Want to become an expert on ethical hacking? OWASP Juice Shop is what you need. Björn Kimminich took audience members on a rapid-fire tour of this security training app. The original talk is here, and a summary of its content is below.
A lot of people who want to become (ethical!) hackers—including me—learn whatever we can from videos, blogs, and books. And after that, we’re in a state of doubt where we’re not sure if we can actually hack something.
Once you have theoretical knowledge, you need practical experience. And obviously, you can’t practice hacking on some random website that’s out there because that’s illegal and will get you in trouble.
That’s where OWASP Juice Shop comes in. It’s a web application that looks like any other shopping website, but it’s designed to be vulnerable on purpose so people can practice hacking.
What Does Juice Shop Look Like to an Ordinary Visitor?
Once you install Juice Shop and start using it, it’s just like any other shopping website. This site lets you order juice.
You see a menu with a list of juices that you can order, along with their prices. There’s a button that lets you add the juice to the basket. In the basket page, you can see all the juices you’ve chosen, and you can place the order.
You can consider this appearance as a “front” for the main reason this application was built. Now, let’s find out what that actually is.
What Does Juice Shop Look Like to a Hacker?
Juice Shop is an application filled with more than 88 web vulnerabilities. Once you install it and use it from a hacker’s perspective, you’ll see that there are various weak points where you can hack the application.
One of the best things about Juice Shop is that it not only lets you hack the application but also notifies you when you’ve succeeded! You also have a scoreboard where you can see the list of exploits you’ve completed and the ones you should work on.
You’ll find six difficulty levels, from beginner to expert. So it doesn’t matter if you’ve just started hacking or if you’ve been into it for some time now: Juice Shop will still be fun.
What if you’ve had enough of hacking that day and want to take a break? No problem. Juice Shop will save your status. So the next time you log in, all the previous hacks you’ve completed will be marked, and you don’t have to do them all over again.
What’s Good About Juice Shop?
A lot of people who want to practice hacking are beginners. So Juice Shop also has an interactive tutor called a “hacking instructor” that’ll help you figure out what to do.
One thing that may interest you as a hacker is the Capture the Flag (CTF) challenge. You can also use Juice Shop in the CTF mode by making some changes to the configuration.
CTF mode is great because you can set up Juice Shop with other CTF servers. Then you’ll have to create a logic to generate flags. In this case, you can hand out a separate instance of Juice Shop to each participant. (You can learn more about CTF here.)
If you get bored with how Juice Shop looks, you have an option to customize it. This comes in handy when you want to make the application look like it belongs to a particular domain.
Juice Shop allows you to have test automations. You can use application programming interfaces to test if the challenges work.
The Tech Side of Juice Shop
Juice Shop uses AngularJS for the front end and NodeJS and Express framework for backend development.
It uses Sequelize Database for login operations. It also has SQLite and an in-memory NoSQL database. This allows it to run on a single docker container, which helps keep things simple.
Installing Juice Shop
You can run Juice Shop on Docker, Vagrant, and various cloud platforms. You can read more about the run options here.
And if you’re interested, all you have to do is go to the Juice Shop site.
Photo by Aj Alao