Juice Shop SQL Injection — Lab Exercise & POC

Lab Environment Setup

Target: OWASP Juice Shop running at http://localhost:3000
Prerequisites:

  • Docker running
  • Juice Shop container active
  • curl CLI available

Start Lab:

docker ps | grep juice-shop
# Should show running container on port 3000

Part 1: Reconnaissance

1.1 Identify Login Endpoint

curl -s "http://localhost:3000/rest/user/login" -X POST \
  -H "Content-Type: application/json" \
  -d '{"email":"test@example.com","password":"test"}' \
  | head -20

Expected Response:

Invalid email or password.

This confirms the endpoint exists and validates credentials.

1.2 Test for SQL Injection (Boolean-based)

Payload 1 - Always False:


Lab: File and Directory Discovery on DVWA

Objectives

By the end of this lab, you will:

  1. Identify and exploit command injection vulnerabilities
  2. Execute filesystem reconnaissance commands
  3. Map application and system directory structure
  4. Locate sensitive configuration files
  5. Identify potential persistence and exfiltration vectors
  6. Document findings in a structured format

Prerequisites

  • Docker and docker-compose installed
  • DVWA running on localhost:80
  • Command-line access
  • Basic Linux filesystem knowledge

Lab Setup

Start DVWA

cd esther-lab
docker-compose up -d dvwa mysql
docker-compose logs dvwa

Verify Access

curl -s http://localhost:80/login.php | head -20

Exercise Steps

Step 1: Login to DVWA

# Fetch the login page, save the session cookie, and extract the anti-CSRF user_token
TOKEN=$(curl -s -c /tmp/cj.txt http://localhost:80/login.php | \
  grep -oP "user_token'[^']*value='\K[^']*")

# Login with default credentials
curl -s -b /tmp/cj.txt -c /tmp/cj.txt -X POST http://localhost:80/login.php \
  -d "username=admin&password=password&user_token=$TOKEN&Login=Login" -L

Step 2: Access Command Injection Vulnerability

Navigate to: http://localhost:80/vulnerabilities/exec/


OpenSearch Audit Log Analysis — Lab Walkthrough

Date: 2026-03-04
Objective: Identify and analyze unauthenticated requests in OpenSearch security audit logs
Environment: OpenSearch cluster with security plugin enabled
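
The objective above, sketched as an added example that is not part of the original walkthrough: it triages audit events exported as JSON lines and flags sources that sent requests with no resolved identity. The sample events are constructed, and treating a REST-layer FAILED_LOGIN with an effective user of "<NONE>" as "unauthenticated" is an assumption about how the cluster records missing credentials.

```python
import json
from collections import Counter

# Constructed sample audit events (one JSON document per line). Field names
# follow the security plugin's audit log format; all values are made up.
SAMPLE_EVENTS = """\
{"@timestamp":"2026-03-04T10:00:01Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"<NONE>","audit_request_remote_address":"192.0.2.10","audit_rest_request_path":"/_cat/indices"}
{"@timestamp":"2026-03-04T10:00:02Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"<NONE>","audit_request_remote_address":"192.0.2.10","audit_rest_request_path":"/_cluster/health"}
{"@timestamp":"2026-03-04T10:00:03Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"<NONE>","audit_request_remote_address":"192.0.2.10","audit_rest_request_path":"/_cat/indices"}
{"@timestamp":"2026-03-04T10:00:04Z","audit_category":"AUTHENTICATED","audit_request_layer":"REST","audit_request_effective_user":"admin","audit_request_remote_address":"192.0.2.20","audit_rest_request_path":"/_search"}
{"@timestamp":"2026-03-04T10:00:05Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"jdoe","audit_request_remote_address":"192.0.2.30","audit_rest_request_path":"/_search"}
{"@timestamp":"2026-03-04T10:00:06Z","audit_category":"FAILED_LOGIN","audit_request_layer":"REST","audit_request_effective_user":"<NONE>","audit_request_remote_address":"192.0.2.44","audit_rest_request_path":"/"}
{"@timestamp":"2026-03-04T10:00:09Z","audit_categ
"""

# Assumption: a request that carried no credentials has no resolved user.
NO_IDENTITY = {"", "<NONE>"}

def is_unauthenticated(event):
    """True for a REST-layer FAILED_LOGIN where no user was resolved."""
    return (event.get("audit_category") == "FAILED_LOGIN"
            and event.get("audit_request_layer") == "REST"
            and event.get("audit_request_effective_user", "") in NO_IDENTITY)

def triage(lines, threshold=2):
    """Return ({source: {path: count}}, skipped) for sources at or above threshold."""
    by_source, skipped = {}, 0
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            skipped += 1          # truncated or non-object line: count it, keep going
            continue
        if is_unauthenticated(event):
            src = event.get("audit_request_remote_address", "unknown")
            path = event.get("audit_rest_request_path", "?")
            by_source.setdefault(src, Counter())[path] += 1
    flagged = {s: dict(p) for s, p in by_source.items() if sum(p.values()) >= threshold}
    return flagged, skipped

if __name__ == "__main__":
    flagged, skipped = triage(SAMPLE_EVENTS)
    print(json.dumps(flagged, indent=2), f"\nskipped lines: {skipped}")
```

A failed login that names a user (the "jdoe" event) is deliberately left out of this bucket, since it is a wrong-credential attempt rather than a request with no identity.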


Lab Setup

Prerequisites

  • OpenSearch instance running with security audit plugin
  • Admin credentials (or read access to security indices)
  • curl with support for HTTPS and basic auth
  • jq (optional, for JSON parsing)

Credentials Used

USERNAME="admin"
PASSWORD="<REDACTED>"
OPENSEARCH_URL="https://localhost:9200"

Step 1: Verify OpenSearch Connectivity

Test basic connectivity and authentication:

# Uses the variables from "Credentials Used"; --insecure skips TLS certificate verification
curl -s -u "$USERNAME:$PASSWORD" "$OPENSEARCH_URL" --insecure | jq .

Expected Output:
