Juice Shop Hidden Score Board (1 Star) with coding challenge
Name: Score Board
Difficulty: 1 Star
Description: Find the carefully hidden ‘Score Board’ page.
Category: Miscellaneous
Let’s open up Firefox’s Dev Tools via F12 and search for path:”score
We will find a path called score-board that we can now navigate to
Once we do, we will have found the flag
Now we are going to launch the associated Coding Challenge
If we scroll down to the score board section of the code, we will see the line we need. We just need to select the correct line, then keep scrolling and clicking Submit
Once we submit it, we will be brought to a new screen with 3 possible fixes, that we then need to select the correct option
The code for Fix 1 is using the atob parameter which will encode the score-board url and be harder to locate
Fix 2 completely removes the code, at which point the page that tracks the challenges would be completely gone, and if this was a production site, wouldn’t be the best option if that page was important
Fix 3 doesn’t change anything, at which point, it is still vulnerable to finding either via dev tools or using something like dirbuster or gobuster to locate the hidden url
Once we feel we’ve selected the correct fix (option 1), we will then scroll down and click on Submit to see if we were right
Unfortunately I was wrong (this is all a learning process after all :) )
Option 3 (leaving it as is) turns out to be the correct solution after all
Lessons Learned:
Sometimes, it is necessary to leave code as is, but in most cases it would be better to encode (as long as it is tested in a dev environment to make sure the change wouldn’t break prod)
