How to install OWASP Juice Shop – OWASP Top 10 training

Welcome back to the OWASP Top 10 training series. Today, we are going to install OWASP Juice Shop using both Heroku and Docker. This is the last step in our OWASP Top 10 lab setup. Last time, we installed OWASP WebGoat.

I’ve chosen to add it in this application so that we can experiment with attacking Nodejs backend targets with AngularJs front-end. 

After this tutorial, we will start practicing the exploitation of the OWASP Top 10 vulnerabilities.If you haven’t been following along from the beginning, it’s not too late. All you have to do is follow the instructions on OWASP Zap or Burp Suite setup blog posts. Then install OWASP WebGoat and WebWolf. Or, if you prefer videos, I created the OWASP Top 10 video training series just for you.

In order to stay updated when new episodes are available, make sure to subscribe to the Friday newsletter below!

Why OWASP Juice Shop for this OWASP Top 10 training?

OWASP Juice Shop is a deliberately vulnerable modern web application built on the current single web application stacks. Besides, it has a front-end based on AngularJs and a backend in NodeJs. Moreover, it uses both sqlite and NoSQL MongoDB databases. It also has a rest API.

Juice Shop is an awesomely well maintained project. Therefore, it is a great target to hone your skills, whether you are a beginner or an experienced pentester. 

A public instance is already available at https://juice-shop.herokuapp.com. However, I don’t recommend you directly test against it. In fact, you will often find some challenges already solved. Besides, it is a shared instance with others who might be malicious. Finally, it is especially not intended for brute forcing or automated testing. So be responsible and use it just to get a feel of Juice Shop features.

You can learn more on the Juice Shop architecture and its many features here.

Disclaimer: this is a deliberately vulnerable Web application. I strongly discourage running it on your host machine. For this reason, I a m going to continue working on my Debian 9 VM. For now, I’ll assume that you already have a Debian 9 VM running on your favorite Virtualization software. I am using VirtualBox.

How to Install OWASP Juice Shop on Heroku

Heroku is a cloud platform as a service (PaaS) supporting several programming languages. This means that you can deploy your code directly on the cloud and have a link to your web application. This is very convenient because it lets you deploy Juice Shop without any local setup.

  1. First, you need to have a Heroku account, which is free. Go to the signup page and register a new account.
  2. Go to the OWASP Juice Shop Github page and scroll down until you see the Heroku deploy button.OWASP Juice Shop Heroku button
  3. Click on Deploy to Heroku, you will be redirected to your Heroku account.
  4. Give your app a unique name, and click on Deploy app button.
  5. Grab a cup of coffee 🙂
  6. After a while, you will have a brand new instance up and running.
  7. Click on the View button at the bottom to visit your instance.

How to Install OWASP Juice Shop locally using Docker

If you’d like to reduce network latency, or even not depend on the internet, working locally would be the way to go. We are going to use Docker to avoid installing all the dependencies. If you don’t have Docker installed yet, you can install it using the instructions on how to install Docker in the OWASP WebGoat tutorial.

  1. Connect to your Debian 9 VM that we created earlier.
ssh thehackerish@your-debian-ip-address
  1. Download and run OWASP Juice Shop
docker run -d -p 3000:3000 bkimminich/juice-shop
  1. Go to: http://your-debian-9-vm-ip-address:3000
  2. You should see the same web page as https://juice-shop.herokuapp.com

Install Juice shop from source code

Some challenges are not available in neither Docker nor Heroku. For this reason, you have no choice but installing Juice shop from source code.

Some OWASP Juice shop challenges are not available neither on Docker nor on Heroku
Some OWASP Juice shop challenges are not available neither on Docker nor on Heroku

Step 1: NodeJS installation

  1. Download the Linux64 bit binaries
wget https://nodejs.org/dist/v12.14.1/node-v12.14.1-linux-x64.tar.xz
  1. Extract it to a destination of yours, mine is /home/thehackerish/nodejs
mkdir /home/thehackerish/nodejs && tar xvf node-v12.14.1-linux-x64.tar.xz --directory /home/thehackerish/nodejs
  1. Update your PATH variable
echo “PATH=$PATH:/home/thehackerish/nodejs/bin” >> ~/.bashrc
echo “source ~/.bashrc” >> ~/.profile

Step 2: Juice Shop from source

  1. Go to Juice Shop’s release page and choose the archive you would like. Because I am using a Debian VM with a nodejs version 12, I am going to choose this one.
  2. Extract the archive
tar xzvf juice-shop-9.3.1_node12_linux_x64.tgz
  1. Change directory to the folder and run the application
cd juice-shop_9.3.1 && npm install
  1. Now all you have to do is visit your browser to verify that your challenges are available.
OWASP Juice Shop challenges are now available
OWASP Juice Shop challenges are now available

Testing our installation

Now that Juice Shop is up and running, let’s see if we can capture HTTP requests using our previously installed web proxies.

  1. Make sure you have either Burp Suite or Zaproxy up and running on your host machine.
  2. Using the FoxyProxy add-on, choose a web proxy.
  3. Go to the URL of Juice Shop.
  4. Verify that you can capture HTTP traffic.

The following screenshots demonstrate that my local Juice Shop instance is well configured with Burp Suite.

OWASP Juice Shop with Burp

The following screenshots demonstrate that my local and Heroku Juice Shop instances are well configured with OWASP Zap.

OWASP Juice Shop with OWASP ZAP

Congratulations! You’ve finished setting up the lab for the OWASP Top 10 training! In the next episode, we are going to start exploiting our first vulnerability. Stay tuned!

A video is available on Youtube if you enjoy learning by watching!