Ever wanted to see the simple concepts hackers use to break into your web application, even without a technical background? In this blog, we take a look at some free and open source security education that puts you in the driver’s seat to use these attacks in a safe and – most importantly – legal way via OWASP.
What is OWASP?
The Open Web Application Security Project® is a non-profit organisation whose mission is to educate everyone possible about Web Application Security.
OWASP is probably best known for its publication of the 10 most common web application vulnerabilities being exploited on the internet today. The foundation has also provided numerous open source projects to enable security for the masses.
Some of my favourite projects include:
- Zed Attack Proxy (ZAP) Project – A tool that can easily replace Burp Suite or similar intercepting proxy software specialised for Web App Security.
- WebGoat and Juice Shop – The main subject of this article: tools for teaching the art of Web App Security.
- ModSecurity Core Rule Set – A well maintained list of attack signatures that can be imported to take the burden off InfoSec teams.
What is Juice Shop?
As mentioned above, Juice Shop is designed to be a highly customisable web application with deliberate mistakes coded into it, enabling a user to practise the attacks used by real hackers and learn how Web Application attacks are performed. It is in a similar style to other projects such as DVWA.
Juice Shop succeeds an older vulnerable web application project, WebGoat, which carries warnings that it may also make the underlying host system vulnerable to attack, so that host needs securing to limit the potential damage.
To get started, there are numerous walkthroughs provided with the Juice Shop project as well as a trainer’s manual that enables classes to be run with very little experience.
In addition to a copy of Juice Shop available for free on the internet, you are also given access to the source code that allows you to explore and edit it for your requirements.
Some customisations for Juice Shop
The best part of Juice Shop is that there are so many customisations possible. A lot of the content has been set out in easy-to-read YAML files that allow you to change the look and feel of the site as well as many underlying aspects of the Shop.
On top of this, there are modules installed that allow you to plug your instance of the Juice Shop into some popular Capture the Flag frameworks with dynamic flag generation so you cannot just Google for the answer.
From the items listed in the Shop to the rules of your Capture the Flag event, you can warp the Shop to ensure a truly unique experience – even after many deployments.
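To show why dynamic flags defeat a quick web search, here is an added illustration (written for this post, not Juice Shop's own code) of per-deployment flag derivation: each flag is an HMAC over the challenge name under a secret that is unique to the deployment, so a flag leaked from someone else's instance is worthless against yours. Juice Shop itself keys its flags from a CTF_KEY environment variable; the derivation, the challenge names and the key handling below are a simplified assumption for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of challenge names for the demo; not Juice Shop's real list.
CHALLENGES = ["Score Board", "DOM XSS", "Admin Section"]


def new_deployment_key() -> str:
    """Generate a fresh per-deployment secret (what an operator would put in CTF_KEY)."""
    return secrets.token_hex(32)


def derive_flag(ctf_key: str, challenge_name: str) -> str:
    """Flag = hex(HMAC-SHA1(ctf_key, challenge_name)).

    Deterministic for one key (so the scoreboard can re-derive it at check time),
    but a different key yields completely different flags for every challenge.
    """
    return hmac.new(ctf_key.encode(), challenge_name.encode(), hashlib.sha1).hexdigest()


def flags_for_deployment(ctf_key: str) -> dict:
    """Flag set handed to the CTF framework for one deployment."""
    return {name: derive_flag(ctf_key, name) for name in CHALLENGES}


def check_submission(ctf_key: str, challenge_name: str, submitted: str) -> bool:
    """Verify a player's flag by re-deriving it rather than storing it.

    compare_digest is constant-time, so a wrong guess does not leak how many
    leading characters matched.
    """
    expected = derive_flag(ctf_key, challenge_name)
    return hmac.compare_digest(expected, submitted.strip().lower())


if __name__ == "__main__":
    key_a, key_b = new_deployment_key(), new_deployment_key()
    for name, flag in flags_for_deployment(key_a).items():
        print(f"{name:14s} {flag}  (other deployment: {derive_flag(key_b, name)})")
```

Rotating the key between events regenerates every flag without touching the challenge definitions.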
Some extra Juice Shop applications
Not only can this be used as a teaching tool, but because of its inherently insecure nature, you can even use it as a safe target against which to test your WAF rules or other Web App protections to ensure their suitability.
If security scanners are unable to exploit flaws within any of the vulnerable web applications mentioned in this article, then you have demonstrated the depth of your security defences and the controls in place before traffic even touches the application layer.
Give Juice Shop a try
Give it a go for yourself! There is no excuse not to educate yourself on the subject of computer security, and testing web applications can be a great gateway into the field! Just head on over to the free Juice Shop hosted application and use its search to find:
Yes! It’s THAT easy!
Paul Hardy is a Principal Systems Developer at Cloudreach with a passion for Offensive Security. Having worked with Cloudreach for almost a decade, he has built up expertise over a wide range of technologies, often finding new and creative ways to improve the security for Cloudreach’s customers.