OWASP Juice Shop

An intentionally insecure Javascript Web Application
The most trustworthy online shop out there (@dschadow)

https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

Presentation by Björn Kimminich / @bkimminich

Why the name "Juice Shop"?!?

Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name.
That the initials "JS" match with those of "Javascript" was purely coincidental!

Why another broken webapp?!?

OWASP Juice Shop is the first application written entirely in Javascript listed in the OWASP VWA Directory. It also seems to be the first broken webapp that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.

Technology Stack

Javascript all the way from UI to REST API

Simple Installation

Comes with cloud, local and containerized run options


Live Demo Environment

Unsuspectingly browse the Juice Shop like Average Joe!

Over 30 Challenges

Covering various vulnerabilities and serious design flaws

OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.

Challenge Difficulty

Contains low-hanging fruits & hard-to-crack nuts

Score Board

Challenge progress is tracked on server-side

Immediate Feedback

Solved challenges are announced as push notifications

Sorry, this is a Lightning Talk

I will not live-hack even a single challenge for you!

E2E Hacking Testsuite Video

I will instead show you a prerecorded execution of the testsuite automatically hacking all 27 challenges!

For details on the testsuite implementation and CI integration, check out my guest post "Proving that an application is as broken as intended" on the SauceLabs Blog.

Do you accept the challenge?

Breakers: Try to hack all the challenges!

Defenders: Let loose all your fancy tools!

Builders: Learn from my silly mistakes!

Bonus challenge: Contribute to OWASP Juice Shop with a chance for free stickers and other swag!

Copyright (c) 2014-2016 Björn Kimminich

Licensed under the MIT license.
