OWASP Juice Shop Vulnerable Webapp

A couple of weeks ago Björn Kimminich released the Juice Shop Vulnerable Web Application at the OWASP AppSec Europe conference in Belfast.

Why another vulnerable webapp for target practice? This is from GitHub:

Main Selling Points:

  • Easy-to-install: Choose between node.js, Docker and Vagrant to run on Windows/Mac/Linux
  • Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically
  • Self-healing: The simple SQLite database is wiped and regenerated from scratch on every server startup
  • Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board
  • CTF-support: Challenge notifications optionally show a flag code for your own Capture-The-Flag events
  • Re-branding: Fully customizable business context and look & feel
  • Free and Open source: Licensed under the MIT license with no hidden costs or caveats

“Easy-to-install” is an understatement if you utilise the free Heroku application hosting option (see GitHub).

It took me just a few minutes to install and the app sits online for me to attack. You may be surprised (like me) that Heroku would allow hosting a deliberately vulnerable web app, but as long as there’s no DDoS funny-business, they’re good with it.

Another MAJOR selling point is that this app utilises modern & realistic web application technology:

Juice Shop is written in Node.js, Express and AngularJS. It was the first application written entirely in JavaScript listed in the OWASP VWA Directory.

Björn furnishes us with a comprehensive GitBook detailing installation, challenges, hints and full walk-through solutions. I love this guide, as Björn leads us gently through the wonders of Chrome Developer Tools. He also advises watching a free short course on Chrome DevTools if you’re not familiar with it, which I encourage you to do.

The other element is that this is GREAT FUN. You will thoroughly enjoy this and probably learn loads in the process.

I’ll say no more, as Björn’s introductory talk is below.

If you’re short on time, here’s a link to a 7min intro from the OWASP 24/7 podcast.

And below is Björn’s OWASP AppSec talk in Belfast: