OWASP Juice Shop
At first glance, the OWASP Juice Shop looks like an inconspicuous online shop for fruit juices. In 2014 Björn Kimminich designed this latest and most privileged vulnerable web service [] from OWASP. Two years after its foundation, Juice Shop was submitted and accepted as an OWASP tool project. Within a short time, Juice Shop built up a large community. The application is an intentionally insecure web service that looks like an ordinary online shop. It is used to improve and test hacking skills in order to recognise and avoid possible security weaknesses. Security enthusiasts can test and simulate different vulnerabilities in a safe environment without causing damage to a real network. The application includes vulnerabilities from the entire OWASP Top Ten, and many other vulnerabilities can be found in this tool as well. There is enough documentation and further material on the official homepage to get a broader overview.[]
For a successful installation, the following steps must be followed:
- Node.js must be installed on the device. Then you can download the application from the official OWASP Git repository (https://github.com/bkimminich/juice-shop). There you will also find detailed instructions and further information.
- The downloaded file is extracted to any path.
- To start the Juice Shop, open a terminal and change to the path where you extracted the file. Then start the program with the command "npm start".
- The output then shows which port is open; open any browser and enter "localhost:[port]".
In this example an attempt is made to log in to the website without having any credentials. Instead of an e-mail address we enter a SQL fragment, and a randomly selected password suffices in this case. You can log in as the administrator with the following input because the WHERE condition then always evaluates to 'True' and the administrator is the first entry in the result set.
- ' or 1 = 1; --
It is even possible to log in as a different user, for example as Jim or Bender. If you have successfully completed these challenges, this is displayed on the page.
- ' or 1 = 1 and email not like ('%admin%'); --
- ' or 1 = 1 and email like ('%bender%'); --
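As an added illustration (not code from this text or from the Juice Shop project), the following Python script reproduces the three login bypasses above against an in-memory SQLite table and places the string-concatenated query next to the parameterized query that closes the hole. The minimal Users table, the unsalted MD5 password hash and the exact query text are assumptions that approximate the shape of the Juice Shop login; the accounts and passwords are constructed sample data.

```python
import hashlib
import sqlite3

# Constructed sample accounts. The e-mail addresses follow the juice-sh.op
# pattern the application uses; the passwords are made up for this demo.
SAMPLE_USERS = [
    (1, "admin@juice-sh.op",  "admin-sample-pw",  "admin"),
    (2, "jim@juice-sh.op",    "jim-sample-pw",    "customer"),
    (3, "bender@juice-sh.op", "bender-sample-pw", "customer"),
]


def hash_pw(password: str) -> str:
    """Unsalted MD5 (assumed here to mirror the application's deliberately weak hashing)."""
    return hashlib.md5(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a minimal Users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
        "password TEXT, role TEXT, deletedAt TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (id, email, password, role, deletedAt) VALUES (?, ?, ?, ?, NULL)",
        [(uid, email, hash_pw(pw), role) for uid, email, pw, role in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """Builds the query by string concatenation, so the e-mail field is parsed as SQL.
    Returns (id, email, role) of the first matching row, or None."""
    sql = (
        "SELECT id, email, role FROM Users WHERE email = '" + email
        + "' AND password = '" + hash_pw(password) + "' AND deletedAt IS NULL"
    )
    # With "' or 1 = 1; --" the statement becomes
    #   ... WHERE email = '' or 1 = 1; -- ' AND password = '...' AND deletedAt IS NULL
    # The password check ends up inside a comment and every user matches.
    return conn.execute(sql).fetchone()


def login_safe(conn, email, password):
    """Same query with bound parameters: the input is only ever compared as a value."""
    sql = "SELECT id, email, role FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL"
    return conn.execute(sql, (email, hash_pw(password))).fetchone()


# The three inputs from the text, typed into the e-mail field with any password.
PAYLOADS = {
    "admin":  "' or 1 = 1; --",
    "jim":    "' or 1 = 1 and email not like ('%admin%'); --",
    "bender": "' or 1 = 1 and email like ('%bender%'); --",
}


def compare(conn):
    """For each payload: the row the concatenated query returns, and what the bound query returns."""
    return {
        target: (login_vulnerable(conn, payload, "anything"),
                 login_safe(conn, payload, "anything"))
        for target, payload in PAYLOADS.items()
    }


if __name__ == "__main__":
    db = make_db()
    for target, (vuln, safe) in compare(db).items():
        print(f"{target:>6}: concatenated -> {vuln}, parameterized -> {safe}")
```

The first row of an unordered table scan is the lowest rowid, which is why the plain `1 = 1` payload yields the administrator and the `not like ('%admin%')` variant falls through to Jim. The parameterized version returns no row for all three inputs: the driver sends the payload as a literal string, so `'` and `--` never reach the SQL parser.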