Merge branch 'main' of github.com:SecureFromScratch/Workshops

Author: SecureFromScratch

hacking/devtools/solutions/othersorders.md

@@ -0,0 +1,26 @@
+# See others' Orders
+- Open the developer tool bar network tab
+- Go to your basket
+- Check carefully the request
+- Edit and resend the request so you will be able to get someone else's basket and resend
+- Check the network tab again
+
+
+## How edit and resend requests 
+
+### In Chrome DevTools
+
+1. Open **Network** tab.
+2. Find the request you want to modify.
+3. Right-click it → **Copy → Copy as fetch**.
+4. Go to the **Console**, paste it, edit any part (URL, headers, body), and press **Enter** to resend.
+
+### In Firefox Developer Tools
+
+1. Open **Network** tab.
+2. Right-click the request → **Edit and Resend** (directly available).
+3. Modify any header, method, or body.
+4. Click **Send**.
+
+
+

hacking/devtools/solutions/scoreboard.md

@@ -0,0 +1,21 @@
+# Finding the scoreboard
+
+## Expected result / verification 
+Gain access to the scoreboard
+
+## Hints
+- Use the Pretty Print ({}) function in Sources to make minified JS readable.
+- Search entire sources for keywords rather than scanning files manually.
+
+## Steps (exact DevTools actions)
+- View Page Source (right-click → View Page Source) and search for keywords like "score", "admin", or "hidden".
+- Elements: inspect the DOM for hidden links or HTML comments that contain route hints.
+- Sources: open bundled JS files and search (Ctrl+F) for strings like "scoreboard"
+- Console: construct the discovered path (e.g., `/scoreboard`) and navigate `window.location="/scoreboard"` or fetch it via `fetch("/scoreboard")` to view content.
+- If the route is guarded by client checks, inspect the guard logic in Sources and try modifying client state (localStorage/cookie) accordingly.
+
+## final Solution
+http://localhost:3000/#/score-board
+
+
+

hacking/devtools/welcome.md

@@ -3,13 +3,42 @@
 This lab is designed for **hands-on exploration of OWASP Juice Shop using only the browser’s Developer Tools** — no scanners, scripts, or external tools.  
 Students will learn how attackers uncover client-side weaknesses through **source inspection, network tracing, storage analysis, and live code manipulation** directly within DevTools.
 
+Refer to juice shop repo for installation: [Juice Shop Repo](https://github.com/juice-shop/juice-shop)
+
 # The challanges
-- Find the scoreboard
-- Try to change others' orders
-- Bypass the authentication by modifying in-memory state or calling exposed functions
+- Scoreboard - gain access to the scoreboard
+- View others' orders
+- Access the admin pabel
 - Manipulate authentication tokens stored on the client to change privileges or view protected content.
 - XSS - Find a place where user input is reflected into the DOM without sanitization and achieve JS execution in the page context.
 
+## General Hints
+- View source
+- Check the cookies
+- Inspect the local stroage
+- Check the source control
+- Check the console
+- Check the netwrok tab
+- Debug (in the browser)
+- Use the Pretty Print ({}) function in Sources to make minified JS readable.
+
+## How edit and resend requests 
+
+### In Chrome DevTools
+
+1. Open **Network** tab.
+2. Find the request you want to modify.
+3. Right-click it → **Copy → Copy as fetch**.
+4. Go to the **Console**, paste it, edit any part (URL, headers, body), and press **Enter** to resend.
+
+### In Firefox Developer Tools
+
+1. Open **Network** tab.
+2. Right-click the request → **Edit and Resend** (directly available).
+3. Modify any header, method, or body.
+4. Click **Send**.
+
+
 # Solutions 
 In the next pages will show the solution one after anohter