{"id":117,"date":"2017-04-17T21:44:44","date_gmt":"2017-04-17T19:44:44","guid":{"rendered":"http:\/\/testhexen.de\/?p=117"},"modified":"2017-04-19T08:12:45","modified_gmt":"2017-04-19T06:12:45","slug":"learning-application-security-fun-with-the-juice-shop","status":"publish","type":"post","link":"https:\/\/testhexen.de\/?p=117","title":{"rendered":"Learning Application Security &#8211; Fun with the Juice Shop"},"content":{"rendered":"<p>Learning to hack a website is not as difficult as I thought. It actually is quite easy, even for me, a not very technical person. Maybe you have read my <a href=\"http:\/\/testhexen.de\/?p=80\" target=\"_blank\">post about my adventures in learning application security<\/a>. While that was rather theoretical, this time I tried a more practical approach. I wanted to break something.<\/p>\n<h2>The Juice Shop<\/h2>\n<figure id=\"attachment_119\" aria-describedby=\"caption-attachment-119\" style=\"width: 300px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-119 size-medium\" src=\"http:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0276_resized_20170417_051052501-300x168.jpg\" alt=\"\" width=\"300\" height=\"168\" srcset=\"https:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0276_resized_20170417_051052501-300x168.jpg 300w, https:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0276_resized_20170417_051052501-768x429.jpg 768w, https:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0276_resized_20170417_051052501-1024x572.jpg 1024w, https:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0276_resized_20170417_051052501-1440x805.jpg 1440w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><figcaption id=\"caption-attachment-119\" class=\"wp-caption-text\">The challenge board, marking the challenges you have solved<\/figcaption><\/figure>\n<p>Some time ago, Bj\u00f6rn Kimminich published his <a href=\"http:\/\/bkimminich.github.io\/juice-shop\/#\/\">OWASP Juice Shop 
project<\/a>, giving an opportunity to learn the basics of hacking (and a bit more) while providing<\/p>\n<ul>\n<li><span style=\"text-decoration: line-through;\">an intentionally insecure JavaScript web application<\/span>, &#8220;the most trustworthy online shop out there&#8221;, written entirely in JavaScript and listed in the <a href=\"https:\/\/www.owasp.org\/index.php\/OWASP_Vulnerable_Web_Applications_Directory_Project\">OWASP VWA Directory<\/a>. It also seems to be the first broken web app that uses the currently popular architecture of an <a href=\"http:\/\/en.wikipedia.org\/wiki\/Single-page_application\">SPA<\/a>\/<a href=\"http:\/\/en.wikipedia.org\/wiki\/Rich_Internet_application\">RIA<\/a> frontend with a <a href=\"http:\/\/en.wikipedia.org\/wiki\/Representational_state_transfer\">RESTful<\/a> backend (<a href=\"http:\/\/bkimminich.github.io\/juice-shop\/#\/\">see the project's intro pages<\/a>)<\/li>\n<li>a hacking challenge with 38+ security issues, plus the infrastructure to run the website to be hacked in Docker or in the cloud, so that you have your own &#8220;target&#8221;<\/li>\n<li>a workshop format for less experienced people to learn in a group with the help of others<\/li>\n<\/ul>\n<p>The challenges range from SQL injection and cross-site scripting via some session misuse to &#8211; well, I did not get there. There were far more advanced challenges. Try it yourself!<\/p>\n<h2>Just another StugHH Event?<\/h2>\n<p>Well, it was not just another <a href=\"https:\/\/www.xing.com\/events\/juice-shop-hacking-session-1771555\">StugHH event<\/a>.<\/p>\n<p>First, we had a great location at <a href=\"https:\/\/www.oose.de\/\">OOSE<\/a> (thanks, Georg Haupt) in their caf\u00e9, which gave it the atmosphere of a good old LAN party. Everybody brought their laptop and started on the challenges. Our speaker <a href=\"https:\/\/www.xing.com\/profile\/Jens_Hausherr?sc_o=da980_e\">Jens Hausherr<\/a> from XING gave a short intro and then we started. 
Well, most of us. Some first had the challenge of getting the software installed. Others had the challenge of not spilling beer onto the keyboard. I guess installing was the hurdle that showed whether you were technical enough to start the challenge.<img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-120\" src=\"http:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0273_resized_20170417_051053247-168x300.jpg\" alt=\"Lan Party\" width=\"168\" height=\"300\" srcset=\"https:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0273_resized_20170417_051053247-168x300.jpg 168w, https:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0273_resized_20170417_051053247-768x1374.jpg 768w, https:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0273_resized_20170417_051053247-572x1024.jpg 572w, https:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0273_resized_20170417_051053247-805x1440.jpg 805w, https:\/\/testhexen.de\/wp-content\/uploads\/2017\/04\/IMAG0273_resized_20170417_051053247.jpg 1368w\" sizes=\"auto, (max-width: 168px) 100vw, 168px\" \/><\/p>\n<p>Second, the audience was different from usual. We were fewer people (very sad), and partly also different people than usual. One person had already come to his second Juice Shop session in order to tackle the more difficult challenges.<\/p>\n<p>I wonder if the usual crowd did not like the topic or thought it was too technical. Because it was technical. At least for me and some others this posed an issue. I was OK with the first 2 or 3 challenges, but then I had to resort to a very old trick: social engineering&#8230; i.e. I asked my fellow hackers for advice. But then I managed to master 7 challenges&#8230; I was very proud! (Even if quite a few of the audience did way more, some did less.) And the technical gaps I had would be easy to close within a few days: just a bit of website internals, how REST service calls work, and the tools&#8230; Nothing too exciting. Anybody could learn that! 
I, for example, hacked the admin password of the site, faked recommendations and got into the shopping cart of another person. Scary!<\/p>\n<p>As organizer of the event, I should have pushed more for pairing as an opportunity to participate: that way, maybe even less technical people could enjoy\/endure feeling how easy it is to hack. And to get hacked. Some came for that reason anyway, but I fear for them it was a bit frustrating (sorry for that, but great that you came in the first place!).<\/p>\n<h2>OWASP is your best friend. Learn it!<\/h2>\n<p>It was a very good learning experience for me to extend my theoretical basis. &#8220;OWASP is your best friend.&#8221; This is just very true; you can learn so much from there. But for me, just reading was not successful. The workshop makes a difference in that it gets people playing!<\/p>\n<p>Obviously the website contained the typical errors from the OWASP Top 10. So those are the errors that are prominent! And it would be so easy to avoid them. Just get your team to learn them, for example by running this Juice Shop workshop. Have it at work, at university, or even in school, for everybody who develops or controls quality. There are plans to make team challenges out of it; I guess that would be a great opportunity for further gamification of quality assurance.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learning to hack a website is not as difficult as I thought. It actually is quite easy, even for me, a not very technical person. Maybe you have read my post about my adventures in learning application security. 
While that was rather theoretical, this time I tried a more &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,12],"tags":[17,18],"class_list":["post-117","post","type-post","status-publish","format-standard","hentry","category-knowledgesharing","category-stughh","tag-application-security","tag-juice-shop-hacking"],"_links":{"self":[{"href":"https:\/\/testhexen.de\/index.php?rest_route=\/wp\/v2\/posts\/117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testhexen.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testhexen.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testhexen.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testhexen.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=117"}],"version-history":[{"count":8,"href":"https:\/\/testhexen.de\/index.php?rest_route=\/wp\/v2\/posts\/117\/revisions"}],"predecessor-version":[{"id":127,"href":"https:\/\/testhexen.de\/index.php?rest_route=\/wp\/v2\/posts\/117\/revisions\/127"}],"wp:attachment":[{"href":"https:\/\/testhexen.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testhexen.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testhexen.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}