Exploitation: Set Up Your Store

In this video, you will see a demonstration showing you how to set up the OWASP Juice Shop user database to include credit card details.
6.3
Welcome back to the Sensitive Data Exposure session. In this second part, we will exploit our intentionally vulnerable application to get access to some sensitive data. We will jump straight to the hands-on exploitation. Before closing, we will review what’s wrong with our target application. Let’s hack. Before some shopping, let’s configure our default address and payment methods.
109
All right, we are now ready to buy some juice.
126.8
Let’s review our order and proceed to checkout. In the next step, we should be asked to select a payment method. Let’s pop up developer tools so that we can inspect what data is exchanged between the browser and the backend server.
152.8
See how the credit card number is masked in the interface. However, if we look up the request to retrieve credit card details from the server, we will find something completely different.
169.7
The credit card number was sent in clear text. Since the application does not use HTTPS, anyone between client and server will be able to see it, as will any malware installed on the client device.
184.9
Let’s complete our order and see how far we can go exposing sensitive data.
207.7
In our first session, we exploited the SQL injection vulnerability to bypass authentication. In that case, we could not retrieve any data from the database since the backend server was just counting matched records instead of returning the actual results. If we find a vulnerable endpoint that asks for user inputs to merge with a query template returning phone records, then chances are we will be able to access arbitrary data on the database. Usually, search features are good candidates. Why not try our luck? Let’s pop up developer tools and search for orange, adding a trailing single quote character as we did in the injection flaw session to exploit SQL injection.
274.6
Apparently, nothing happened. Better to open the GET request in a new tab so that we can easily modify the q URL parameter.
286.7
Let’s do it again.
292.9
Okay, this time it looks promising. We now have a SQL error.
308.2
The percentage character is a good sign that the SQL LIKE operator is being used, but think what the backend query template may look like.
340.9
This could be the backend query template. Let’s replace the input keywords with our current payload and see what it looks like.
369.1
Another SQL error. This time, the query is incomplete. Maybe the query template tries to match our search keyword both in product’s title and description.

The OWASP Juice Shop is our target in this course. In this video, you will start by setting up the customer database to collect credit card details. This is important because the next video will teach you how to hack into the database to retrieve this data.

This article is from the free online

Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by
FutureLearn - Learning For Life
