Have you been reading about cybersecurity, but always wondered how hacks actually work? The best way to really understand something is to do it yourself. That’s why this blog will take you through two live hacks that you can do right now!
Our target will be OWASP Juice Shop, a modern and sophisticated web application. OWASP Juice Shop was built by security professionals to be purposely insecure. It is used for security trainings, awareness demos, competitions, and as a testing ground for new security tools. It is set up as an ecommerce website that sells different juice products. The link to the website goes down a lot and changes sometimes; if that link no longer works when you try this, you can always host one for yourself by going to their GitHub and scrolling down to “Deploy on Heroku” or googling for ‘OWASP Juice Shop’ to find another instance of it running on the web.
This blog will take you through two types of hacks: cross site scripting and SQL injection. Of course hacking on a normal website is illegal without written permission, so let’s stick to the Juice Shop with what we learn.
Cross site scripting (XSS) attack
Cross-site scripting is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. In a real XSS attack, an attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script leading to issues. XSS can also be used to deface websites. We’ll be doing more of the latter.
Start off by going to the website.
Paste the attack string <iframe src="javascript:alert(`xss`)"> into the Search... field.
Hit the Enter key.
An alert box with the text "xss" should appear.
Congrats, you’ve completed your first XSS attack by causing the page to behave in a way it’s not supposed to. Now let’s have a little more fun by doing your first Rick Roll, a common prank from hackers.
Turn on your computer's speakers!
Paste the payload <iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe> into the Search... field and hit Enter
Enjoy your first Rick Roll!
SQL Injection
Next we’ll do a quick SQL injection attack. First off, what is a SQL injection attack? SQL injection is a common vulnerability where an attacker injects malicious SQL code into the SQL query running on the server-side. The SQL query takes the client’s input as a parameter and uses it to query the website’s database. An attacker can modify the query in a way that exposes, modifies, or destroys the data in the database.
Let us inject SQL into the login field to bypass the login and login as the first user in the database. A common SQL query used at login would be: "SELECT * FROM Users WHERE email = '[the email you enter]' AND password = '[the hash of the password you enter]'
So let’s come up with a malicious SQL query that would bypass login. A good try would be:
' OR TRUE --
Let’s break down this query:
' character closes the email string.
OR is a SQL query
TRUE is a boolean value
--will comment out the SQL query after the TRUE
So, now the SQL will check for “email = '' or TRUE” which is always a TRUE statement and it should let us in.
Start off by going to the website.
Click on ‘Account’ in the top right and select ‘Login’
Paste ' OR TRUE -- into the email field and anything into the password field.
Click ‘Log in’
You’re in!
Moreover, if you click on ‘Account’ you will see that you are logged in as the admin. Good developers would “scrub” these types of queries to stop these attacks, but SQL injection still happens all the time.
More Resources
If you’ve enjoyed your first taste of ethical hacking, there are lots of ways to learn more and plenty of other websites to practice on. There are plenty of vulnerabilities on Juice Shop that you can discover. There are also many other websites that you can legally hack:
Conclusion
Hopefully this blog opened your eyes to the mechanics of a hack and also to the mindset of a hacker. Hackers essentially look for ways to manipulate a computer program to behave in ways its creator did not intend. By training your ethical hacking skills you can become a better defender because you know what the bad guys are looking for and how they think. Another reminder to only practice on sites that give permission to be hacked (like Juice Shop), sites or machines you host yourself, or bug bounty programs. Good luck if you decide to venture further into this world and happy hacking!