Juice Shop

Juice Shop is an intentionally insecure web application that is available on GitHub under MIT license. You might ask now: “Why would anyone create a broken application on purpose?”

Basically it is a controlled environment to do web security related exercises in or demonstrate certain vulnerability types. Possible use cases for Juice Shop include:

  • security awareness trainings for business and IT staff
  • pentesting trainings for security staff (or students)
  • application security trainings for software developers
  • target dummy for open source and commercial security scanners

A typical follow-up question might now be: “Why create such an application when there are already dozens of those available?”

Indeed, there are. But at that time most of those were built using server-side rendering technology such as JSP, PHP or ASP. There were virtually none using a pure JavaScript frontend. There were absolutely none that used JavaScript full-stack, i.e. in the backend as well. As heavy reliance on JavaScript can add a whole new layer of security problems to a web application, I figured it might be a good idea to have one to play with.

I hope that by now you’ve gone like: “Hm, sounds interesting! Where can I get it and how do I make it run?”

That’s an easy one: Just visit http://bkimminich.github.io/juice-shop and flip through the info deck provided there. It contains the links to the source code on GitHub and links to installation instructions in all kinds of flavors:

  • Local installation and execution with node.js
  • Running as a fully prepared Docker container
  • Using a pre-packaged ZIP (on Windows machines only)
  • Deploying it on an Amazon EC2 instance

Should the FAQ and Readme not be sufficient to get Juice Shop running in your environment, feel free to ask a question in the GitterIM chat channel or open an issue on GitHub!

If you just want to have a look, you can also visit the demo instance on Heroku: https://juice-shop.herokuapp.com

Enjoy!


One thought on “Juice Shop”

  1. It’s fun to try to catch all challenges. It’s a really useful application to learn about web application security.
