Hacking OWASP’s Juice Shop Pt. 34: Privacy Policy Inspection

Challenge: 

Name:  Privacy Policy Inspection

Description: Prove that you actually read our privacy policy.

Difficulty: 3 star

Category: Security Through Obscurity

Expanded Description: https://pwning.owasp-juice.shop/part2/security-through-obscurity.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

None.

Methodology: 

First, as usual, I read the expanded description.

Prove that you actually read our privacy policy
User agreements and privacy policies are too often simply dismissed or blindly accepted. This challenge kind of forces you to reconsider that approach.
• First you should obviously solve Read our privacy policy. It's fine to use the mouse cursor to not lose sight of the paragraph you are currently reading!
• If you find some particularly hot sections in the policy you might want to melt them together similar to what you might have already uncovered in Apply some advanced cryptanalysis to find the real easter egg.

Without the highlighter, that description is much more cryptic. But I decided to try dragging my mouse along the text and was shortly rewarded with a “hot” indicator.

[Screenshot: the Privacy Policy page; the remainder of the text is cut off at the edge of the capture]
Privacy Policy
Effective date: March 15, 2019
OWASP Juice Shop ("us", "we", or "our") operates the http://localhost website (the "Service").

After mousing over every single word, I came up with this:

[Screenshot: the policy with its "hot" words highlighted; the viewer's menu bar (Edit, Search, View, Document, Help) is also visible]
http://localhost
We may also instruct you to refuse all reasonably necessary responsibility

Initially I was a little confused as to why the localhost address was there, until I decided to try using the hot words as a link, and capture the packets with Burp Suite.

[Screenshot: the hot words, joined with slashes, typed into the browser address bar]
http://localhost:3000/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility

When given a link like that, it's usually a good idea to pay that URL a visit.

[Screenshot: the browser after visiting the URL, showing the thank-you image and the success notification]
http://localhost:3000/http://localhost:3000/juice-shop/frontend/dist/frontend/assets/private/thank-you.jpg
You successfully solved a challenge: Privacy Policy Inspection (Prove that you actually read our privacy policy.)
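As an added illustration of why this challenge is filed under Security Through Obscurity (this is not part of the original write-up and not code from the Juice Shop project): the hot words are only hidden visually, behind a hover effect, so anything the browser can render is sitting in plain text in the DOM for a parser to read. The script below pulls every element carrying a given CSS class out of a policy page, in document order, and joins the words into a URL path. It assumes the hot words are marked with class="hot"; both that selector and the sample policy HTML are constructed for this example and were not copied from the application.

```python
from html.parser import HTMLParser


class HotWordExtractor(HTMLParser):
    """Collect the text of every element that carries the given CSS class.

    Assumption for this example: the policy wraps each hot word in an element
    with class="hot". Only the class name is looked at, not the tag.
    """

    def __init__(self, css_class="hot"):
        super().__init__()
        self.css_class = css_class
        self.words = []
        self._in_tag = None  # tag name of the hot element we are inside, if any

    def handle_starttag(self, tag, attrs):
        if self._in_tag is None:
            # attrs is a list of (name, value); value can be None for bare attributes
            classes = (dict(attrs).get("class") or "").split()
            if self.css_class in classes:
                self._in_tag = tag

    def handle_endtag(self, tag):
        if tag == self._in_tag:
            self._in_tag = None

    def handle_data(self, data):
        if self._in_tag is not None:
            self.words.extend(data.split())


def extract_hot_words(html, css_class="hot"):
    """Return the hot words in the order they appear in the document."""
    parser = HotWordExtractor(css_class)
    parser.feed(html)
    parser.close()
    return parser.words


def hot_words_to_path(words):
    """Join the words into a lower-cased URL path, dropping trailing punctuation."""
    return "/" + "/".join(w.lower().strip(".,;:!?") for w in words)


# Constructed sample policy: filler prose with the hot words spread across
# paragraphs, the way the real page scatters them. Not the Juice Shop markup.
SAMPLE_POLICY_HTML = """
<h1>Privacy Policy</h1>
<p><span class="hot">We</span> collect data to provide the Service.
<span class="hot">May</span> we <span class="hot">also</span> use it to
<span class="hot">instruct</span> <span class="hot">you</span> on changes?</p>
<p>You can tell your browser <span class="hot">to</span>
<span class="hot">refuse</span> <span class="hot">all</span> cookies.</p>
<p>We take <span class="hot">reasonably</span> <span class="hot">necessary</span>
steps; <span class="hot">responsibility</span> remains yours.</p>
"""


if __name__ == "__main__":
    words = extract_hot_words(SAMPLE_POLICY_HTML)
    print("hot words:", " ".join(words))
    print("path:", hot_words_to_path(words))
```

The takeaway for anyone designing a real application: a hover-only style or an unlinked path is not an access control. If a resource should be private, the server has to authorize the request; hiding the route from the rendered page does not hide it from the HTML, from a proxy like Burp Suite, or from a ten-line parser.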
