15 comments

[ 3.1 ms ] story [ 49.2 ms ] thread
From the TFA -

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the OWASP VWA Directory.

Can you edit prices client side? If not, I’ve seen worse in the wild.
I hope OWASP can fix their janky toaster/banner when I open the site.
(comment deleted)
We've been working on an example vulnerable app to showcase vulnerable dependencies in web apps. (Think a CVE in an NPM package.)

I've been wanting that so that I can test out different security scanning and patching tools, but also actually build a test playground to exploit vulnerable dependencies. (I want to accelerate exploit development for CVEs by making it more standardized.)

If you have a CVE that you'd like to write a POC exploit scenario for, you can add it to this project quickly and easily with pre-built templates[1]! (Wasp[2] is an awesome project that simplifies web dev tooling complexity.)

Are there any other projects with similar goals that anybody is aware of? Asking because I couldn't find any, but I'd love to merge efforts if somebody is already doing this!

0: https://github.com/lunasec-io/damn-vulnerable-js-sca

1: https://github.com/lunasec-io/damn-vulnerable-js-sca/tree/ma...

2: https://wasp-lang.dev/

I just want to say thanks for this, we used it for an internal workshop for our webdev department with very limited prior netsec experience and it was a big hit.

The AIO character and a little bit of gamification through the leaderboard made it an easy to setup but really fun event!

Edit: Damn, I should read before posting - was talking about the juice shop. Your project might be nice follow-up though!

On mobile, I only see an "Accept" button for the cookie banner. How can I dismiss it?
> On mobile, I only see an "Accept" button for the cookie banner.

Seems like there is an "X" button to close the dialog, but the element (#close-disclaimer) is only visible on screens approx. over 700px in width and it gets pushed off screen on anything smaller.

> How can I dismiss it?

Personally I didn't even see it on my phone, perhaps due to any of the following:

  - browser: Firefox
  - setting: tracking protection turned on
  - addon: uBlock Origin
  - something else?
Well, either it was one of those, or it broke in a way that it wasn't shown altogether.
At a job I had, we had a big CTF event where people broke into groups and attempted to capture flags in the Juice Shop. I thought it was a lot of fun.
This been around a while, but I used it with success teaching students all about pesky web app vulns. There's one thing reading about them in a book, it's a whole other level getting students to find them.