Juice Shop is an intentionally vulnerable web site supported and maintained by OWASP. It’s available publicly at:
https://demo.owasp-juice.shop/
Most exercises can be completed against the Juice Shop. More invasive exploit challenges require a local installation.
Running Juice Shop locally requires docker and Windows Subsystem for Linux.
To install Juice Shop in a local docker container, see Juice Shop Install, which creates a local running instance at https://localhost:88 and http://localhost:88 hosted on docker on Ubuntu.
Intelligence about a target can be gathered from public APIs and websites using only publicly available information. This is typically referred to as OSINT (open-source intelligence).
| Tool | Description |
|---|---|
| nmap | Network scanning |
| amass | Find registered subdomains |
| nikto | Find vulnerable headers and directories |
| Kiterunner | Find vulnerable routes |
| securityheaders.com | Validate security headers |
Penetration testing can be performed manually; however, tools ease the effort. These exercises use ZAP and Burp Suite Community Edition.
Zed Attack Proxy is used for these exercises. Please follow these instructions to install and configure ZAP:
Burp Suite is a common tool used by professional penetration testers. A free version is available and can be used for these exercises as well. Please follow the instructions to Install and Configure Burp Suite Community Edition.
These exercises can use the public Juice Shop site or the local docker instance. The local instance is preferred as other users may compromise or take down the public site.
In the Architecture overview you were told that the Juice Shop uses a modern Single Page Application frontend. That was not entirely true.
CSP Header Vulnerability solution
Use ZAP or browser network inspection to find an endpoint that is vulnerable to SQL injection. Compromise the endpoint to exfiltrate user data.
The SQL Injection exercise exposed details about user accounts. Use the exposed information to log in as the admin@juice-sh.op user.
Mass assignment occurs when a property of a JSON or request payload is bound to a server-side object in a security context the developer did not intend, so a client can set attributes that should only be set by the server.
Review the requests and responses that are generated when creating a user. There may be a mass assignment vulnerability that allows a new user to elevate their permissions.
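As an added example (not code from Juice Shop or from the original page), the vulnerable binding pattern is shown next to an allow-listed version, written in Node.js because Juice Shop is a JavaScript application; the field names email, password and role, the default role, and the sample payload are assumptions:

```javascript
// Added example (not Juice Shop's code): mass assignment in a user-registration
// handler. Field names (email, password, role) and the default role are assumed.

// Vulnerable pattern: every property of the request body is copied onto the new
// record, so a client-supplied "role" silently overrides the server-side default.
function createUserVulnerable(body) {
  return { role: 'customer', ...body };
}

// Hardened pattern: bind only an explicit allow-list of client-controlled fields.
// Security-relevant attributes (role, id, isAdmin, ...) are set server-side only.
const BINDABLE_FIELDS = ['email', 'password'];

function createUserSafe(body) {
  const user = { role: 'customer' };
  for (const field of BINDABLE_FIELDS) {
    if (typeof body[field] === 'string' && body[field].length > 0) {
      user[field] = body[field];
    }
  }
  // Properties that were submitted but not bound. Logging these is a cheap
  // detection signal for clients probing for mass assignment.
  const rejected = Object.keys(body).filter((k) => !BINDABLE_FIELDS.includes(k));
  return { user, rejected };
}

// Constructed sample payload: a normal registration with an injected "role".
const SAMPLE_BODY = JSON.parse(
  '{"email":"new@example.test","password":"hunter2","role":"admin"}'
);

console.log('vulnerable:', createUserVulnerable(SAMPLE_BODY));
console.log('hardened:  ', createUserSafe(SAMPLE_BODY));
```

With the sample payload the vulnerable handler creates an admin account, while the hardened handler creates a customer and reports `role` as a rejected field.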