I have discovered OWASP Juice-shop recently and I found it as a quite interesting tool to train/challenge ourself. Why is that? it is the first “broken tool” I have found with recent technologies (Angular, Node.js …) which will help to get some experience on those technologies.
Another good point is that you have a scoreboard to see your progress on finding all security flaws!
You can get more detail here: https://owasp.org/www-project-juice-shop/
How to install it
- Get docker if you don’t already have it (works fine on Windows, Linux, Mac…) and install it
- grab the docker image and run it
docker pull bkimminich/juice-shop
docker run --rm -p 3000:3000 bkimminich/juice-shop
How to use it
When you will start it, few hint will appears to give you the first challenge, find the score board, for this you will only need your browser (and the F12 tools)
You will then see the list of every challenges waiting for you in this tool. They are ranked by complexity (12 with one star up to 11 with 6 stars).
For all of them you can have few tips to understand how to start or the direction to take (move over unsolved give a small tips, clicking on it open a page with additional details), for some of them there are full tutorials on how to perform the given attack (orange and white icon hat).
The goal of this tool is to really get your hands on a technologically recent tool with known and documented vulnerabilities. This is purely a training tool, might be used to assess a developer security understanding as well.
Thanks OWASP !