;const t=new Image;return Object.defineProperty(t,"id",{get:function(){e=!0}}),async()=>{for(;console.dir(t),!e;)await i(100)}}const b={name:"Login Admin",hints:[{text:"To start this challenge, you'll have to log out first.",fixture:"#navbarAccount",unskippable:!0,resolved:m()},{text:"Let's try if we find a way to log in with the administrator's user account. To begin, go to the _Login_ page via the _Account_ menu.",fixture:"app-navbar",unskippable:!0,resolved:h("login")},{text:"To find a way around the normal login process we will try to use a **SQL Injection** (SQLi) attack.",fixture:"#email",resolved:c(8e3)},{text:"A good starting point for simple SQL Injections is to insert quotation marks (like `\"` or `'`). These mess with the syntax of an insecurely concatenated query and might give you feedback if an endpoint is vulnerable or not.",fixture:"#email",resolved:c(15e3)},{text:"Start with entering `'` in the **email field**.",fixture:"#email",unskippable:!0,resolved:s("#email","'")},{text:"Now put anything in the **password field**. It doesn't matter what.",fixture:"#password",unskippable:!0,resolved:u("#password")},{text:"Press the _Log in_ button.",fixture:"#rememberMe",unskippable:!0,resolved:p("#loginButton")},{text:"Nice! Do you see the red `[object Object]` error at the top? Unfortunately it isn't really telling us much about what went wrong...",fixture:"#rememberMe",resolved:c(1e4)},{text:"Maybe you will be able to find out more information about the error in the JavaScript console or the network tab of your browser!",fixture:"#rememberMe",resolved:c(1e4)},{text:"Did you spot the error message with the `SQLITE_ERROR` and the entire SQL query in the console output? If not, keep the console open and click _Log in_ again. Then inspect the occuring log message closely.",fixture:"#rememberMe",resolved:c(3e4)},{text:"Let's try to manipulate the query a bit to make it useful. Try out typing `' OR true` into the **email field**.",fixture:"#email",unskippable:!0,resolved:s("#email","' OR true")},{text:"Now click the _Log in_ button again.",fixture:"#rememberMe",unskippable:!0,resolved:p("#loginButton")},{text:"Mhh... The query is still invalid? Can you see why from the new error in the console?",fixture:"#rememberMe",resolved:c(8e3)},{text:"We need to make sure that the rest of the query after our injection doesn't get executed. Any Ideas?",fixture:"#rememberMe",resolved:c(8e3)},{text:"You can comment out anything after your injection payload from query using comments in SQL. In SQLite databases you can use `--` for that.",fixture:"#rememberMe",resolved:c(1e4)},{text:"So, type in `' OR true--` into the email field.",fixture:"#email",unskippable:!0,resolved:s("#email","' OR true--")},{text:"Press the _Log in_ button again and sit back...",fixture:"#rememberMe",unskippable:!0,resolved:p("#loginButton")},{text:"That worked, right?! To see with whose account you just logged in, open the _Account_ menu.",fixture:"#navbarAccount",unskippable:!0,resolved:p("#navbarAccount")},{text:"\u{1f389} Congratulations! You have been logged in as the **administrator** of the shop! (If you want to understand why, try to reproduce what your `' OR true--` did _exactly_ to the query.)",fixture:"app-navbar",resolved:c(2e4)}]},y={name:"DOM XSS",hints:[{text:"For this challenge, we'll take a close look at the _Search_ field at the top of the screen.",fixture:".fill-remaining-space",unskippable:!0,resolved:c(8e3)},{text:"Let's start by searching for all products containing `owasp` in their name or description.",fixture:".fill-remaining-space",unskippable:!0,resolved:s("#searchQuery input","owasp")},{text:"Now hit enter.",fixture:".fill-remaining-space",unskippable:!0,resolved:d("#searchValue","owasp")},{text:"Nice! You should now see many cool OWASP-related products.",fixture:".fill-remaining-space",resolved:c(8e3)},{text:"You might have noticed, that your search term is displayed above the results?",fixture:"app-search-result",resolved:c(8e3)},{text:"What we will try now is a **Cross-Site Scripting (XSS)** attack, where we try to inject HTML or JavaScript code into the application.",fixture:"app-search-result",resolved:c(15e3)},{text:"Change your search value into `<h1>owasp` to see if we can inject HTML.",fixture:".fill-remaining-space",unskippable:!0,resolved:s("#searchQuery input","<h1>owasp")},{text:"Hit enter again.",fixture:".fill-remaining-space",unskippable:!0,resolved:d("#searchValue","<h1>owasp</h1>")},{text:"Hmm, this doesn't look normal, does it?",fixture:".noResult",resolved:c(8e3)},{text:"If you right-click on the search term and inspect that part of the page with your browser, you will see that our `h1`-tag was _actually_ embedded into the page and is not just shown as plain text!",fixture:".noResult",resolved:c(16e3)},{text:"Let's now try to inject JavaScript. Type `<script>alert(xss)<\/script>` into the search box now.",fixture:".fill-remaining-space",unskippable:!0,resolved:s("#searchQuery input","<script>alert(xss)<\/script>")},{text:"Hit enter again.",fixture:".fill-remaining-space",unskippable:!0,resolved:d("#searchValue","<script>alert(xss)<\/script>")},{text:"\u{1f614} This didn't work as we hoped. If you inspect the page, you should see the `script`-tag but it is not executed for some reason.",fixture:".noResult",resolved:c(1e4)},{text:'Luckily there are _many_ different XSS payloads we can try. Let\'s try this one next: <code>&lt;iframe src="javascript:alert(&#96;xss&#96;)"&gt;</code>.',fixture:".fill-remaining-space",unskippable:!0,resolved:s("#searchQuery input",'<iframe src="javascript:alert(`xss`)">')},{text:"Hit enter one more time. If an alert box appears, you must confirm it in order to close it.",fixture:".fill-remaining-space",unskippable:!0,resolved:d("#searchValue",'<iframe src="javascript:alert(`xss`)"></iframe>')},{text:"\u{1f389} Congratulations! You just successfully performed an XSS attack!",fixture:".noResult",resolved:c(8e3)},{text:"More precisely, this was a **DOM XSS** attack, because your payload was handled and improperly embedded into the page by the application frontend code without even sending it to the server.",fixture:".noResult",resolved:c(16e3)}]},x={name:"Score Board",hints:[{text:"This application is riddled with security vulnerabilities. Your progress exploiting these is tracked on a _Score Board_.",fixture:"app-navbar",unskippable:!0,resolved:c(1e4)},{text:"You won't find a link to it in the navigation or side bar, though. Finding the _Score Board_ is in itself actually one of the hacking challenges.",fixture:"app-navbar",resolved:c(12e3)},{text:"You could just start guessing the URL of the _Score Board_ or comb through the client-side JavaScript code for useful information.",fixture:"app-navbar",resolved:c(12e3)},{text:"You find the JavaScript code in the DevTools of your browser that will open with `F12`.",fixture:"app-navbar",resolved:g()},{text:"Look through the client-side JavaScript in the _Sources_ tab for clues. Or just start URL guessing. It's up to you!",fixture:"app-navbar",unskippable:!0,resolved:h("score-board")},{text:"\u{1f389} Congratulations! You found the _Score Board_! Good luck and happy hacking!",fixture:"app-score-board",resolved:c(6e4)}]},v={name:"Privacy Policy",hints:[{text:"Log in with any user to begin this challenge. You can use an existing or freshly registered account.",fixture:"app-navbar",unskippable:!0,resolved:f()},{text:"Great, you are logged in! Now open the _Account_ menu.",fixture:"#navbarAccount",resolved:p("#navbarAccount")},{text:"Open the _Privacy & Security_ sub-menu and click _Privacy Policy_.",fixture:"app-navbar",unskippable:!0,resolved:h("privacy-security/privacy-policy")},{text:"\u{1f389} That was super easy, right? This challenge is a bit of a joke actually, because nobody reads any fine print online... \u{1f648}",fixture:"app-navbar",resolved:c(6e4)}]},w={name:"Login Jim",hints:[{text:"To start this challenge, you'll have to log out first.",fixture:"#navbarAccount",unskippable:!0,resolved:m()},{text:"Let's try if we find a way to log in with Jim's user account. To begin, go to the _Login_ page via the _Account_ menu.",fixture:"app-navbar",unskippable:!0,resolved:h("login")},{text:"As you would expect you need to supply Jim's email address and password to log in regularly. But you might have neither at the moment.",fixture:"app-navbar",resolved:c(15e3)},{text:"If we had at least the email address, we could then try a **SQL Injection** (SQLi) attack to avoid having to supply a password.",fixture:"app-navbar",resolved:c(15e3)},{text:"So, let's go find out Jim's email! Luckily the shop is very bad with privacy and leaks emails in different places, for instance in the product reviews.",fixture:"app-navbar",resolved:c(15e3)},{text:"Go back to the product list and click on some to open their details dialog which also hold the user reviews.",fixture:".fill-remaining-space",resolved:h("search")},{text:"Once you found a user review by Jim and learned his email, go to the _Login_ screen.",fixture:".fill-remaining-space",unskippable:!0,resolved:h("login")},{text:"Supply Jim's email address in the **email field**.",fixture:"#email",unskippable:!0,resolved:s("#email","jim@juice-sh.op")},{text:"Now put anything in the **password field**. Let's assume we don't know it yet, even if you happen to already do.",fixture:"#password",unskippable:!0,resolved:l("#password","ncc-1701")},{text:"Press the _Log in_ button.",fixture:"#rememberMe",unskippable:!0,resolved:p("#loginButton")},{text:"This didn't work, but did you honestly expect it to? We need to craft an SQLi attack first!",fixture:"#rememberMe",resolved:c(1e4)},{text:"You can comment out the entire password check clause of the DB query by adding `'--` to Jim's email address!",fixture:"#email",unskippable:!0,resolved:s("#email","jim@juice-sh.op'--")},{text:"Now click the _Log in_ button again.",fixture:"#rememberMe",unskippable:!0,resolved:p("#loginButton")},{text:"\u{1f389} Congratulations! You have been logged in as Jim!",fixture:"app-navbar",resolved:c(5e3)}]},k={name:"View Basket",hints:[{text:"This challenge is about **Horizontal Privilege Escalation**, meaning you are supposed access data that does not belong to your own account but to another user's.",fixture:"app-navbar",resolved:c(18e3)},{text:"To start this challenge, you'll have to log in first.",fixture:"app-navbar",unskippable:!0,resolved:f()},{text:"First, go to the _Your Basket_ page to view your own shopping basket. It's likely to be empty, if you didn't add anything yet.",fixture:"app-navbar",unskippable:!0,resolved:h("basket")},{text:"To pass this challenge, you will need to peak into another user's basket while remaining logged in with your own account.",fixture:"app-navbar",resolved:c(8e3)},{text:"If the application stores a reference to the basket somewhere in the browser, that might be a possible attack vector.",fixture:"app-navbar",resolved:c(12e3)},{text:"Open the browser's _Development Tools_ and locate the _Session Storage_ tab. Similar to \u{1f36a}s, it can be used to store data in key/value pairs for each website.",fixture:"app-navbar",resolved:g()},{text:"Look over the names of the used session keys. Do you see something that might be related to the shopping basket? Try setting it to a different value! \u270d\ufe0f",fixture:"app-navbar",unskippable:!0,async resolved(){let e=sessionStorage.getItem("bid");for(;sessionStorage.getItem("bid")===e;)await i(100)}},{text:"Great, you have changed the `bid` value which might be some ID for the shopping basket!",fixture:"app-navbar",resolved:c(8e3)},{text:"Now, go to any other screen and then back to _Your Basket_. If nothing happens you might have set an invalid or non-existing `bid`. Try another in that case.",fixture:"app-navbar",unskippable:!0,async resolved(){let e=sessionStorage.getItem("itemTotal");for(;sessionStorage.getItem("itemTotal")===e;)await i(100)}},{text:"\u{1f389} Congratulations! You are now viewing another user's shopping basket!",fixture:"app-navbar",resolved:c(15e3)}]},_={name:"Forged Feedback",hints:[{text:"To start this challenge, first go to the _Customer Feedback_ page.",fixture:"app-navbar",unskippable:!0,resolved:h("contact")},{text:"This challenge is about broken access controls. To pass it, you need to impersonate another user while providing feedback.",fixture:"app-navbar",resolved:c(1e4)},{text:"If you would now submit feedback, it would be posted by yourself while logged in or anonymously while logged out.",fixture:"app-navbar",resolved:c(1e4)},{text:"We will now search for any mistake the application developers might have made in setting the author of any new feedback.",fixture:"app-navbar",resolved:c(1e4)},{text:"Open the browser's _Development Tools_ and try finding anything interesting while inspecting the feedback form.",fixture:"app-navbar",resolved:g()},{text:"There is more than meets the eye among the fields of the form... \u{1f609}",fixture:"app-navbar",resolved:c(8e3)},{text:"Once you found the field that shouldn't even be there, try manipulating its value to one that might represent another user!",fixture:"app-navbar",unskippable:!0,async resolved(){let e=document.getElementById("userId").value;for(;document.getElementById("userId").value===e;)await i(100)}},{text:"You found and changed the invisible `userId`! Now submit the form to complete the challenge.",fixture:"app-navbar",unskippable:!0,resolved:p("#submitButton")},{text:"\u{1f389} Congratulations, you successfully submitted a feedback as another user!",fixture:"app-navbar",resolved:c(15e3)}]},S={name:"Password Strength",hints:[{text:"To start this challenge, you'll have to log out first.",fixture:"#navbarAccount",unskippable:!0,resolved:m()},{text:"In this challenge we'll try to log into the administrator's user account using his original credentials.",fixture:"app-navbar",resolved:c(7e3)},{text:"If you don't know it already, you must first find out the admin's email address. The user feedback and product reviews are good places to look into. When you have it, go to the _Login_ page.",fixture:"app-navbar",unskippable:!0,resolved:h("login")},{text:"Enter the admin's email address into the **email field**.",fixture:"#email",unskippable:!0,resolved:s("#email","admin@juice-sh.op")},{text:"Now for the password. Lucky for us, the admin chose a really, really, **really** stupid one. Just try any that comes to your mind!",fixture:"#password",unskippable:!0,resolved:u("#password")},{text:"\u{1f926}\u200d\u2642\ufe0f Nah, that was wrong! Keep trying! I'll tell you when you're one the right track.",fixture:"#password",unskippable:!0,resolved:s("#password","admin")},{text:"Okay, you are one the right track, but this would have been the worst password in the world for an admin. He spiced it up a little bit with some extra non-letter characters. Keep trying!",fixture:"#password",unskippable:!0,resolved:s("#password","admin1")},{text:"\u{1f525} Yes, it's getting warmer! Try adding some more numbers maybe?",fixture:"#password",unskippable:!0,resolved:s("#password","admin12")},{text:"\u{1f9ef} It's getting hot! Just one more digit...",fixture:"#password",unskippable:!0,resolved:s("#password","admin123")},{text:"Okay, now press the _Log in_ button.",fixture:"#rememberMe",unskippable:!0,resolved:p("#loginButton")},{text:"\u{1f389} Congratulations! You have been logged in as the **administrator** of the shop thanks to his very ill chosen password!",fixture:"app-navbar",resolved:c(2e4)}]},L={name:"Bonus Payload",hints:[{text:"Assuming you did the **DOM XSS** tutorial already, this one just uses a funnier payload on the _Search_ field.",fixture:".fill-remaining-space",unskippable:!0,resolved:c(1e4)},{text:"Enter or paste this payload into the _Search_ field: <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto&lowbar;play=true&amp;hide&lowbar;related=false&amp;show&lowbar;comments=true&amp;show&lowbar;user=true&amp;show&lowbar;reposts=false&amp;show&lowbar;teaser=true&quot;&gt;&lt;/iframe&gt;</code>.",fixture:".fill-remaining-space",unskippable:!0,resolved:s("#searchQuery input",'<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>')},{text:"Make sure your speaker volume is cranked up. Then hit enter.",fixture:".fill-remaining-space",unskippable:!0,resolved:d("#searchValue",'<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>')},{text:"\u{1f389} Congratulations and enjoy the music!",fixture:".noResult",resolved:c(5e3)}]},I={name:"Login Bender",hints:[{text:"To start this challenge, you'll have to log out first.",fixture:"#navbarAccount",unskippable:!0,resolved:m()},{text:"Let's try if we find a way to log in with Bender's user account. To begin, go to the _Login_ page via the _Account_ menu.",fixture:"app-navbar",unskippable:!0,resolved:h("login")},{text:"As you would expect you need to supply Bender's email address and password to log in regularly. But you might have neither at the moment.",fixture:"app-navbar",resolved:c(15e3)},{text:"If we had at least the email address, we could then try a **SQL Injection** (SQLi) attack to avoid having to supply a password.",fixture:"app-navbar",resolved:c(15e3)},{text:"So, let's go find out Bender's email! Luckily the shop is very bad with privacy and leaks emails in different places, for instance in the user feedback.",fixture:"app-navbar",resolved:c(15e3)},{text:"Go to the _About Us_ page where user feedback is displayed among other things.",fixture:"app-navbar",resolved:h("about")},{text:"Once you found an entry by Bender in the feedback carousel leaking enough of his email to deduce the rest, go to the _Login_ screen.",fixture:"app-about",unskippable:!0,resolved:h("login")},{text:"Supply Bender's email address in the **email field**.",fixture:"#email",unskippable:!0,resolved:s("#email","bender@juice-sh.op")},{text:"Now put anything in the **password field**. Let's assume we don't know it yet, even if you happen to already do.",fixture:"#password",unskippable:!0,resolved:l("#password","OhG0dPlease1nsertLiquor!")},{text:"Press the _Log in_ button.",fixture:"#rememberMe",unskippable:!0,resolved:p("#loginButton")},{text:"This didn't work, but did you honestly expect it to? We need to craft an SQLi attack first!",fixture:"#rememberMe",resolved:c(1e4)},{text:"You can comment out the entire password check clause of the DB query by adding `'--` to Bender's email address!",fixture:"#email",unskippable:!0,resolved:s("#email","bender@juice-sh.op'--")},{text:"Now click the _Log in_ button again.",fixture:"#rememberMe",unskippable:!0,resolved:p("#loginButton")},{text:"\u{1f389} Congratulations! You have been logged in as Bender!",fixture:"app-navbar",resolved:c(5e3)}]},T={name:null,hints:[{text:"\u{1f613} Sorry, this hacking challenge does not have a step-by-step tutorial (yet) ... \u{1f9ed} Can you find your own way to solve it?",fixture:"app-navbar",resolved:c(15e3)},{text:"\u270d\ufe0f Do you want to contribute a tutorial for this challenge? [Check out our documentation](https://pwning.owasp-juice.shop/part3/tutorials.html) to learn how! \u{1f3eb}",fixture:"app-navbar",resolved:c(15e3)},{text:"And now: \u{1f47e} **GLHF** with this challenge!",fixture:"app-navbar",resolved:c(1e4)}]},B=[x,b,w,y,v,k,_,S,L,I];function C(e){const t=document.querySelector(e.fixture);if(!t)return null;const o=document.createElement("div");o.id="hacking-instructor",o.style.position="absolute",o.style.zIndex="20000",o.style.backgroundColor="rgba(50, 115, 220, 0.9)",o.style.maxWidth="400px",o.style.minWidth=e.text.length>100?"350px":"250px",o.style.padding="16px",o.style.borderRadius="8px",o.style.whiteSpace="initial",o.style.lineHeight="1.3",o.style.top="24px",!0!==e.unskippable&&(o.style.cursor="pointer"),o.style.fontSize="14px",o.style.display="flex",o.style.alignItems="center";const i=document.createElement("img");i.style.minWidth="64px",i.style.minHeight="64px",i.style.width="64px",i.style.height="64px",i.style.marginRight="8px",i.src="/assets/public/images/hackingInstructor.png";const s=document.createElement("span");s.style.flexGrow="2",s.innerHTML=function e(t){var o,i,s,l,u,p=/((?:^|\n+)(?:\n---+|\* \*(?: \*)+)\n)|(?:^```(\w*)\n([\s\S]*?)\n```$)|((?:(?:^|\n+)(?:\t| {2,}).+)+\n*)|((?:(?:^|\n)([>*+-]|\d+\.)\s+.*)+)|(?:\!\[([^\]]*?)\]\(([^\)]+?)\))|(\[)|(\](?:\(([^\)]+?)\))?)|(?:(?:^|\n+)([^\s].*)\n(\-{3,}|={3,})(?:\n+|$))|(?:(?:^|\n+)(#{1,3})\s*(.+)(?:\n+|$))|(?:`([^`].*?)`)|( \n\n*|\n{2,}|__|\*\*|[_*])/gm,d=[],c="",h=0,f={};function m(e){var t=a[e.replace(/\*/g,"_")[1]||""],o=d[d.length-1]==e;return t?t[1]?(d[o?"pop":"push"](e),t[0|o]):t[0]:e}function g(){for(var e="";d.length;)e+=m(d[d.length-1]);return e}for(t=t.replace(/^\[(.+?)\]:\s*(.+)$/gm,(function(e,t,o){return f[t.toLowerCase()]=o,""})).replace(/^\n+|\n+$/g,"");s=p.exec(t);)i=t.substring(h,s.index),h=p.lastIndex,o=s[0],i.match(/[^\\](\\\\)*\\$/)||(s[3]||s[4]?o='<pre class="code '+(s[4]?"poetry":s[2].toLowerCase())+'">'+r(n(s[3]||s[4]).replace(/^\n+|\n+$/g,""))+"</pre>":s[6]?((u=s[6]).match(/\./)&&(s[5]=s[5].replace(/^\d+/gm,"")),l=e(r(s[5].replace(/^\s*[>*+.-]/gm,""))),">"===u?u="blockquote":(u=u.match(/\./)?"ol":"ul",l=l.replace(/^(.*)(\n|$)/gm,"<li>$1</li>")),o="<"+u+">"+l+"</"+u+">"):s[8]?o='<img src="'+n(s[8])+'" alt="'+n(s[7])+'">':s[10]?(c=c.replace("<a>",'<a href="'+n(s[11]||f[i.toLowerCase()])+'">'),o=g()+"</a>"):s[9]?o="<a>":s[12]||s[14]?o="<"+(u="h"+(s[14]?s[14].length:"="===s[13][0]?1:2))+">"+e(s[12]||s[15])+"</"+u+">":s[16]?o="<code>"+n(s[16])+"</code>":(s[17]||s[1])&&(o=m(s[17]||"--"))),c+=i,c+=o;return(c+t.substring(h)+g()).trim()}(e.text),o.appendChild(i),o.appendChild(s);const l=document.createElement("div");return l.style.position="relative",l.style.display="inline",l.appendChild(o),t.parentElement.insertBefore(l,t),l}function j(e){return new Promise(t=>{e.addEventListener("click",t)})}function q(e){return void 0!==B.find(({name:t})=>t===e)}async function M(e){const t=B.find(({name:t})=>t===e)||T;for(const o of t.hints){const e=C(o);if(!e){console.warn(`Could not find Element with fixture "${o.fixture}"`);continue}e.scrollIntoView();const t=[o.resolved()];!0!==o.unskippable&&t.push(j(e)),await Promise.race(t),e.remove()}}}}]);</p><p></p></otherinfo>
<reference><p></p></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10038</pluginid>
<alert>Content Security Policy (CSP) Header Not Set</alert>
<name>Content Security Policy (CSP) Header Not Set</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<desc><p>Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000/ftp/coupons_2013.md.bak</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYh4&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>POST</method>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/sitemap.xml</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/package.json.bak</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/suspicious_errors.yml</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYaS&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>POST</method>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/eastere.gg</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/quarantine</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp</uri>
<method>GET</method>
</instance>
<instance>
<uri>http://juice-shop:3000/ftp/encrypt.pyc</uri>
<method>GET</method>
</instance>
</instances>
<count>13</count>
<solution><p>Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.</p></solution>
<reference><p>https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy</p><p>https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html</p><p>http://www.w3.org/TR/CSP/</p><p>http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html</p><p>http://www.html5rocks.com/en/tutorials/security/content-security-policy/</p><p>http://caniuse.com/#feat=contentsecuritypolicy</p><p>http://content-security-policy.com/</p></reference>
<cweid>16</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10017</pluginid>
<alert>Cross-Domain JavaScript Source File Inclusion</alert>
<name>Cross-Domain JavaScript Source File Inclusion</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<desc><p>The page includes one or more script files from a third-party domain.</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000</uri>
<method>GET</method>
<param>//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js</param>
<evidence><script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script></evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/sitemap.xml</uri>
<method>GET</method>
<param>//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js</param>
<evidence><script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script></evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/</uri>
<method>GET</method>
<param>//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js</param>
<evidence><script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script></evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/</uri>
<method>GET</method>
<param>//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js</param>
<evidence><script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script></evidence>
</instance>
<instance>
<uri>http://juice-shop:3000/sitemap.xml</uri>
<method>GET</method>
<param>//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js</param>
<evidence><script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script></evidence>
</instance>
<instance>
<uri>http://juice-shop:3000</uri>
<method>GET</method>
<param>//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js</param>
<evidence><script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script></evidence>
</instance>
</instances>
<count>6</count>
<solution><p>Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.</p></solution>
<reference><p></p></reference>
<cweid>829</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10020</pluginid>
<alert>X-Frame-Options Header Not Set</alert>
<name>X-Frame-Options Header Not Set</name>
<riskcode>2</riskcode>
<confidence>2</confidence>
<riskdesc>Medium (Medium)</riskdesc>
<desc><p>X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYh4&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>POST</method>
<param>X-Frame-Options</param>
</instance>
<instance>
<uri>http://juice-shop:3000/socket.io/?EIO=3&transport=polling&t=NLFJYaS&sid=r2xfyQoKfs1Qc7gKAAAA</uri>
<method>POST</method>
<param>X-Frame-Options</param>
</instance>
</instances>
<count>2</count>
<solution><p>Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).</p></solution>
<reference><p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options</p></reference>
<cweid>16</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>2</pluginid>
<alert>Private IP Disclosure</alert>
<name>Private IP Disclosure</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<desc><p>A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.</p></desc>
<instances>
<instance>
<uri>http://juice-shop:3000/rest/admin/application-configuration</uri>
<method>GET</method>
<evidence>192.168.99.100:3000</evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.</p></solution>
<otherinfo><p>192.168.99.100:3000</p><p></p></otherinfo>
<reference><p>https://tools.ietf.org/html/rfc1918</p></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
</alerts></site></OWASPZAPReport>