This lab involves exploiting the vulnerable web application called the “Juice Shop”. The first goal is to perform a SQL Injection attack and gain access to the “admin” account of the web application. Once the “admin” account is accessible, the final goal is to perform a DOM-based XSS attack that results in an alert message being displayed within the browser. These web application attacks are commonly used by attackers to breach websites and have therefore earned a spot on the OWASP Top 10.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Perform a SQL Injection Attack
To navigate to the OWASP Juice Shop webpage, copy the public IP address for the Kali cloud server from the lab credentials page. Open a web browser and paste the IP address, followed by :8080, into the browser’s URL field. Example: http://13.226.50.101:8080
From the homepage, navigate to Account > Login and log in to the admin account by performing a SQL injection attack.
- Perform an XSS Attack
From the homepage, use the search field to perform a DOM-based cross-site scripting attack that results in a message being displayed within an inline frame.
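The two weaknesses this lab targets, shown from the defender's side as an added illustration that is not Juice Shop's own code: a login query built by string concatenation beside a parameterized one, and a search term rendered straight into HTML beside the same term HTML-escaped. The function names are hypothetical and the sample inputs are constructed.

```javascript
// Added illustration, not Juice Shop source. Function names are hypothetical.

// Vulnerable pattern: the email is spliced into the SQL text, so a quote in
// the input changes the structure of the query instead of staying data.
function buildLoginQueryUnsafe(email, passwordHash) {
  return `SELECT * FROM Users WHERE email = '${email}' AND password = '${passwordHash}'`;
}

// Hardened pattern: the SQL text is fixed; values travel separately as bound
// parameters, so no input can alter the statement.
function buildLoginQuerySafe(email, passwordHash) {
  return {
    sql: 'SELECT * FROM Users WHERE email = ? AND password = ?',
    params: [email, passwordHash],
  };
}

// Quick structural check: a correctly built query has an even number of
// single quotes; an odd count means input has broken out of a string literal.
function quotesBalanced(sql) {
  return (sql.match(/'/g) || []).length % 2 === 0;
}

// DOM XSS: the search page echoes the term into the document. Escaping turns
// markup characters into inert entities, so the browser shows them as text
// rather than parsing them as elements (the same effect as using textContent).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchUnsafe(term) {
  return `<span id="searchValue">${term}</span>`;            // innerHTML-style sink
}

function renderSearchSafe(term) {
  return `<span id="searchValue">${escapeHtml(term)}</span>`; // markup neutralized
}

// Constructed sample inputs: a legitimate value containing an apostrophe, and
// a search term containing markup.
const sampleEmail = "o'brien@example.com";
const sampleTerm = '<b>juice</b>';
```

Running the two builders on `sampleEmail` shows the concatenated query ends up with unbalanced quotes while the parameterized one keeps the apostrophe as data; the same contrast holds for the search term and the two renderers.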