SC 300: OWASP ZAP (45 pts)

What You Need

Purpose

To use the OWASP ZAP dynamic scanner to find vulnerabilities in the OWASP Juice Shop.

Finding your Cloud Linux Server's IP Address

Click the link below to open the Google Cloud Console page:
https://console.cloud.google.com
At the top left, click the three-bar icon.

Point to "Compute Engine" and click "VM instances", as shown below.

On the "VM instances" page, click the name of your server, as shown below.

Note your External IP address, outlined in yellow in the image below. You'll need it later.

Installing OWASP ZAP

On your local computer, in a Web browser, go to
https://www.zaproxy.org/download/
Download and install ZAP.

Starting ZAP

On your local computer, launch ZAP.

If a box pops up asking whether to "regenerate the certificate", click OK. An Options box pops up. Click OK.

If an error box pops up, click "Don't send".

A box asks whether to persist the session, as shown below.

Accept the default selection of "No" and click Start.

A "Manage Add-ons" windows opens. Click Close.

You see the main ZAP window, as shown below.

In the top right pane, click the red X to close the "BIG ZAP funding announcement" box.

Scanning the OWASP Juice Shop with ZAP

In the top right pane of ZAP, click the "Automated Scan" button.

In the "URL to attack" field, enter the URL of your cloud OWASP Juice Shop page, as shown below.

In the top right pane of ZAP, click the Attack button.

The scan took about five minutes when I did it.

The results appear in the bottom pane, on the Alerts tab, as shown below.

As you can see, it did not find many vulnerabilities.

To see why, on the lower left, click "Modern Web Application".

The lower right pane explains that you need to use the Ajax spider for modern apps, as shown below.

Using the Ajax Spider

At the top center, click the "Quick Start" button.

Clear the "Use traditional spider" check box and select the "Use ajax spider" box, as shown below.

Click the Attack button.

If an error message appears, saying it cannot find Firefox, you need to adjust it.

I found various solutions on this page:

https://www.zaproxy.org/faq/how-can-i-fix-browser-was-not-found/
On my Mac, the solution was this:

At the top left of the desktop, click Zap, "Settings...".

In the Options box, on the left side, click Selenium.

On the right side, enter the full path to Firefox, which was:

/Applications/Firefox.app/Contents/MacOS/firefox
as shown below.

Click OK and start the scan again.

This scan takes longer. On my system it took about 20 minutes.

Flag SC 300.1: SQL Injection (15 pts)

On the lower left, click "SQL Injection - SQLite", highlighted in the image below.

At the top center, click the Response button, outlined in red in the image below.

The flag is the word covered by a green rectangle in the image below.

Generating a Report

At the top left, click Report, "Generate Report...".

Add "Juice Shop" to the tite, as shown below.

Notice the directory and filename the report will have.

At the bottom right, click the "Generate Report" button.

Navigate to the folder where the report was saved and double-click it.

The report opens, as shown below.

Flag SC 300.2: Cloudflare Library (10 pts)

At the bottom, click "Risk=Medium, Confidence=Medium (3)".

The flag is the word covered by a green rectangle in the image below.

Investigating the SQL Injection Vulnerability

In the Report, scroll to the top.

Click "Alert counts by alert type".

Click "SQL Injection - SQLite".

You get very little information, as shown below.

Click the Reference link to see an OWASP page about SQL Injections.

This page is not very helpful.

In Zap, on the lower left, click "SQL Injection - SQLite".

At the top center, click the Request button,

The top right pane shows the URL that caused the error, which is:

http://34.27.81.154:3000/rest/products/search?q=%27%28
as shown below.

Finding the Vulnerable Code

Let's start from the Respose to the test that shows the SQL injection error, as shown below.

Notice the lower portion of the top right pane. It shows a line of vulnerable core in magenta letters, as shown below.

The vulnerable line of code begins with:

SELECT * FROM Products WHERE ((name LIKE
On your Linux server, type Ctrl+C to stop the Juice Shop.

Then execute this command:

grep FROM\ Products\ WHERE -r . | less -S
The first two lines of the results show the files that work with this code, as shown below.

Type Q to exit "less".

Adding console.log Commands to Mark the Code

Execute this command:
nano routes/search.ts
Add the two lines outlined in yellow to the code, as shown below.

This will print "A" and the query parameter "criterion" on the Linux console when this code is used.

Type Ctrl+X, Y, Enter to exit nano and save changes.

Repeat the process to print out a different letter, such as "B", when the corresponding code is used in the "build/routes/search.ts" file.

Execute this command to start the Juice Shop running again:

npm start

Triggering the Error

On your local system, in a Web browser, go to this URL, replacing the IP address with the external IP address of your Cloud Linux server:
http://34.27.81.154:3000/rest/products/search?q=%27%28
The browser shows a SQLITE_ERROR, as shown below.

The console of the Linux server shows a message printing out a letter, indicating where the vulnerable code is, as shown below.

Fixing the SQL Injection

Modify the code to remove apostrophes from the "criterion" variable, preventing the SQL injection.

I found the information shown below useful, which I got from here.

Flag SC 300.3: Fixing the SQL Injection (20 pts)

In a Web browser, open this page:
https://samlols.samsclass.info/SC/SC300.htm
Enter the IP address of your cloud Linux server in the form for flag SC 300.3, as shown below, and submit the form.

If your code is correct, the flag will appear.

Posted 2-26-24