OWASP Juice Shop
OWASP Juice Shop is an intentionally insecure web app for security training written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.
For a detailed introduction, full list of features and architecture overview please visit the official project page here.
Setup
Deploy on Heroku (free ($0/month) dyno)
- Click the button below and follow the instructions
This is the quickest way to get a running instance of Juice Shop! If you have forked this repository, the deploy button will automatically pick up your fork for deployment! As long as you do not perform any DDoS attacks you are free to use any tools or scripts to hack your Juice Shop instance on Heroku!
From Sources
- Install node.js
- Run
git clone https://github.com/bkimminich/juice-shop.git
(or clone your own fork of the repository) - Go into the cloned folder with
cd juice-shop
- Run
npm install
(only has to be done before the first start or when you change the source code) - Run
npm start
- Browse to http://localhost:3000
Docker Container
- Install Docker
- Run
docker pull bkimminich/juice-shop
- Run
docker run -d -p 3000:3000 bkimminich/juice-shop
- Browse to http://localhost:3000 (on macOS and Windows browse to http://192.168.99.100:3000 if you are using docker-machine instead of the native docker installation )
Even easier: Run Docker Container from Docker Toolbox (Kitematic)
- Install and launch Docker Toolbox
- Search for juice-shop and click Create to download image and run the container
- Click on the Open icon next to Web Preview to browse to OWASP Juice Shop
Changelog v9.3
? Challenges
- Added Cross-Site Imaging challenge which is all about ?es and ?s
? Features
- Added three super “secure” new security questions to choose from
? Customization
- Added distinct section
hackingInstructor
with properties
isEnabled
to turn it on/off (true
by default)avatarImage
to configure the avatar presenting the speech bubbles (juicyBot.png
by default)- Deprecated
application.showHackingInstructor
in favor of abovementionedhackingInstructor.isEnabled
- Removed
deluxePage
section as Deluxe Membership now reuses the configuredapplication.logo
- Fixed static “OWASP Juice Shop” showing on Deluxe Membership page regardless of
application.name
? Bugfixes
- Recycling requests are now associated to their user’s address via DB relationship properly
- #1217: Switched to
bkimminich/i18n-node
to prevent regression until mashpie/i18n-node#420 is merged? I18N
- Completed ?? translation for frontend and backend texts
- Extended translations for ??, ??, ?? and ??
- Added ?? as new language
? Miscellaneous
- Cookie for dismissing welcome banner is now stored for 1 year (instead of using session-scope)
Download
Copyright (c) 2014-2018 Bjoern Kimminich
The post OWASP Juice Shop v9.3 releases: intentionally insecure webapp for security trainings appeared first on Penetration Testing.