Level: Beginner

Exploiting Hidden Vulnerabilities: Null Byte Injection and API Tampering in OWASP Juice Shop

Learn to exploit hidden vulnerabilities using Poison Null Byte Injection and API request tampering to uncover secrets and manipulate data in OWASP Juice Shop.

Skills You'll Learn

Broken Access Control
Modules: 4
Duration: 30 minutes

Lab Modules

4 steps
What is Poison Null Byte Injection?
Finding the Hidden Easter Egg
Manipulating Product Details via API Tampering
Mitigation and Takeaways

Lab Overview

Web applications often have hidden vulnerabilities that can be exploited through unexpected inputs or by manipulating API requests. These weaknesses can allow attackers to bypass restrictions, access hidden functionalities, or tamper with data.

In this lab, you will explore two critical vulnerabilities:

  1. Poison Null Byte Injection: You will learn how a null byte can bypass input validation, enabling you to uncover hidden functionalities, such as finding a hidden Easter egg in the application.
  2. HTTP Request Tampering: By manipulating PUT requests, you will exploit weak access controls to tamper with product descriptions, changing data on the server.

Both challenges highlight the importance of proper input validation and secure API design in web applications.

Objectives

Upon completion of this lab, you will be able to:

  • Understand and exploit Poison Null Byte Injection to bypass application restrictions.
  • Manipulate HTTP requests to exploit weak access controls and tamper with data.
  • Analyze web application vulnerabilities using browser developer tools.

Who is this lab for?

This lab is designed for:

  • Security enthusiasts looking to explore hidden application vulnerabilities.
  • Developers who want to understand how improper input validation can be exploited.
  • Penetration testers and IT professionals learning about API manipulation and injection attacks.