OWASP Juice Shop (owasp.org)
144 points by hyperific on Jan 23, 2023 | hide | past | favorite | 14 comments



We've been working on an example vulnerable app to showcase vulnerable dependencies in web apps. (Think a CVE in an NPM package.)

I've been wanting that so that I can test out different security scanning and patching tools, but also actually build a test playground to exploit vulnerable dependencies. (I want to accelerate exploit development for CVEs by making it more standardized.)

If you have a CVE that you'd like to write a POC exploit scenario for, you can add it to this project quickly and easily with pre-built templates[1]! (Wasp[2] is an awesome project that simplifies web dev tooling complexity.)

Are there any other projects with similar goals that anybody is aware of? Asking because I couldn't find any, but I'd love to merge efforts if somebody is already doing this!

0: https://github.com/lunasec-io/damn-vulnerable-js-sca

1: https://github.com/lunasec-io/damn-vulnerable-js-sca/tree/ma...

2: https://wasp-lang.dev/


I just want to say thanks for this, we used it for an internal workshop for our webdev department with very limited prior netsec experience and it was a big hit.

The AIO character and a little bit of gamification through the leaderboard made it an easy-to-set-up but really fun event!

Edit: Damn, I should read before posting - was talking about the juice shop. Your project might be nice follow-up though!


From the TFA -

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the OWASP VWA Directory.


This is awesome! Convenient for folks who use the Express/Angular stack but conceptual stuff should be pretty universal regardless.

Wasn't aware of this project at all but found the following links useful for context:

The actual Juice Shop website can be found at https://juice-shop.herokuapp.com/#/

and the github link for viewing code is https://github.com/juice-shop/juice-shop/releases/


This has been around a while, but I used it with success teaching students all about pesky web app vulns. It's one thing reading about them in a book; it's a whole other level getting students to find them.


Are there any similar CTF projects that you can download and run offline?


If you look at https://owasp.org/www-project-vulnerable-web-applications-di... and click the "offline" tab you'll see a load of apps there.


I think https://www.vulnhub.com/ has quite a few.


You can download and run Juice Shop offline locally.


At a job I had, we had a big CTF event where people broke into groups and attempted to capture flags in the Juice Shop. I thought it was a lot of fun.


On mobile, I only see an "Accept" button for the cookie banner. How can I dismiss it?


> On mobile, I only see an "Accept" button for the cookie banner.

Seems like there is an "X" button to close the dialog, but the element (#close-disclaimer) is only visible on screens approx. over 700px in width and it gets pushed off screen on anything smaller.

> How can I dismiss it?

Personally I didn't even see it on my phone, perhaps due to any of the following:

  - browser: Firefox
  - setting: tracking protection turned on
  - addon: uBlock Origin
  - something else?
Well, either it was one of those, or it broke in a way that it wasn't shown altogether.


Can you edit prices client side? If not, I’ve seen worse in the wild.


I hope OWASP can fix their janky toaster/banner when I open the site.

