The most trustworthy online shop out there (@dschadow)
— The best juice shop on the whole internet! (@shehackspurple)
Actually the most bug-free vulnerable application in existence! (@vanderaj)
OWASP BeNeLux Days 2018 presentation by Björn Kimminich / @bkimminich
Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name.
That the initials "JS" match with those of "JavaScript" was purely coincidental!
Unsuspectingly browse the Juice Shop like Average Joe!
Comes with cloud, local and containerized run options
Covering various vulnerabilities and serious design flaws
OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.
Contains low-hanging fruits & hard-to-crack nuts
Challenge progress is tracked on server-side
Solved challenges are announced as push notifications
Auto-saves your hacking progress and restores on server restart
Flag codes can optionally be displayed for solved challenges
All participants use individual Juice Shop instances anywhere, sharing only the flag-code ctfKey and a central score server.
Utility project to help you host a hacking event on CTFd 1.x or FBCTF
Locally via npm i -g juice-shop-ctf-cli
or as Docker container
Run juice-shop-ctf on the command line and let a wizard create a data-backup archive to conveniently import into CTFd 1.x or FBCTF
Run juice-shop-ctf --config myconfig.yml to use non-interactive mode, passing in configuration via YAML file
ctfFramework: CTFd | FBCTF
juiceShopUrl: https://juice-shop.herokuapp.com
ctfKey: https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key
countryMapping: https://raw.githubusercontent.com/bkimminich/juice-shop/master/config/fbctf.yml
insertHints: none | free | paid
insertHintUrls: none | free | paid
Your CTFd instance will be ready-to-hack in <5min
Hide ribbon & toasts for 0% distraction e.g. in awareness trainings
Simply start the application with the NODE_ENV=quiet environment variable defined!
Fully customizable business context and look & feel
Customize the application via a simple YAML file
application:
  domain: juice-sh.op
  name: 'OWASP Juice Shop'
  logo: JuiceShop_Logo.png
  favicon: favicon_v2.ico
  numberOfRandomFakeUsers: 0
  showChallengeSolvedNotifications: true
  showCtfFlagsInNotifications: false
  showChallengeHints: true
  showVersionNumber: true
  theme: bluegrey-lightgreen
  gitHubRibbon: true
  twitterUrl: 'https://twitter.com/owasp_juiceshop'
  facebookUrl: 'https://www.facebook.com/owasp.juiceshop'
  slackUrl: 'http://owaspslack.com'
  planetOverlayMap: orangemap2k.jpg
  planetName: Orangeuze
  [...]
challenges:
  safetyOverride: false
The YAML configuration allows you to override all products
products:
  -
    name: 'Product Name'
    price: 100
    description: 'Product Description'
    image: '(https://somewhe.re/)image.png'
    useForProductTamperingChallenge: false
    useForChristmasChallenge: false
    fileForRetrieveBlueprintChallenge: ~
    reviews:
      - { text: 'Customer review', author: jim }
  -
    name: 'Product with Lorem Ipsum description, filler image and random price'
Your config is validated on server startup to prevent broken or unsolvable challenges!
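What such a start-up validation can look like, as an added example that is not Juice Shop's own code: it checks the products section shown above after YAML parsing, and the rules (name required, price non-negative, each challenge marker on exactly one product) are assumptions about what would leave a challenge broken or unsolvable.

```javascript
// Added example, not Juice Shop's own code: a start-up check for the
// products section of the YAML config above, run on the already-parsed
// object. The rules are assumptions about what leaves a challenge unsolvable.

// [config key, predicate "this product is marked for the challenge"]
const SPECIAL_KEYS = [
  ['useForProductTamperingChallenge', (p) => p.useForProductTamperingChallenge === true],
  ['useForChristmasChallenge', (p) => p.useForChristmasChallenge === true],
  ['fileForRetrieveBlueprintChallenge', (p) => p.fileForRetrieveBlueprintChallenge != null],
];

function validateProducts(config) {
  const products = config && config.products;
  if (!Array.isArray(products) || products.length === 0) {
    return ['products: must be a non-empty list'];
  }
  const problems = [];
  products.forEach((p, i) => {
    if (typeof p.name !== 'string' || p.name.trim() === '') {
      problems.push(`products[${i}].name: required non-empty string`);
    }
    // price, description and image are optional (missing ones get filler values)
    if (p.price !== undefined && !(typeof p.price === 'number' && p.price >= 0)) {
      problems.push(`products[${i}].price: must be a non-negative number`);
    }
    const reviews = p.reviews === undefined ? [] : p.reviews;
    if (!Array.isArray(reviews)) {
      problems.push(`products[${i}].reviews: must be a list`);
    } else if (!reviews.every((r) => r && typeof r.text === 'string' && typeof r.author === 'string')) {
      problems.push(`products[${i}].reviews: every entry needs text and author`);
    }
  });
  // Each marker must select exactly one product: zero makes the challenge
  // unsolvable, two or more makes it ambiguous.
  for (const [key, isMarked] of SPECIAL_KEYS) {
    const n = products.filter(isMarked).length;
    if (n !== 1) problems.push(`${key}: set on ${n} products, expected exactly 1`);
  }
  return problems;
}

// Constructed sample mirroring the slide's YAML after parsing (~ becomes null);
// no product carries a marker, so all three special-product checks report.
const sampleConfig = {
  products: [
    { name: 'Product Name', price: 100, description: 'Product Description', image: '(https://somewhe.re/)image.png',
      useForProductTamperingChallenge: false, useForChristmasChallenge: false,
      fileForRetrieveBlueprintChallenge: null, reviews: [{ text: 'Customer review', author: 'jim' }] },
    { name: 'Product with Lorem Ipsum description, filler image and random price' },
  ],
};
```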
JavaScript all the way from UI to REST API
Complete UI translation available for
Partial translation available for
Maximizing Test Automation & Code Coverage
Automated Build, CI/CD & Code Analysis
If FAQ & README don't help, ask in the chat or open an issue
Yes, definitely! Use whatever pentesting tools you like the most!
Proxies like OWASP ZAP or BurpSuite Free Edition can definitely be useful. Automatic tools like Arachni or Nikto might find some vulnerabilities but will obviously not be able to get the Score Board to 100% for you.
No! The code from GitHub would spoiler all challenge solutions!
You can of course use everything that the application hands to you in the browser, so use its DevTools!
Yes! Feel free to look for ideas, clues & hints everywhere!
Again: Except for the application's own GitHub repository & the logs of its Travis-CI build jobs!
Please carefully follow the instructions in the README
If Setup & Troubleshooting docs don't help, you can always ask the community or open an issue!
The application is cleanly reset on every startup
Your Score Board progress is saved automatically and will restore after server restart!
Find helpful hints in the free official companion guide on Leanpub
The eBook can also be read online on GitBook. You can always ask for hints in the community chat as well!
Please report untracked vulnerabilities by opening an issue
Of course you can also contribute directly by opening a pull request. Just stick to the contribution guide!
Some challenges are actually harmful in containerized or cloud environments and are deliberately disabled there
This affects the XXE challenges (because they can lead to instance death by segfault error) and the SSTI challenge (as it could have unforeseeable side effects) on the hosting platform.
Of course! Visit our backlog on Waffle.io & translations on Crowdin
Stories or issues labelled with ready and good first issue / help wanted are the best starting point!
For your 1st merged pull request you'll get some stickers from us
Serial contributors might even get t-shirts, mugs and other glorious merchandise for free!
Some amazing facts & stats about the project
Timeline? When it's done!
Web Application Security in a Nutshell (CC-BY-SA) | http://webappsec-nutshell.kimminich.de |
IT Security Lecture (CC-BY-SA) | https://github.com/bkimminich/it-security-lecture |
Licensed under the MIT license.
Created with reveal.js - The HTML Presentation Framework
In front of live audience for the first second time exclusively at OWASP BeNeLux Days 2018!
(Naturally, finding this soundfile and its lyrics will become two new challenges very soon!)