OWASP Juice Shop Extra Language
Dec 25, 2021
Aldrin Navarro
2 minute read

Cracking the “Extra Language” Challenge


Name Difficulty Description Category Tags
Extra Language ⭐️⭐️⭐️⭐️⭐️ Retrieve the language file that never made it into production. Broken Anti Automation Brute Force


The Juice Shop has a language switcher on the top right corner.

alt Language switcher

Possibly only 38 languages made it to production of the i18n module.

alt Devtools getting the available languages in prod

Requesting for the i18n file for a specific language is via this endpoint : http://localhost/assets/i18n/<language(_locale)>.json

Discovering the Extra Language

I gather many sources of language codes including the following:

  1. https://raw.githubusercontent.com/citation-style-language/locales/master/locales.json
  2. https://raw.githubusercontent.com/richardevcom/JSON-Locales/master/locales.json

Made a script in Go to request for the files.

But every time I add a language, it just keeps responding with 200 OK and that the challenge banner does not appear (indicating we found the extra language).

So I thought to just wing it and see if a fictional language may work. I am a trekker 🖖 and noticed a lot of computer geeks are too. So why not add Klingon to the mix!

The language code for Klingon on the Minecraft is tlh_aa which means that we may need to request it from Juice Shop as tlh_AA.

And sure enough, we also get a 200 OK.

alt Klingon is found on the server

Let’s use BurpSuite to intercept the switching of language from the user perspective, modify the request to the specific language code tlh_AA, and send it to the server hoping it changes the language of the website to Klingon.

alt Klingon is found on the server


To be honest, I wouldn’t have found the flag if it wasn’t for the track Data & Picard by Pogo and remembered Star Trek. I’m not sure if I would have found it if at all not for this. Probably will take me more time from the list of language codes available.

I believe if the attack was to be brute force, the web app will benefit from rate limiting requests. But for this case, we emulate the user behavior effectively bypassing some of the known anti-automation security techniques.


  1. OWASP Juice Shop https://github.com/juice-shop/juice-shop

🐋 hello there! If you enjoy this, a "Thank you" is enough.

Or you can also ...

Buy me a teaBuy me a tea

comments powered by Disqus