Information Security

Hacking OWASP’s Juice Shop Pt. 34: Privacy Policy Inspection

Posted on by codeblue04

Challenge: 

Name:  Privacy Policy Inspection

Description: Prove that you actually read our privacy policy.

Difficulty: 3 star

Category: Security Through Obscurity

Expanded Description: https://pwning.owasp-juice.shop/part2/security-through-obscurity.html

Tools used:

Burp Suite, FoxyProxy

Resources used:

None.

Methodology: 

First, as usual, I read the expanded description.

Prove that you actually read our privacy policy User agreements and privacy policies are too often simply dismissed or blindly accepted. This challenge kind of forces you to reconsider that approach. • First you should obviously solve Read our privacy policy. Oiltßfineto use the mouse cursor to not lose sight of the paragraph you are currently readinål • If you find someparticularly hot sections in the policy you might want to melt them together similar to what you might have already uncovered in Apply some advanced cryptanalysis to find the real easter egg •

Without the highlighter, that description is much more cryptic. But I decided to try dragging my mouse along the text and was shortly rewarded with a “hot” indicator.

Privacy Policy Effective date: March 15, 2019 OWASP Juice Shop ("us", "we", or "our") operates the http://localbst website (the "Service"). This page informs you of our policies regarding the collection, use, and disclosure of persor associated with that data. Our Privacy Policy for OWASP Juice Shop is created with the help of

After mousing over every single word, I came up with this:

Edit Search http://localhost View We may also instruct your Document browser Help refuse all reasonably necessary responsibilityl to

Initially I was a little confused as to why the localhost address was there, until I decided to try using the hot words as a link, and capture the packets with Burp Suite.

OWASP Juice Shop x Kali Training Kali Tools OWAS OWASP Juice Shop X O OWASP O-Saft q localhost:3000/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility http://localhost:3000/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility This time, search with:
OWASP Juice Shop x Kali Training Kali Tools OWAS OWASP Juice Shop X O OWASP O-Saft q localhost:3000/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility http://localhost:3000/we/may/also/instruct/you/to/refuse/all/reasonably/necessary/responsibility This time, search with:

When given a link like that, it’s usually a good idea to pay that url a visit.

OWASP Juice Shop X O OWASP O-Saft localhost:3000/http://localhost:3000/jUice-shop/frontend/dist/frontend/assets/private/thank-you.jpg http://localhost:3000/http://localhost:3000/juice-shop/frontend/dist/frontend/assets/private/thank-you.j This time, search with:
You successfully solved a challenge: Privacy Policy Inspection (Prove that you actually read our privacy policy.) X

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s