Posted: 15-Jul-2015 | Category: Technology | Uploaded by: bjoern-kimminich
OWASP JUICE SHOP
An intentionally insecure JavaScript Web Application
"The most trustworthy online shop out there" (@dschadow)
https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Presentation by Björn Kimminich / @bkimminich
WHY THE NAME "JUICE SHOP"?!?
Translating "dump" or "useless outfit" into German yields "Saftladen", which can be reverse-translated word by word into "juice shop". Hence the project name.
That the initials "JS" match those of "JavaScript" was purely coincidental!
WHY ANOTHER BROKEN WEBAPP?!?
OWASP Juice Shop is the first application written entirely in JavaScript listed in the OWASP VWA Directory. It also seems to be the first broken webapp that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.
TECHNOLOGY STACK
JavaScript all the way from UI to REST API
TEST PYRAMID
Maximizing Test Automation & Code Coverage
BUILD PROCESS
Automated Continuous Integration & Demo Deployment
SIMPLE INSTALLATION
Works in cloud, local and containerized environments
LIVE DEMO ENVIRONMENT
Unsuspectingly browse the Juice Shop like Average Joe!
MORE THAN 30 CHALLENGES
Covering various vulnerabilities and serious design flaws
OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.
CHALLENGE DIFFICULTY
Contains low-hanging fruits & hard-to-crack nuts
DIRECT ROUTE TO VICTORY
For some challenges it actually works like this
INFORMATION GATHERING PAYS OFF
Most challenges are easier to solve after some research
MULTI-STAGE ATTACK CHALLENGES
The toughest challenges require multiple preparation steps
SCORE BOARD
Challenge progress is tracked on server-side
FAQ
If FAQ & README don't help, ask in the chat or open an issue
Can I use my Pentesting toys?
Can I do a white box pentest?
Can I look at the server log?
Can I use the internet?
Installation does not work!
What if I crash the server?
I'm stuck with a challenge!
I found another vulnerability!
Are there other ways to contribute?
Is there a contribution reward?
CAN I USE MY PENTESTING TOYS?
Yes, definitely! Use whatever tools you like the most!
Proxies like ZAP or Burp can be useful, but most automated scanners won't help much.
CAN I DO A WHITE BOX PENTEST?
No! The code would spoiler all challenge solutions!
CAN I LOOK AT THE SERVER LOG?
No! The console would reveal several challenge solutions!
CAN I USE THE INTERNET?
Yes! Feel free to look for ideas & hints everywhere...
...except in the GitHub repository and the logs of the Travis-CI & SauceLabs build jobs!
INSTALLATION DOES NOT WORK!
Please carefully follow the instructions in the README
If the Setup & Troubleshooting docs don't help, you should seek help in the community chat or open an issue.
WHAT IF I CRASH THE SERVER?
The application is cleanly reset on every startup
Warning: This includes the challenge tracking and Score Board progress!
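The Score Board slide says challenge progress is tracked on the server side, and this slide says that state is wiped on every restart. The following is an added example, not Juice Shop's own code, that illustrates both behaviours with a tiny in-memory tracker and two simulated REST handlers; the challenge keys, their difficulties and the `/score-board` path are made up for illustration, and no framework is used so the snippet runs stand-alone with Node.js:

```javascript
'use strict';
// Added example, not Juice Shop's own code. Challenge keys, difficulties and
// the /score-board path are made up; only the behaviour (server-side tracking,
// reset on restart, no client-writable status) mirrors what the slides state.

const CHALLENGES = Object.freeze([
  { key: 'scoreBoard',     difficulty: 1 },
  { key: 'adminSection',   difficulty: 1 },
  { key: 'loginAdmin',     difficulty: 2 },
  { key: 'forgedFeedback', difficulty: 3 },
]);

// Progress lives only in process memory: each start begins with nothing
// solved, which is the "cleanly reset on every startup" behaviour.
function createTracker(challenges = CHALLENGES) {
  const known = new Set(challenges.map((c) => c.key));
  const solvedAt = new Map(); // key -> timestamp of first solve

  return {
    // Only server-side code paths that observed the attack succeed call this.
    // Returns true on the first solve, false if the challenge was already solved.
    solve(key) {
      if (!known.has(key)) throw new Error(`unknown challenge: ${key}`);
      if (solvedAt.has(key)) return false;
      solvedAt.set(key, Date.now());
      return true;
    },
    isSolved(key) {
      return solvedAt.has(key);
    },
    // Read-only projection of server state; this is what the Score Board renders.
    scoreBoard() {
      const rows = challenges.map((c) => ({ ...c, solved: solvedAt.has(c.key) }));
      const solved = rows.filter((r) => r.solved).length;
      return {
        challenges: rows,
        solved,
        total: rows.length,
        percent: Math.round((100 * solved) / rows.length),
      };
    },
  };
}

// Simulated REST handlers. GET reports server state; whatever a client edits
// in its own copy of the JSON never flows back to the server.
function handleScoreBoardGet(tracker) {
  return { status: 200, body: tracker.scoreBoard() };
}

// There is deliberately no write path for challenge status. A forged request
// such as PUT {"loginAdmin": true} is rejected without touching the tracker.
function handleScoreBoardPut(tracker, clientBody) {
  void tracker; void clientBody; // ignored on purpose
  return { status: 405, body: { error: 'challenge status is not client-writable' } };
}

// One server-side observation hook: the route handler for the Score Board
// marks the "find the Score Board" challenge solved when the page is requested.
function onRouteVisited(tracker, path) {
  if (path === '/score-board') return tracker.solve('scoreBoard');
  return false;
}

// Stand-alone demo of the three behaviours.
if (typeof require !== 'undefined' && require.main === module) {
  const tracker = createTracker();
  onRouteVisited(tracker, '/score-board');
  console.log(handleScoreBoardPut(tracker, { loginAdmin: true }).status); // 405
  console.log(handleScoreBoardGet(tracker).body);
  console.log(createTracker().scoreBoard().solved); // 0: a fresh process knows nothing
}
```

The point for a player: editing the Score Board JSON in the browser or replaying a forged PUT changes nothing, because a challenge only counts once server-side code has observed the attack succeed; and because that state lives in process memory, crashing or restarting the server forfeits it.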
I'M STUCK WITH A CHALLENGE!
Feel free to ask for hints in the community chat
Please do not ask for solutions. You can find executable solutions for all challenges in the end-to-end test suite. You can also watch the running e2e-suite on YouTube.
I FOUND ANOTHER VULNERABILITY!
Please report untracked vulnerabilities by opening an issue
Of course you can also contribute directly by opening a pull request. Just don't break any tests.
ARE THERE OTHER WAYS TO CONTRIBUTE?
Glad that you're asking! You can help implementing new features or bugfixes*. You can also help translating the application into other languages!
*Especially those tagged with "help wanted"!
IS THERE A CONTRIBUTION REWARD?
For your first accepted pull request you will receive some official Juice Shop stickers and a pin-back button for free!
For core project team members, there's even t-shirts, mugs and other glorious merchandise!
ROADMAP
Move the repository from github.com/bkimminich/juice-shop to github.com/OWASP/juice-shop
Technical Evolution (Angular, Sequelize, Jasmine/Frisby)
CTF-mode (earliest in 3.x release)
Timeline? When it's done!
ADDITIONAL INFORMATION
Official Site: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Sourcecode: https://github.com/bkimminich/juice-shop
BJOERN'S MATERIAL ON WEB APPLICATION SECURITY
Web Application Security in a Nutshell: http://webappsec-nutshell.kimminich.de
Web Application Security Introduction: http://slideshare.net/BjrnKimminich/web-application-security-introduction
Web Application Security Training Workshop: http://slideshare.net/BjrnKimminich/web-application-security-21684264
COPYRIGHT (C) 2014-2016 BJÖRN KIMMINICH
Licensed under the MIT license.
Created with reveal.js - The HTML Presentation Framework