Juice Shop

Juice Shop is an intentionally insecure web application that is available on GitHub under MIT license. You might ask now: “Why would anyone create a broken application on purpose?”

Basically, it is a controlled environment in which to do web-security exercises or demonstrate certain vulnerability types. Possible use cases for Juice Shop include:

  • security awareness trainings for business and IT staff
  • pentesting trainings for security staff (or students)
  • application security trainings for software developers
  • target dummy for open source and commercial security scanners

A typical follow-up question might now be: “Why create such an application when there are already dozens of those available?”

Indeed, there are. But at that time most of those were built using server-side rendering technology such as JSP, PHP or ASP. There were virtually none using a pure JavaScript frontend, and absolutely none that used JavaScript full-stack, i.e. in the backend as well. As heavy reliance on JavaScript can add a whole new layer of security problems to a web application, I figured it might be a good idea to have one to play with.

I hope that by now you’ve gone like: “Hm, sounds interesting! Where can I get it and how do I make it run?”

That’s an easy one: Just visit http://bkimminich.github.io/juice-shop and flip through the info deck provided there. It contains the links to the source code on GitHub and links to installation instructions in several flavors:

  • Local installation and execution with Node.js
  • Running as a fully prepared Docker container
  • Using a pre-packaged ZIP (on Windows machines only)
  • Deploying it on an Amazon EC2 instance

Should the FAQ and Readme not be sufficient to get Juice Shop running in your environment, feel free to ask a question in the GitterIM chat channel or open an issue on GitHub!

If you just want to have a look, you can also visit the demo instance on Heroku: https://juice-shop.herokuapp.com

Enjoy!


Web Application Security Introduction

This is the condensed introduction talk to Web Application Security derived from my Training Workshop slides (https://de.slideshare.net/BjrnKimminich/web-application-security-21684264). It gives a short motivation why Web Application Security is a high priority today and then goes through three of the most prominent vulnerabilities of web apps:
– SQL Injection
– Cross Site Scripting (XSS)
– Cross Site Request Forgery (CSRF)
It will be explained how each of these works technically, what damage they can cause and how to avoid them in your own applications. The talk concludes with a summary of existing measures to increase application security and explains why none of these is a 100% solution. To keep you on the topic for a while after the talk, a “hacking homework” is presented in which a vulnerable local web shop is supposed to be hacked in various ways.

For full coverage of the topic feel free to check out my Web Application Security Training Workshop slide deck: https://de.slideshare.net/BjrnKimminich/web-application-security-21684264.

/!\ Performing attacks on any website or server you do not own yourself is a crime in most countries!