Homework 4: SECURITY
Hacking a juice shop š§
Due: Monday, November 25, 2024 at 11:59:00 PM
Hacking a juice shop
We will be hacking the UIC Juiceshop. This is an intentionally vulnerable full stack web application built with Angular, Express, and Sqlite.
When starting to use the juice shop, it will ask you for your team name. This is
an individual assignment. Use your netID (not your UIN, ckanich is a
netID) as your team name. Feel free to get started as soon as you find this
writeup online.
Once youāre in the Juice Shop, there are hints about what you should do first. Eventually, you will find a main map of how the entire intentionally vulnerable application āgameā works. The main task will be to find and exploit several different flavors of vulnerability.
The juice shop keeps a high score board. You receive nothing but bragging rights for getting a high score.
Find it fix it
In addition to exploiting vulnerabilities, a subset of all of the tasks have a āfind it + fix itā task, where you first select which lines are the problem, and then choose from a set of multiple choice options for how to best fix that problem. You get as many attempts as you want for these, and it will explain what the right answer is for you.
These do not show up in the score board, but will be computed as part of your score on the homework (see below).
Academic integrity
There are two forms of documentation available for the juice shop - the hints that are directly linked from the score board, and other materials available online. Using the hints available through the juice shop is totally acceptable, and the hints available on the main writeup on pwning.owasp-juice.shop. However, to get the most out of the assignment, give it a shot without reading through all of the hints right away.
There are also various other writeups and videos online that walk you through the entire task (including a solutions appendix on the official documentation website). Do NOT use those. Juice Shop has several anti-cheat mechanisms built into it that will make it easy to detect people who arenāt attempting the assignment in good faith. Itās all open source so youāre free to inspect the anti-cheat mechanisms.
If we detect evidence of cheating, we reserve the right to ask you to perform the tasks that you were able to successfully perform in your submission. This assignment leans heavily on the honor system for getting the most out of it: students who are found through the DoS process to have broken the academic integrity policy on this assignment will fail the course. If you ONLY use Piazza for Q&A and ONLY use the built-in hint system, you will be fine.
Collaboration and Extra credit
This is an individual assignment, but helping each other is encouraged - my two rules for helping are:
- Any help that you provide to others must be posted as a public question on Piazza.
- Any help on Piazza should not COMPLETELY give the answer away, but it is fine to come closer than the hints provided in the main writeup on pwning.owasp-juice.shop.
As I mentioned in the syllabus, significant assistance for other students can be converted into extra credit on your final grade. There is no cutoff for this (please donāt ask what it is), but people who make a good faith effort will generally be rewarded. Also, this only counts if I see it - so do this help on Piazza (not Discord).
Submitting your score
To submit your score, you will need to download your progress snapshot:
Then upload this file to gradescope.
Using someone elseās (partial or full) progress snapshot is a violation of the academic integrity policy. They are not tied to your identity, so the juice shop wonāt prevent you from uploading someone elseās progress file, but the monitoring system can detect when you upload a progress snapshot that you did not achieve yourself.
Points
There are far more tasks in this juice shop than we would expect you to get done. To get 100% for this assignment, youneed to finish 11 āfind it fix itā tasks and 30 of the main puzzles. āfind it fix itā tasks are worth twice as much as normal puzzles. Beyond that, every additional āfind it fix itā is a bonus 2%, and every additional puzzle is a bonus 1%, up to a total bonus of 100% (which is equivalent to wiping out a whole missed assignment).
Your full score can be computed as:
| Task | Points |
|---|---|
| first 11 āfind it fix itā tasks | ~3.85% each |
| first 30 puzzles | ~1.92% each |
| next 15 āfind it fix itā tasks | 2% each |
| next 70 puzzles | 1% each |
Due date
This homework is due on Monday, November 25, 2024 at 11:59:00 PM This deadline is FIRM. This assignment is easier than all of the rest, so please put some time in and finish it before the deadline, so you have more time to work on your final project.