How To Hunt for Web App Vulnerabilities Hands-on!

I’ve said it again and again, and I think most members of the technical community would agree that the fastest, most effective, most fun way to build any new IT skill is to dive in and “do IT yourself”!
As mentioned in our Introduction to Application Security course, for those beginning in their development or AppSec careers, understanding the OWASP Top 10 is an important building block in your foundation of skills. Not only does this list of Top 10 Web Application Vulnerabilities serve as the inspiration for much of our current and upcoming content and courses, OWASP Top 10 resources provide basic techniques to protect against these high-risk attacks and give guidance about what to do next. In addition, OWASP provides you with a safe place to do some hands-on hunting for these high-risk web application vulnerabilities in a legal manner by using the OWASP Juice Shop!
We want you to be aware of these resources, the value they provide, and where and how to access them to start building your web application security skills. Here’s a quick run-down!
What is OWASP?
OWASP is an organization, a foundation that works to improve the security of software through its community-led open source software projects, chapters and members. OWASP exists to raise awareness and understanding of software security. They are a global non-profit with chapters all over the world and a plethora of projects and documents to help developers, DevOps, and security people up their web application security game.
What is the OWASP Top 10?
The OWASP Top 10 is a project of the Open Web Application Security Project (OWASP). The primary goal of this project [and its associated resources] is to educate developers, architects, managers, organizations, and designers about the consequences of the most common and most important web application security weaknesses. It is important because it helps organisations prioritize risks, deciding which to focus on first, and helps them understand, identify, mitigate, and fix vulnerabilities in their web application environments. Each identified risk is prioritised according to prevalence, detectability, impact and exploitability.
What is the OWASP Juice Shop?
The OWASP Juice Shop is an open-source, intentionally insecure JavaScript web application that can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools!
Juice Shop has built a wide range of security vulnerabilities into the application from the OWASP Top Ten and many other security flaws found in real-world applications. Your goal is to hunt for [and find] those security vulnerabilities and mark them complete on the Score Board. Being a web application with a vast number of intended security vulnerabilities, the OWASP Juice Shop is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. The OWASP Juice Shop is an open-source project hosted by the non-profit Open Web Application Security Project® (OWASP) and is developed and maintained by volunteers.
The application environment includes numerous hacking challenges [at varying levels of difficulty] where the user is challenged to identify and exploit a set of underlying vulnerabilities. The vulnerabilities found in the OWASP Juice Shop are categorized into several different classes. Right now, the application includes 95 individual vulnerabilities for you to find. Your success / progress is tracked on a scoreboard, and finding the score board is actually one of your first [and easiest] challenges!

Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a “guinea pig” application to check how well their tools cope with JavaScript-heavy application front ends and REST APIs. Equally as awesome as the skills it allows you to build through experience, it is FREE! So, you can redistribute it and/or modify it under the terms of the MIT License to build your own custom interactive learning activities and capture the flag challenges.
Check out this awesome OWASP Juice Shop Demo by the CREATOR of the Juice Shop… Bjorn Kimminich. [25 Minutes]
Why is it called “Juice Shop”?
Per Bjorn’s explanation in his online guide, in German there is a dedicated word for dump, i.e. a store that sells lousy wares and does not exactly have customer satisfaction as a priority: Saftladen. Reverse-translating this separately as Saft and Laden yields juice and shop in English. That is where the project name comes from. The fact that the initials JS match with those commonly used for JavaScript was purely coincidental and not related to the choice of implementation technology.
What do learners like best about the OWASP Juice Shop?
Apparently its main selling points are as follows:
- Free and Open source: Licensed under the MIT license with no hidden costs or caveats
- Easy-to-install: Choose between Node.js, Docker and Vagrant to run on Windows/Mac/Linux
- Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically
- Beginner-friendly: Hacking Instructor tutorial scripts guide users through several of the easier challenges while explaining the underlying vulnerabilities
- Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board
- Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup
- Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements
- CTF-support: Challenge notifications optionally contain a flag code for your own Capture-The-Flag events

What sort of hands-on learning challenges are available right now in the OWASP Juice Shop?
The vulnerabilities found in the OWASP Juice Shop are categorized into several different classes. There are currently 95 individual vulnerabilities available for you to identify, exploit and address in a hands-on fashion – across 15 different vulnerability categories – all available to you for FREE within the Juice Shop environment. How cool is that? Pretty awesome, right!
Most of them cover different risk or vulnerability types from well-known lists or documents, such as OWASP Top 10, OWASP ASVS, OWASP Automated Threat Handbook and OWASP API Security Top 10 or MITRE’s Common Weakness Enumeration.
Category | # | Challenges |
---|---|---|
Broken Access Control | 10 | Admin Section, CSRF, Easter Egg, Five-Star Feedback, Forged Feedback, Forged Review, Manipulate Basket, Product Tampering, SSRF, View Basket |
Broken Anti Automation | 4 | CAPTCHA Bypass, Extra Language, Multiple Likes, Reset Morty’s Password |
Broken Authentication | 10 | Bjoern’s Favorite Pet, Change Bender’s Password, GDPR Data Erasure, Login Bjoern, Login CISO, Password Strength, Reset Bender’s Password, Reset Bjoern’s Password, Reset Jim’s Password, Two Factor Authentication |
Cryptographic Issues | 5 | Forged Coupon, Imaginary Challenge, Nested Easter Egg, Premium Paywall, Weird Crypto |
Improper Input Validation | 9 | Admin Registration, Deluxe Fraud, Expired Coupon, Missing Encoding, Payback Time, Repetitive Registration, Upload Size, Upload Type, Zero Stars |
Injection | 11 | Christmas Special, Database Schema, Ephemeral Accountant, Login Admin, Login Bender, Login Jim, NoSQL DoS, NoSQL Exfiltration, NoSQL Manipulation, SSTi, User Credentials |
Insecure Deserialization | 2 | Blocked RCE DoS, Successful RCE DoS |
Miscellaneous | 3 | Privacy Policy, Score Board, Security Policy |
Security Misconfiguration | 4 | Cross-Site Imaging, Deprecated Interface, Error Handling, Login Support Team |
Security through Obscurity | 3 | Blockchain Hype, Privacy Policy Inspection, Steganography |
Sensitive Data Exposure | 14 | Access Log, Confidential Document, Email Leak, Exposed Metrics, Forgotten Developer Backup, Forgotten Sales Backup, GDPR Data Theft, Leaked Access Logs, Leaked Unsafe Product, Login Amy, Login MC SafeSearch, Misplaced Signature File, Reset Uvogin’s Password, Retrieve Blueprint |
Unvalidated Redirects | 2 | Outdated Whitelist, Whitelist Bypass |
Vulnerable Components | 7 | Arbitrary File Write, Forged Signed JWT, Frontend Typosquatting, Legacy Typosquatting, Supply Chain Attack, Unsigned JWT, Vulnerable Library |
XSS | 9 | API-only XSS, Bonus Payload, CSP Bypass, Client-side XSS Protection, DOM XSS, HTTP-Header XSS, Reflected XSS, Server-side XSS Protection, Video XSS |
XXE | 2 | XXE Data Access, XXE DoS |
Total | 95 | |
And that’s not all…
A lot of people who want to practice hacking are beginners. So, OWASP’s Juice Shop offers a resource called the Hacking Instructor. This is an interactive tutor that’ll help you figure out what to do by walking you through what to do in each challenge using step-by-step tutorials. If you are entirely new to the Juice Shop, we recommend doing them in the order they are listed!
To get started, just click on a link in the table below to launch a step-by-step tutorial for that particular challenge in the public instance of the Juice Shop. With their (optional) Tutorial Mode you can even enforce that the 10 tutorial challenges have to be performed gradually in order to unlock the other 85 challenges. This is a pretty cool teaching feature for instructors looking to structure the concepts they are teaching to their students and want to issue associated challenges!
Challenge | Category | Difficulty |
---|---|---|
Score Board | Miscellaneous | ⭐ |
DOM XSS | XSS | ⭐ |
Bonus Payload | XSS | ⭐ |
Privacy Policy | Miscellaneous | ⭐ |
Login Admin | Injection | ⭐⭐ |
Password Strength | Broken Authentication | ⭐⭐ |
View Basket | Broken Access Control | ⭐⭐ |
Forged Feedback | Broken Access Control | ⭐⭐⭐ |
Login Jim | Injection | ⭐⭐⭐ |
Login Bender | Injection | ⭐⭐⭐ |
OWASP Juice Shop Hacking Handbook
The OWASP Juice Shop creator also created what appears to be one of the best guides I have ever seen to help you get maximum value from his creation! It’s called Pwning OWASP Juice Shop [written by Bjorn Kimminich].

It is the official companion guide to the OWASP Juice Shop application. The content of this book was written for v11.1.1 of OWASP Juice Shop.
The book is divided into three parts:
- Part I – Hacking preparations – Part one helps you to get the application running and to set up optional hacking tools.
- Part II – Challenge hunting – Part two gives an overview of the vulnerabilities found in the OWASP Juice Shop including hints how to find and exploit them in the application.
- Part III – Getting involved
Capture The Flag Resources
In the cybersecurity arena, a CTF consists of gamified challenges where you uncover “flags” that represent different vulnerabilities. You get points for finding them and teams compete against each other by earning more points / finding flags first / etc.
The Node package juice-shop-ctf-cli helps you to prepare Capture the Flag events with the OWASP Juice Shop challenges for different popular CTF frameworks. This interactive utility allows you to populate a CTF game server in a matter of minutes.
The following open source CTF frameworks are supported by juice-shop-ctf-cli:
- FBCTF
The Facebook CTF is a platform to host Jeopardy and “King of the Hill” style Capture the Flag competitions.

- RootTheBox
Root the Box is a real-time capture the flag (CTF) scoring engine for computer wargames where hackers can practice and learn. The application can be easily configured and modified for any CTF style game. The platform allows you to engage novice and experienced players alike by combining a fun game-like environment with realistic challenges that convey knowledge applicable to the real-world, such as penetration testing, incident response, digital forensics and threat hunting.
Like traditional CTF games, each team or player can target challenges of varying difficulty and sophistication, attempting to collect flags. But Root the Box brings additional options to the game. It has built-in support for “botnets”, allowing players to upload a small bot program to target machines that grant periodic rewards for each bot in the botnet. You have the option to use a banking system, where (in-game) money can be used instead of points to unlock new levels, buy hints to flags, download a target’s source code, or even “SWAT” other players. Password hashes for player bank accounts can also be publicly displayed, allowing competitors to crack them and steal each other’s money.

- TryHackMe also has some OWASP Juice Shop “hacktivities” designed for beginners that can be found here.
Other Resources
Documentation
- Online Demo
- Introduction Slides
- Companion Guide (LeanPub/Online)