OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the OWASP VWA Directory.
We've been working on an example vulnerable app to showcase vulnerable dependencies in web apps. (Think a CVE in an NPM package.)
I've been wanting that so that I can test out different security scanning and patching tools, but also actually build a test playground to exploit vulnerable dependencies. (I want to accelerate exploit development for CVEs by making it more standardized.)
If you have a CVE that you'd like to write a POC exploit scenario for, you can add it to this project quickly and easily with pre-built templates[1]! (Wasp[2] is an awesome project that simplifies web dev tooling complexity.)
Are there any other projects with similar goals that anybody is aware of? Asking because I couldn't find any, but I'd love to merge efforts if somebody is already doing this!
I just want to say thanks for this, we used it for an internal workshop for our webdev department with very limited prior netsec experience and it was a big hit.
The AIO character and a little bit of gamification through the leaderboard made it an easy to setup but really fun event!
Edit: Damn, I should read before posting - was talking about the juice shop. Your project might be nice follow-up though!
> On mobile, I only see an "Accept" button for the cookie banner.
Seems like there is an "X" button to close the dialog, but the element (#close-disclaimer) is only visible on screens approx. over 700px in width and it gets pushed off screen on anything smaller.
> How can I dismiss it?
Personally I didn't even see it on my phone, perhaps due to any of the following:
This been around a while, but I used it with success teaching students all about pesky web app vulns. There's one thing reading about them in a book, it's a whole other level getting students to find them.
15 comments
[ 3.1 ms ] story [ 49.2 ms ] threadOWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the OWASP VWA Directory.
Wasn't aware of this project at all but found the following links useful for context:
The actual Juice Shop website can be found at https://juice-shop.herokuapp.com/#/
and the github link for viewing code is https://github.com/juice-shop/juice-shop/releases/
I've been wanting that so that I can test out different security scanning and patching tools, but also actually build a test playground to exploit vulnerable dependencies. (I want to accelerate exploit development for CVEs by making it more standardized.)
If you have a CVE that you'd like to write a POC exploit scenario for, you can add it to this project quickly and easily with pre-built templates[1]! (Wasp[2] is an awesome project that simplifies web dev tooling complexity.)
Are there any other projects with similar goals that anybody is aware of? Asking because I couldn't find any, but I'd love to merge efforts if somebody is already doing this!
0: https://github.com/lunasec-io/damn-vulnerable-js-sca
1: https://github.com/lunasec-io/damn-vulnerable-js-sca/tree/ma...
2: https://wasp-lang.dev/
The AIO character and a little bit of gamification through the leaderboard made it an easy to setup but really fun event!
Edit: Damn, I should read before posting - was talking about the juice shop. Your project might be nice follow-up though!
Seems like there is an "X" button to close the dialog, but the element (#close-disclaimer) is only visible on screens approx. over 700px in width and it gets pushed off screen on anything smaller.
> How can I dismiss it?
Personally I didn't even see it on my phone, perhaps due to any of the following:
Well, either it was one of those, or it broke in a way that it wasn't shown altogether.