Metlo Juice Shop
Broken Authentication

The Testing feature can also be used to test for Broken Authentication vulnerabilities.

1. Create Test

You can create a Broken Authentication test from the JUICE_SHOP_BROKEN_AUTHENTICATION template. Go to the Endpoints page in the Metlo Web App and search for this endpoint /rest/user/login. Next, go to the Endpoint Overview page for that endpoint and click on the Tests tab. Now, click Generate Test and JUICE_SHOP_BROKEN_AUTHENTICATION on the drop-down menu. Once you are on the testing page, in the yaml test editor, replace the email field of the 2nd request with the value and password field with the value password. Then replace the email field of the 3rd request with the value ' or 1=1 --.

2. Run Test

Now, if you run the test you will see that the 3rd request failed. It successfully logged in when we provided a SQL Injection payload in the email field with an arbitrary password.


3. Rules

With Metlo’s Testing feature, you can also create Rules that tell Metlo to always test some subset of endpoint with a specific test. Let’s create a Rule that creates Broken Authentication tests for the Card endpoints.

First, go to the Rules tab of the Testing page. Next, click on the New button and fill in the following information:

Name -> Card Endpoints Broken Authentication Test Templates -> JUICE_SHOP_BROKEN_AUTHENTICATION Endpoint Filter -> /api/Card Auto Enable -> Toggled On

Now, click on the Save button. You should now have a new entry in the Rules tab and new auto generated tests in the Tests tab specifically for endpoints that meet the criteria you specified. These tests are generated from the JUICE_SHOP_BROKEN_AUTHENTICATION template and are automatically enabled to be run every 10 minutes. Metlo will also automatically create this test for any new endpoints which are detected that match the rule criteria. After the tests have ran, you can see that these tests pass since the Juice Shop app only allows authenticated users to call these endpoints.