OWASP tools – Juice-Shop

I discovered OWASP Juice Shop recently and found it a quite interesting tool to train and challenge ourselves. Why is that? It is the first deliberately "broken" application I have found built with recent technologies (Angular, Node.js …), which helps to gain some experience on those technologies.

Another good point is that it has a score board to track your progress in finding all the security flaws!

You can get more detail here: https://owasp.org/www-project-juice-shop/

How to install it

  1. Get Docker if you don't already have it (it works fine on Windows, Linux, macOS…) and install it.
  2. Grab the Docker image and run it, following the setup notes at
    https://hub.docker.com/r/bkimminich/juice-shop#setup

Run docker pull bkimminich/juice-shop

Run docker run --rm -p 3000:3000 bkimminich/juice-shop

Browse to http://localhost:3000 (on macOS and Windows, browse to http://192.168.99.100:3000 if you are using docker-machine instead of the native Docker installation).
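The two docker commands above, wrapped in a small script that starts the container, waits until the app actually answers, and stops it again. This is an added example, not part of the original post or the Juice Shop project; it assumes docker and curl are installed, and JUICE_BIND / JUICE_PORT are made-up knobs of this script, not Juice Shop options.

```shell
#!/bin/sh
# Added example: start/stop OWASP Juice Shop with a readiness check.
# Assumes docker and curl are available. JUICE_BIND and JUICE_PORT are
# variables of this script only (not Juice Shop configuration).
IMAGE="bkimminich/juice-shop"
PORT="${JUICE_PORT:-3000}"
# Bind to loopback by default: the app is deliberately vulnerable, so keep it
# off the LAN. docker-machine users need 0.0.0.0 here and the VM IP as host.
BIND="${JUICE_BIND:-127.0.0.1}"
NAME="juice-shop-lab"

# URL to browse to: "localhost" for native Docker, or the docker-machine VM
# address (the post mentions 192.168.99.100) when passed as the first argument.
juice_url() {
  host="${1:-localhost}"
  echo "http://$host:$PORT"
}

# Poll the URL once per second until curl gets a non-error HTTP answer or the
# attempt budget is spent. Returns 0 when the app is up, 1 on timeout.
wait_for_app() {
  url="$1"; tries="${2:-30}"
  while [ "$tries" -gt 0 ]; do
    if curl -fsS --max-time 2 -o /dev/null "$url"; then
      return 0
    fi
    tries=$((tries - 1)); sleep 1
  done
  return 1
}

start_juice_shop() {
  docker pull "$IMAGE"
  # -d detaches; --rm discards the container (and solved-challenge state) on stop
  docker run -d --rm --name "$NAME" -p "$BIND:$PORT:3000" "$IMAGE"
  wait_for_app "$(juice_url)" || { echo "Juice Shop did not come up" >&2; return 1; }
  echo "Juice Shop ready at $(juice_url)"
}

stop_juice_shop() { docker stop "$NAME"; }

case "${1:-}" in
  up)   start_juice_shop ;;
  down) stop_juice_shop ;;
esac
```

Save it as juice.sh and run `sh juice.sh up` to start the lab, `sh juice.sh down` to remove it.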

Homepage when the tool is installed and working

How to use it

When you start it, a few hints appear to give you the first challenge: find the score board. For this you only need your browser (and the F12 developer tools).

Score Board level complexity

You will then see the list of every challenge waiting for you in this tool. They are ranked by complexity (12 with one star, up to 11 with 6 stars).

For all of them you can get a few tips on how to start or which direction to take (hovering over an unsolved challenge gives a small tip; clicking on it opens a page with additional details). For some of them there are full tutorials on how to perform the given attack (the orange and white hat icon).

Challenges tips or full tutorial

The goal of this tool is to really get your hands on a technologically recent application with known and documented vulnerabilities. It is purely a training tool, though it might also be used to assess a developer's security understanding.

Thanks OWASP!

Posted in Security for Web Developers, Tools