Skip main navigation

New offer! Get 30% off your first 2 months of Unlimited Monthly. Start your subscription for just £29.99 £19.99. New subscribers only. T&Cs apply

Find out more


In this video, you will learn how to exploit authentication-only login using the OWASP Juice Shop.
Welcome back to Broken Authentication session. In this second part, we will exploit several authentication flaws in our intentionally vulnerable application to get access as admin. We will jump straight to the hands-on exploitation. At the end, we will wrap up exploited issues, which we will discuss in more detail in the third and last part of this session. Let’s hack. Let’s start creating a regular user account.
Before submitting the request, let’s pop up Developer Tool so that we can monitor the network traffic.
This would be the sign-up requests, let’s have a look into the request details.
The request body includes our account details where we can see our weak passwords.
We can now log in.
Next, we will try to recover our one password.
Again, let’s first pop up Developer Tools.
While we were typing, several requests were made to the security security-question endpoint. Let’s inspect the last one, which has our complete email address.
Our email address was sent in the requests, and the server returned our security question.
How does the server response look for an email address which does not belong to a Juice Shop account?
This time, the response is empty. Based on these binary responses, we can check whether there’s an admin account.
Comparing this response with the one we’ve got with our own email address, we know that such account exists and we can try to log in.
We don’t know the password. But at least we can try to guess it.
Of course, it’s wrong, but we can do better. Let’s search for common web admin passwords.
Let’s try the first ones with at least five characters since we saw that this is the minimum required in the sign-up.
Doing this one-by one will take long, but this is exactly the type of task computers are great at doing.
The simple bash script does concurrent requests to the login endpoint based on a given email address and the list of passwords. It will stop on a successful log in attempt or at the end of the passwords list.
Let’s move the passwords list into a text file and do some cleanup.
It’s time to run our script with Juice Shop admin’s email address and our password list file.
Two seconds was the time needed to find a password on a simple workstation. Let’s now see whether it really works.
In fact, it does, and we are now logged in as admin.
We said it before, and now you have seen it in practice. Although there’s a password strength calculator in the sign-up form, strong password policies are not enforced, allowing five single-class-characters-long passwords. The recover password mechanism can be used as in Oracle to enumerate valid user accounts based on its response. And finally, the login does not implement a lockout feature based on failed login attempts, meaning that we can test as many passwords as we want for a single email address until we get the right one. In our next video, we will discuss what makes the application vulnerable and how to prevent it.

In this video, you will learn how to exploit authentication-only login using the OWASP Juice Shop.

Now that you understand the difference between authorization and authentication, you are ready to follow the demonstration in this video. You will act as the hacker and will exploit the OWASP Juice Shop. What you learn here can be generalized to some other systems and will help you understand how a hacker may test your system.

Reflect and share: Go to OWASP Broken Authentication to see the OWASP table referred to in the video. Read through the additional information provided, and share your findings here.

This article is from the free online

Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now