OWASP Juice Shop | OWASP Foundation


2023-01-22 21:25:24


[Juice Shop logo]

OWASP Flagship project

OWASP Juice Shop is probably the most modern and sophisticated insecure
web application! It can be used in security trainings, awareness demos,
CTFs and as a guinea pig for security tools! Juice Shop encompasses
vulnerabilities from the entire
OWASP Top Ten along with many other security
flaws found in real-world applications!


Description

Juice Shop is written in Node.js, Express and Angular. It was the first
application written entirely in JavaScript listed in the
OWASP VWA Directory.

The application contains a vast number of hacking challenges of varying
difficulty where the user is supposed to exploit the underlying
vulnerabilities. The hacking progress is tracked on a score board.
Finding this score board is actually one of the (easy) challenges!

Apart from the hacker and awareness training use case, pentesting
proxies or security scanners can use Juice Shop as a "guinea
pig" application to check how well their tools cope with
JavaScript-heavy application frontends and REST APIs.

Translating "dump" or "useless outfit" into German yields "Saftladen",
which can be reverse-translated word by word into "juice shop". Hence
the project name. That the initials "JS" match those of
"JavaScript" was purely coincidental!

Testimonials

  • "The most trustworthy online shop out there." (@dschadow)
  • "The best juice shop on the whole internet!" (@shehackspurple)
  • "Actually the most bug-free vulnerable application in existence!" (@vanderaj)
  • "First you [emoji] then you [emoji]" (@kramse)
  • "But this doesn't have anything to do with juice." (@coderPatros' wife)

Contributors

The OWASP Juice Shop was created by
Björn Kimminich and is developed,
maintained and translated by a
team of volunteers.
A
live update of the project contributors
can be found here.

Licensing

This program is free software: you can redistribute it and/or modify it
under the terms of the
MIT License.
OWASP Juice Shop and any contributions are Copyright © by Bjoern
Kimminich & the OWASP Juice Shop contributors 2014-2023.








Main Selling Points

Screenshots

[Five application screenshots]

Application Architecture

Architecture diagram








Latest Releases

  • 2023-01-04T05:43:07Z: juice-shop v14.4.0
  • 2022-11-12T10:07:13Z: juice-shop v14.3.1
  • 2022-09-24T13:49:03Z: juice-shop v14.3.0
  • 2022-09-07T18:25:04Z: juice-shop v14.2.1
  • 2022-08-24T08:42:14Z: juice-shop v14.2.0
  • 2022-07-04T16:02:07Z: juice-shop v14.1.1
  • 2022-07-03T20:56:12Z: juice-shop v14.1.0
  • 2022-05-22T12:59:21Z: juice-shop v14.0.1
  • 2022-05-07T15:50:38Z: juice-shop v14.0.0
  • 2022-03-29T17:02:44Z: juice-shop v13.3.0
  • 2022-02-08T22:42:32Z: juice-shop v13.2.2
  • 2022-01-31T21:39:31Z: juice-shop v13.2.1

CTF Extension

  • 2022-08-23T16:13:55Z: juice-shop-ctf v9.1.2
  • 2022-08-03T04:31:18Z: juice-shop-ctf v9.1.1
  • 2022-07-31T20:52:39Z: juice-shop-ctf v9.1.0
  • 2022-01-16T20:18:28Z: juice-shop-ctf v9.0.0
  • 2021-09-26T18:28:42Z: juice-shop-ctf v8.2.3
  • 2021-06-08T14:05:51Z: juice-shop-ctf v8.2.2
  • 2021-05-03T15:24:19Z: juice-shop-ctf v8.2.1
  • 2021-04-12T21:28:53Z: juice-shop-ctf v8.2.0
  • 2020-12-14T19:43:09Z: juice-shop-ctf v8.1.3

Roadmap








Challenge Categories

The vulnerabilities found in the OWASP Juice Shop are categorized into
several different classes. Most of them cover different risk or
vulnerability types from well-known lists or documents, such as the
OWASP Top 10,
OWASP ASVS,
OWASP Automated Threat Handbook
and
OWASP API Security Top 10
or MITRE's
Common Weakness Enumeration.

Category | # | Challenges
Broken Access Control | 10 | Admin Section, CSRF, Easter Egg, Five-Star Feedback, Forged Feedback, Forged Review, Manipulate Basket, Product Tampering, SSRF, View Basket
Broken Anti Automation | 4 | CAPTCHA Bypass, Extra Language, Multiple Likes, Reset Morty's Password
Broken Authentication | 9 | Bjoern's Favorite Pet, Change Bender's Password, GDPR Data Erasure, Login Bjoern, Password Strength, Reset Bender's Password, Reset Bjoern's Password, Reset Jim's Password, Two Factor Authentication
Cryptographic Issues | 5 | Forged Coupon, Imaginary Challenge, Nested Easter Egg, Premium Paywall, Weird Crypto
Improper Input Validation | 10 | Admin Registration, Deluxe Fraud, Expired Coupon, Missing Encoding, Payback Time, Poison Null Byte, Repetitive Registration, Upload Size, Upload Type, Zero Stars
Injection | 11 | Christmas Special, Database Schema, Ephemeral Accountant, Login Admin, Login Bender, Login Jim, NoSQL DoS, NoSQL Exfiltration, NoSQL Manipulation, SSTi, User Credentials
Insecure Deserialization | 2 | Blocked RCE DoS, Successful RCE DoS
Miscellaneous | 5 | Bully Chatbot, Mass Dispel, Privacy Policy, Score Board, Security Policy
Security Misconfiguration | 4 | Cross-Site Imaging, Deprecated Interface, Error Handling, Login Support Team
Security through Obscurity | 3 | Blockchain Hype, Privacy Policy Inspection, Steganography
Sensitive Data Exposure | 16 | Access Log, Confidential Document, Email Leak, Exposed Metrics, Forgotten Developer Backup, Forgotten Sales Backup, GDPR Data Theft, Leaked Access Logs, Leaked Unsafe Product, Login Amy, Login MC SafeSearch, Meta Geo Stalking, Misplaced Signature File, Reset Uvogin's Password, Retrieve Blueprint, Visual Geo Stalking
Unvalidated Redirects | 2 | Allowlist Bypass, Outdated Allowlist
Vulnerable Components | 9 | Arbitrary File Write, Forged Signed JWT, Frontend Typosquatting, Kill Chatbot, Legacy Typosquatting, Local File Read, Supply Chain Attack, Unsigned JWT, Vulnerable Library
XSS | 9 | API-only XSS, Bonus Payload, CSP Bypass, Client-side XSS Protection, DOM XSS, HTTP-Header XSS, Reflected XSS, Server-side XSS Protection, Video XSS
XXE | 2 | XXE Data Access, XXE DoS
Total Σ | 101 |

Tags do not represent vulnerability categories but serve as additional
meta information for challenges. They mark certain commonalities or
special kinds of challenges, like those lacking seriousness or ones
that probably need some scripting/automation, etc.

Tag | # | Challenges
Brute Force | 6 | Bully Chatbot, CAPTCHA Bypass, Extra Language, Login Support Team, Password Strength, Reset Morty's Password
Code Analysis | 10 | Blockchain Hype, Forged Coupon, Imaginary Challenge, Kill Chatbot, Login Bjoern, Login Support Team, Outdated Allowlist, SSRF, SSTi, Score Board
Contraption | 8 | Blockchain Hype, Cross-Site Imaging, Deprecated Interface, Easter Egg, Forgotten Developer Backup, Forgotten Sales Backup, Misplaced Signature File, SSTi
Danger Zone | 16 | API-only XSS, Arbitrary File Write, Blocked RCE DoS, CSP Bypass, Client-side XSS Protection, HTTP-Header XSS, Local File Read, NoSQL DoS, NoSQL Exfiltration, Reflected XSS, SSTi, Server-side XSS Protection, Successful RCE DoS, Video XSS, XXE Data Access, XXE DoS
Good Practice | 4 | Exposed Metrics, Misplaced Signature File, Privacy Policy, Security Policy
Good for Demos | 12 | Admin Section, Confidential Document, DOM XSS, Easter Egg, Forged Coupon, Forgotten Developer Backup, Login Admin, Nested Easter Egg, Privacy Policy, Privacy Policy Inspection, Reflected XSS, View Basket
OSINT | 15 | Bjoern's Favorite Pet, Leaked Access Logs, Leaked Unsafe Product, Local File Read, Login Amy, Login MC SafeSearch, Meta Geo Stalking, Reset Bender's Password, Reset Bjoern's Password, Reset Jim's Password, Reset Morty's Password, Reset Uvogin's Password, Supply Chain Attack, Visual Geo Stalking, Vulnerable Library
Prerequisite | 6 | Allowlist Bypass, Arbitrary File Write, Deprecated Interface, Error Handling, Forgotten Developer Backup, Poison Null Byte
Shenanigans | 11 | Bonus Payload, Bully Chatbot, Easter Egg, Imaginary Challenge, Leaked Unsafe Product, Login MC SafeSearch, Missing Encoding, Nested Easter Egg, Premium Paywall, Privacy Policy Inspection, Steganography
Tutorial | 10 | Bonus Payload, DOM XSS, Forged Feedback, Login Admin, Login Bender, Login Jim, Password Strength, Privacy Policy, Score Board, View Basket








Hacking Instructor Tutorials

Click on a link in the table below to launch a
step-by-step tutorial
for that particular challenge on our public
https://demo.owasp-juice.shop instance. If you are completely new to the
Juice Shop, we recommend doing them in the listed order. With the
(optional)
Tutorial Mode
you can even enforce that the 10 tutorial challenges
must be completed progressively in order to unlock the other 91 challenges.
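As an added example (not part of the project page or the project's own documentation), the following custom configuration switches Tutorial Mode on for a training session. Juice Shop takes its settings from config/default.yml and overrides them with config/<NODE_ENV>.yml; the file name tutorial-training.yml, the application name and the particular values chosen here are assumptions for this example, and the key names should be checked against the default.yml shipped with the release in use:

```yaml
# config/tutorial-training.yml (hypothetical file name) - an override file
# for a training session. Keys mirror Juice Shop's config/default.yml;
# the values are assumptions chosen for this example.
application:
  name: 'OWASP Juice Shop (Training)'
challenges:
  showHints: true                  # keep hints visible for newcomers
  showMitigations: true            # link OWASP Cheat Sheets on the Score Board
  codingChallengesEnabled: solved  # offer the coding challenge once its hacking challenge is solved
  restrictToTutorialsFirst: true   # Tutorial Mode: the 10 tutorial challenges gate the other 91
ctf:
  showFlagsInNotifications: false  # no CTF flags during a plain training session
```

Start the application with the matching environment name, e.g. NODE_ENV=tutorial-training npm start (for the Docker image, mount the file into the container's config directory and pass the same variable with -e). With restrictToTutorialsFirst set, the non-tutorial challenges stay locked on the Score Board until the tutorial challenges have been solved in their listed order.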

Coding Challenges

For 26 challenges an additional coding challenge is available. In their "Find It" part they teach
spotting vulnerabilities in the actual codebase of the Juice Shop. In the "Fix It" part the user then chooses the most appropriate
fix from a list. Solve any of the hacking challenges below to enable a button on the Score Board that launches the corresponding
coding challenge:

Category | # | Challenges
Broken Access Control | 3 | Admin Section, Forged Review, Product Tampering
Broken Anti Automation | 1 | Reset Morty's Password
Broken Authentication | 4 | Bjoern's Favorite Pet, Reset Bender's Password, Reset Bjoern's Password, Reset Jim's Password
Improper Input Validation | 1 | Admin Registration
Injection | 6 | Database Schema, Login Admin, Login Bender, Login Jim, NoSQL Manipulation, User Credentials
Miscellaneous | 1 | Score Board
Security through Obscurity | 1 | Blockchain Hype
Sensitive Data Exposure | 4 | Access Log, Confidential Document, Exposed Metrics, Reset Uvogin's Password
Unvalidated Redirects | 2 | Allowlist Bypass, Outdated Allowlist
XSS | 3 | API-only XSS, Bonus Payload, DOM XSS
Total Σ | 26 |

For many solved challenges, links to mitigation strategies are provided on the Score Board by offering a link
to a corresponding OWASP Cheat Sheet explaining how to avoid that kind of vulnerability in the first place. The
following cheat sheets are referred to by OWASP Juice Shop as mitigation links:








CTF Extension

[Juice Shop CTF logo]

The Node package
juice-shop-ctf-cli
allows you to prepare
Capture the Flag
events with the OWASP Juice Shop challenges for different popular CTF
frameworks. This interactive utility allows you to populate a CTF game
server in a matter of minutes.
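Besides the interactive prompts, juice-shop-ctf-cli can read its answers from a configuration file. The file below is an added example, not the tool's own documentation: the file name myconfig.yml, the target URL and the chosen hint settings are assumptions for this example, while the key names follow the tool's README and should be verified against the installed version:

```yaml
# myconfig.yml (hypothetical file name) - answers for a non-interactive
# juice-shop-ctf run. Key names follow the tool's README; the values are
# assumptions chosen for this example.
ctfFramework: CTFd                       # target CTF platform for the generated import
juiceShopUrl: http://localhost:3000      # instance whose challenge list is fetched
# Secret from which every challenge flag is derived. The Juice Shop instance
# used in the event must run with the same key, otherwise no flag will be accepted.
ctfKey: https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key
# Country mapping is only used for FBCTF output; harmless for CTFd.
countryMapping: https://raw.githubusercontent.com/bkimminich/juice-shop/master/config/fbctf.yml
insertHints: free           # none | free | paid
insertHintUrls: paid        # links to the companion guide cost points
insertHintSnippets: paid    # vulnerable code snippets cost points
```

Run it with npx juice-shop-ctf --config myconfig.yml --output challenges.zip and import the resulting archive into CTFd. The ctfKey above is the project's public default key, which only makes sense for a throw-away demo: for a real event, generate a private key, put it in this file, and start the Juice Shop instance with the same value in its CTF_KEY environment variable, so that flags cannot be precomputed by participants who know the public default.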


Supported CTF Frameworks

The following open source CTF frameworks are supported by
juice-shop-ctf-cli:








Official Companion Guide

Pwning OWASP Juice Shop is the
official companion guide for this project. It gives you a complete
overview of the vulnerabilities found in the application, including hints
on how to spot and exploit them. In the appendix you will even find
complete step-by-step solutions to every challenge.


The book is published under
CC BY-NC-ND 4.0
and is online-readable for free at
https://pwning.owasp-juice.shop. The latest officially released
version is also available for free at
https://leanpub.com/juice-shop in PDF, Kindle and ePub format.

Official Jingle

Official
OWASP Juice Shop Jingle
written and performed by
Brian Johnson

Endorsed Open Source Projects

Project | Description
MultiJuicer | Multi User Juice Shop Platform to run separate Juice Shop instances for training or CTF participants on a central Kubernetes cluster
shake-logger (https://github.com/wurstbrot/shake-logger) | Demo to show the dangers of XSS holes combined with a bad Content Security Policy, using Harlem Shake and a keylogger against the Juice Shop (YouTube)

The tools listed above are provided by third parties outside of the
OWASP Juice Shop project scope. For support or feature requests please
use the support channels or issue trackers mentioned by those projects.








Project Supporters

You can attribute your donation to the OWASP Juice Shop project by
using
this link
or the green "Donate" button while on any tab of the Juice Shop
project page!

Top Supporters

New Work SE

In order to be recognized as a "Top Supporter" a company
must have donated $1000 or more a) to OWASP while attributing it to
Juice Shop or b) as a restricted gift to OWASP Juice Shop in the last 12
months.

All Corporate Supporters

All Individual Supporters

In order to be recognized as a "Corporate-sponsored Code
Contribution" an official written confirmation of waiving all IP to the
contributed code must be formally submitted to the OWASP
Foundation.

LeanPub Royalties

Pwning OWASP Juice Shop

$1,251.68 of royalties from
Björn Kimminich's eBook were donated to the
project between 09/2017 and 07/2019.


The OWASP Foundation is very grateful for the support by the
individuals and organizations listed. However, please note that the OWASP
Foundation is strictly vendor neutral and does not endorse any of its
supporters.



