Exploitation: Hack Your Store

In this video, you will learn how to hack the OWASP Juice Shop database to access client credit card details.
Let’s get back to our query draft and improve it.
Since we were commenting out everything that comes after the place where our search keyword is first interpolated, it doesn’t make sense that the problem is at the end, unless there are some brackets around these conditions.
Let’s see what we get now.
The same error. Maybe there’s more than one bracket around the condition. Let’s try with an additional bracket.
Alright, now we know that we are on the right track. Until now, we were able to break the query template and fix it with our own payload. We are just missing a way to join additional data to the query results. SQL allows unions between query results as long as they have the same number of fields. Let’s see how many fields are retrieved for products.
To be able to do a union, we need the second query to return nine fields.
Let’s test it.
Okay, we have our coded record returned by the database server. We can now guess the table name and some field names to expose data.
The user table does exist, and so does the ID field. Let’s try guessing other field names until we get something juicy.
Finally, passwords, or at least their hashes. Vulnerable applications tend to use unsalted MD5 hashes. If this is the case, we should be able to get the original secret by looking up the hash we got in some rainbow tables.
And we got it. Let’s try to log in as admin.
Since we’re in, why not check some addresses or credit card data?
We already know the trick to expose credit card details. Let’s open the developer tools and reload the page.
And here they are, the admin’s credit cards.
First, we saw that although credit card data appears masked on the screen, it is sent in clear text from the server to the client. Since the application does not implement HTTPS, someone between the client and the server, such as a proxy, will have access to that data. Exploiting a SQL injection flaw, we were able to retrieve arbitrary data from the database. We saw that sensitive data, such as credit card data, is not protected at rest. Finally, still exploiting the SQL injection flaw, we retrieved authentication data. Although passwords were not stored in clear text, hashing was not done properly, and we were able to retrieve some secrets using rainbow tables.
In our next video, we will discuss what makes the application vulnerable and how to prevent it.

In the previous video, you set up your customer database to store credit card information. This is the type of data that hackers would like access to, so you need to understand how they will try to breach your security to get to it. In this video, you will follow a demonstration showing you how to access the database that stores client information, including clients’ credit card information.

Reflect and share: This activity showed us how easy it can be to hack into some databases and get access to sensitive information. Do you read the terms and conditions when you use online shopping? What do you think you should look for in those terms to ensure your information is safe?

This article is from the free online course Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals, created by FutureLearn - Learning For Life.