OWASP Juice Shop - An intentionally insecure Javascript Web Application

>>> View this presentation online at http://bkimminich.github.io/juice-shop <<<

This is the introduction page and presentation for "OWASP Juice Shop" - An intentionally insecure webapp suitable for pentesting and security awareness trainings written in Node, Express and Angular.

You can find the official project page at: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

If you are new to Web Application Security you might want to have a look at "Web Application Security in a Nutshell" (http://webappsec-nutshell.kimminich.de) to get some ideas of what might be broken in this web shop.

Happy hacking!


  1. OWASP JUICE SHOP - An intentionally insecure Javascript Web Application. "The most trustworthy online shop out there" (@dschadow). https://www.owasp.org/index.php/OWASP_Juice_Shop_Project - Presentation by Björn Kimminich / @bkimminich
  2. WHY THE NAME "JUICE SHOP"?!? Translating "dump" or "useless outfit" into German yields "Saftladen", which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match those of "Javascript" was purely coincidental!
  3. WHY ANOTHER BROKEN WEBAPP?!? OWASP Juice Shop is the first application written entirely in Javascript listed in the OWASP VWA Directory. It also seems to be the first broken webapp that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.
  4. TECHNOLOGY STACK - Javascript all the way from UI to REST API
  5. TEST PYRAMID - Maximizing Test Automation & Code Coverage
  6. BUILD PROCESS - Automated Continuous Integration & Demo Deployment
  7. SIMPLE INSTALLATION - Works in local, containerized and cloud environments
  8. LIVE DEMO ENVIRONMENT - Unsuspectingly browse the Juice Shop like Average Joe!
  9. MORE THAN 30 CHALLENGES - Covering various vulnerabilities and serious design flaws. OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.
  10. CHALLENGE DIFFICULTY - Contains low-hanging fruits & hard-to-crack nuts
  11. DIRECT ROUTE TO VICTORY - For some challenges it actually works like this
  12. INFORMATION GATHERING PAYS OFF - Most challenges are easier to solve after some research
  13. MULTI-STAGE ATTACK CHALLENGES - The toughest challenges require multiple preparation steps
  14. SCORE BOARD - Challenge progress is tracked on the server side
  15. FAQ - If FAQ & README don't help, ask in the chat or open an issue. Questions covered: Can I use my Pentesting toys? Can I do a white box pentest? Can I look at the server log? Can I use the internet? Installation does not work! What if I crash the server? I'm stuck with a challenge! I found another vulnerability! Are there other ways to contribute? Is there a contribution reward?
  16. CAN I USE MY PENTESTING TOYS? Yes, definitely! Use whatever tools you like the most! Proxies like ZAP or Burp can be useful, but most automated scanners won't help much.
  17. CAN I DO A WHITE BOX PENTEST? No! The code would spoil all challenge solutions!
  18. CAN I LOOK AT THE SERVER LOG? No! The console would reveal several challenge solutions!
  19. CAN I USE THE INTERNET? Yes! Feel free to look for ideas & hints everywhere... ...except in the GitHub repository and the logs of the Travis-CI & SauceLabs build jobs!
  20. INSTALLATION DOES NOT WORK! Please carefully follow the instructions in the README. If the Setup & Troubleshooting docs don't help, you should seek help in the community chat or open an issue.
  21. WHAT IF I CRASH THE SERVER? The application is cleanly reset on every startup. Warning: This includes the challenge tracking and Score Board progress!
  22. I'M STUCK WITH A CHALLENGE! Feel free to ask for hints in the community chat. Please do not ask for solutions. You can find executable solutions for all challenges in the end-to-end testsuite. You can also watch the running e2e-suite on Youtube.
  23. I FOUND ANOTHER VULNERABILITY! Please report untracked vulnerabilities by opening an issue. Of course you can also contribute directly by opening a pull request. Just don't break any tests.
  24. ARE THERE OTHER WAYS TO CONTRIBUTE? Glad that you're asking! You can help implementing new features or bugfixes*. You can also help translating the application into other languages! *Especially those tagged with "help wanted"!
  25. IS THERE A CONTRIBUTION REWARD? For your first accepted pull request you will receive some official Juice Shop stickers and a pin-back button for free! For core project team members, there's even t-shirts, mugs and other glorious merchandise!
  26. ROADMAP - Repository move from github.com/bkimminich/juice-shop to github.com/OWASP/juice-shop; Technical Evolution (Angular, Sequelize, Jasmine/Frisby); CTF-mode (earliest in 3.x release); Timeline? When it's done!
  27. ADDITIONAL INFORMATION - Official Site: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project - Sourcecode: https://github.com/bkimminich/juice-shop - BJOERN'S MATERIAL ON WEB APPLICATION SECURITY: Web Application Security in a Nutshell (http://webappsec-nutshell.kimminich.de); Web Application Security Introduction (http://slideshare.net/BjrnKimminich/web-application-security-introduction); Web Application Security Training Workshop (http://slideshare.net/BjrnKimminich/web-application-security-21684264)
  28. COPYRIGHT (C) 2014-2016 BJÖRN KIMMINICH - Licensed under the MIT license. Created with reveal.js - The HTML Presentation Framework.
