Hacking OWASP’s Juice Shop Pt. 16: Visual Geo Stalking


Name: Visual Geo Stalking

Description: Determine the answer to Emma’s security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.

Difficulty: 2 star

Category: Sensitive Data Exposure

Expanded Description: https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html

Tools used:


Resources used:



To know what we’re looking for, first we should visit the “Forgot Password” page and find out what Emma’s security question is by entering her email address into the appropriate box.

Forgot Password
Security Question
Company you first work for as an adult
Please provide an answer to your security question
New Password
Password must be 5-20 characters long.
Repeat New Password
Show password advice

We appear to be looking for a business name. Next we need to find the photo in question. After navigating to the Photo Wall, the first thing to do is figure out which photo belongs to Emma. Three of the images belong to Bjoern, and one to John. That leaves the image of a building with the caption “My old workplace… (© E=ma²)” which is close enough to “Emma” that, coupled with knowing who took all of the other photos, we should focus on it. Save it to your system and let’s get started!

Using the GNU Image Manipulation Program (GIMP), open the photo and examine it very carefully for anything which might give away the name. I promise the answer is there if you look hard enough.

Seriously. Keep looking. Try harder.


OK, here’s the answer.

That looks an awful lot like “ITsec”, doesn’t it? Let’s give it a shot!

You successfully solved a challenge: Visual Geo Stalking (Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.)

Prevention and mitigation strategies:

OWASP Mitigation Cheat Sheet

When posting photos, don’t reveal sensitive information to the masses. For instance, if you’re using your father’s middle name as a security question, don’t take a photo of his mail.
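The same idea can be enforced on the server when a user sets a security answer. The following is an added example, not part of the original post or of Juice Shop's code: it rejects an answer that can be read off the account's own public content. The function names, the sample data and the step that transcribes text visible in a photo are all assumptions.

```javascript
// Added example: names and sample data below are constructed, not from Juice Shop.

// Public text tied to one account. The "signage" entry assumes some earlier
// step (OCR or manual review) transcribed text visible in the uploaded photo.
const SAMPLE_PUBLIC_TEXT = [
  { source: 'photo caption', text: 'My old workplace… (© E=ma²)' },
  { source: 'photo signage', text: 'ITsec' },
];

// Reduce text to lowercase letters and digits so "ITsec", "it-sec" and
// "IT Sec" all compare equal.
function normalize(s) {
  return s.normalize('NFKD').toLowerCase().replace(/[^a-z0-9]+/g, '');
}

// Every run of 1..maxWords adjacent words, normalized, so an answer that is
// split across words ("IT sec") is still matched.
function phrases(text, maxWords = 3) {
  const words = text.split(/\s+/).filter(Boolean);
  const out = new Set();
  for (let i = 0; i < words.length; i++) {
    for (let n = 1; n <= maxWords && i + n <= words.length; n++) {
      out.add(normalize(words.slice(i, i + n).join(' ')));
    }
  }
  out.delete('');
  return out;
}

// Decide whether a proposed security answer should be rejected because it is
// too short or can be read off the account's own public content.
function checkSecurityAnswer(answer, publicTexts) {
  const target = normalize(answer);
  if (target.length < 3) {
    return { weak: true, reason: 'too short' };
  }
  for (const { source, text } of publicTexts) {
    if (phrases(text).has(target)) {
      return { weak: true, reason: `visible in ${source}` };
    }
  }
  return { weak: false, reason: 'not found in checked content' };
}

console.log(checkSecurityAnswer('ITsec', SAMPLE_PUBLIC_TEXT));
```

A result of `weak: false` only means the answer was not in the text that was checked; it says nothing about photos whose visible text was never transcribed.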

Lessons Learned and Things Worth Mentioning: 

  1. Take the time to gather as much data as possible. Had I not known that this sign was here (from past tinkering with Juice Shop), I’d have passed right by it. In the future I will be more patient and thorough.
