OWASP Juice Shop

From Embedded Lab Vienna for IoT & Security
Revision as of 12:10, 4 January 2023 by GHuebner (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

At first glance, the OWASP Juice Shop looks like an inconspicuous online shop for fruit juices. In 2014 Björn Kimminich designed the latest and most privileged vulnerable web service [[1]] from OWASP. Two years after its foundation, Juice Shop was submitted and accepted as an OWASP tool project In a short time, Juice Shop generate a large community. The application is an intentionally insecure Web Service, and it look like an normal online shop. It is used to improve and test your hacking skills to avoid possible security lacks. Security enthusiastic can test and simulate different vulnerabilities in a safe environment without causing major damage to the network. Here the application includes vulnerabilities of the entire OWASP Top Ten, but also many other Vulnerabilities are found in this tool. There is enough documentation and further material on the official homepage to get a bigger overview.[[2]]


OWASP Juice Shop is a pure web application, which is implemented in JavaScript and TypeScript. In the frontend, Angular Framework is used to create a Single Page Application. The layout of the user interface is the implementation of Google's material design using Angular Material Components. In order to achieve responsiveness, the Angular Flex layout is used. All symbols which were used are from the Font Awesome library. Javascript is also used as a programming language in the backend. An Express Application is hosted on a Node.js server and provides the client-side code to the browser. The client is also provided with the required backend functionality via a RESTful API. SQLite was selected as the database. Sequelize and Finale-Rest are used as abstraction levels from the database. A MarsDB is part of the OWASP Juice Shops as additional data storage. It is a JavaScript derivative of the popular MongoDB NoSQL database and compatible with most query and change operations. Push notifications that appear when a challenge is successfully hacked are implemented via a WebSocket Protocol. The application also offers users a comfortable way of registration via OAuth 2.0. This give users the possibility to sign in using their Google accounts.



For a successful installation, the following steps must be observed:

  • Node.js must be installed on the device. Then you can download the application from the official Git repository from OWASP (https://github.com/bkimminich/juice-shop). There you will also find a detailed instructions and further information.
  • The downloaded file will be extracted to any path.
  • To install all necessary dependencies you first need to run the command "npm install"
  • To start the Juice Shop, open the terminal and switch to the path where you extracted the file. Then you start the program with the command "npm start"
JS Terminal.PNG

  • Then you can see which port is open, and open any browser and enter “localhost: [port]“
JS Homepage.PNG


In this example an attempt is made to log in to the website without having any credential. So, here we are using a SQL command instead of an email and a randomly selected password should suffice in this case. You can log in as an administrator with the following query because the result is always ‘True’ and the administrator appears to be the first in the selection list.

  • 'or 1 = 1; --
JS sqllogin.PNG

It is even possible to log in as a different user, for example as Jim or Bender. If you have successfully completed these challenges, it will lead to displayed on the page.

  • 'or 1 = 1 and email not like ('% admin% '); --
  • 'or 1 = 1 and email like ('% bender% '); --
JS loggedin.PNG

NoSQL Manipulation challenge

As another example, we can look at the NoSQL Manipulation (also known as NoSQL Injection) challenge, where all of the product reviews, in the OWASP Juice Shop, have to be updated at the same time.

The first step is to create an account. Then we can log in with the created data.

After we are authenticated to the site, we can leave a review under a product, to analyse the sites behaviour. In this example, we leave the review "Best Juice in Town".

OWASP JuiceShop NoSQL Mani Put.png

If we look at the inspector, we can see that the review was successfully created. Now we can edit the previously created review by hovering over the review, clicking "edit" and writing "Worst Juice in Town". After we submit the patch-request, we can analyse it.

OWASP JuiceShop NoSQL Mani Patch.png

Here we can see the payload, which contains an "id" as well as a "message". We will now try to update all reviews at the same time, by changing the request payload. To achieve this, we can use the MongoDB operand $ne, which stands for "not equal to". This operand is then nested into the payload and the value is set to an id which (likely) none of the reviews in the Juice Shop has. It now looks like this: {”id”:{”$ne”:-1},”message”:”Hurray for the NoSQL Injection”}.

We can now copy this request into postman [3]. As a header, we need to set the "Authorization Bearer" and the endpoint of the request is "http://localhost:3000/rest/products/reviews".

OWASP JuiceShop NoSQL Mani Postman.png

After we send the request, we have sucessfully solved the challenge and updated the reviews.

OWASP JuiceShop NoSQL Mani ChallengeSolved.png

Such an exploit can be prevented, by sanitizing the user-input/ the endpoints. In this case, this can be achieved by using the module "express-mongo-sanitize" [4].