Exploitation: Hack Your Store

In this video, you will learn how to hack the OWASP Juice Shop database to access client credit card details.
7.2
Let’s get back to our query draft and improve it.
39.1
Since we were commenting everything that comes after the place where our search keyword is first interpolated, it doesn’t make sense that the problem is the end, unless there are some brackets around these conditions.
62.3
Let’s see what we get now.
72.2
The same error. Maybe there’s more than one bracket around the condition. Let’s try with an additional bracket.
96.5
Alright, now we know that we are on the right track. Until now, we were able to break the query template and fix it with our own payload. We are just missing a way to join additional data to the query results. SQL allows unions between query results as long as they have the same number of fields. Let’s see how many fields are retrieved for products.
136.1
To be able to do a union, we need the second query to return nine fields.
162.1
Let’s test it.
172.4
Okay, we have our coded record returned by the database server. We can now guess table name and some fields to expose data.
209.2
Table user does exist as well as the ID field. Let’s try guessing other field names until we get something juicy.
264.8
Finally, passwords, or at least their hashes. Vulnerable applications tend to use unsalted MD5 hashes. If this is the case, we should be able to get the original secret searching the hash we got in some rainbow tables.
294.8
And we got it. Let’s try to log in as admin.
326.8
Since we’re in, why not check some addresses or credit card data?
356.9
We already know the trick to expose credit card details. Let’s pop up developer tools and reload the page.
373.9
And here they are, the admin’s credit cards.
381
First, we saw that although credit card data appears masked on the screen, it is sent in clear text from the server to the client. Since the application does not implement HTTPS, someone between the client and the server, such as a proxy, will have access to that data. Exploiting a SQL injection flaw, we were able to retrieve arbitrary data from the database. We saw that sensitive data, such as credit card data, is not protected at rest. Finally, still exploiting the SQL injection flaw, we retrieved authentication data. Although passwords were not stored in clear text, hashing was not done properly, and we were able to retrieve some secrets using rainbow tables.
422.2
In our next video, we will discuss what makes the application vulnerable and how to prevent it.

In the previous video, you set up your customer database to store credit card information. This is the type of data that hackers would like access to, so you need to understand how they will try to breach your security to get to it. In this video, you will follow a demonstration showing you how to access the database that stores client information, including clients’ credit card information.
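
The search-query flaw the video exploits, shown beside a parameterized form of the same query. This is an added example, not code from the course or from Juice Shop: the schema, function names and sample input are constructed for illustration, and Python's `sqlite3` stands in for the shop's database.

```python
import sqlite3

def make_db():
    # Constructed in-memory schema; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT);
        CREATE TABLE users (id INTEGER, email TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Apple Juice', 'Fresh pressed');
        INSERT INTO products VALUES (2, 'Orange Juice', 'With pulp');
        INSERT INTO users VALUES (1, 'admin@example.test', 'constructed-hash');
    """)
    return db

def search_vulnerable(db, term):
    # The keyword is interpolated into the SQL text, inside two brackets,
    # so input can close the brackets and change the statement itself.
    sql = ("SELECT id, name, description FROM products "
           f"WHERE ((name LIKE '%{term}%' OR description LIKE '%{term}%')) "
           "ORDER BY name")
    return db.execute(sql).fetchall()

def search_safe(db, term):
    # The SQL text is fixed; the keyword travels as a bound parameter and
    # is only ever compared as data. LIKE wildcards in it are escaped.
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = f"%{esc}%"
    sql = ("SELECT id, name, description FROM products "
           "WHERE ((name LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\')) "
           "ORDER BY name")
    return db.execute(sql, (pattern, pattern)).fetchall()

# Constructed input of the shape the video builds: close both brackets,
# append a UNION with the same number of fields, comment out the rest.
CRAFTED = "zzz')) UNION SELECT id, email, password FROM users--"

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "Apple"))   # normal product search
    print(search_vulnerable(db, CRAFTED))   # rows from the users table
    print(search_safe(db, CRAFTED))         # no rows: input stayed data
```

With the bound parameter, the same input is matched literally against product names and returns nothing, which is also a useful regression test to keep next to any search endpoint.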

Reflect and share: This activity showed us how easy it can be to hack into some databases and get access to sensitive information. Do you read the terms and conditions when you use online shopping? What do you think you should look for in those terms to ensure your information is safe?

This article is from the free online course Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals.

Created by FutureLearn - Learning For Life