OWASP Juice Shop

An intentionally insecure JavaScript Web Application
The most trustworthy online shop out there (@dschadow)

https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

Project Summit 2017 intro by Björn Kimminich / @bkimminich

Why the name "Juice Shop"?!?

Translating "dump" or "useless outfit" into German yields "Saftladen", which can be reverse-translated word for word into "juice shop". Hence the project name.
That the initials "JS" match those of "JavaScript" was purely coincidental!

Simple Installation

Comes with cloud, local and containerized run options


Multi-language support

Full UI translation available for 16+ languages


38+ Hacking Challenges

Covering various vulnerabilities and serious design flaws

OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.

Challenge Difficulty

Contains low-hanging fruits & hard-to-crack nuts

Score Board

Challenge progress is tracked server-side

Immediate Feedback

Solved challenges are announced as push notifications

Your Hacking Session

Conveniently save your hacking progress to restore it later

CTF Extension

Utility project to help you host a hacking event on CTFd

Install from NPM

npm i -g juice-shop-ctf-cli

Setup Wizard

Run juice-shop-ctf on the command line and let a wizard create SQL statements to apply to CTFd's database

CTFd for OWASP Juice Shop

Your CTFd instance will be ready-to-hack in minutes

Re-branding

Fully customizable business context and look & feel

Configurative Customization

Customize the application via a simple YAML file


server:
  port: 3000
application:
  domain: juice-sh.op
  name: "OWASP Juice Shop"
  logo: JuiceShop_Logo.png
  favicon: favicon_v2.ico
  numberOfRandomFakeUsers: 0
  showChallengeSolvedNotifications: true
  showCtfFlagsInNotifications: false
  showGitHubRibbon: true
  theme: "slate"
  twitterUrl: "https://twitter.com/owasp_juiceshop"
  facebookUrl: "https://www.facebook.com/owasp.juiceshop"
products: []
Eat your own dog food: The Juice Shop default look & feel is declared in default.yml

Choose your own inventory

The YAML configuration allows you to override all products


products:
  - name: "Product Name"
    price: 100
    description: "Product Description"
    image: "(https://somewhe.re/)image.png"
    useForProductTamperingChallenge: false
    useForChristmasChallenge: false
Too much effort? Just declare the name and the app will generate the rest randomly!
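As an added example (not Juice Shop's own code), here is how the two slides above fit together: a partial customization is laid over the defaults from default.yml, the product list is replaced wholesale, and products that only declare a name get the remaining fields filled in. The YAML is shown as an already-parsed object so the snippet runs without a YAML library; the generated description and image values, and the check that a challenge flag is set on at most one product, are assumptions of this example.

```javascript
// Defaults mirror the default.yml shown on the slide (parsed into an object).
const DEFAULTS = {
  server: { port: 3000 },
  application: {
    domain: 'juice-sh.op', name: 'OWASP Juice Shop', logo: 'JuiceShop_Logo.png',
    favicon: 'favicon_v2.ico', numberOfRandomFakeUsers: 0,
    showChallengeSolvedNotifications: true, showCtfFlagsInNotifications: false,
    showGitHubRibbon: true, theme: 'slate'
  },
  products: []
};

// Complete a product that may only carry a name. The generated price range,
// description text and image name are constructed placeholders for this example.
function completeProduct (p) {
  if (typeof p.name !== 'string' || !p.name) throw new Error('product needs a name');
  return {
    name: p.name,
    price: typeof p.price === 'number' ? p.price : Math.floor(Math.random() * 90) + 10,
    description: p.description || `${p.name} - auto-generated description`,
    image: p.image || 'placeholder.png',
    // Challenge flags default to false unless explicitly set to true.
    useForProductTamperingChallenge: p.useForProductTamperingChallenge === true,
    useForChristmasChallenge: p.useForChristmasChallenge === true
  };
}

// Merge server/application keys over the defaults; a non-empty products list
// overrides all default products, as the slide states.
function applyCustomization (custom, defaults = DEFAULTS) {
  const products = custom.products && custom.products.length ? custom.products : defaults.products;
  const cfg = {
    server: { ...defaults.server, ...(custom.server || {}) },
    application: { ...defaults.application, ...(custom.application || {}) },
    products: products.map(completeProduct)
  };
  // Sanity check (assumption): a challenge flag on several products makes the
  // challenge ambiguous, so reject that before the config is used.
  for (const flag of ['useForProductTamperingChallenge', 'useForChristmasChallenge']) {
    const n = cfg.products.filter(p => p[flag]).length;
    if (n > 1) throw new Error(`${flag} set on ${n} products, expected at most one`);
  }
  return cfg;
}

// Constructed sample: re-branded shop with one fully declared and one name-only product.
const SAMPLE = applyCustomization({
  application: { name: 'Saftladen', showCtfFlagsInNotifications: true },
  products: [{ name: 'Apple Juice' }, { name: 'Orange Juice', price: 3, useForChristmasChallenge: true }]
});
```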

Modern Web-Architecture

JavaScript all the way from UI to REST API

Test Pyramid

Maximizing Test Automation & Code Coverage

Build Process

Automated Continuous Integration & Demo Deployment


Roadmap

Timeline? When it's done!

Project Summit Agenda

  • Finalize the promotion to Lab Project
  • Open discussion and brainstorming
    • Hacking challenge candidates
    • CTF extension sub-project
    • Enterprise-readiness, gamification, ...
  • (Hands-on coding, hacking, ...)

Timeline? Today & tomorrow!

Copyright (c) 2014-2017 Björn Kimminich

Licensed under the MIT license.


Created with reveal.js - The HTML Presentation Framework