Juice Shop - An intentionally insecure Javascript Web Application

Date post: 15-Jul-2015
Upload: bjoern-kimminich
OWASP JUICE SHOP
An intentionally insecure Javascript Web Application
The most trustworthy online shop out there (@dschadow)

https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

Presentation by Björn Kimminich / @bkimminich

WHY THE NAME "JUICE SHOP"?!?

Translating "dump" or "useless outfit" into German yields "Saftladen", which can be reverse-translated word by word into "juice shop". Hence the project name.

That the initials "JS" match with those of "Javascript" was purely coincidental!

WHY ANOTHER BROKEN WEBAPP?!?

OWASP Juice Shop is the first application written entirely in Javascript listed in the OWASP VWA Directory. It also seems to be the first broken webapp that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.

TECHNOLOGY STACK
Javascript all the way from UI to REST API

BUILD PROCESS
Automated & Continuous Integration Demo Deployment

LIVE DEMO ENVIRONMENT
Unsuspectingly browse the Juice Shop like Average Joe!

MORE THAN 30 CHALLENGES
Covering various vulnerabilities and serious design flaws

OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.

CHALLENGE DIFFICULTY
Contains low-hanging fruits & hard-to-crack nuts

DIRECT ROUTE TO VICTORY
For some challenges it actually works like this

INFORMATION GATHERING PAYS OFF
Most challenges are easier to solve after some research

MULTI-STAGE ATTACK CHALLENGES
The toughest challenges require multiple preparation steps

SCORE BOARD
Challenge progress is tracked on server-side

FAQ
If FAQ & README don't help, ask in the chat or open an issue

Can I use my Pentesting toys?
Can I do a white box pentest?
Can I look at the server log?
Can I use the internet?
Installation does not work!
What if I crash the server?
I'm stuck with a challenge!
I found another vulnerability!
Are there other ways to contribute?
Is there a contribution reward?

CAN I USE MY PENTESTING TOYS?
Yes, definitely! Use whatever tools you like the most!

Proxies like ZAP or Burp can be useful, but most automated scanners won't help much.

CAN I DO A WHITE BOX PENTEST?
No! The code would spoiler all challenge solutions!

CAN I LOOK AT THE SERVER LOG?
No! The console would reveal several challenge solutions!

CAN I USE THE INTERNET?
Yes! Feel free to look for ideas & hints everywhere...

...except in the GitHub repository and the logs of the Travis-CI & SauceLabs build jobs!

WHAT IF I CRASH THE SERVER?
The application is cleanly reset on every startup

Warning: This includes the challenge tracking and Score Board progress!

I'M STUCK WITH A CHALLENGE!
Feel free to ask for hints in the community chat

[badge: challenge | unsolved]

Please do not ask for solutions. You can find executable solutions for all challenges in the end-to-end test suite. You can also watch the running e2e-suite on Youtube.

I FOUND ANOTHER VULNERABILITY!
Please report untracked vulnerabilities by opening an issue

[badge: challenge | not found]

Of course you can also contribute directly by opening a pull request. Just don't break any tests.

ARE THERE OTHER WAYS TO CONTRIBUTE?
Glad that you're asking! You can help implementing new features or bugfixes*. You can also help translating the application into other languages!

*Especially those tagged with "help wanted"!

IS THERE A CONTRIBUTION REWARD?
For your first accepted pull request you will receive some official Juice Shop stickers and a pin-back button for free!

For core project team members, there's even t-shirts, mugs and other glorious merchandise!

ROADMAP
Repository move from github.com/bkimminich/juice-shop to github.com/OWASP/juice-shop
Technical Evolution (Angular, Sequelize, Jasmine/Frisby)
CTF-mode (earliest in 3.x release)

Timeline? When it's done!

ADDITIONAL INFORMATION
Official Site: https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Sourcecode: https://github.com/bkimminich/juice-shop

BJOERN'S MATERIAL ON WEB APPLICATION SECURITY
Web Application Security in a Nutshell: http://webappsec-nutshell.kimminich.de
Web Application Security Introduction: http://slideshare.net/BjrnKimminich/web-application-security-introduction
Web Application Security Training Workshop: http://slideshare.net/BjrnKimminich/web-application-security-21684264

COPYRIGHT (C) 2014-2016 BJÖRN KIMMINICH
Licensed under the MIT license.

Created with reveal.js - The HTML Presentation Framework