Learning Application Security – Fun with the Juice Shop

Learning to hack a website is not as difficult as I thought. It actually is quite easy, even for me, a not so very technical person. Maybe you have read my post about my adventures in learning application security. While that was rather theoretical, this time I tried a more practical approach. I wanted to break something.

The Juice Shop

The challenge board, marking the challenges you have mastered

Björn Kimminich published his OWASP Juice Shop project some time ago, giving an opportunity to learn the basics of hacking (and a bit more) while providing

  • an intentionally insecure JavaScript web application, “The most trustworthy online shop out there”, written entirely in JavaScript and listed in the OWASP VWA Directory. It also seems to be the first broken web app that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend. (See the intro pages on the workshop.)
  • a hacking learning challenge with 38+ security issues, plus the infrastructure to run the website to be hacked in Docker or in the cloud, so that you have your own “target”
  • a workshop for not so experienced people to learn in a group with the help of others

The challenges range from executing some SQL injection and cross-site scripting, via some session misuse, to – well, I did not get there. There were far more advanced challenges. Try it yourself!

Just another StugHH Event?

Well, it was not just another StugHH event.

First, we had a great location at OOSE (thanks, Georg Haupt) in their café, which gave it the atmosphere of a good old LAN party. Everybody brought his laptop and then started the challenge. Our speaker Jens Hausherr from XING gave a short intro and then we started. Well, most of us. Some first had the challenge to get the stuff installed. Others had the challenge not to spill beer onto the keyboard. I guess installing was the hurdle to see if you are technical enough to start the challenge.

Second, the audience was different than usual. We were fewer people (very sad), and partially also other people than usual. One person was already attending his second Juice Shop session, in order to tackle the more difficult challenges.

I wonder if the usual crowd did not like the topic or thought it was too technical. Because it was technical. At least for me and some others this posed an issue. I was OK with the first 2 or 3 challenges, but then I had to do a very old trick: social engineering… i.e. I asked my fellow hackers for advice. But then I managed to master 7 challenges… I was very proud! (Even if quite a few of the audience did way more, some did less.) And the technical issues I had would be easy to learn within a few days: just a bit of website specialities, REST service call mechanisms, and tools… Nothing too exciting. Anybody could learn that! I, for example, hacked the admin password of the site, faked recommendations and entered the shopping cart of another person. Scary!

As organizer of the event, I should have pushed more for pairing as an opportunity to participate: that way, maybe even less technical people could enjoy/endure feeling how easy it is to hack. To get hacked. Some came for that reason anyway, but I fear for them it was a bit frustrating (sorry for that, but great that you came in the first place!).

OWASP is your best friend. Learn it!

It was a very good learning experience for me to get my theoretical basis extended. “OWASP is your best friend”. This is just very true; you can learn so much from there. But for me, just reading was not successful. The workshop makes a difference in that it gets people playing!

Obviously the website contained the top 10 typical errors OWASP reports. So those are the errors that are prominent! And it would be so easy to avoid those. Just get your team to learn them, for example by running this Juice Shop workshop. Have it at work, in university, or even in school! Just for everybody who develops or controls quality. There are plans to make team challenges out of it; I guess that would be a great opportunity for further gamification in quality assurance.

One comment

  1. Hi Ursula,

    good blog post, nice to read, how other groups experienced the JuiceShop workshop.

    We ran this with Bjoern himself in the English-speaking testers meetup group (https://www.meetup.com/de-DE/Software-Tester-Group-Hamburg-English-speaking/).

    The timebox was roughly 2 hours and a bit. We got a short introduction into security (~20 min) and then we started.

    Even if pairing was encouraged, afais most people dived right into it and went solo. Me included.

    Reflecting, I think it was somewhat the “competing” solution; might not have helped, that Bjoern offered a JuiceShop scarf as a “winner” goodie. 😉

    But that is (given the chance) my approach as well; get into it, figure stuff out myself and after it, have a list of questions in my mind which I can’t figure out.

    Then I would switch to collaboration, aka looking for help or experts, who know more about it than me.

    I feel that way I am not “wasting” someone’s time with “obvious” questions, which can be figured out by oneself.

    In the workshop we did a kind of small break after some time to have a group talk and sharing, who found what, which are the things, where people got stuck, etc.

    Bjoern guided us through one of the more challenging tasks; I liked that, it showed me the complexity of attack vectors.

    He also got us unstuck on one task, where we knew what we wanted, but didn’t have the (handwerklichen) skills to do it.
    Keyword: Poison Null Byte (even that I still remember that, shows that learning has happened, yeah.).

    The audience was mixed for us, we had maybe a dozen attendees, with a ratio of ~40% developers; which for a Testing event is surprising. Topic is king.

    The Juiceshop workshop is often run as a halfday, maybe even one day session.

    Due to the limited timebox (event after work, etc.) some of the comments afterwards were that some still would like another session to continue to work on challenges, maybe more in a group setup and in self-organisation style.

    Best,
    MaikNog
