Table of Contents

Preface
  1.1 Introduction
  1.2 Why OWASP Juice Shop exists
  1.3 Architecture overview
Part I - Hacking preparations
  2.1 Hacking preparations
  2.2 Running OWASP Juice Shop
  2.3 Vulnerability categories
  2.4 Challenge tracking
  2.5 Hacking exercise rules
  2.6 Walking the "happy path"
  2.7 Customization
  2.8 Hosting a CTF event
Part II - Challenge hunting
  3.1 Challenge hunting
  3.2 Finding the Score Board
  3.3 Injection
  3.4 Broken Authentication
  3.5 Forgotten Content
  3.6 Roll your own Security
  3.7 Sensitive Data Exposure
  3.8 XML External Entities (XXE)
  3.9 Improper Input Validation
  3.10 Broken Access Control
  3.11 Security Misconfiguration
  3.12 Cross Site Scripting (XSS)
  3.13 Insecure Deserialization
  3.14 Vulnerable Components
  3.15 Security through Obscurity
  3.16 Race Condition
Part III - Getting involved
  4.1 Getting involved
  4.2 Provide feedback
  4.3 Contribute to development
  4.4 Codebase 101
  4.5 Help with translation
  4.6 Donations
Appendix
  5.1 Appendix A - Challenge solutions
  5.2 Appendix B - Trainer's guide
Postface
  6.1 About this book

Pwning OWASP Juice Shop
Written by Björn Kimminich

Introduction

This is the official companion guide to the OWASP Juice Shop application. Being a web application with a vast number of intended security vulnerabilities, the OWASP Juice Shop is supposed to be the opposite of a best practice or template application for web developers: it is an awareness, training, demonstration and exercise tool for security risks in modern web applications. The OWASP Juice Shop is an open-source project hosted by the non-profit Open Web Application Security Project (OWASP) and is developed and maintained by volunteers.

The content of this book was written for v8.1.1 of OWASP Juice Shop. A major rewrite for version 8.x is currently ongoing! Several hints and solutions are still for the 7.x version and might not work as-is on 8.x! The content will be incrementally updated for 8.x only on GitBook! To download the last edition of this book that is fully compatible with 7.x, please visit https://leanpub.com/juice-shop. The LeanPub edition will not be re-published before the transition to 8.x is completed.

The book is divided into three parts:

Part I - Hacking preparations: Part one helps you to get the application running and to set up optional hacking tools.
Part II - Challenge hunting: Part two gives an overview of the vulnerabilities found in the OWASP Juice Shop, including hints on how to find and exploit them in the application.
Part III - Getting involved: Part three shows various ways to contribute to the OWASP Juice Shop open source project.

Please be aware that this book is not supposed to be a comprehensive introduction to Web Application Security in general. For every category of vulnerabilities present in the OWASP Juice Shop you will find a brief explanation - typically by quoting and referencing existing content on the given topic.

Download a .pdf, .epub, or .mobi file from:
  https://leanpub.com/juice-shop (official release)
  https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop
Read the book online at:
  https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content
Contribute content, suggestions, and fixes on GitHub:
  https://github.com/bkimminich/pwning-juice-shop
Official OWASP Juice Shop project homepage:
  http://owasp-juice.shop

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Why the Juice Shop exists

To the unsuspecting user the Juice Shop just looks like a small online shop which sells - surprise! - fruit & vegetable juice and associated products. Except for the entirely overrated payment and delivery aspect of the e-commerce business, the Juice Shop is fully functional. But this is just the tip of the iceberg. The Juice Shop contains 73 challenges of varying difficulty where you are supposed to exploit underlying security vulnerabilities. These vulnerabilities were intentionally planted in the application for exactly that purpose, but in a way that actually happens in "real-life" web development as well! Your hacking progress is tracked by the application using immediate push notifications for successful exploits as well as a score board for progress overview. Finding this score board is actually one of the (easiest) challenges! The idea behind this is
