Learning to hack a website is not as difficult as I thought. It actually is quite easy, even for me, a not so very technical person. Maybe you have read my post about my adventures in learning application security. While that was rather theoretical, this time I tried a more practical approach. I wanted to break something.
The Juice Shop
Björn Kimminich published his OWASP Juice Shop project some time ago, giving an opportunity to learn the basics of hacking (and a bit more) while providing
- a hacking learning challenge with 38+ security issues and the infrastructure to run the website to be hacked in Docker or in the cloud so that you have your own “target”
- a workshop for not so experienced people to learn in a group with the help of others
The challenges range from executing some SQL script injection, cross-site scripting and via some session misuse to – well I did not get there. There have been way more advanced challenges. Try it yourself!
Just another StugHH Event?
Well, it was not just another StugHH event.
First, we had a great location at OOSE (Thanks Georg Haupt) in their café, thus giving an atmosphere of a good old LAN party. Everybody brought his laptop and then started the challenge. Our speaker Jens Hausherr from XING gave a short intro and then we started. Well, most of us. Some first had the challenge to get the stuff installed. Others had the challenge not to spill beer onto the keyboard. I guess, installing was the hurdle to see if you are technical enough to start the challenge.
Second, the audience was different than usual. We were fewer people (very sad), and partially also other people than usual. One person already came to his second Juice Shop session, in order to tackle the more difficult challenges.
I wonder if the usual crowd did not like the topic or thought it was too technical. Because it was technical. At least for me and some others this posed an issue. I was ok with the first 2 or 3 challenges, but then I had to do a very old trick: social engineering… i.e. I asked my fellow hackers for advice. But then I managed to master 7 challenges, … I was very proud! (Even if quite a few of the audience did way more, some did less) And the technical issues I had would be easy to learn within a few days, just a bit of website specialities, REST service call mechanisms, and tools… Nothing too exciting. Anybody could learn that! I for example hacked the admin password of the site, I faked recommendations and entered the shopping cart of another person. Scary!
As organizer of the event, I should have pushed more for pairing as an opportunity to participate: that way, maybe even less technical people could enjoy/endure to feel how easy it is to hack. To get hacked. Some came for that reason anyways, but I fear, for them it was a bit frustrating (sorry for that, but great that you came in the first place!).
OWASP is your best friend. Learn it!
It was a very good learning experience for me to get my theoretical basis extended. “OWASP is your best friend”. This is just very true, you can learn so much from there. But for me, just reading was not successful. The workshop makes a difference because it gets people playing!
Obviously the website contained the top 10 typical errors OWASP reports. So those are the errors that are prominent! And it would be so easy to avoid those. Just get your team to learn them, for example by running this Juice Shop workshop. Have it at work, in university, or even in school! Just for everybody who develops or controls quality. There are plans to make team challenges out of it, I guess that would be a great opportunity for further gamification in quality assurance.