OWASP Juice Shop

From Embedded Lab Vienna for IoT & Security
Revision as of 12:40, 13 December 2020 by CEberhart

The name is a bit misleading: it is not a real online juice shop. In 2014 Björn Kimminich designed what is now the latest and most prominent intentionally vulnerable web application from OWASP. Within a short time, Juice Shop built up a large community. The application is an intentionally insecure web service that looks like an online shop. It is used to practise and test hacking skills so that real security weaknesses can be avoided. Security enthusiasts can test and simulate different vulnerabilities in a safe environment without causing damage to a production network. The application includes vulnerabilities covering the entire OWASP Top Ten, but many other vulnerability classes are found in this tool as well. The official homepage offers enough documentation and further material to get a broader overview.

Architecture

OWASP Juice Shop is a web application implemented in JavaScript and TypeScript. The Angular framework is used to build it as a single-page application, and Angular FlexLayout provides the responsiveness of the user interface. Node.js is required because the server side is an Express application hosted on a Node.js server, which also delivers the client-side code to the browser. SQLite is used as the database, and backend functionality is exposed through a RESTful API. Sequelize and Finale-Rest form the abstraction layer over the database: they provide API endpoints that allow easy interaction with the resources in the database, while custom SQL can still be executed for more complex queries. Another component of OWASP Juice Shop is MarsDB, which acts as an additional data store. The so-called push notifications, which appear when you have successfully completed a challenge, are implemented via the WebSocket protocol. Juice Shop also supports OAuth 2.0, so that users can log in with their Google accounts.

Installation

For a successful installation, the following steps must be observed:
Node.js must be installed on the device. Then you can download the application from the official OWASP Git repository (https://github.com/bkimminich/juice-shop). There you will also find detailed instructions and further information.
The downloaded archive is extracted to a path of your choice.
To start Juice Shop, open a terminal and change to the path where you extracted the files. Then start the program with the command "npm start".

JS Terminal.PNG


The terminal output then shows which port is open. Open any browser and enter "localhost:[port]".

JS Homepage.PNG

Example

In this example, an attempt is made to log in to the website without having any credentials. Instead of an email address, a SQL fragment is entered, and a randomly chosen password suffices in this case. You can log in as the administrator with the following input, because the condition always evaluates to true and the administrator is the first user in the result set.
'or 1 = 1; --

JS sqllogin.PNG


It is even possible to log in as a different user, for example as Jim or Bender. If you have successfully completed these challenges, a notification is displayed on the page.
'or 1 = 1 and email not like ('%admin%'); --
'or 1 = 1 and email like ('%bender%'); --

JS loggedin.PNG