If you didn’t have the chance to be at the AppSecEU 2017 conference in Belfast or you didn’t make it to my talk there, here’s the official recording:
OWASP Juice Shop is a “shooting star” among broken web applications. To make sure it does not end as a “one-hit wonder”, the project embraces principles and techniques that enhance its sustainability, e.g. Clean Code, TDD, CI/CD, Quality Metrics and Mutation Testing.
In this session you will see how
– a complete and reliable test suite eliminates the “fear of change”
– automation is a key to increased productivity – even for small open source projects
– free-for-open-source SaaS tools can improve your development process
Where is light, there is shadow! You will also learn
– about some limitations in the automation processes
– why some 3rd party services had to be dropped
If the Internet gods are with us, we will even perform a production release of OWASP Juice Shop during the session!
You can find the original HTML5 slide deck at http://bkimminich.github.io/juice-shop/appseceu_2017.html. The slightly less fancy PDF-version is available on SlideShare:
During the AppSecEU 2017 conference I was interviewed by Mark Miller for the Less than 10 Minutes Series of the OWASP 24/7 Podcast:
I recommend to subscribe to the podcast, even though Mark deliberately butchers the project’s name as “Juice Box” in this and at least one other episode…
Juice Shop is an intentionally insecure web application that is available on GitHub under MIT license. You might ask now: “Why would anyone create a broken application on purpose?”
Basically it is a controlled environment to do web security related exercises in or demonstrate certain vulnerability types. Possible use cases for Juice Shop include:
- security awareness trainings for business and IT staff
- pentesting trainings for security staff (or students)
- application security trainings for software developers
- target dummy for open source and commercial security scanners
A typical follow-up question might now be: “Why create such an application when there are already dozens of those available?”
I hope that by now you’ve gone like: “Hm, sounds interesting! Where can I get it and how do I make it run?”
That’s an easy one: Just visit http://bkimminich.github.io/juice-shop and flip through the info deck provided there. It contains the links to the source code on GitHub and links to installation instructions in all kinds of flavors:
- Local installation and execution with node.js
- Running as a fully prepared Docker container
- Using a pre-packaged ZIP (on Windows machines only)
- Deploying it on an Amazon EC2 instance
Should the FAQ and Readme not be sufficient to get Juice Shop running in your environment, feel free to ask a question in the GitterIM chat channel or open an issue on GitHub!
If you just want to have a look, you can also visit the demo instance on Heroku: https://juice-shop.herokuapp.com
I created this presentation for two purposes: On the one hand it can be used as an ultra-compact introduction to Web Application Security. It is best combined with a live-demo, e.g. using my own Juice Shop vulnerable webapp.
On the other hand it turns out to be useful for refresher sessions, e.g. with former participants of my Web Application Security Training Workshop. Here I usually just walk through the presentation and afterwards let the participants have a hands-on-hacking-session on the Juice Shop for reinforcing their knowledge.
You can view or download the PDF version on Slideshare or you can view the original HTML-based presentation here:
This is the minified introduction talk to Web Application Security derived from my Training Workshop slides (https://de.slideshare.net/BjrnKimminich/web-application-security-21684264) – It gives a short motivation why Web Application Security is a high priority today and then goes through three of the most prominent vulnerabilities of web apps:
– SQL Injection
– Cross Site Scripting (XSS)
– Cross Site Request Forgery (CSRF)
It will be explained how each of these technically work, what damage they can cause and how to avoid them in your own applications. The talk concludes with a summary of existing measures to increase application security and explains why none of these is a 100% solution. To keep you on the topic for a while after the talk, a “hacking homework” is presented where a vulnerable local web shop is supposed to be hacked in various ways.
For a full-grown coverage of the topic feel free to check out my Web Application Security Training Workshop slide deck: https://de.slideshare.net/BjrnKimminich/web-application-security-21684264.
/!\ Performing attacks on any website or server you do not own yourself is a crime in most countries!
These are the slides to my 2-day “Web Application Security Training Workshop”. The workshop is intended for all IT staff involved in web application development, e.g. software engineers, system analysts, quality engineers or application administrators.
The goals of the workshop are:
- Build security awareness for web applications
- Get to know attack methods of hackers
- Learn ways to discover security vulnerabilities
- Learn the basics of secure web development
Day one starts with a motivation of the topic and then covers the most severe vulnerabilities of web applications based on the OWASP Top 10 list. The attacks on those vulnerabilities are discussed and can be tried out in several examples.
Day two starts with a two hour hacking contest where each participant attacks the locally installed BodgeIt store and tries to get as many points on the score card as possible. Next the Secure Software Development Lifecycle is briefly discussed in order to prevent security flaws as early as possible.
Performing attacks on any website or server you do not own yourself is a crime in most countries!