Vulnerabilities in Web applications are one of the key issues to consider in a penetration test or security assessment. While some security areas require a home network or a computer for testing, creating a test website to learn about web application security requires a slightly different approach. To get a secure environment for hacking web applications, the OWASP Juice Shop can help.
The depth and variety of web technologies provide a large and complex attack surface. There are a variety of markup languages that make up graphical components of Web sites, scripting languages for interacting with front-end Web sites, back-end languages that manipulate data, database management systems that manage those data, and server technologies that keep the Web sites online. Each of these technologies has its own vulnerabilities, and each of these vulnerabilities can be exploited.
Reference to the OWASP Top 10
The OWASP Top 10 Project is a document from the Open Web Application Security Project. It aims to list and archive the most common errors in web applications. As of the 2017 version, the list items are as follows:
- Injection
- Broken authentication
- Sensitive data exposure
- XML external entities (XXE)
- Broken access control
- Security misconfiguration
- Cross-site scripting (XSS)
- Insecure deserialization
- Use of components with known vulnerabilities
- Insufficient logging and monitoring
Each of these vulnerabilities can be present on all kinds of websites and often leads to abuse such as phishing, database exfiltration, spam, malware distribution and other privacy and security violations. As a web developer, it is important to recognize and understand these attacks in order to prevent them. For a penetration tester, understanding these vulnerability categories can improve your own web application hacking capabilities.
To begin practicing these attacks, you can first install the OWASP Juice Shop, which contains vulnerabilities from all of the OWASP Top 10.
Step 1: Install Docker
According to the project's website, Docker offers "a way to run applications safely isolated in a container packed with all its dependencies and libraries." This means that for a tool like the OWASP Juice Shop, a whole artificial server-like stack can be easily packaged and distributed.
While OWASP Juice Shop offers some installation options, including Node.js and Vagrant, I found that under Linux and macOS, Docker is the easiest option.
If you have problems with the Docker installation or your operating system does not support Docker, you may find that Node.js is also a convenient option. The installation instructions for other platforms can also be found in the Juice Shop documentation.
Docker supports Windows, macOS, and Linux with downloads for packages available on the Docker installation page. Installation instructions vary by platform, but for this example, we will go through Docker installation on a Debian-based system such as Ubuntu or Kali.
To begin the installation, first install the packages required to allow apt-get to use a repository over HTTPS by running the following command in a terminal emulator.
sudo apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common
Next, add Docker's GPG key, which can be used to verify the integrity of packages.
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
Now you can add the Docker repository to your system. If the following command fails, you can instead edit the /etc/apt/sources.list file manually with the text editor of your choice. This file is the repository list on systems that use the APT package manager. Just add the part of the command enclosed in quotation marks as a new line in this file, replacing "$(lsb_release -cs)" with the output of the command lsb_release -cs when run on your system. Otherwise, running this command alone is enough to update your repository list.
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
Once this repository has been added, you can install Docker by first updating your repositories and then using apt-get install to install the tool. This can be achieved by executing the following command.
sudo apt-get update && sudo apt-get install docker-ce
If you are using a systemd-based system, you can now start the Docker service with the following command.
sudo systemctl start docker
Step 2: Install the OWASP Juice Shop
As soon as Docker is installed and running, we first create a copy of the OWASP Juice Shop files locally. To do this, run the following command.
docker pull bkimminich/juice-shop
Next we can start the Juice Shop by executing the following command and binding the service to Port 3000.
docker run --rm -p 3000:3000 bkimminich/juice-shop
When the Docker command line prints "Server listening on port 3000", the service should be ready for use.
root@navi ~ # systemctl start docker
root@navi ~ # docker pull bkimminich/juice-shop
Using default tag: latest
latest: Pulling from bkimminich/juice-shop
Digest: sha256:056aa33f600adb143a1128e2ae42f4021f15d726347155ae4bdd37fba4e0c486
Status: Image is up to date for bkimminich/juice-shop:latest
root@navi ~ # docker run --rm -p 3000:3000 bkimminich/juice-shop
> email@example.com start /juice-shop
> node app
Server listening on port 3000
After it starts, the Juice Shop can be opened in a web browser like any other website. Under Linux, the shop is located at http://localhost:3000 . On macOS and Windows, it may be located at http://192.168.99.100:3000 .
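As an added example (not part of the original article or the Juice Shop project), the script below repeats the pull and run steps for a Linux host but publishes port 3000 on the loopback address only, because the shop is deliberately vulnerable and -p 3000:3000 makes it reachable on every interface, and it stops if the pulled tag no longer matches a pinned digest. The digest is the one shown in the session above; the function names, the container name and the 60-second wait are assumptions.

```shell
#!/bin/sh
# Added example: start Juice Shop from a reviewed image, reachable only locally.
IMAGE="bkimminich/juice-shop"
# Digest copied from the pull output in the article; change it only when you
# deliberately move to a newer image.
PINNED="sha256:056aa33f600adb143a1128e2ae42f4021f15d726347155ae4bdd37fba4e0c486"

# publish_spec HOST_IP PORT -> value for docker's -p flag (ip:hostPort:containerPort)
publish_spec() {
  printf '%s:%s:%s' "$1" "$2" "$2"
}

# is_loopback_publish SPEC -> 0 only when SPEC names a 127.x.x.x host address.
# A bare "3000:3000" has no address part, so Docker binds it on all interfaces.
is_loopback_publish() {
  case "$1" in
    127.*:*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# digest_matches REPO_DIGESTS EXPECTED -> 0 when one whitespace-separated
# "repo@sha256:..." entry carries exactly the EXPECTED digest.
digest_matches() {
  for dm_entry in $1; do
    [ "${dm_entry##*@}" = "$2" ] && return 0
  done
  return 1
}

start_juice_shop() {
  spec="$(publish_spec 127.0.0.1 3000)"
  is_loopback_publish "$spec" || { echo "refusing non-loopback bind: $spec" >&2; return 1; }
  docker pull "$IMAGE" || return 1
  digests="$(docker image inspect --format '{{join .RepoDigests " "}}' "$IMAGE")" || return 1
  # The tag can move; stop if it no longer points at the image that was reviewed.
  digest_matches "$digests" "$PINNED" || { echo "unexpected digest: $digests" >&2; return 1; }
  docker run --rm -d --name juice-shop -p "$spec" "$IMAGE@$PINNED" || return 1
  i=0
  while [ "$i" -lt 60 ]; do   # assumed limit: wait up to 60 seconds
    curl -fsS -o /dev/null "http://127.0.0.1:3000/" && return 0
    i=$((i + 1)); sleep 1
  done
  echo "Juice Shop did not answer on 127.0.0.1:3000" >&2
  return 1
}

# Docker is only touched when asked, so the helpers can be checked offline.
if [ "${1:-}" = "--start" ]; then start_juice_shop; fi
```

Run the script with --start to launch the container; stop it with docker stop juice-shop when the practice session is over.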