If you are new to the OWASP Juice Shop, this recording from OWASP BeNeLux Day 2018 gives you a good overview of the project and its capabilities!
For those who did not participate in the German OWASP Day 2017 but still want to have a brief and emojiful overview of what happened in the OWASP Juice Shop project over the course of 2017, here are the slides for you!
This year OWASP Juice Shop saw several significant enhancements and extensions, which you will learn all about in this talk:
- 2x NoSQL injection and 2x typosquatting challenges!
- Customization and re-branding of the shop to your own corporate look & feel!
- The Juice Shop CTF extension makes setting up hacking events fast & easy!
- The free “Pwning the OWASP Juice Shop” eBook surpasses 150 pages of in-depth information, hints and solutions for all challenges and more!
- At AppSecEU the project was promoted into OWASP’s “Lab Projects” maturity stage!
- You can now 3D-print your own Juice Shop merchandise!
And much, much more – actually more than can be demonstrated in this 15-minute session, so best install the Juice Shop yourself afterwards and explore its capabilities!
Basically, it is a controlled environment in which to carry out web security exercises or to demonstrate particular vulnerability types. Possible use cases for Juice Shop include:
- security awareness trainings for business and IT staff
- pentesting trainings for security staff (or students)
- application security trainings for software developers
- target dummy for open source and commercial security scanners
A typical follow-up question might now be: “Why create such an application when there are already dozens of those available?”
I hope that by now you’ve gone like: “Hm, sounds interesting! Where can I get it and how do I make it run?”
That’s an easy one: just visit http://bkimminich.github.io/juice-shop and flip through the info deck provided there. It contains links to the source code on GitHub and to installation instructions in all kinds of flavors:
- Local installation and execution with Node.js
- Running as a fully prepared Docker container
- Using a pre-packaged ZIP (on Windows machines only)
- Deploying it on an Amazon EC2 instance
If you just want to have a look, you can also visit the demo instance on Heroku: https://juice-shop.herokuapp.com
I created this presentation for two purposes: On the one hand, it can be used as an ultra-compact introduction to Web Application Security. It is best combined with a live demo, e.g. using my own Juice Shop vulnerable webapp.
On the other hand, it turns out to be useful for refresher sessions, e.g. with former participants of my Web Application Security Training Workshop. Here I usually just walk through the presentation and afterwards let the participants have a hands-on hacking session on the Juice Shop to reinforce their knowledge.
You can view or download the PDF version on Slideshare or you can view the original HTML-based presentation here: