Solution to the problem of breakthrough in OWASP juice shop shooting range

1、 Find hidden scoreboard
/#/score-board Will jump directly to the scoreboard
2、 Log in to the administrator account
Here you can try to use sql Enter the administrator interface by injecting
1、 No account number , No password to enter
’ or 0=0 –

2、 Have an account , No password to enter 
	**[email protected]'--**

3、xss attack
Enter in the search box <iframe src=“javascript:alert(xss)”>

4、 Log in to the administrator interface , And don't report mistakes
stay url Input administration that will do

5、 To the store ⼀ A devastating sporadic feedback
Modify page code , Delete disabled that will do

6、 Register as ⽤ Household
1. Use fiddler The packet capturing tool captures the registered user's packet
2. Catch /api/Users Submit a request
3. add to “role”:“admin” jurisdiction
7、 Delete all 5 Star customer feedback

Enter the hidden administrator interface and enter /administration
Delete the five-star comment
8、 Make your order rich
utilize fiddler Tools , Grab the bag of goods in the shopping cart , Change the quantity of goods to a negative number , Send a request , Just finish shopping
9、 See more ⽤ Household shopping cart
1、 utilize fiddler Caught tools , Grab the shopping cart id, Then put the shopping cart id Change to other users id, Send a request
10、 Find the picture of the cat ⽚ Concurrent display ⽰


11、 send ⽤ The administrator's ⽤ Login with user credentials , Violent ⼒ Crack

12、 With other ⽤ Account name release ⼀ Some feedback
adopt fiddler Caught tools , Catch the feedback package , Then modify the user id, Just send

13、 With other ⽤ Household ⾝ Published product reviews or editors
whatever ⽤ Existing comments of users
adopt fiddler Caught tools , Catch the bag of comments , Then modify the user name , Just send

14、 Frequent sending Can I have a coupon code? Get excellent
benefit ！
Brute force cracking

15、 Uploading is not .pdf or .zip Extended name ⽂ Pieces of ,
xml
Find... In the front-end code
You can modify it.
16、 Upload ⼤ On 100 kB Of ⽂ Pieces of , Other types

17、Nosql notes ⼊- Update multiple product reviews at the same time
18、 modify bender⽤ The password of the user - Don't make ⽤ notes ⼊ Of ⽅
type
1、 Login with universal password bender user
2、 Use the packet capture tool to grab the packet that changes the password
3、 Delete the original password url And send it

19、 Put other products ⼊ another ⼀ individual ⽤ Household shopping basket
20、 change OWASP SSL⾼ Level evidence ⼯ have (O-Saft) in
Of the link href by https://owasp.slack.com