“What a juice shop”, one would like to think: the OWASP Juice Shop is a platform with vulnerabilities – a lot of them. As a developer or IT security expert you should definitely install it.

Ostensibly a normal online shop: the OWASP Juice Shop.

(Image: Lang / OWASP)

The Open Web Application Security Project (OWASP, https://owasp.org/) provides a fairly comprehensive range of information and tools related to the security of web applications. One of its most exciting projects is certainly the OWASP Juice Shop, which aims to give web developers and security specialists a completely new perspective: that of an attacker.

As the name says, the Juice Shop is first of all an online shop with various juices on offer. The shop is free and open-source software, so you can run your own instance of the web application.

The special thing about the shop: it contains dozens of security vulnerabilities and, at the time of writing, 95 challenges built around exploiting them, and its sole purpose is to be hacked. You take on the role of an attacker and try to get into the administration area, capture and crack password hashes, access other users' data, take over accounts or cause mischief with injection attacks.

How useful such a change of perspective is can probably be understood by anyone who has ever carried out a brute-force or dictionary attack on a simple test password. Tools like John the Ripper try all possible character combinations, or every entry of a word list, as the password for an encrypted ZIP file, and passwords like “123456”, “password” or “schatzi1” usually do not last a minute. Having experienced this once in practice, most people will use sensible passwords afterwards, at least for important accounts.

With the Juice Shop, however, it does not stop at pure aha moments. Thanks to the multitude of realistic challenges and security gaps, just as many very practical lessons can be learned for your own development work. Anyone who has seen how easily the password “test” can be cracked will never use it again, and anyone who understands how easy it is to find supposedly hidden areas of a web application will no longer “hide” them simply by omitting the links.

Hacking becomes a game, which is certainly good for motivation.

(Image: Lang / OWASP)

Finding hidden areas is also the first challenge of the Juice Shop, and it shows another special feature: the keyword here is gamification. The Juice Shop is not only a shop riddled with gaps, but also playful educational software. In the shop itself you will find all the tasks to tackle, hints on solutions and in some cases whole tutorials.

Progress is neatly documented on a score board. This score board is not linked in the interface, and finding its URL is the first challenge after starting the Juice Shop. In keeping with the beginner-friendly, playful approach, a small assistant helps you to find the URL in the shop's JavaScript bundle.

In general, Juice Shop rarely leaves you out in the rain. In addition to the instructions in the program itself, the appendix of the documentation contains precise solutions for the individual tasks. And of course there are also hints on the security gaps themselves, if in doubt simply as links to the respective CVEs. This certainly makes Juice Shop one of the best ways to bridge hacking theory and hacking practice: safe, legal, guided, playful, practice-relevant and definitely also simply fun.

Set up Juice Shop

You may know it from IT security software, hacking projects and other applications aimed at developers, hackers, admins and the like: even getting started is usually difficult, and setting up dependencies and tools quickly eats up hours. Juice Shop makes this very easy and offers a whole handful of ways to run the software.

The easiest option is the recommended standard version: Juice Shop can be deployed directly from the associated GitHub repository as a separate instance on the cloud platform Heroku. Heroku is a Platform as a Service (PaaS) through which you can develop and deploy applications; at the time of writing this was possible with a free account for non-commercial purposes. (Note that Heroku discontinued its free plans in November 2022, so this route now costs money; the self-hosted options below remain free.)

The whole setup is actually limited to registering with Heroku and clicking the deploy-to-Heroku link in the Juice Shop repo or, of course, in a fork of the repo on GitHub. Alternatively, you can run Juice Shop via Node.js and its package manager npm, as a Docker container, with Vagrant + VirtualBox, or on Amazon EC2, Azure and Google Compute Engine.

An introduction to Juice Shop

The score board address from the source code leads to a successfully solved challenge.

(Image: Lang / OWASP)

To get started, you should go the intended way and solve the challenge mentioned above: find the score board, which is where the further information and tasks are offered in the first place. The way there is quite simple: open the browser's developer tools with F12, open the file “main-es2015.js” in the Sources tab and simply search for “score” or “board”. In a listing of all areas of the shop, the entry path: "score-board" gives the solution, which is then reflected in a URL such as “https://juiceshop-ml.herokuapp.com/#/score-board”.

Once this first simple challenge is solved, the wizard says goodbye and you can carry on as you wish, open-world style. Juice Shop itself recommends starting with the “happy path”, i.e. the normal, intended use of the shop as an ordinary customer, in order to understand how the application basically works. Tip: keep an eye on the JavaScript console in the developer tools.

To show an interesting, simple and obvious example: you want to get into the backend, the admin area. Here it becomes marginally more complex than with the score board, but it shows well how all the other challenges can be solved with assistance. First of all, you need a URL again, because the admin area is not linked either. The same look at the source very quickly turns up “administration”.
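The manual search in main-es2015.js described above for “score-board” and “administration” can be automated: every client-side route appears in the bundle as a path: "..." entry, and whatever is not reachable from a link in the page is a candidate hidden area. The following script is an added example, not part of the article or of the Juice Shop project. The bundle and HTML excerpts in it are constructed to mimic the shape of a minified Angular route table and of the shop's hash-based links; if you save the real bundle and page source to disk, the script accepts both file names as arguments.

```python
import re
import sys

# Constructed excerpt in the style of a minified Angular route table
# (not copied from the real main-es2015.js, which is far larger).
SAMPLE_BUNDLE = (
    'const t=[{path:"administration",component:Ht},{path:"accounting",component:Vt},'
    '{path:"about",component:Lt},{path:"address/select",component:St},'
    '{path:"login",component:Ot},{path:"score-board",component:Pt},'
    '{path:"search",component:Rt},{path:"track-result",component:Ut},'
    '{path:"product/:id",component:Qt},{path:"**",redirectTo:"search"}];'
)

# Constructed excerpt of the rendered page: the hash links a visitor can click.
SAMPLE_HTML = (
    '<a href="#/search">Home</a> <a href="#/about">About Us</a> '
    '<a href="#/login">Login</a> <a href="#/product/1">Apple Juice</a>'
)

ROUTE_RE = re.compile(r'path\s*:\s*["\']([^"\']*)["\']')
HREF_RE = re.compile(r'href\s*=\s*["\']#/([^"\'#?]*)')


def extract_routes(bundle_js):
    """Every client-side route the bundle declares, in order, without duplicates.
    The empty root route and the '**' catch-all carry no information and are dropped."""
    routes = []
    for path in ROUTE_RE.findall(bundle_js):
        if path and path != "**" and path not in routes:
            routes.append(path)
    return routes


def linked_paths(html):
    """The hash routes that are actually linked from the page."""
    return {href.strip("/") for href in HREF_RE.findall(html)}


def hidden_routes(bundle_js, html):
    """Routes present in the bundle but not linked in the UI: the places worth visiting."""
    linked = linked_paths(html)
    hidden = []
    for route in extract_routes(bundle_js):
        if "/:" in route:
            # a parameterised route such as product/:id counts as linked
            # as soon as any concrete instance (product/1) is linked
            prefix = route.split("/:")[0] + "/"
            if any(link.startswith(prefix) for link in linked):
                continue
        elif route in linked:
            continue
        hidden.append(route)
    return hidden


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            bundle = f.read()
        with open(sys.argv[2], encoding="utf-8") as f:
            html = f.read()
    else:
        bundle, html = SAMPLE_BUNDLE, SAMPLE_HTML
    for route in hidden_routes(bundle, html):
        print("#/" + route)
```

On the constructed input the script reports administration, accounting, address/select, score-board and track-result as unlinked; against a real bundle it gives you the complete route map at once instead of one keyword search per hunch, which is exactly why omitting a link is no protection.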

Of course, the admin area is password protected. Now there are all sorts of ways to gain access anyway. One variant runs via SQL injection and password hashes. The shop's own search box in the interface is, of course, not suited to such purposes. But there is a REST endpoint behind the search, of the form “https://juiceshop-ml.herokuapp.com/rest/products/search?q=something”. Instead of “something”, you can place a single quote (') here, which produces a database error message suggesting that SQL injection is possible.

The injected search term then looks like this, for example:

qwert')) UNION SELECT id, email, password, '4', '5', '6', '7', '8', '9' FROM Users--

The quote and the “))” close the search term and the parentheses of the shop's own LIKE query, UNION appends a second SELECT with the same number of columns (nine, the number the products query returns), and the trailing “--” comments out the rest of the original statement. This simple query thus returns the e-mail addresses and password hashes of all users. The admin's hash, “0192023a7bbd73250516f069df18b500”, is an unsalted MD5 hash; it cannot be decoded, but it can be looked up on a site like CrackStation, which immediately yields “admin123”. With that you can log in as admin.

How exactly this SQL string comes about is, of course, also explained in the docs; ultimately all steps can be mastered via the docs, the appendix, the linked CVEs or more or less wild Google searches. There is a learning effect even if you only work through the predefined solutions without getting creative yourself, but it is certainly more fun to find your own way into the shop's internals.

For all the fun, however, Juice Shop is more than just a gimmick and can be recommended to every developer, admin and prospective hacker for learning essential lessons about IT security. And of course, Juice Shop is open source, so you can also customize the project for your own purposes, for example to give training courses or to train new employees in the security area. Or perhaps to present your own security products as a countermeasure.


