OWASP - User contributions [en]
Feed: https://wiki.owasp.org/api.php?action=feedcontributions&user=Bjoern+Kimminich&feedformat=atom
Generated: 2024-03-19T08:11:25Z (User contributions, MediaWiki 1.27.2)

OWASP Juice Shop Project (revision 2019-10-15T09:45:29Z)
https://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=255468
Bjoern Kimminich: Replace entire content with link to new website at https://www2.owasp.org/www-project-juice-shop

We have fully migrated to the new OWASP Website! Please visit our new project page at
= https://www2.owasp.org/www-project-juice-shop =

OWASP Juice Shop Project (revision 2019-10-14T19:55:13Z)
https://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=255459
Bjoern Kimminich: /* Official Companion Guide */
<div>=Main=

<div style="width:100%;height:90px;border:0;margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

== OWASP Juice Shop Tool Project ==

''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])
— ''First you'' 😂😂 ''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools. Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications.

==Description==

[[File:JuiceShop_Logo.png|200px|left]]

Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].

The application contains a vast number of hacking challenges of varying difficulty in which the user is supposed to exploit the underlying vulnerabilities. Hacking progress is tracked on a score board. Finding this score board is itself one of the (easy) challenges!

Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs. Since the application is intentionally vulnerable, run it only in an isolated environment and never expose it to untrusted networks or real user data.

''Translating "dump" or "useless outfit" into German yields "Saftladen", which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match those of "JavaScript" was purely coincidental!''

== Main Selling Points ==

* Free and open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats
* [https://github.com/bkimminich/juice-shop#setup Easy to install]: Choose between [http://nodejs.org Node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup
* Gamification: The application notifies you of solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements
* CTF support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]

== Application Architecture ==

[[File:Architektur_JuiceShop.png]]

== Introduction Video ==

This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop, including a live demonstration of the application and how to hack it.

{{#ev:youtube|Lu0-kDdtVf4}}

''Spoiler warning: The video contains some live hacking, including mild spoilers for a few of the easiest challenges!''

== Official Companion Guide ==

[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It gives you a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' and always up to date [http://pwning.owasp-juice.shop in online-readable format]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].

[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]

==Licensing==
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

{{#widget:PayPal Donation
|target=_blank
|currency=USD
|budget=OWASP Juice Shop Project
}}

== News ==
[29.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.1 v9.0.1]

[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]

[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]

[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]

[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]

[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]

== Installation ==

[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]

[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]

[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]

== Source Code ==

[https://github.com/bkimminich/juice-shop GitHub Project]

[https://github.com/bkimminich/juice-shop/commits/master Revision History]

[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]

[https://github.com/bkimminich/juice-shop-ctf CTF Extension]

== Documentation ==

Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])

Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[http://pwning.owasp-juice.shop Online])

== Support ==

[https://gitter.im/bkimminich/juice-shop Community Chat]

[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]

== Collaboration ==

[https://owasp.slack.com/messages/project-juiceshop Slack Channel]

[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]

== Social Media ==

[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]

[https://www.facebook.com/owasp.juiceshop Facebook Page]

[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]

== Merchandise ==

[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]

Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])

== Project Leader ==
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]

==Miscellaneous==

[https://www.openhub.net/p/juice-shop OpenHub Project]

==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
|}

|}

= Acknowledgements =
==Contributors==

The OWASP Juice Shop was created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live list of [https://github.com/bkimminich/juice-shop/graphs/contributors project contributors is available here].

== Project Sponsors ==

=== Top Sponsors ===

{|
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]
|--
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]
|}

=== Other Corporate Sponsors ===

{|
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]
|}

=== Other Individual Sponsors ===

{|
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen
|style="text-align:center; padding-left: 50px;"|Soron Foster
|-
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland
|style="text-align:center; padding-left: 50px;"|Timo Pagel
|-
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich]
|-
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung]
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]
|}

=== LeanPub Royalties ===

[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]

$1,251.68 of royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook have been donated to the project between 09/2017 and 07/2019!

=== Corporate-sponsored code contributions ===

{|
|style="text-align:center;"|[https://application.job.panasonic.eu/data/ruP0pHQvHrGZJKvL/rc.php?nav=jobsearch&custval12=ite&lang=EN&custval11=PBSEU_GER Panasonic Information Systems Company Europe]<sup>[https://github.com/bkimminich/juice-shop/pull/1221]</sup>
|}

----

You can find the current project balance along with a history of all donations and spending in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.

= Road Map and Getting Involved =

Juice Shop is fully implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions, including OWASP events]. It has been used successfully by various companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures and published training slides].

==Roadmap==

===Long-term Goals===

* Challenges in the pristine features added during GSoC 2019
* More Hacking Instructor scripts for the easier challenges
* Decouple the Hacking Instructor more cleanly from the frontend code

[[File:Architektur JuiceShop.png]]

==Getting Involved==

Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:

* use Juice Shop in your own hacker or awareness trainings
* use Juice Shop as a "guinea pig" for your security tools
* provide ideas for new vulnerabilities and challenges
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>

OWASP Juice Shop Project (revision 2019-10-14T19:52:35Z)
https://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=255458
Bjoern Kimminich: /* Documentation */
OWASP Juice Shop Project (revision 2019-10-03T08:49:23Z)
https://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=255198
Bjoern Kimminich: (no edit summary)
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It gives a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. The appendix even contains complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as a work in progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[29.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.1 v9.0.1]<br />
<br />
[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]<br />
<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop was created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A continuously updated list of [https://github.com/bkimminich/juice-shop/graphs/contributors project contributors is available on GitHub].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
$1,251.68 of royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook have been donated to the project between 09/2017 and 07/2019!<br />
<br />
=== Corporate-sponsored code contributions ===<br />
<br />
{|<br />
|style="text-align:center;"|[https://application.job.panasonic.eu/data/ruP0pHQvHrGZJKvL/rc.php?nav=jobsearch&custval12=ite&lang=EN&custval11=PBSEU_GER Panasonic Information Systems Company Europe]<sup>[https://github.com/bkimminich/juice-shop/pull/1221]</sup><br />
|}<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions, including OWASP events]. It has been used successfully by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures and published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* Challenges in the pristine features added during GSoC 2019<br />
* More Hacking Instructor scripts for the easier challenges<br />
* Decouple Hacking Instructor better from frontend code<br />
<br />
[[File:Architektur JuiceShop.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254989OWASP Juice Shop Project2019-09-27T09:38:03Z<p>Bjoern Kimminich: remove corporate code contrib section (see https://github.com/bkimminich/juice-shop/pull/1221#issuecomment-535868802)</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[29.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.1 v9.0.1]<br />
<br />
[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]<br />
<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live update of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
$1,251.68 of royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook have been donated to the project between 09/2017 and 07/2019!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for inhouse security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* Challenges in the pristine features added during GSoC 2019<br />
* More Hacking Instructor scripts for the easier challenges<br />
* Decouple Hacking Instructor better from frontend code<br />
<br />
[[File:Architektur JuiceShop.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254955OWASP Juice Shop Project2019-09-25T20:28:56Z<p>Bjoern Kimminich: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[29.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.1 v9.0.1]<br />
<br />
[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]<br />
<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop was created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A continuously updated list of [https://github.com/bkimminich/juice-shop/graphs/contributors project contributors is available on GitHub].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
$1,251.68 in royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook were donated to the project between 09/2017 and 07/2019!<br />
<br />
=== Corporate-sponsored code contributions ===<br />
<br />
{|<br />
|style="text-align:center;"|[https://application.job.panasonic.eu/data/ruP0pHQvHrGZJKvL/rc.php?nav=jobsearch&custval12=ite&lang=EN&custval11=PBSEU_GER Panasonic Information Systems Company Europe]<sup>[https://github.com/bkimminich/juice-shop/pull/1221]</sup><br />
|}<br />
<br />
----<br />
<br />
You can find the current project balance, along with a history of all donations and expenses, in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is fully implemented, thoroughly tested, and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions, including OWASP events]. It has been used successfully by various companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures and published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* Challenges for the features added during GSoC 2019 that do not yet have any<br />
* More Hacking Instructor scripts for the easier challenges<br />
* Decouple the Hacking Instructor more cleanly from the frontend code<br />
<br />
[[File:Architektur JuiceShop.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254954OWASP Juice Shop Project2019-09-25T20:28:17Z<p>Bjoern Kimminich: </p>
Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254946OWASP Juice Shop Project2019-09-25T08:52:17Z<p>Bjoern Kimminich: /* Long-term Goals */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[29.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.1 v9.0.1]<br />
<br />
[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]<br />
<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live update of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|style="text-align:center; padding-left: 50px;"|[https://application.job.panasonic.eu/data/ruP0pHQvHrGZJKvL/rc.php?nav=jobsearch&custval12=ite&lang=EN&custval11=PBSEU_GER Panasonic Information Systems Company Europe]<sup>[https://github.com/bkimminich/juice-shop/pull/1221]</sup><br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
$1,251.68 of royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook have been donated to the project between 09/2017 and 07/2019!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for inhouse security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* Challenges in the pristine features added during GSoC 2019<br />
* More Hacking Instructor scripts for the easier challenges<br />
* Decouple Hacking Instructor better from frontend code<br />
<br />
[[File:Architektur JuiceShop.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254945OWASP Juice Shop Project2019-09-25T08:51:35Z<p>Bjoern Kimminich: /* Long-term Goals */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0;margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;"<br />
|-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen", which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It gives you a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[29.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.1 v9.0.1]<br />
<br />
[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]<br />
<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
OWASP Juice Shop was created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A continuously updated list of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|-<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|style="text-align:center; padding-left: 50px;"|[https://application.job.panasonic.eu/data/ruP0pHQvHrGZJKvL/rc.php?nav=jobsearch&custval12=ite&lang=EN&custval11=PBSEU_GER Panasonic Information Systems Company Europe]<sup>[https://github.com/bkimminich/juice-shop/pull/1221]</sup><br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
$1,251.68 of royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook have been donated to the project between 09/2017 and 07/2019!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and expenses in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* Challenges in the pristine features added during GSoC 2019<br />
* More Hacking Instructor scripts for the easier challenges<br />
* Decouple Hacking Instructor better from frontend code<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254941OWASP Juice Shop Project2019-09-25T06:56:26Z<p>Bjoern Kimminich: /* Other Corporate Sponsors */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0;margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;"<br />
|-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen", which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It gives you a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[29.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.1 v9.0.1]<br />
<br />
[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]<br />
<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
OWASP Juice Shop was created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A continuously updated list of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|-<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|style="text-align:center; padding-left: 50px;"|[https://application.job.panasonic.eu/data/ruP0pHQvHrGZJKvL/rc.php?nav=jobsearch&custval12=ite&lang=EN&custval11=PBSEU_GER Panasonic Information Systems Company Europe]<sup>[https://github.com/bkimminich/juice-shop/pull/1221]</sup><br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
$1,251.68 of royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook have been donated to the project between 09/2017 and 07/2019!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and expenses in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* Challenges in the pristine features added during GSoC 2019<br />
* More Hacking Instructor scripts for the easier challenges<br />
* Smoke tests for Docker images and pre-packaged distributions<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254921OWASP Juice Shop Project2019-09-24T14:50:54Z<p>Bjoern Kimminich: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0;margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;"<br />
|-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen", which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It gives you a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as a work in progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[29.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.1 v9.0.1]<br />
<br />
[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]<br />
<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live list of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors can be found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|style="text-align:center; padding-left: 50px;"|[https://is-c.panasonic.co.jp/en/ Panasonic Information Systems Company Europe]<sup>[https://github.com/bkimminich/juice-shop/pull/1221]</sup><br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
$1,251.68 of royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook have been donated to the project between 09/2017 and 07/2019!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spending in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* Challenges in the pristine features added during GSoC 2019<br />
* More Hacking Instructor scripts for the easier challenges<br />
* Smoke tests for Docker images and pre-packaged distributions<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254304OWASP Juice Shop Project2019-08-29T04:02:53Z<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It gives you a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as a work in progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[29.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.1 v9.0.1]<br />
<br />
[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]<br />
<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live list of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors can be found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
$1,251.68 of royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook have been donated to the project between 09/2017 and 07/2019!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spending in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* Challenges in the pristine features added during GSoC 2019<br />
* More Hacking Instructor scripts for the easier challenges<br />
* Smoke tests for Docker images and pre-packaged distributions<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254234OWASP Juice Shop Project2019-08-27T09:12:18Z<p>Bjoern Kimminich: /* Roadmap */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It gives you a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as a work in progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]<br />
<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.0 v8.7.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop was created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live list of [https://github.com/bkimminich/juice-shop/graphs/contributors project contributors] is available on GitHub.<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
Between 09/2017 and 07/2019, $1,251.68 in royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook were donated to the project.<br />
<br />
----<br />
<br />
The current project balance, along with a history of all donations and expenditures, can be found in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is fully implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions, including OWASP events]. It has been used successfully by companies for in-house security training as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures and published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* Challenges built on the features added during GSoC 2019, which are still vulnerability-free ("pristine")<br />
* More Hacking Instructor scripts for the easier challenges<br />
* Smoke tests for the Docker images and pre-packaged distributions<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help:<br />
<br />
* use Juice Shop in your own hacking or awareness training sessions<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* suggest ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254211OWASP Juice Shop Project2019-08-26T19:21:28Z<p>Bjoern Kimminich: </p>
<hr />
<div>=Main=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript to be listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a large number of hacking challenges of varying difficulty in which the user is meant to exploit the underlying vulnerabilities. Hacking progress is tracked on a score board. Finding this score board is itself one of the (easy) challenges!<br />
<br />
Beyond hacker and awareness training, Juice Shop serves as a "guinea pig" application for pentesting proxies and security scanners: it lets you check how well such tools cope with JavaScript-heavy frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy to install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or are resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup, so a restart returns a trashed training instance to a clean state<br />
* Gamification: The application notifies you of solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Business context and look & feel are fully customizable to your own corporate or customer requirements<br />
* CTF support: Challenge notifications can optionally include a flag code for use in your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop, including a live demonstration of the application and of how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It gives a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. The appendix even contains complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as a work in progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[26.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v9.0.0 v9.0.0]<br />
<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.0 v8.7.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
|}<br />
= Road Map and Getting Involved =<br />
<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design facelift] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=254062OWASP Juice Shop Project2019-08-22T12:16:00Z<p>Bjoern Kimminich: Remove related projects due to lack of them linking back</p>
<hr />
<div>=Main=<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
== News ==<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.0 v8.7.0]<br />
<br />
[28.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.2 v8.6.2]<br />
<br />
|}<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>
Bjoern Kimminich | https://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=253814 | OWASP Juice Shop Project | 2019-08-17T05:32:40Z<p>Bjoern Kimminich: /* LeanPub Royalties */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to match your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.0 v8.7.0]<br />
<br />
[28.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.2 v8.6.2]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live list of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors can be found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|[http://www.7minsec.com Brian Johnson]<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
$1,251.68 of royalties from [https://twitter.com/bkimminich Björn Kimminich]'s eBook have been donated to the project between 09/2017 and 07/2019!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>
Bjoern Kimminich | https://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=253813 | OWASP Juice Shop Project | 2019-08-17T05:20:17Z<p>Bjoern Kimminich: /* Project Sponsors */</p>
<hr />
<div>=Main=<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>
Bjoern Kimminich | https://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=253542 | OWASP Juice Shop Project | 2019-08-05T20:42:07Z<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A continuously updated list of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors can be found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>
Bjoern Kimminich
https://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=253541
OWASP Juice Shop Project
2019-08-05T20:41:45Z
<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as a work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[05.08.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.3 v8.7.3]<br />
<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.0 v8.7.0]<br />
<br />
[28.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.2 v8.6.2]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A continuously updated list of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors can be found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>
Bjoern Kimminich
https://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=252796
OWASP Juice Shop Project
2019-07-03T07:55:45Z
<p>Bjoern Kimminich: Update transaction spreadsheet link</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as a work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.0 v8.7.0]<br />
<br />
[28.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.2 v8.6.2]<br />
<br />
[27.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.1 v8.6.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live list of all [https://github.com/bkimminich/juice-shop/graphs/contributors project contributors] is available on GitHub.<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/14UWhT7SbJAmNBES1ZYdRk8N5f8S2jVkbQbLZz26eM0I/edit#gid=1346179950&range=C323 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=252438OWASP Juice Shop Project2019-06-17T20:47:27Z<p>Bjoern Kimminich: </p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org Node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Business context and look & feel are fully customizable to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[17.06.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.1 v6.1.1]<br />
<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.0 v8.7.0]<br />
<br />
[28.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.2 v8.6.2]<br />
<br />
[27.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.1 v8.6.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live list of all [https://github.com/bkimminich/juice-shop/graphs/contributors project contributors] is available on GitHub.<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=252382OWASP Juice Shop Project2019-06-12T23:38:33Z<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org Node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Business context and look & feel are fully customizable to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
[13.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.2 v8.7.2]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.1 v8.7.1]<br />
<br />
[07.06.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.7.0 v8.7.0]<br />
<br />
[28.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.2 v8.6.2]<br />
<br />
[27.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.1 v8.6.1]<br />
<br />
[06.05.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.0 v6.1.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live list of all [https://github.com/bkimminich/juice-shop/graphs/contributors project contributors] is available on GitHub.<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=251951OWASP Juice Shop Project2019-05-28T15:56:17Z<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[28.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.2 v8.6.2]<br />
<br />
[27.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.1 v8.6.1]<br />
<br />
[27.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.0 v8.6.0]<br />
<br />
[06.05.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.0 v6.1.0]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.1 v8.5.1]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.0 v8.5.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live update of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spending in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=251910OWASP Juice Shop Project2019-05-27T21:06:43Z<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[27.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.1 v8.6.1]<br />
<br />
[27.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.0 v8.6.0]<br />
<br />
[06.05.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.0 v6.1.0]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.1 v8.5.1]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.0 v8.5.0]<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live update of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spending in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=251895OWASP Juice Shop Project2019-05-27T08:58:18Z<p>Bjoern Kimminich: /* Support */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[27.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.0 v8.6.0]<br />
<br />
[06.05.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.0 v6.1.0]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.1 v8.5.1]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.0 v8.5.0]<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live view of the project's [https://github.com/bkimminich/juice-shop/graphs/contributors contributors] is available on GitHub.<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=251889OWASP Juice Shop Project2019-05-26T22:56:45Z<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, Juice Shop also serves as a "guinea pig" application for pentesting proxies and security scanners, to check how well those tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org Node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[27.05.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.6.0 v8.6.0]<br />
<br />
[06.05.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.0 v6.1.0]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.1 v8.5.1]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.0 v8.5.0]<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live view of the project's [https://github.com/bkimminich/juice-shop/graphs/contributors contributors] is available on GitHub.<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=File:Architektur_JuiceShop.png&diff=251294File:Architektur JuiceShop.png2019-05-09T19:10:06Z<p>Bjoern Kimminich: Bjoern Kimminich uploaded a new version of File:Architektur JuiceShop.png</p>
<hr />
<div></div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=251293OWASP Juice Shop Project2019-05-09T19:09:00Z<p>Bjoern Kimminich: /* Related Projects */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, Juice Shop also serves as a "guinea pig" application for pentesting proxies and security scanners, to check how well those tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org Node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[06.05.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.0 v6.1.0]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.1 v8.5.1]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.0 v8.5.0]<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
[07.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.0 v8.4.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
[[OWASP SamuraiWTF Project|OWASP SamuraiWTF Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop was created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A continuously updated list of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors can be found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and expenses in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions, including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=251156OWASP Juice Shop Project2019-05-07T17:09:22Z<p>Bjoern Kimminich: /* Other Corporate Sponsors */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[06.05.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.0 v6.1.0]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.1 v8.5.1]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.0 v8.5.0]<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
[07.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.0 v8.4.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live update of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|[https://silpion.de Silpion]<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for inhouse security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=251069OWASP Juice Shop Project2019-05-06T09:56:57Z<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[06.05.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.1.0 v6.1.0]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.1 v8.5.1]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.0 v8.5.0]<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
[07.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.0 v8.4.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live update of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=Germany&diff=250785Germany2019-04-29T22:41:55Z<p>Bjoern Kimminich: /* Open Security Summit 2019 Sponsoring */</p>
<hr />
<div>__NOTOC__<br />
=Welcome=<br />
<div style="height:11em;">[[Image:OWASP_German_Chapter_WHITE_PNG.png|500px|right]]</div><br />
<!-- MediaWiki is too dumb to display images properly, hence the DIV with style= --><br />
<br />
<div style="background:lightblue;text-align:center;font-weight:bold;padding:2em"><br />
OWASP <u>[[Germany/Chapter_Meetings|Germany Chapter Meeting]]</u> on 10.04.2019 from 13:00<br />
<br>at Brauerstraße 48 in Karlsruhe<br />
</div><br />
<br />
== About OWASP ==<br />
OWASP is an independent, worldwide community whose goal is to make the importance of web application security »visible« and to spread, and make freely available, know-how on developing and operating secure web applications. All OWASP resources, such as documents, videos, slides, podcasts etc., can be used free of charge under a free license.<br />
<br />
OWASP is free, open and vendor-independent. Everyone interested is welcome to contribute to [[:Category:OWASP Project|projects]] or simply to share in the knowledge. A great way to get a first impression are the [[OWASP_German_Chapter_Stammtisch_Initiative|OWASP Stammtische]] (regulars' meetups), which take place regularly in many major German cities. <br />
<br />
== OWASP German Chapter ==<br />
OWASP is organised in so-called [[OWASP Chapter|chapters]]. One of them is the German Chapter, whose page you are currently viewing. The Chapter Lead is elected annually at the [[Germany/Chapter_Meetings|Chapter Meeting]]. The current Chapter Lead is [mailto:tobias.glemser@owasp.org Tobias Glemser].<br />
<br />
Members of the Chapter Board are (in alphabetical order):<br />
[mailto:achim@owasp.org Achim Hoffmann],<br />
[mailto:alexios.fakos@owasp.org Alexios Fakos],<br />
[mailto:bastian.braun@owasp.org Bastian Braun],<br />
[mailto:bjoern.kimminich@owasp.org Bjoern Kimminich],<br />
[mailto:boris@owasp.org Boris Hemkemeier],<br />
[mailto:christian.becker@owasp.org Christian Becker],<br />
[mailto:christian.dresen@owasp.org Christian Dresen],<br />
[mailto:danielgora@owasp.org Daniel Gora],<br />
[mailto:henrik.willert@owasp.org Henrik Willert],<br />
[mailto:ingo.hanke@owasp.org Ingo Hanke],<br />
[mailto:ives.laaf@gmail.com Ives Laaf],<br />
[mailto:jan.wolff@owasp.org Jan Wolff],<br />
[mailto:johannes.schoenborn@owasp.org Johannes Schoenborn],<br />
[mailto:martin.johns@owasp.org Martin Johns],<br />
[mailto:michael.schaefer@owasp.org Michael Schäfer],<br />
[mailto:ralf.allar@owasp.org Ralf Allar],<br />
[mailto:sven.schlueter@owasp.org Sven Schlüter],<br />
[mailto:tobias.glemser@owasp.org Tobias Glemser],<br />
[mailto:torsten.gigler@owasp.org Torsten Gigler]<br />
<br />
<br />
=Projects=<br />
== Projects of the German Chapter ==<br />
<br />
The German Chapter initiates or participates in [[:Category:OWASP_Project|OWASP projects]]. What the German Chapter has brought about is worth a look! A selection:<br />
<br />
* OWASP SSL advanced forensic tool - O-Saft<br />
* OWASP Juice Shop<br />
* OWASP Top 10 Privacy Risks Project<br />
* OWASP Top 10 for Developers (OWASP Top 10 für Entwickler)<br />
* OWASP Top 10 2013: German translation<br />
* Best Practices: Web Application Firewalls<br />
<br />
Details can be found on the list of [[Germany/Projekte|German projects]].<br />
<br />
=Meetings=<br />
== OWASP Stammtisch Initiative ==<br />
<br />
In several cities there are [[Germany/Stammtisch_Initiative|OWASP Stammtische]] (regulars' meetups), where people meet in a relaxed setting to exchange ideas, get to know nice people or discuss serious security topics -- mostly with a talk.<br />
<br />
Active Stammtische exist (as of August 2017) in: <br />
[[OWASP_German_Chapter_Stammtisch_Initiative/München|München]],<br />
[[OWASP_German_Chapter_Stammtisch_Initiative/Frankfurt|Frankfurt]],<br />
[[OWASP_German_Chapter_Stammtisch_Initiative/Stuttgart|Stuttgart]],<br />
[[OWASP_German_Chapter_Stammtisch_Initiative/Köln|Köln]],<br />
[[OWASP_German_Chapter_Stammtisch_Initiative/Hamburg|Hamburg]],<br />
[[OWASP_German_Chapter_Stammtisch_Initiative/Karlsruhe|Karlsruhe]],<br />
[[OWASP_German_Chapter_Stammtisch_Initiative/Dresden|Dresden]],<br />
[[OWASP_German_Chapter_Stammtisch_Initiative/Ruhrpott|Ruhrpott]],<br />
<u>[http://lists.owasp.org/pipermail/owasp-germany/2017-August/001012.html Heilbronn-Franken <b>(new)</b>]</u><br />
<br />
== German OWASP Day ==<br />
<br />
The [[German OWASP Day]] is the annual conference of the German OWASP Chapter.<br />
The target audience consists of developers, IT security officers, IT managers and the classic "security crowd". The German OWASP Day is a security conference with expert talks on secure development, operation, testing and management of (web-based) applications. Interdisciplinary, non-technical topics are welcome as well. OWASP and OWASP conferences are vendor-neutral and free of marketing talks. <br />
<br />
The last German OWASP Day [https://god.owasp.de/archive/2018/ took place on 20.11.2018 in Münster]. The next one will be in Karlsruhe and is currently still being planned! Information will be announced (as soon as available) on the website: ''' https://god.owasp.de '''.<br />
<br />
== Chapter Meetings ==<br />
<br />
The German Chapter meets at irregular intervals to organise the work within the German Chapter. Our chapter has the peculiarity that the individual Stammtische, which in other countries are organised as chapters of their own, are under our umbrella. Accordingly,<br />
our Chapter Meetings are a mixture of talks and organisation.<br />
<br />
In keeping with the ''O'' in OWASP for ''open'', these meetings are public. Anyone can attend and take part in the chapter's work. The date of the meeting -- the Chapter Meeting -- is announced on this page, together with the agenda. Naturally, all results of the meetings are public as well. What was discussed / decided at past meetings can be found on the [[Germany/Chapter_Meetings|Chapter Meetings]] page.<br />
<br />
The next Chapter Meeting will take place on 10 April in Karlsruhe. OWASP membership is '''not''' a prerequisite for attending! Membership is only required for voting. Details on agenda and location can be found [[Germany/Chapter_Meetings#OWASP_Germany_Chapter_Meeting_am_10.04.2019_in_Karlsruhe|here on the Chapter Meeting page]].<br />
<br />
=Activities=<br />
== Open Security Summit 2019 Sponsoring ==<br />
The OWASP German Chapter is offering stipends for up to two participants''[1]'' in the upcoming [https://open-security-summit.org Open Security Summit 2019]! Please read the following paragraphs carefully before applying!<br />
<br />
=== Stipend Scope === <br />
Each stipend includes<br />
* '''1 Standard Summit Ticket (with accommodation)''' worth up to 1,500 GBP''[2]''<br />
<br />
The stipends do '''not''' include<br />
* travel cost reimbursement<br />
* any other costs of the participant<br />
<br />
=== Rules ===<br />
To apply for one of the two stipends you must send a written application via email to [mailto:germany-chapter-leaders@owasp.org germany-chapter-leaders@owasp.org] with the following minimum content:<br />
# Name and short work-life and open source biography<br />
# Description of the working and/or user sessions you will ''host yourself'' at the summit<br />
# Other tracks and/or sessions you want ''to participate in'' during the summit<br />
# Description of the tangible outcome you plan to achieve for OWASP and the application security community from 2. and/or 3.<br />
<br />
=== Deadlines === <br />
We are looking forward to your applications! Please mind the following timeline for this offer:<br />
* '''Application deadline is May 12th 2019'''<br />
* Evaluation results will be delivered by May 19th 2019 at the latest<br />
<br />
<br />
----<br />
<br />
''[1]'' = The OWASP German Chapter Board will pick the best applications that meet their minimum quality requirements by voting. The number of provided total stipends depends on the number of sufficiently convincing applications being submitted and might effectively range from 0 to 2.<br />
<br />
''[2]'' = The ticket will be purchased by the OWASP German Chapter and delivered to the participant via email. Previously purchased tickets are not eligible for reimbursement under any circumstances.<br />
<br />
=Archive=<br />
=== Recent / Historical ===<br />
;19-20.11.2018: [https://god.owasp.de/archive/2018/ German OWASP Day 2018 in Münster]<br />
;14.11.2017: [[German_OWASP_Day_2017|9th German OWASP Day in Essen]]<br />
;11./12.09.2017: [[Cheat Sheet Workshop|Cheat Sheet Workshop in Frankfurt]]<br />
;29.11.2016: [[German_OWASP_Day_2016|8th German OWASP Day in Darmstadt]]<br />
;01.12.2015: [[German_OWASP_Day_2015|7th German OWASP Day in Frankfurt/Main]]<br />
;06.10.2015: Thanks to the support of Nürnberg Messe, the OWASP German Chapter will again be present at it-sa this year with its own booth (12.0-123). We look forward to exciting conversations at the booth. <br />
;13.04.2015: <u>[https://lists.owasp.org/pipermail/owasp-germany/2015-March/000758.html German OWASP Chapter Meeting]</u> in Frankfurt <br />
;23.01.2015: Translation of the '''OWASP Top 10 of 2013''' into German: [[Germany/Projekte/Top_10|OWASP Top 10: German translation]]<br />
;09.12.2014: [[German_OWASP_Day_2014|6th German OWASP Day in Hamburg]]<br />
;14.03.2014: OWASP Germany Chapter Meeting in Frankfurt; details and agenda can be found [[Germany/Chapter_Meetings|here]].<br />
;20. - 23.08.2013: The German Chapter hosted the [[AppSecEU2013|OWASP AppSec Europe Research 2013]].<br />
;10.08.2013: Partnership with the [http://www.isaca.de/ ISACA Germany Chapter e.V.]: For the benefit of members on both sides, a partnership was concluded with the ISACA Germany Chapter e.V. The partnership allows members of the ISACA Germany Chapter e.V. to attend OWASP AppSec Research 2013 at discounted rates. The OWASP German Chapter gets the opportunity to be present at ISACA conferences. We are very much looking forward to the partnership.<br />
;01.07.2013: The programme for AppSec Research EU 2013 is [http://owaspappseceu2013.sched.org/ online] <!-- http://sched.appsec.eu/ is a tracking page, grrrr --><br />
;10.06.2013: Registration for AppSec Research EU 2013 is here: <u>https://appsec.eu/registration/</u><br />
;17.05.2013: OWASP Germany Chapter Meeting in Frankfurt; details and agenda can be found [[Germany/Chapter_Meetings|here]].<br />
;22.02.2013: The German Chapter Meeting will take place on '''17.05.2013''' in Frankfurt.<br />
;5.12.2012: The German Chapter is hosting the [[AppSecEU2013|OWASP AppSec Europe Research 2013]].<br />
: The German Chapter is proud to announce the [[AppSecEU2013|date and location]] of AppSecEU 2013.<br />
;10.11.2012: [[German_OWASP_Day_2012|German OWASP Day 2012]]: The high-profile web security conference was a complete success: thanks go to all visitors -- a good third more than last year -- speakers and sponsors.<br />
;07.11.2012: [[Germany/Chaptersponsor|Chapter sponsoring]] now possible.<br />
;03.11.2012: Website of the [[Germany|OWASP German Chapter]] restructured.<br />
;10.09.2012: [[German_OWASP_Day_2012/Programm|Programme]] for [[German_OWASP_Day_2012|German OWASP Day 2012]] in Munich on 7.11.2012 is final<br />
;13.07.2012: At the end of AppSecEU 2012 it was officially announced that the German Chapter will host AppSec Research 2013. Location: Hamburg, time: July <br />
;02.05.2012: Call for Presentations opened for [[German_OWASP_Day_2012|German OWASP Day 2012]]. Location: Munich<br />
<br />
Further news can be found [[Germany/Aktuelles|in the archive]].<br />
<br />
=== Our Conferences ===<br />
<br />
;19.11.2018: [https://god.owasp.de/archive/2018/ 10th German OWASP Day 2018 in Münster]<br />
;14.11.2017: [[German_OWASP_Day_2017|9th German OWASP Day in Essen]]<br />
;29.11.2016: [[German_OWASP_Day_2016|8th German OWASP Day in Darmstadt]]<br />
;01.12.2015: [[German_OWASP_Day_2015|7th German OWASP Day in Frankfurt/Main]]<br />
;09.12.2014: [[German_OWASP_Day_2014|6th German OWASP Day in Hamburg]]<br />
;20-23.08.2013: The German Chapter organised the (European) [[AppSecEU2013|OWASP AppSec Europe Research 2013]].<br />
;7.11.2012: [[German_OWASP_Day_2012|German OWASP Day 2012]] in Munich<br />
<br />
A list of all conferences held by the OWASP German Chapter can be found [[Germany/Konferenzen|here]].<br />
<br />
=Contact=<br />
=== How to reach us ===<br />
<br />
;E-Mail: [mailto:germany-chapter-leaders@owasp.org germany-chapter-leaders@owasp.org]<br />
;Twitter: [https://twitter.com/#!/search/OWASP_de Twitter: @OWASP_de]<br />
;<u>[https://groups.google.com/a/owasp.org/group/germany-chapter/ Mailing list]</u>: [mailto:germany-chapter@owasp.org germany-chapter@owasp.org] (<u>[https://lists.owasp.org/pipermail/owasp-germany/ mail archive of the old list]</u>)<br />
<br />
Contributions to the OWASP German Chapter are welcome. We look forward to posts on our <u>[https://groups.google.com/a/owasp.org/group/germany-chapter/ mailing list]</u>. These should of course relate to application security. Conceivable are, among other things, questions, tips, current notices, job offers or project requests. There is also a <u>[https://lists.owasp.org/pipermail/owasp-germany mail archive]</u> of the *old* list, which is no longer in use. If you cannot attend the meetings, simply contact one of the [[Germany|German Chapter Board members]] or send an e-mail to our mailing list [mailto:germany-chapter@owasp.org germany-chapter@owasp.org].<br />
<br />
=== Press ===<br />
<br />
Information for the press can be found [[Germany/press|here]].<br />
<br />
=Sponsors=<br />
=== Sponsors of the German OWASP Chapter ===<br />
<br />
<!-- Sponsors: please use a 3-column table so there is enough spacing between the images --><br />
{| style="background-color:inherit;" width="99%"<br />
| [[Image:Schutzwerk-300x29.png|link=http://www.schutzwerk.com|www.schutzwerk.com]]<br />
| [[Image:secuvera_8700px.png|link=https://www.secuvera.de|www.secuvera.de]]<br />
|-<br />
| [[Image:sicsec_logo_was_OWASP_20121218_small.png|link=http://www.sicsec.de|www.sicsec.de]]<br />
| [[Image:Logo-bitinspect.png|160px|link=https://bitinspect.de|bitinspect.de]]<!--[[Image:Cyberday-logo_8700px_square.png|link=https://www.cyberday-gmbh.de|www.cyberday-gmbh.de]]--><br />
|-<br />
| <!--[[Image:Banner_TUViT.png|link=https://www.tuvit.de/de|www.tuvit.de]]--><br />
| <!--[[Image:binsec.png|link=http://www.binsec.de/|www.binsec.de]]--><br />
|-<br />
| [[Image:xing_logo.png|120px|link=https://corporate.xing.com/english/company/security-at-xing/|www.xing.com]]<br />
| <!--[[Image:acunetix_max_8700px.png|link=https://www.acunetix.com/|www.acunetix.com]]--><br />
|}<br />
<br />
Our offer for chapter sponsors: [[Germany/Chaptersponsor|OWASP German Chapter Sponsorship]].<br />
<br />
<headertabs></headertabs><br />
<br />
<small>(A short [[Germany/Website_HowTo|HowTo]] for the German wiki pages)</small><br />
<br />
[[Category:Germany]] <br />
[[Category:Europe]]<br />
[[Category:OWASP Chapter]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=Germany&diff=250784Germany2019-04-29T22:37:57Z<p>Bjoern Kimminich: Add OSS'19 stipend event</p>
<hr />
<div>__NOTOC__<br />
=Activities=<br />
=== Open Security Summit 2019 Sponsoring ===<br />
The OWASP German Chapter is offering stipends for up to two participants''[1]'' in the upcoming [https://open-security-summit.org Open Security Summit 2019]! Please read the following paragraphs carefully before applying!<br />
<br />
Each stipend includes<br />
* '''1 Standard Summit Ticket (with accommodation)''' worth up to 1,500 GBP''[2]''<br />
<br />
The stipends do '''not''' include<br />
* travel cost reimbursement<br />
* any other costs of the participant<br />
<br />
To apply for one of the two stipends you must send a written application via email to [mailto:germany-chapter-leaders@owasp.org germany-chapter-leaders@owasp.org] with the following minimum content:<br />
# Name and short work-life and open source biography<br />
# Description of the working and/or user sessions you will ''host yourself'' at the summit<br />
# Other tracks and/or sessions you want ''to participate in'' during the summit<br />
# Description of the tangible outcome you plan to achieve for OWASP and the application security community from 2. and/or 3.<br />
<br />
We are looking forward to your applications! Please mind the following timeline for this offer:<br />
* '''Application deadline is May 12th 2019'''<br />
* Evaluation results will be delivered by May 19th 2019 at the latest<br />
<br />
''[1]'' = The OWASP German Chapter Board will pick the best applications that meet their minimum quality requirements by voting. The number of provided total stipends depends on the number of sufficiently convincing applications being submitted and might effectively range from 0 to 2.<br />
<br />
''[2]'' = The ticket will be purchased by the OWASP German Chapter and delivered to the participant via email. Previously purchased tickets are not eligible for reimbursement under any circumstances.<br />
<br />
=Archiv=<br />
=== Aktuelleres / Historisches ===<br />
;19-20.11.2018: [https://god.owasp.de/archive/2018/ German OWASP Day 2018 in Münster]<br />
;14.11.2017: [[German_OWASP_Day_2017|9ter German OWASP Day in Essen]]<br />
;11./12.09.2017: [[Cheat Sheet Workshop|Cheat Sheet Workshop in Frankfurt]]<br />
;29.11.2016: [[German_OWASP_Day_2016|8ter German OWASP Day in Darmstadt]]<br />
;01.12.2015: [[German_OWASP_Day_2015|7ter German OWASP Day in Frankfurt/Main]]<br />
;06.10.2015: Das OWASP German Chapter wird auch in diesem Jahr dank der Unterstützung der Nürnberg Messe auf der it-sa mit einem eigenen Stand (12.0-123) vertreten sein. Wir freuen uns auf spannende Gespräche am Stand. <br />
;13.04.2015: <u>[https://lists.owasp.org/pipermail/owasp-germany/2015-March/000758.html German OWASP Chapter Meeting]</u> in Frankfurt <br />
;23.01.2015: Übesetzung der '''OWASP Top 10 von 2013''' in Deutsch [[Germany/Projekte/Top_10|OWASP Top 10: Deutsche Übersetzung]]<br />
;09.12.2014: [[German_OWASP_Day_2014|6ter German OWASP Day in Hamburg]]<br />
;14.03.2014: OWASP Germany Chapter Meeting in Frankfurt; Details und Agenda sind [[Germany/Chapter_Meetings|hier]] zu finden.<br />
;20. - 23.08.2013: Das German Chapter veranstaltete die [[AppSecEU2013|OWASP AppSec Europe Research 2013]].<br />
;10.08.2013: Partnerschaft mit dem [http://www.isaca.de/ ISACA Germany Chapter e.V.]: Zum Nutzen für Mitgleider beider Seiten wurde mit dem ISACA Germany Chapter e.V. eine Partnerschaft geschlossen. Die Partnerschaft ermöglicht es Mitgliedern des ISACA Germany Chapter e.V. an der OWASP AppSec Research 2013 zu vergünstigten Konditionen teilzunehmen. Das OWASP German Chapter erhält Gelegenheit auf ISACA Konferenzen präsent zu sein. Wir freuen uns sehr auf die Partnerschaft.<br />
;01.07.2013: Programm für AppSec Research EU 2013 ist [http://owaspappseceu2013.sched.org/ online] <!-- http://sched.appsec.eu/ ist Tracking-Seite, grrrr --><br />
;10.06.2013: Registrierung für AppSec Research EU 2013 ist hier <u>https://appsec.eu/registration/</u> .<br />
;17.05.2013: OWASP Germany Chapter Meeting in Frankfurt; Details und Agenda sind [[Germany/Chapter_Meetings|hier]] zu finden.<br />
;22.02.2013: German Chapter Meeting findet am '''17.05.2013''' in Frankfurt statt.<br />
;5.12.2012: Das German Chapter veranstaltet die [[AppSecEU2013|OWASP AppSec Europe Research 2013]].<br />
: The German Chapter is proud announcing [[AppSecEU2013|date and location]] of AppSecEU 2013.<br />
;10.11.2012: [[German_OWASP_Day_2012|German OWASP Day 2012]]: Die hochrangige Websicherheitskonferenz war ein voller Erfolg: Dank gilt allen Besuchern -- gut ein Drittel mehr als letztes Jahr -- Sprechern und Sponsoren.<br />
;07.11.2012: [[Germany/Chaptersponsor|Chapter Sponsoring]] möglich.<br />
;03.11.2012: Webseite des [[Germany|OWASP German Chapter]] neu strukturiert.<br />
;10.09.2012: [[German_OWASP_Day_2012/Programm|Programm]] für [[German_OWASP_Day_2012|German OWASP Day 2012]] in München am 7.11.2012 steht<br />
;13.07.2012: Am Ende der AppSecEU 2012 wurde offiziell verkündet, dass das Deutsche Chapter die AppSec Research 2013 hostet. Ort Hamburg, Zeit: Juli <br />
;02.05.2012: Call for Presentations eröffnet für [[German_OWASP_Day_2012|German OWASP Day 2012]]. Ort: München<br />
<br />
Weitere Nachrichten sind [[Germany/Aktuelles|im Archiv]].<br />
<br />
=== Unsere Konferenzen ===<br />
<br />
;19.11.2018: [https://god.owasp.de/archive/2018/ 10ter German OWASP Day 2018 in Münster]<br />
;14.11.2017: [[German_OWASP_Day_2017|9ter German OWASP Day in Essen]]<br />
;29.11.2016: [[German_OWASP_Day_2016|8ter German OWASP Day in Darmstadt]]<br />
;01.12.2015: [[German_OWASP_Day_2015|7ter German OWASP Day in Frankfurt/Main]]<br />
;09.12.2014: [[German_OWASP_Day_2014|6ter German OWASP Day in Hamburg]]<br />
;20-23.08.2013: Das German Chapter organisierte die (europäische) [[AppSecEU2013|OWASP AppSec Europe Research 2013]].<br />
;7.11.2012: [[German_OWASP_Day_2012|German OWASP Day 2012]] in München<br />
<br />
Eine Liste aller vom OWASP German Chapter durchgeführten Konferenzen ist [[Germany/Konferenzen|hier]] zu finden.<br />
<br />
=Kontakt=<br />
=== So erreichen Sie uns ===<br />
<br />
;E-Mail: [mailto:germany-chapter-leaders@owasp.org germany-chapter-leaders@owasp.org]<br />
;Twitter: [https://twitter.com/#!/search/OWASP_de Twitter: @OWASP_de]<br />
;<u>[https://groups.google.com/a/owasp.org/group/germany-chapter/ Mailingliste]</u>: [mailto:germany-chapter@owasp.org germany-chapter@owasp.org] (<u>[https://lists.owasp.org/pipermail/owasp-germany/ Mailarchiv der alten Liste]</u>)<br />
<br />
Participation in the OWASP German Chapter is welcome. We look forward to contributions on our <u>[https://groups.google.com/a/owasp.org/group/germany-chapter/ mailing list]</u>. These should of course relate to application security; questions, tips, current announcements, job offers or project requests are all welcome. There is also a <u>[https://lists.owasp.org/pipermail/owasp-germany mail archive]</u> of the *old* list, which is no longer in use. If you cannot attend the meetings, simply contact one of the [[Germany|German Chapter board members]] or send an e-mail to our mailing list [mailto:germany-chapter@owasp.org germany-chapter@owasp.org].<br />
<br />
=== Press ===<br />
<br />
Press information can be found [[Germany/press|here]].<br />
<br />
=Sponsors=<br />
=== Sponsors of the German OWASP Chapter ===<br />
<br />
<!-- Sponsors: please use a 3-column table so that there is enough spacing between the images --><br />
{| style="background-color:inherit;" width="99%"<br />
| [[Image:Schutzwerk-300x29.png|link=http://www.schutzwerk.com|www.schutzwerk.com]]<br />
| [[Image:secuvera_8700px.png|link=https://www.secuvera.de|www.secuvera.de]]<br />
|-<br />
| [[Image:sicsec_logo_was_OWASP_20121218_small.png|link=http://www.sicsec.de|www.sicsec.de]]<br />
| [[Image:Logo-bitinspect.png|160px|link=https://bitinspect.de|bitinspect.de]]<!--[[Image:Cyberday-logo_8700px_square.png|link=https://www.cyberday-gmbh.de|www.cyberday-gmbh.de]]--><br />
|-<br />
| <!--[[Image:Banner_TUViT.png|link=https://www.tuvit.de/de|www.tuvit.de]]--><br />
| <!--[[Image:binsec.png|link=http://www.binsec.de/|www.binsec.de]]--><br />
|-<br />
| [[Image:xing_logo.png|120px|link=https://corporate.xing.com/english/company/security-at-xing/|www.xing.com]]<br />
| <!--[[Image:acunetix_max_8700px.png|link=https://www.acunetix.com/|www.acunetix.com]]--><br />
|}<br />
<br />
Our offer for chapter sponsors: [[Germany/Chaptersponsor|OWASP German Chapter Sponsorship]].<br />
<br />
<headertabs></headertabs><br />
<br />
<small>(A short [[Germany/Website_HowTo|HowTo]] for the German wiki pages)</small><br />
<br />
[[Category:Germany]] <br />
[[Category:Europe]]<br />
[[Category:OWASP Chapter]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=GoogleSeasonOfDocs2019&diff=250285GoogleSeasonOfDocs20192019-04-18T14:15:35Z<p>Bjoern Kimminich: /* "Pwning OWASP Juice Shop" Companion Guide */</p>
<hr />
<div>= Overview =<br />
<br />
OWASP is going to apply to participate in the inaugural [https://developers.google.com/season-of-docs/ Google Season of Docs].<br />
We will be requesting project ideas to help us complete our organization application, which is due April 23rd.<br />
<br />
= OWASP Project Documentation Requests =<br />
<br />
'''Tips to get you started, in no particular order:'''<br />
* Read the [https://developers.google.com/season-of-docs/docs/project-ideas Google Season of Docs Project Ideas]<br />
* Read the [https://developers.google.com/season-of-docs/terms/program-rules Program Rules]<br />
<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== The API ===<br />
ZAP has an extremely powerful API that allows you to do nearly everything that is possible via the desktop interface. It is considered one of ZAP's strengths and is heavily used for automation.<br />
Unfortunately it is also not particularly well documented, and we get many queries about it on the support groups.<br />
<br />
Existing documentation includes:<br />
* https://github.com/zaproxy/zaproxy/wiki/ApiDetails<br />
* https://github.com/zaproxy/zaproxy/wiki/ApiGen_Index<br />
<br />
This project would:<br />
# Explain the concepts behind the UI<br />
# Explain how it can be used at a high level<br />
# Detail all of the API calls<br />
<br />
The documentation should be suitable for publishing as web pages and for printing on paper.<br />
<br />
=== Zest ===<br />
Zest is an experimental, specialized scripting language developed by the ZAP team and intended for use in web-oriented security tools.<br />
While it is tool-independent, it is heavily used by ZAP.<br />
<br />
Existing documentation includes:<br />
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Zest<br />
* https://github.com/mozilla/zest/wiki<br />
<br />
This project would:<br />
# Explain the concepts behind Zest<br />
# Explain how to write Zest scripts<br />
# Document the parts of the ZAP Desktop UI provided for Zest<br />
<br />
The documentation should be suitable for publishing as web pages; ideally, the parts relating to the ZAP Desktop UI should also be includable within the UI as context-sensitive help.<br />
<br />
==OWASP Juice Shop==<br />
[[OWASP Juice Shop Project]] is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!<br />
<br />
==="Pwning OWASP Juice Shop" Companion Guide===<br />
<br />
''[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].''<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop|100px]]<br />
<br />
''The book is divided into three parts:''<br />
# ''Part I - Hacking preparations (helps you to get the application running and to set up optional hacking tools)''<br />
# ''Part II - Challenge hunting (gives an overview of the vulnerabilities found in the OWASP Juice Shop including hints on how to find and exploit them in the application)''<br />
# ''Part III - Getting involved (shows various ways to contribute to the OWASP Juice Shop open source project)''<br />
<br />
Primary focus points of this project could be:<br />
# Migrate the eBook from the (legacy) GitBook format to either the latest GitBook or another suitable format ''(Mandatory requirement is the ability to generate PDF/ePub/Mobi versions of the book for LeanPub '''and''' to host it online in HTML readable form)''<br />
# Tackle the idea to [https://github.com/bkimminich/pwning-juice-shop/issues/21 generate a special "CTF Edition"] of the book from the same source content<br />
<br />
This project could additionally:<br />
* Add hints and solutions for currently undocumented challenges (marked with ''':wrench: **TODO**''')<br />
* Extend the "Codebase 101" chapter with more details and examples for new contributors<br />
* Review, curate and extend the other existing content<br />
<br />
==OWASP-Securetea Tools Project==<br />
The OWASP SecureTea Project is an application designed to help secure a person's laptop, computer or server with IoT (Internet of Things) and notify users (via various communication mechanisms) whenever someone accesses their computer or server. This application uses the touchpad/mouse/wireless mouse to determine activity; it is developed in Python and tested on various machines (Linux, Mac and Windows). The software is still under development and will eventually have its own IDS (Intrusion Detection System) / IPS (Intrusion Prevention System), firewall, anti-virus, intelligent log monitoring capabilities with web defacement detection, and support for many more communication media. - https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
This project would:<br />
# Review, curate and extend the existing content of the [https://github.com/OWASP/SecureTea-Project/blob/master/README.md#target-user User Guide] and the [https://github.com/OWASP/SecureTea-Project/blob/master/doc/en-US/dev_guide.md Developer Guide]<br />
# Help translate the documentation into as many languages as you can, for example the existing [https://github.com/OWASP/SecureTea-Project/blob/master/doc/ja-JP/README.md Japanese translation]<br />
# As a content writer, contribute your best ideas for improving the SecureTea Project documentation<br />
# Help our programmers/contributors create the documentation that is not yet published or completed, such as website content, wiki, user docs and developer docs</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=250202OWASP Juice Shop Project2019-04-16T17:40:10Z<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.1 v8.5.1]<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.0 v8.5.0]<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
[07.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.0 v8.4.0]<br />
<br />
[29.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.0 v6.0.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A continuously updated list of the project's [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=250191OWASP Juice Shop Project2019-04-16T13:56:08Z<p>Bjoern Kimminich: Bump to v8.5.0</p>
<hr />
<div>=Main=<br />
== News ==<br />
<br />
[16.04.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.5.0 v8.5.0]<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
[07.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.0 v8.4.0]<br />
<br />
[29.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.0 v6.0.0]<br />
<br />
[24.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v5.0.2 v5.0.2]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop was created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A continuously updated list of [https://github.com/bkimminich/juice-shop/graphs/contributors project contributors is available on GitHub].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is fully implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions, including OWASP events]. It has been used successfully by various companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures and published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>
Next contribution by Bjoern Kimminich: Germany/Chapter Meetings (https://wiki.owasp.org/index.php?title=Germany/Chapter_Meetings&diff=249927), revised 2019-04-10T11:04:58Z
<p>Bjoern Kimminich: /* OWASP Germany Chapter Meeting am 10.04.2019 in Karlsruhe */</p>
<hr />
<div>__NOTOC__<br />
<br />
[[Image:owasp_germany_logo.png|right]]<br />
<br />
{| style="background-color:inherit;border-bottom:1px solid black" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
In Germany we have a single chapter as the organisational umbrella under which all activities such as conferences take place. The Stammtische (local meetups) are not chapters of their own.<br />
<br />
Unlike most OWASP chapters around the world, our chapter meetings have therefore so far been gatherings of a rather organisational nature, with talks on the side. The chapter meetings in the global sense were, and are, our annual conferences (German OWASP Day).<br />
<br />
=== Chapter Meetings ===<br />
Here you find information on the meetings of the German Chapter, the chapter meetings. The agenda, the invitation and the results worked out at each meeting are published here.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
<br />
=== Chapter Meetings ===<br />
This page contains everything you need to know about Chapter Meetings of the OWASP German Chapter. Please note that in Germany we have the so-called "Stammtische" (local meetups) in the metropolitan areas, which serve the purpose that local chapters serve elsewhere in the world. '''The''' German Chapter, of which there is only one, is our umbrella organisation, which helps us promote OWASP and its goals within Germany. <br />
<br />
Please note, most information is in German only.<br />
|}<br />
<br />
== OWASP Germany Chapter Meeting on 10.04.2019 in Karlsruhe ==<br />
<br />
The next chapter meeting will take place on '''10.04.2019''', from '''13:00''', at '''Brauerstraße 48 in Karlsruhe'''. <br />
<br />
In keeping with the ''O'' in OWASP standing for ''open'', this meeting is public. Anyone may attend and take part in the chapter's work. OWASP membership is '''not''' required to attend; it is required only for votes. We do, however, need prior registration under your real name so that visitor badges can be left for you at reception. Please register (and submit any agenda items) by e-mail to [mailto:tobias.glemser@owasp.org Tobias Glemser] or [mailto:henrik.willert@owasp.org Henrik Willert].<br />
<br />
'''Directions'''<br />
<br />
In front of the main station, trams of '''line 2''' towards '''Siemensallee''' run every 10 minutes. (Tickets can be bought at the ticket machines and must be validated on the tram at the start of the journey.)<br />
Ride four stops on this line and get off at the '''ZKM''' stop. <br />
The 1&1 building is then directly on the left. (Careful: there are several 1&1 buildings in Karlsruhe. We meet at Brauerstraße 48.)<br />
Report to reception and ask for Henrik Willert or OWASP.<br />
<br />
'''Agenda:'''<br />
<br />
* Welcome and brief round of introductions by name (Tobias, 15 minutes)<br />
* German OWASP Day planning & status (30 min)<br />
* Open Security Summit sponsoring (15 min)<br />
* German Chapter banner & postcard (5 min, with the option of +20 min)<br />
** The current proposals (as of 15.02.) are very thin. The question is whether to start with so little (which would effectively mean that I have to come up with at least the texts myself) or to drop the idea. Perhaps plan a longer slot for joint brainstorming if the idea is not to die? https://docs.google.com/document/d/1UtUEFwvBTAnatqjqj5gCVUwx29auxHKm9kITiYRLOlQ<br />
* TweetDeck (10 min)<br />
** Stammtisch organisers are welcome to send Björn their Twitter handle if they would like rights for the @owasp_de account. We should perhaps also define what we consider like- and retweet-worthy by default.<br />
* Master's thesis on redesigning Juice Shop (5 min)<br />
** Short update on the Master's thesis, by then one month under way, of a student at Hochschule der Medien Stuttgart, which came about through Tobias's contacts and aims to redesign Juice Shop. https://juice-shop-experimental.herokuapp.com vs. https://juice-shop-staging.herokuapp.com<br />
* How can we make the CFP/GOD more attractive for speakers? (10 min)<br />
** Cover the expenses (hotel/train) of all speakers to make the event more attractive for them.<br />
* Meetup account paid from the German chapter budget (15 min, Christian Becker)<br />
* Google Groups/technology (15 min, Tobias)<br />
* it-sa 2019 and swag (10 min, Tobias)<br />
* Next chapter meeting before or after the GOD? (5 min)<br />
<br />
== OWASP Germany Chapter Meeting on 19.11.2018 in Münster == <br />
The chapter meeting took place on 19.11.2018 in Münster and [https://lists.owasp.org/pipermail/owasp-germany/2018-October/001127.html was announced via the mailing list].<br />
<br />
== OWASP Germany Chapter Meeting on 11.04.2018 in Frankfurt ==<br />
<br />
The next chapter meeting will [http://lists.owasp.org/pipermail/owasp-germany/2018-February/001064.html take place on 11 April in Frankfurt]. Please contact [mailto:tobias.glemser@owasp.org Tobias Glemser] if you want to attend. OWASP membership is '''not''' required to attend; it is required only for votes. [https://www.owasp.org/images/c/c5/2018-04-11_German_Chapter_Meeting_Minutes.pdf Minutes]<br />
* Time: Wednesday, 11.04.2018, 13:00-18:00<br />
* Venue: [https://www.saalbau.com/raumangebot/detail/?SAALBAU-Gutleut&objekt=78 SAALBAU Gutleut], Frankfurt am Main<br />
<br />
'''Agenda:'''<br />
<br />
* Welcome and brief round of introductions by name (Tobias, 15 minutes)<br />
* News from OWASP Global, AppSec postponement (Tobias, 15 minutes)<br />
* Finance overview (Ingo, 15 minutes)<br />
* OWASP Summit (Björn, 15 minutes)<br />
* OWASP Top 10 2017 - state of affairs (15 minutes)<br />
* GOD 2018 - state of affairs (Christian Dreesen, 15 minutes)<br />
* Concrete approach to chapter sponsoring (Alexios, 15 minutes)<br />
* 10 years of OWASP Germany (?) (Alexios, 10 minutes)<br />
* Cheat Sheet workshop with Jim in July (??, 15 minutes)<br />
* Venue of the next chapter meeting.<br />
<br />
== OWASP Germany Chapter Meeting on 13.11.2017 in Essen ==<br />
* Time: Monday, 13.11.2017, 14:00-18:00, [https://www.owasp.org/images/6/62/20171113_Chapter_Meeting_German_OWASP_Chapter.pdf Minutes]<br />
* Venue: Unperfekthaus in Essen ( <nowiki>http://www.unperfekthaus.de/anfahrt/</nowiki>)<br />
<br />
'''Agenda with minutes:'''<br />
<br />
* Welcome and brief round of introductions by name (Tobias, 15 minutes)<br />
* State of finances, German Chapter budget at OWASP (Ingo, 60 minutes)<br />
** Support for projects of the German Chapter: required resources / budget<br />
*** OWASP on the move<br />
*** Cheat Sheet workshop 2018<br />
*** OWASP Top 10 2017 - DE workshop<br />
*** Stammtische (assets)<br />
*** others<br />
** Support for international projects<br />
*** OWASP Summit London 2018<br />
*** others<br />
* OWASP Top 10 2017 - German translation: team and workshop (15 minutes)<br />
** Who takes the organiser's hat?<br />
** Who is in?<br />
* Status of OWASP on the move Germany (Alexios, Torsten, Bastian, 15 minutes)<br />
* Public relations: better visibility for the German Chapter (30 minutes)<br />
** Landing page owasp.de (status from Torsten and Henrik?) ([[User:Hwillert/sandbox/Germany|RC]])<br />
** Options (home-made, agency, wait, ...)<br />
** GOD website :-))<br />
* From the last meeting: Henrik & Torsten take care of a concept for free (or low-cost) trainings on the day after GOD 2017 in Essen: status? (10 minutes)<br />
* GODays 2018ff: possible organisational improvements (30 minutes)<br />
** Cooperation with the Foundation<br />
** Public relations<br />
** Standardised workflows (cheat sheet 2.0)<br />
** Pricing (Henrik) [https://docs.google.com/a/owasp.org/spreadsheets/d/1bJWgYCvaUDfuI_54fhnobEOG-ylosZcQETwCd_KiXjg/edit?usp=sharing]<br />
** Who does the organising?<br />
* Renaming the Stammtische? (Henrik, 15 minutes)<br />
* Status of chapter sponsoring (Michael on behalf of Alexios, 10 minutes)<br />
* Who wants to take part in the new chapter? (15 minutes)<br />
** People<br />
** Election of a new Chapter Lead (currently Tobias)<br />
** Treasurer (currently Ingo)<br />
** Sponsor liaison (currently Alexios)<br />
* Venue of the next chapter meeting<br />
==OWASP Germany Chapter Meeting on 31.03.2017 in Munich==<br />
* Time: Friday, 31.03.2017, 11:00-17:00<br />
* Venue: "Stockwerk", Oppelner Str. 5, 82194 Gröbenzell near Munich<br />
<br />
'''Agenda with minutes:'''<br />
<br />
* Welcome and brief round of introductions by name (Tobias)<br />
* State of finances, German Chapter budget at OWASP (Ingo)<br />
* Chapter sponsoring (Alexios)<br />
** Tobias reports the proposal of Alexios (absent) to discontinue chapter sponsoring. Alexios is asked to prepare a proposal paper with pros, cons and alternatives. Decision then by board call.<br />
* Info on the barter deal with it-sa (Tobias)<br />
** Coordination with OWASP Global has taken place.<br />
* Two-day workshop on the Cheat Sheet (Boris, Jan, Hartwig)<br />
** Boris (lead) + Jan + Hartwig will make a proposal, then take it to the board round to collect feedback. Keep Achim on cc so that he is informed at the Summit. <br />
* Status of the cheat sheet for organising a German OWASP Day (Ingo)<br />
** Ingo has created an Excel sheet with about 50 items.<br />
** Can be used for GOD 2017 and is to be revised afterwards.<br />
** Ingo will send a link to the Google Drive document.<br />
* GOD 2017 (Christian)<br />
** We plan for max. 200 participants (incl. staff, speakers, ...)<br />
** Christoph compiles information on venues and dates.<br />
** Decision call in April (date, venue)<br />
** Recognition as educational leave (Bildungsurlaub) possible?<br />
* Status of owasp.de (Tobias)<br />
** owasp.de is held "privately" by Tobias (whois, DNS); Kai is no longer the owner<br />
** Run owasp.de as a redirect -> Henrik<br />
* Organisational tools for Stammtische such as Meetup (anyone who can contribute)<br />
* OWASP on the move Germany (Alexios, Torsten, Bastian)<br />
** Bastian: two requests, but in the end nobody wanted money. <br />
** Stammtische were asked, but no feedback<br />
** Alexios leaves the group of "OWASP on the move Germany" organisers<br />
** FAQ on the Stammtisch page for "new Stammtisch" and "How do I use OontmG" -> Stammtisch cheat sheet<br />
** Stammtische should maintain a list of potential speakers on owasp.org. Achim creates the page (done! https://www.owasp.org/index.php/Germany/Speaker ). <br />
* OWASP Germany social media and website content, esp. the start page (Tobias, Torsten)<br />
** Tobias: the German Chapter page is not "beginner-friendly". <br />
** Torsten's proposal: the entry page should offer target-group-specific landing pages (people looking for information, people interested in Stammtische, people who want to contribute, ...)<br />
** Torsten and Henrik will make a proposal<br />
** The owasp.de Twitter account is currently held by Dirk and Boris<br />
* Request for help organising the Foundation's "Large OWASP AppSec Trainings" (Achim, Tobias)<br />
** Torsten reports on experiences from the Munich Stammtisch.<br />
** Exchange between the Stammtische is desired but should not be formalised (no mailing list)<br />
** Torsten will send out a template for a survey on Stammtische.<br />
* Organisational tools for Stammtische such as Meetup, mailing list (also board)<br />
** Mails to owasp.de are to bounce in future (Tobias, done)<br />
** For the board, the board-germany list on mailman is to be used in future.<br />
** List set up, hidden list, members informed; admins currently Achim and Bastian<br />
** Meetup: the Karlsruhe Stammtisch uses Meetup via the OWASP.org beta programme.<br />
** Tobias asks Kate whether Meetup will be provided by owasp.org (request submitted)<br />
** If Meetup is no longer supported: Xing had already offered a free Pro account.<br />
* How can the German Chapter support applying for and running OWASP projects?<br />
** Concrete pain point: the review process for Juice Shop (or for projects in general) is stuck. For further concrete problems: mail Tobias. Tobias escalates to OWASP Global.<br />
** Further pain point: SecurityRAT. Henrik asks Daniel to get in touch with Tobias.<br />
* Request for help organising the Foundation's "Large OWASP AppSec Trainings" (Achim, Tobias)<br />
** In general, there are contacts to universities.<br />
** Tobias asks for the framework: target audience, duration, sponsored, ...? (request pending)<br />
* Summit: <br />
** Achim reports on the upcoming Summit in June near London.<br />
** Vote: the chapter sponsors sending Achim and Björn to the Summit. If their costs are covered by the "Editors Fund", we donate EUR 3,600 from the chapter budget to the Summit. If Ingo attends for finance reasons, his costs are covered from this sum (the rest is donated). Unanimous with two abstentions.<br />
* Miscellaneous<br />
** Henrik & Torsten take care of a concept for free (or low-cost) trainings on the day after GOD 2017 in Essen<br />
** Martin takes up the "German OWASP Summer of Code" again.<br />
** Next chapter meeting on the day before GOD 2017.<br />
** Ingo: the conference website for the GOD must look more professional. Björn will look into whether the appsec.eu site on GitHub can be "copied".<br />
** Torsten asks whether the chapter will fund a projection screen (EUR 80). Board agrees (unanimous with one abstention). Ingo maintains an "asset list". Page created: https://www.owasp.org/index.php/Germany/Assets <br />
<br />
<br />
==OWASP Germany Chapter Meeting on 28.11.2016 in Darmstadt==<br />
A chapter meeting took place on the day before German OWASP Day 2016. [https://www.owasp.org/images/d/d2/Protokoll_OWASP_Chapter-Meeting_2016-11-26.pdf Minutes]<br />
<br />
* Time: Monday, 28.11.2016, 15:00-18:00<br />
* Venue: seminar room of CAST e.V., Rheinstraße 75, 64295 Darmstadt<br />
<br />
'''Draft agenda:'''<br />
<br />
* Welcome and brief round of introductions by name (~10 min)<br />
<br />
* Finances (~60 min)<br />
** Ingo: finance overview and status of the chapter <br />
** Dirk: what do we want to spend money on? Pressure to act from the Foundation, 60 min (http://lists.owasp.org/pipermail/owasp-leaders/2016-November/017448.html)<br />
** Dirk: work out/agree a finance overview for 2017 (see sheet)<br />
<br />
* Who wants to take part in the new chapter? (~45 min)<br />
** Projects (see tab 2 in the sheet)<br />
*** Present and raise hands<br />
**** German Summer of Code (Martin/Bastian)<br />
**** Student sponsoring for the GOD<br />
**** Liaison/point of contact for external appearances/third-party conferences (Boris's remark, 1.11.)<br />
**** Achim: wiki: our own one in DE? Or stay with the Foundation wiki?<br />
** People<br />
** Election of a new Chapter Lead<br />
** "Treasurer"<br />
** Sponsor liaison<br />
<br />
* Break 10 min (from minute 115)<br />
<br />
* Boris: retrospective of GOD 2015 (finances, attendees): ~10 min<br />
<br />
* Ingo: brief figures on GOD 2016 (finances, attendees) ~5 min<br />
<br />
* GOD 2017 (15 min)<br />
** Is there anyone who wants to organise the national conference in 2017?<br />
** Lessons learnt 2016/2015<br />
*** Programme<br />
*** General<br />
<br />
* IT resources of the German OWASP Chapter (10 min)<br />
** owasp.de: domain, HTTP, SMTP<br />
** vServer at Strato: what is on it? Do we need it? Who does what?<br />
** Certificate<br />
<br />
* Logo, new sponsor contract (10 min)<br />
<br />
* Remaining items, should we still have time<br />
** ..<br />
<br />
<br />
==OWASP Germany Chapter Meeting on 13.04.2015 in Frankfurt==<br />
The OWASP Germany Chapter Meeting took place on Monday, [https://lists.owasp.org/pipermail/owasp-germany/2015-March/000758.html 13.04.2015 at 13:00 in Frankfurt]. The agenda, information and resolutions can be found in the [https://www.owasp.org/images/b/b9/Protokoll_OWASP_Chapter-Meeting_2015-04-13.reformatiert.pdf minutes].<br />
<br />
==OWASP Germany Chapter Meeting on 14.03.2014 in Frankfurt==<br />
The OWASP Germany Chapter Meeting took place on Friday, 14.03.2014 at 13:30 in Frankfurt.<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
Venue: Gewerkschaftshaus, Willi-Richter-Saal, Wilhelm-Leuschner-Straße 69-77, 60329 Frankfurt<br />
<br />
We hereby cordially invite you once again to the chapter meeting of the OWASP German Chapter.<br />
<br />
If you want to take an active part in shaping the chapter, this is the right place for you. The chapter meetings are aimed at everyone who wants to take an active part in what happens in the chapter. We are setting the course for making OWASP even more visible in Germany and look forward to your contribution! OWASP lives from its community, from active participation.<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
==== Invitation ====<br />
<br />
|-<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Agenda ====<br />
* 13:30 Tobias Glemser, OWASP German Chapter Lead: warm words of welcome and review of chapter activities 2013 (15 min)<br />
* 13:45 "You are known by the company you keep: Introducing a secure software vendor exchange program" Chris Wysopal, CTO, Veracode (15 min)<br />
* 14:00 "Password Storage: Adobe schlägt Forbes und OWASP" (Password storage: Adobe beats Forbes and OWASP) Arnim Rupp, LH Systems (15 min)<br />
* 14:15 Dirk Wetter, OWASP German Chapter Board Member and AppSec Research Conference Chair: review of OWASP AppSec Research 2013 and outlook on OWASP Day 2014 (45 min)<br />
* 15:00 Break (15 min) <br />
* 15:15 "25 Million Flows Later - Large-scale Detection of DOM-based XSS", Martin Johns, SAP AG (45 min)<br />
* 16:00 Tobias Glemser, OWASP German Chapter Lead: use of the funds available to the chapter (45 min)<br />
* 16:45 Tobias Glemser, OWASP German Chapter Lead: chapter board election (as decided in 2013, all positions) (15 min)<br />
* 17:00 open round: OWASP Germany in the coming year (30 min)<br />
* Around 17:30 end; afterwards, whoever likes, a nightcap at Ristorante Vitavera<br />
<br />
[https://reg.owasp.de Please register here].<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
* [[Media:OWASP_Chapter_Meeting_2014-03-14.pdf|&rarr; Talk]] Tobias Glemser, OWASP German Chapter Lead: warm words of welcome and review of chapter activities 2013 <br />
* Talk "You are known by the company you keep: Introducing a secure software vendor exchange program" Chris Wysopal, CTO, Veracode<br />
* [[Media:Password_Storage.pdf|&rarr; Talk]] "Password Storage: Adobe schlägt Forbes und OWASP" (Password storage: Adobe beats Forbes and OWASP) Arnim Rupp, LH Systems <br />
* 14:15 Dirk Wetter, OWASP German Chapter Board Member and AppSec Research Conference Chair: review of OWASP AppSec Research 2013 and outlook on OWASP Day 2014.<br />
** After the review of the extremely successful AppSec in Hamburg, fundamental discussions were held on how we organise our conference in 2014.<br />
** Around November 2014 (avoid collisions with BeNeLux, it-sa etc.)<br />
** The CfP would then have to go out by May. City and venue must be fixed by then.<br />
** Format again more like 1 day, 2 tracks<br />
** Free admission, fully financed by sponsors, is disfavoured, as it is feared this would be hard to sell to sponsors.<br />
** Problem of billing/invoicing. Currently a lot of effort => find a factoring company<br />
** Where: hotel or university?<br />
*** University: no sensible proposals at the chapter meeting<br />
*** Hotels: Dresden, Hamburg, ...<br />
** The location is relatively unimportant; criteria:<br />
*** ICE railway station<br />
*** Some attractiveness cannot hurt<br />
*** An established Stammtisch there would be an advantage<br />
*** Ideally someone with local knowledge on site<br />
** Who: all of us on many shoulders, or a service provider<br />
*** Even in the latter case, work remains with us.<br />
*** Dirk has the organiser's hat, Tobias the sponsor hat, Martin the PR hat.<br />
** Orientation of the conference:<br />
*** Leave it as it is<br />
*** Get closer to developers<br />
*** Get closer to decision-makers<br />
*** Get closer to students<br />
*** Also reach out more to hobbyists<br />
*** => open<br />
** For 2015: resolution to seek proximity to the Karlsruhe Entwicklertage. Adopted without dissent.<br />
<br />
* Torsten Gigler presented the <u>[https://www.owasp.org/index.php/Category:OWASP_Top_10_fuer_Entwickler Top 10 for Developers]</u><br />
* Request from Scotland regarding sponsoring the expenses of a talk by Mario Heiderich. The Chapter Lead was referred to OWASP on the Move accordingly. If that does not work out, the German chapter sponsors the trip.<br />
* Tobias Glemser is tasked with buying OWASP books and information material for conferences so that it can be handed out free of charge.<br />
* [[Media:OWASP domxss.pdf|&rarr; Talk]] "25 Million Flows Later - Large-scale Detection of DOM-based XSS", Martin Johns, SAP AG (45 min)<br />
* As the discussion about the German OWASP Day overran the time budget, the following two agenda items were postponed to the chapter meeting 02/2014.<br />
** OWASP German Chapter Lead: use of the funds available to the chapter (45 min)<br />
** OWASP German Chapter Lead: chapter board election (as decided in 2013, all positions) (15 min)<br />
* We concluded the chapter meeting with a delicious dinner at Ristorante Vitavera.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
<small>(see minutes on the left)</small><br />
|}<br />
<br />
==OWASP Germany Chapter Meeting on 17.05.2013 in Frankfurt==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
The OWASP Germany Chapter Meeting took place on 17.05.2013 at 14:00 in Frankfurt.<br />
<br />
Venue: Saalbau Gallus, Frankenallee 111, 60326 Frankfurt am Main <br />
[http://maps.google.de/maps?q=Frankenallee+111,+60326+Frankfurt+am+Main&hl=de&sll=50.104389,8.642389&sspn=0.002883,0.010375&vpsrc=0 Map] (A few metres from the Galluswarte S-Bahn station, one stop from Frankfurt Hbf)<br />
----<br />
==== Invitation ====<br />
We hereby cordially invite you once again to the chapter meeting of the OWASP German Chapter.<br />
<br />
If you want to take an active part in shaping the chapter, this is the right place for you. The chapter meetings are aimed at everyone who wants to take an active part in what happens in the chapter. We are setting the course for making OWASP even more visible in Germany and look forward to your contribution! OWASP lives from its community, from active participation.<br />
<br />
[https://reg.owasp.de Please register here]. Please!<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
|-<br />
| style="vertical-align:top;" |<br />
<br />
==== Agenda ====<br />
<br />
* 14:00 Tobias Glemser, OWASP German Chapter Lead (30 min): warm words of welcome and review of chapter activities 2012 <br />
* 14:30 Laurent Levi of Checkmarx (45 min): DevOps and Security: It's Happening. Right Now.<br />
* 15:15 Dirk Wetter, OWASP German Chapter Board Member and AppSec EU Research Conference Chair (30 min): review of OWASP Day 2012 and outlook on AppSec EU Research 2013 <br />
* 15:45 Break (15 min) <br />
* 16:00 Jim Manico, OWASP Board Member (45 min): Top Ten Web Defenses<br />
* 16:45 Torsten Gigler, OWASP German Chapter (15 min): <u>[https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project OWASP Top 10 fuer Entwickler]</u> (OWASP Top 10 for Developers)<br />
* 17:00 Tobias Glemser, OWASP German Chapter Lead (15 min): chapter board election <br />
* 17:15 open round (30 min): OWASP Germany in the coming year <br />
* Around 17:30 end; afterwards, whoever likes, a nightcap at the Greek restaurant nearby.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
<br />
==== Agenda ====<br />
* 14.00h Tobias Glemser, OWASP German Chapter Lead (30 min): Welcome and Review of Chapter Activities 2012 <br />
* 14:30h Laurent Levi of Checkmarx (45 min): DevOps and Security: It's Happening. Right Now.<br />
* 15:15h Dirk Wetter, OWASP German Chapter Board Member und AppSec EU Research Conference Chair (30 min): Review OWASP Day 2012 and Outlook AppSec EU Research 2013 <br />
* 15:45h Break (15 min) <br />
* 16.00h Jim Manico, OWASP Board Member (45 min): Top Ten Web Defenses<br />
* 16.45h Torsten Gigler, OWASP German Chapter (15 min): <u>[https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project OWASP Top 10 fuer Entwickler]</u><br />
* 17.00h Tobias Glemser, OWASP German Chapter (15 min): Chapter Board Election<br />
* 17.15h open round (30 min): OWASP Germany next year <br />
* Around 17.30h we will be finished. Whoever is interested in joining a get-together at a Greek restaurant nearby, please let us know. <br />
|-<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
<br />
==== Results / Minutes ====<br />
<br />
<br />
* Welcome and report by Tobias [ [[Media:German_Chapter_Meeting_2013_Bericht_Chapter.pdf|&rarr; Slides]] ]<br />
* Talk: Laurent Levi, Checkmarx<br />
* Short round of introductions<br />
* Talk: Torsten Gigler - OWASP Top 10 for Developers [ [[Media:German_Chapter_Meeting_2013_OWASP_Top_10_fuer_Entwickler.pdf|&rarr; Slides]] ]<br />
* Talk: Dirk Wetter - AppSec Research 2013<br />
** GOD 2012<br />
*** Review of GOD 2012 (German OWASP Day)<br />
*** A complete success, both in content and financially<br />
** Dev(i|e)l 2013<br />
*** Outlook on AppSec Research 2013<br />
*** The conference promises a lot<br />
*** Details at <u>https://appsec.eu</u><br />
* Talk: Jim Manico - Top Ten Web Defenses [ [http://www.slideshare.net/JimManico/top-ten-defenses-v10 &rarr; Slides] ]<br />
* Organisational matters<br />
** Chapter Lead: Tobias Glemser<br />
** Board 2013: <br />
*** Dirk Wetter<br />
*** Martin Johns <br />
*** Achim Hoffmann<br />
*** Emin Tatlı<br />
*** Kai Jendrian<br />
** Decision: the board is re-elected annually <br />
* OWASP Day 2014<br />
* Venue selection by call for venue<br />
* Proposals made on site:<br />
** Cologne<br />
** Karlsruhe<br />
* Project proposals<br />
** Translation of OpenSAMM<br />
** Translation of the Top 10 after its final publication (triggered by Kai)<br />
* Miscellaneous:<br />
** Meeting of the OWASP chapter in Q4 with a talk<br />
** Better presence of OWASP at other conferences <br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
<br />
==== Protocol ====<br />
tbd<br />
|<br />
<br />
|-<br />
! colspan="2" style="vertical-align:top;" align="left" |<br />
==== Abstracts/Bios ====<br />
|-<br />
| colspan="2" |<br />
===== DevOps and Security: It's Happening. Right Now. =====<br />
How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools, which require lengthy periods of configuration, tuning and application learning, have become irrelevant in these fast-paced environments. Yet falling back only on the secure coding practices of the developer cannot be tolerated.<br />
Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary code analysis overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. Steps include: <br />
* Re-evaluate existing security tools and consider their integration within a CD environment<br />
* Deliver a secured development framework and enforce its usage<br />
* Pinpoint precise security code flaws and provide optimal fix recommendations<br />
<br />
Laurent Levi<br />
Laurent is an experienced security professional with extensive technical knowledge in all aspects of application security. Over the last 6 years, Laurent has been managing Checkmarx's professional services team and prior to that led the code audit team of Lexsi in France. Laurent has extensive software development experience and has a postgraduate degree in AI from Paris VI Université Pierre et Marie Curie.<br />
<br />
===== Top Ten Web Defenses =====<br />
We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.<br />
<br />
Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background as a software developer and architect. Jim is also a global board member for the OWASP foundation. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and the OWASP podcast series.<br />
----<br />
|}<br />
<br />
==OWASP Germany Chapter Meeting on 03.02.2012 in Frankfurt==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
The OWASP Germany Chapter Meeting took place on 03.02.2012 in Frankfurt.<br />
<br />
Venue: Saalbau Gallus, Frankenallee 111, 60326 Frankfurt am Main<br />
[[http://maps.google.de/maps?q=Frankenallee+111,+60326+Frankfurt+am+Main&hl=de&sll=50.104389,8.642389&sspn=0.002883,0.010375&vpsrc=0 Map]] (A few metres from the Galluswarte S-Bahn station, one stop from<br />
Frankfurt Hbf).<br />
<br />
----<br />
==== Invitation ====<br />
We hereby once again cordially invite you to the first Chapter Meeting 2012 of the OWASP German Chapter.<br />
Anyone who wants to take an active part in shaping the chapter is in exactly the right place. We are setting the course to make OWASP even more present in Germany and look forward to your contribution! OWASP lives from its community, from active participation.<br />
Only thanks to the many people involved are we where we are today. So let's go! We would be especially pleased to welcome more of you from the educational sector (yes, you, dear students!).<br />
<br />
For better planning, please let us know briefly by e-mail if you will be attending. Thank you!<br />
<br />
Also plan some time afterwards: we will let the day wind down over a shared meal and perhaps a drink.<br />
<br />
Best regards and see you on 03.02. in Frankfurt, we look forward to seeing you.<br />
OWASP German Chapter<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
<br />
==== Invitation ====<br />
<br />
|-<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
|-<br />
|<br />
==== Agenda ====<br />
<br />
* Georg: Welcome by Georg Heß, German Board Leader<br />
* Kai: Talk "OWASP Top 10 in German - Pitfalls and Surprises"<br />
* Kai: Questions and answers on "OWASP Top 10 in German"<br />
* Boris: Talk "The new OWASP Chapter Handbook - how we work worldwide"<br />
* Boris: Questions and answers on "OWASP Chapter Handbook"<br />
* Dirk: Review of OWASP Day 2011, outlook for 2012<br />
* Tobias: Review of it-sa 2011, outlook for 2012<br />
* Dirk: AppSec Research EU: 2013 in Germany?<br />
* Boris: Company chapter support (costs, benefits, process)<br />
* Georg: Activities for recruiting members<br />
* Bruce: Options for intensifying press relations<br />
* Boris: Cooperation with the BSI<br />
* Tobias: Topics for projects 2012<br />
* Georg: Brief overview of OWASP certifications<br />
* Achim: Definition of the framework for a jobs page<br />
* Achim: Administrators for owasp.org<br />
* Georg: Election of the leader and board of the OWASP German Chapter<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
The minutes of the chapter meeting can be found <u>[[Media:Chapter-Germany-20120203-Protokoll.zip|here]]</u>; the password is secret ;-)<br />
<br />
Important decisions in brief:<br />
* Tobias elected as Chapter Leader<br />
* Election of the board: Bruce, Dirk, Emin, Martin, Achim<br />
* German OWASP Day 2012 in November in München<br />
** 1.5 - 2 days, no commercial trainings this year<br />
** CfP committee led by Dirk, Martin<br />
** there will be a certificate of participation/attendance<br />
* OWASP booth at it.sa 2012 in Nürnberg<br />
* Company sponsoring will be made possible: local sponsor approx. 500,-/year<br />
* Cooperation with the BSI will be intensified<br />
* there will be no separate German jobs page under owasp.org (for now); please use [[OWASP_Jobs]]<br />
...<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
Meeting minutes can be found <u>[[Media:Chapter-Germany-20120203-Protokoll.zip|here]]</u>. Note that they are in German.<br />
<br />
Most important:<br />
* Tobias elected as Chapter Leader<br />
* Board members: Bruce, Dirk, Emin, Martin, Achim<br />
* German OWASP Day 2012 will be in November in München<br />
** 1.5 - 2 days, no training sessions this year<br />
** CfP committee led by Dirk, Martin<br />
* OWASP will be present at it.sa 2012 in Nürnberg<br />
* company sponsoring possible: local sponsor approx. 500,-/year<br />
* co-operation and collaboration with BSI will be initiated<br />
* currently no local job page within owasp.org<br />
...<br />
|}<br />
<br />
==Chapter Board Meeting on 19.8.2011 in München==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
==== Agenda ====<br />
* Self-image of the chapter – the future<br />
* Bringing OWASP Germany into „public awareness“<br />
* Founding a registered association: yes/no<br />
* Money management/invoices<br />
* Companies as chapter members<br />
* IT-SA 2011<br />
* Board (communication, roles, election, date of the chapter meeting)<br />
* State of affairs: flyer<br />
* OWASP Day<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
The minutes of the board meeting can be found <u>[[Media:Chapter-Germany-20110819-Protokoll.zip|here]]</u>; the password is secret ;-)<br />
<br />
Important decisions in brief:<br />
* OWASP Chapter Germany will exhibit at it.sa in Nürnberg, 11.10. - 13.10.2011<br />
* a ''company membership'' aka ''Chapter Supporter'' will be offered; details shortly on the website<br />
* next chapter meeting on 20.01.2012 or 03.02.2012 in Frankfurt<br />
...<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
<br />
==== Protocol ====<br />
The minutes of the Chapter Germany board meeting can be found <u>[[Media:Chapter-Germany-20110819-Protokoll.zip|here]]</u>. Note that they are in German.<br />
<br />
Most important:<br />
* OWASP Chapter Germany will be at it.sa in Nuremberg, 11.10. - 13.10.2011<br />
* ''Chapter Supporter'' will be possible for companies; details coming soon<br />
* next Chapter Meeting 20.01.2012 or 03.02.2012 in Frankfurt<br />
...<br />
|}<br />
<br />
== Chapter Meeting on 20.5.2010 in München ==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
==== Agenda ====<br />
* 14:00 General welcome and round of introductions<br />
* 14:15 Bruce Sams: „Strategy and Costs for an SDLC“<br />
* 14:50 Discussion<br />
* 15:10 Boris Hemkemeier: „Two Factors Are Not Enough“<br />
* 16:05 Discussion (flows seamlessly into the)<br />
* 16:15 Coffee break<br />
* 16:35 Talk with discussion „Organisational Matters in the Chapter“<br />
* 17:15 Start of resolutions and elections<br />
* 17:25 Talk with discussion „OWASP Germany Conference 2010“<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
===== Organisational Matters in the Chapter =====<br />
<br />
The main points to be implemented or improved:<br />
<br />
* More external impact through public relations, better press work / press releases, and the introduction and maintenance of a list of spokespersons and speakers (e.g. to be able to present OWASP adequately at public events)<br />
* A well-maintained wiki, both for external presentation and as a platform for internal communication<br />
* Introduction of direct contact persons for various industries<br />
<br />
A short discussion follows on how this can be implemented effectively. A proposal is adopted by implied consent: a chapter board consisting of 5 members is to be elected. Each of these members receives one or more dedicated task(s) to cover and implement the points listed above. A call follows for people to stand for election. The new Chapter Leader is also to be elected. Since only one candidate stands for election for only one post for the next two years, the following is decided: in votes, each board member has exactly one vote, while the Chapter Leader has two votes. This is intended to prevent tied votes in the future.<br />
<br />
===== Resolution on the Number of Chapter Leaders =====<br />
<br />
The 12 participants of the chapter meeting unanimously resolve that in future the Chapter Germany (in line with most other OWASP chapters) will have only one Chapter Leader.<br />
<br />
===== Election of the Chapter Leader =====<br />
<br />
''Georg Heß'' stands as Chapter Leader and is elected the new Chapter Leader of the OWASP Chapter Germany with 11 of 12 votes and one abstention.<br />
<br />
===== Resolution on the Future Composition of the Board =====<br />
<br />
It is unanimously resolved that the future board will consist of 5 members. They are to take on the tasks as described in the discussion.<br />
<br />
===== Election of the Board =====<br />
<br />
''Tobias Glemser, Boris Hemkemeier, Achim Hoffmann, Uli Petersen and Bruce Sams'' stand for the 5 seats on the board. All are elected unanimously.<br />
<br />
All those elected accept the election.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
Not yet available in English, sorry.<br />
|}<br />
<br />
== OWASP German Chapter Meeting 10.07.2009, Mannheim ==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
==== Invitation ====<br />
;Summary:We will start with three interesting fresh talks. The following topics are the next activities of the OWASP German Chapter: the new [http://www.owasp.org/index.php/OWASP_German_Chapter_Stammtisch_Initiative "Stammtisch Initiative"] and the planning of the [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009] at Nuremberg. <br />
<br />
;Location:Aula of the [http://www.hs-mannheim.de Hochschule Mannheim], Building 3, Paul-Wittsack-Strasse 10, Mannheim ([http://maps.google.de/maps?f=d&source=s_d&saddr=Mannheim+Hbf&daddr=49.471303,8.48372&geocode=Fbr-8gIduTmBAA%3B&hl=de&mra=dme&mrcr=0&mrsp=1&sz=15&sll=49.474885,8.474715&sspn=0.015532,0.050254&ie=UTF8&z=15 Google Maps]). Please download the [http://www.hs-mannheim.de/campus/grafik/campusplan_legende_web.pdf campus map]. <br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
==== Invitation ====<br />
<br />
|-<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Agenda ====<br />
* 12:00 - 13:00&nbsp;: Lunch (optional, please send an email to [mailto:Georg.Hess@artofdefence.com?subject=OWASP%20Chapter%20Meeting%20Lunch%20registration Georg Heß] to register for lunch); the meeting point for lunch is at the Aula in Building 3<br />
* 13:15 - 13:30 : Opening by our host Prof. Rainer Gerten (German)<br />
* 13:30 - 14:30 : OWASP Educational Services - Teaching Security!, Martin Knobloch, Member of OWASP Global Education Committee (English)<br />
* 14:30 - 15:00 : Presentation and current status of the OWASP Germany project "Best Practice: Planning Security Assessments of Web Applications", N.N., project member (German)<br />
* 15:00 - 15:45 : Cloud Application Security - Opportunities and Risks - Some Starting Points on the Topic, Georg Hess (German)<br />
* 15:45 - 16:15 : Coffee<br />
* 16:15 - 17:00 : Organisational topics of the OWASP German Chapter (German)<br />
** OWASP Stammtisch Initiative<br />
** Outlook and organisational tasks for the 2nd [[OWASP Germany 2009 Conference]]<br />
* after 17:00 : Get-together (Any ideas for a nearby pub?)<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
<br />
===== OWASP AppSec 2010 =====<br />
<br />
A short historical review of the venues follows: 2008 in a hotel in Frankfurt, 2009 at the it-sa trade fair in Nürnberg. Short discussion of the pros and cons of hotel vs. trade fair vs. university location.<br />
<br />
* It is to be checked whether this year's '''„OWASP Germany Conference 2010“''' can again be held in cooperation with Messe Nürnberg / it-sa (e.g. on 20.10.2010).<br />
* A conference day with '''two different tracks (technical and management)''' is still envisaged.<br />
* To drive the content forward, a '''programme committee''' (initially consisting of ''Bruce Sams, Kai Jendrian, Boris Hemkemeier and Martin Johns'') is set up, which is to launch the '''CFP''' soon.<br />
<br />
At around 18:15 the OWASP German Chapter Meeting disbands and flows seamlessly into the 12th „Happy Anniversary!“ OWASP Stammtisch München.<br />
<br />
Further results can be found [https://lists.owasp.org/pipermail/owasp-germany/2009-July/000086.html in the minutes here].<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
Minutes: [https://lists.owasp.org/pipermail/owasp-germany/2009-July/000086.html See the list archive for the minutes.]<br />
|}<br />
<br />
== OWASP German Chapter Meeting - February 20th, 2008 in Darmstadt ==<br />
<br />
;Date: February 20th, 2008, 11:00-16:15<br />
;Location: The next chapter meeting will be hosted at CAST in Darmstadt.<br />
: CAST (http://www.cast-forum.de<nowiki/>)'''<br> Fraunhoferstr. 5 (formerly Rundeturmstr. 6) - Ground floor, Room 072 - [http://www.cast-forum.de/workshops/anfahrt.html Directions]'''<br />
<br />
;Agenda: This time the focus is on technical presentations and discussion.<br />
: Technical presentation slots will consist of 20-30 minute presentation and 15 minute discussion. <br />
# (11:00 - 11:15) Welcome, Introduction and Administrivia<br />
# (11:15 - 11:30) Presentation of CAST (Dr. Heinemann)<br />
# (11:30 - 11:45) Short OWASP organisation introduction and update (Tobias Gondrom)<br />
# (11:45 - 12:30) First technical presentation "Best Practices for Deploying a Web Application Firewall 1.0" (Slides: [http://www.owasp.org/images/1/1b/WAF-Paper.pdf PDF]) (Alexander Meisel)<br />
# (12:30 - 13:15) Break<br />
# (13:15 - 14:00) Second technical presentation "Defending against Web Application DoS Attacks" (Maximilian Dermann)<br />
# (14:00 - 14:45) 20-minute talks (15 min presentation + 5-10 min discussion)<br />
: * "Input validation in ASP.NET -- tips, tricks &amp; pitfalls" (Boris Hemkemeier)<br />
: * "Managing of extremely large Web Application Firewall Installations" (Slides: [http://www.owasp.org/images/f/f6/VeryLargeWAFs.pdf PDF]) (Alexander Meisel)<br />
# (14:45 - 15:00) Coffee break<br />
# (15:00 - 15:45) Fourth technical presentation "Secure Coding and Development Guidelines (part of CLASP)" (Tobias)<br />
# (15:45 - 16:00) Wrap-up and outlook<br />
<br />
== Chapter Meeting on September 7th 2007 in Frankfurt/Main ==<br />
<br />
After two years of absence the German Chapter has been restarted. The chapter meeting was on September 7th 2007, 15:00 - 18:00. <br />
<br />
This first chapter meeting had as its main goal the re-initiation of the German chapter and to start work on projects. Talks and presentations are secondary and will receive more focus at subsequent meetings. <br />
<br />
Read meeting notes/minutes [https://lists.owasp.org/pipermail/owasp-germany/2007-September/000038.html here].<br />
<br />
<br />
----<br />
[https://www.owasp.org/index.php?title=Germany/Chapter_Meetings <top>] [[Germany|<back>]] [[Germany|<Germany>]]<br />
<br />
[[Category:Germany]] <br />
[[Category:Europe]]</div>
Bjoern Kimminich: https://wiki.owasp.org/index.php?title=Germany/Chapter_Meetings&diff=249694 Germany/Chapter Meetings 2019-04-04T17:36:09Z
<p>Bjoern Kimminich: /* OWASP Germany Chapter Meeting am 10.04.2019 in Karlsruhe */</p>
<hr />
<div>__NOTOC__<br />
<br />
[[Image:owasp_germany_logo.png|right]]<br />
<br />
{| style="background-color:inherit;border-bottom:1px solid black" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
In Germany we have a single chapter as the organisational umbrella under which all activities such as conferences etc. take place. The Stammtische are not independent chapters.<br />
<br />
Unlike most OWASP chapters in the world, our chapter meetings have therefore so far been meetings of a more organisational nature, with talks on the side. The chapter meetings in the global sense were/are our annual conferences (German OWASP Day).<br />
<br />
=== Chapter Meetings ===<br />
Here you will find information on the meetings of the German Chapter -- the chapter meetings. The agenda, the invitation and the results worked out are published here.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
<br />
=== Chapter Meetings ===<br />
This page contains everything you need to know about the Chapter Meetings of the OWASP German Chapter. Please note that in Germany we have the so-called "Stammtische" in the metropolitan areas, which serve the purpose of other chapters worldwide. '''The''' -- we only have one -- German Chapter is our umbrella organisation, which helps us to promote OWASP and its goals within Germany.<br />
<br />
Please note, most information is in German only.<br />
|}<br />
<br />
== OWASP Germany Chapter Meeting on 10.04.2019 in Karlsruhe ==<br />
<br />
The next chapter meeting will take place on '''10.04.2019''', from '''13:00''', at '''Brauerstraße 48 in Karlsruhe'''.<br />
<br />
In keeping with the ''O'' in OWASP for ''open'', this meeting is public. Anyone can take part and get involved in the work of the chapter. OWASP membership is '''not''' a prerequisite for participation! Membership is only required for the votes. However, we need prior registration with your real name so that visitor badges can be deposited at reception. Please register (and submit any agenda items) by e-mail to [mailto:tobias.glemser@owasp.org Tobias Glemser] or [mailto:henrik.willert@owasp.org Henrik Willert].<br />
<br />
'''Directions'''<br />
<br />
In front of the main station, trams of '''line 2''' towards '''Siemensallee''' run every 10 minutes. (Tickets can be bought at the ticket machines and must be validated in the tram at the start of the journey.)<br />
Take this line four stops and get off at the '''ZKM stop'''.<br />
The 1&1 building is then directly on the left. (Attention! There are several 1&1 buildings in Karlsruhe. We meet at Brauerstraße 48.)<br />
Report to reception and ask for Henrik Willert or OWASP.<br />
<br />
'''Agenda:'''<br />
<br />
* Welcome and short round of introductions by name (Tobias, 15 minutes)<br />
* German OWASP Day planning & status (30 min)<br />
* Open Security Summit sponsoring (15 min)<br />
* German Chapter banner & postcard (5 min with an option of +20 min)<br />
** The current proposals are (as of 15.02.) very thin. The question is whether to start with so little (which would essentially mean that I at least have to come up with the texts myself) or to drop it. Perhaps plan a longer time slot for joint brainstorming if the project is not to die? https://docs.google.com/document/d/1UtUEFwvBTAnatqjqj5gCVUwx29auxHKm9kITiYRLOlQ<br />
* TweetDeck (10 min)<br />
** Stammtisch organisers are welcome to contact Björn with their Twitter handle if they would like rights for the @owasp_de account. We should perhaps also define what we consider like- and retweet-worthy by default.<br />
* Master's thesis on redesigning Juice Shop (5 min)<br />
** Short update on the master's thesis, which by then will have been running for 1 month, of a student at the Hochschule der Medien Stuttgart; it came about through Tobias's contacts and aims to redesign the Juice Shop. https://juice-shop-experimental.herokuapp.com<br />
* How can we make the CFP/GOD more attractive for speakers? (10 min)<br />
** Cover expenses (hotel/train) for all speakers to make the event more attractive for speakers.<br />
* Meetup account from the German chapter budget (15 min, Christian Becker)<br />
* Google Groups/technology (15 min, Tobias)<br />
* it-sa 2019 and swag (10 min, Tobias)<br />
* Next chapter meeting before or after the GOD? (5 min)<br />
<br />
== OWASP Germany Chapter Meeting on 19.11.2018 in Münster ==<br />
The chapter meeting took place on 19.11.2018 in Münster and [https://lists.owasp.org/pipermail/owasp-germany/2018-October/001127.html was announced via the mailing list].<br />
<br />
== OWASP Germany Chapter Meeting on 11.04.2018 in Frankfurt ==<br />
<br />
The next chapter meeting will [http://lists.owasp.org/pipermail/owasp-germany/2018-February/001064.html take place on 11 April in Frankfurt]. Please contact [mailto:tobias.glemser@owasp.org Tobias Glemser] if you want to take part. OWASP membership is '''not''' a prerequisite for participation! Membership is only required for the votes. [https://www.owasp.org/images/c/c5/2018-04-11_German_Chapter_Meeting_Minutes.pdf Minutes]<br />
* Time: Wednesday, 11.04.2018, 13-18h<br />
* Venue: [https://www.saalbau.com/raumangebot/detail/?SAALBAU-Gutleut&objekt=78 SAALBAU Gutleut], FFM<br />
<br />
'''Agenda:'''<br />
<br />
* Welcome and short round of introductions by name (Tobias, 15 minutes)<br />
* News from OWASP Global, AppSec postponement (Tobias, 15 minutes)<br />
* Overview of finances (Ingo, 15 minutes)<br />
* OWASP Summit (Björn, 15 minutes)<br />
* OWASP TOP 10 2017 - state of affairs (15 minutes)<br />
* GOD 2018 - state of affairs (Christian Dreesen, 15 minutes)<br />
* Concrete approach to chapter sponsoring (Alexios, 15 minutes)<br />
* 10 years of OWASP Germany (?) (Alexios, 10 minutes)<br />
* Cheat Sheet workshop with Jim in July (??, 15 minutes)<br />
* Venue of the next chapter meeting.<br />
<br />
== OWASP Germany Chapter Meeting on 13.11.2017 in Essen ==<br />
* Time: Monday, 13.11.2017, 14-18h, [https://www.owasp.org/images/6/62/20171113_Chapter_Meeting_German_OWASP_Chapter.pdf Minutes]<br />
* Venue: Unperfekthaus in Essen ( <nowiki>http://www.unperfekthaus.de/anfahrt/</nowiki>)<br />
<br />
'''Agenda with minutes:'''<br />
<br />
* Welcome and short round of introductions by name (Tobias, 15 minutes)<br />
* State of finances, German Chapter budget at OWASP (Ingo, 60 minutes)<br />
** Support for projects of the German Chapter: required resources / budget<br />
*** OWASP on the move<br />
*** Cheat Sheet workshop 2018<br />
*** OWASP TOP 10 2017 - DE workshop<br />
*** Stammtische (assets)<br />
*** others<br />
** Support for international projects<br />
*** OWASP Summit London 2018<br />
*** others<br />
* OWASP TOP 10 2017 - German translation: team and workshop (15 minutes)<br />
** Who takes the organisational lead?<br />
** Who is taking part?<br />
* Status of OWASP on the move Germany (Alexios, Torsten, Bastian, 15 minutes)<br />
* Public relations: better visibility for the German Chapter (30 minutes)<br />
** Landing page owasp.de (state of affairs from Torsten and Henrik?) ([[User:Hwillert/sandbox/Germany|RC]])<br />
** Options (home-made, agency, wait and see, ...)<br />
** GOD website :-))<br />
* From the last meeting: Henrik & Torsten are working on a concept for free (or low-cost) trainings on the day after GOD 2017 in Essen: status? (10 minutes)<br />
* GODays 2018ff: options for optimising the organisation (30 minutes)<br />
** Cooperation with the Foundation<br />
** Public relations<br />
** Standardisation of workflows (cheat sheet 2.0)<br />
** Pricing (Henrik) [https://docs.google.com/a/owasp.org/spreadsheets/d/1bJWgYCvaUDfuI_54fhnobEOG-ylosZcQETwCd_KiXjg/edit?usp=sharing]<br />
** Who handles the organisation?<br />
* Renaming the Stammtische? (Henrik, 15 minutes)<br />
* Status of chapter sponsoring (Michael on behalf of Alexios, 10 minutes)<br />
* Who wants to get involved in the new chapter? (15 minutes)<br />
** People<br />
** Election of a new Chapter Lead (currently Tobias)<br />
** Treasurer (currently Ingo)<br />
** Sponsor liaison (currently Alexios)<br />
* Venue of the next chapter meeting<br />
==OWASP Germany Chapter Meeting on 31.03.2017 in München==<br />
* Time: Monday, 28.11.2016, 11-17h<br />
* Venue: "Stockwerk", Oppelner Str. 5, 82194 Gröbenzell near München<br />
<br />
'''Agenda with minutes:'''<br />
<br />
* Welcome and short round of introductions by name (Tobias)<br />
* State of finances, German Chapter budget at OWASP (Ingo)<br />
* Chapter sponsoring (Alexios)<br />
** Tobias reports on Alexios's (absent) proposal to discontinue chapter sponsoring. Alexios is asked to prepare a proposal paper with pros and cons and alternatives. Then a decision by board conference call.<br />
* Info on the barter deal with it-sa (Tobias)<br />
** Coordination with OWASP Global has taken place.<br />
* 2-day workshop on the Cheat Sheet (Boris, Jan, Hartwig)<br />
** Boris (lead)+Jan+Hartwig make a proposal; then it goes to the board round to collect feedback. Keep Achim on cc so that he is informed at the Summit.<br />
* State of affairs of the cheat sheet for organising a German OWASP Day (Ingo)<br />
** Ingo has created an Excel sheet for this with about 50 points.<br />
** Can be used for GOD 2017 and is then to be revised.<br />
** Ingo sends a link to the Google Drive document<br />
* GOD 2017 (Christian)<br />
** We are planning for max. 200 participants (incl. staff, speakers, ...)<br />
** Christoph compiles information on locations and dates.<br />
** Decision conference call in April (date, location)<br />
** Recognition as educational leave possible?<br />
* State of affairs owasp.de (Tobias)<br />
** Owasp.de held "privately" by Tobias (whois, DNS), Kai no longer owner<br />
** Operate owasp.de as a redirect -> Henrik<br />
* Organisational tools for Stammtische such as Meetup (anyone who can contribute)<br />
* OWASP on the move Germany (Alexios, Torsten, Bastian)<br />
** Bastian: two requests, but in the end nobody wanted money.<br />
** Stammtische were asked, but no feedback<br />
** Alexios leaves the group of "OWASP on the move Germany" organisers<br />
** FAQ on the Stammtisch page for "new Stammtisch" and "How do I use OontmG" -> Stammtisch cheat sheet<br />
** Stammtische are to maintain a list of potential speakers on owasp.org. Achim creates the page (done! https://www.owasp.org/index.php/Germany/Speaker ).<br />
* OWASP Germany social media and website content, especially the start page (Tobias, Torsten)<br />
** Tobias: The German Chapter page is not "beginner-friendly".<br />
** Torsten's proposal: the entry page should offer target-group-specific landing pages (people looking for information, people interested in Stammtische, someone who wants to contribute, ...)<br />
** Torsten and Henrik make a proposal<br />
** The owasp.de Twitter account is currently held by Dirk and Boris<br />
* Request for help with organising the Foundation's "Large OWASP AppSec Trainings" (Achim, Tobias)<br />
** Torsten reports on experiences from the München Stammtisch.<br />
** Exchange between the Stammtische is desired but should not be formalised (no mailing list)<br />
** Torsten sends out a template for a survey of Stammtische.<br />
* Organisational tools for Stammtische such as Meetup, mailing list (also board)<br />
** Mails to owasp.de are to bounce in future (Tobias, done)<br />
** The board is to use the board-germany list on mailman in future.<br />
** List set up, hidden list, members are informed; admins currently Achim and Bastian<br />
** Meetup: the Karlsruhe Stammtisch uses Meetup via the OWASP.org beta programme.<br />
** Tobias asks Kate whether Meetup is provided by owasp.org (request submitted)<br />
** If Meetup is no longer supported: Xing had already offered a free Pro account.<br />
* How can the German Chapter support the application for and execution of OWASP projects?<br />
** Concrete pain point: the review process for Juice Shop (or projects in general) is stuck. For further concrete problems: mail to Tobias. Tobias escalates to OWASP Global.<br />
** Another pain point: SecurityRAT. Henrik asks Daniel to get in touch with Tobias.<br />
* Request for help with organising the Foundation's "Large OWASP AppSec Trainings" (Achim, Tobias)<br />
** In general, there are contacts with universities.<br />
** Tobias asks for the basic parameters: target audience, duration, sponsored, ...? (request pending)<br />
* Summit:<br />
** Achim reports on the upcoming Summit in June near London.<br />
** Vote: the chapter sponsors sending Achim and Björn to the Summit. If their costs are covered by the "Editors Fund", we donate 3,600 EUR from the chapter budget to the Summit. If Ingo attends because of finances, his costs are covered from this sum (the rest is donated). Unanimous with two abstentions.<br />
* Other<br />
** Henrik & Torsten are working on a concept for free (or low-cost) trainings on the day after GOD 2017 in Essen<br />
** Martin takes up the "German OWASP Summer of Code" again.<br />
** Next chapter meeting on the day before GOD 2017.<br />
** Ingo: the conference website for the GOD must look more professional. Björn looks into whether the appsec.eu site on GitHub can be "copied".<br />
** Torsten fragt, ob das Chapter eine Leinwand (80 EUR) finanziert. Board stimmt zu (einstimmig bei einer Enthaltung.. Ingo pflegt eine “Assetliste”. Seite angelegt: https://www.owasp.org/index.php/Germany/Assets <br />
<br />
<br />
==OWASP Germany Chapter Meeting on 28.11.2016 in Darmstadt==<br />
A chapter meeting took place on the day before the German OWASP Day 2016. [https://www.owasp.org/images/d/d2/Protokoll_OWASP_Chapter-Meeting_2016-11-26.pdf Minutes]<br />
<br />
* Time: Monday, 28.11.2016, 15-18h<br />
* Location: seminar room of CAST e.V., Rheinstraße 75, 64295 Darmstadt<br />
<br />
'''Draft Agenda:'''<br />
<br />
* Welcome and a brief round of introductions by name (~10min)<br />
<br />
* Finances (~60min)<br />
** Ingo: financial overview and status of the chapter<br />
** Dirk: What do we want to spend money on? Pressure to act from the Foundation 60min (http://lists.owasp.org/pipermail/owasp-leaders/2016-November/017448.html)<br />
** Dirk: draft/agree the financial overview for 2017 (see sheet)<br />
<br />
* Who wants to get involved in the new chapter? (~45min)<br />
** Projects (see tab 2 in the sheet)<br />
*** Present and raise hands<br />
**** German Summer of Code (Martin/Bastian)<br />
**** Student sponsoring for the GOD<br />
**** Liaison/point of contact for external appearances/other conferences (Boris' remark, 1.11.)<br />
**** Achim: Wiki: our own one in DE? Or stay with the Foundation wiki?<br />
** People<br />
** Election of a new Chapter Lead<br />
** "Treasurer"<br />
** Sponsor liaison<br />
<br />
* Break 10 min (from minute 115)<br />
<br />
* Boris: Retrospective of GOD 2015 (finances, visitors): ~10 min<br />
<br />
* Ingo: Brief figures on GOD 2016 (finances, visitors) ~5 min<br />
<br />
* GOD 2017 (15min)<br />
** Is there anyone who wants to organise the national conference in 2017?<br />
** Lessons learnt 2016/5<br />
*** Programme<br />
*** General<br />
<br />
* IT resources of the German OWASP Chapter (10min)<br />
** owasp.de: domain, HTTP, SMTP<br />
** vServer at Strato: what is on it? Do we need it? Who does what?<br />
** Certificate<br />
<br />
* Logo, new sponsor contract (10min)<br />
<br />
* Remaining items, should we still have time<br />
** ..<br />
<br />
<br />
==OWASP Germany Chapter Meeting on 13.04.2015 in Frankfurt==<br />
The OWASP Germany Chapter Meeting took place on Monday, [https://lists.owasp.org/pipermail/owasp-germany/2015-March/000758.html 14.03.2014 at 13:00 in Frankfurt]. The agenda, information and decisions can be found in the [https://www.owasp.org/images/b/b9/Protokoll_OWASP_Chapter-Meeting_2015-04-13.reformatiert.pdf minutes].<br />
<br />
==OWASP Germany Chapter Meeting on 14.03.2014 in Frankfurt==<br />
The OWASP Germany Chapter Meeting took place on Friday, 14.03.2014 at 13:30 in Frankfurt.<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
Location: Gewerkschaftshaus, Willi-Richter-Saal, Wilhelm-Leuschner-Straße 69-77, 60329 Frankfurt<br />
<br />
We hereby cordially invite you once again to the Chapter Meeting of the OWASP German Chapter.<br />
<br />
If you want to actively contribute to shaping the chapter, this is the right place for you. The chapter meetings are aimed at all those who want to take an active part in what happens in the chapter. We are setting the course to make OWASP even more present in Germany and look forward to your contribution! OWASP lives from its community, from active participation.<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
==== Invitation ====<br />
<br />
|-<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Agenda ====<br />
* 13:30h Tobias Glemser, OWASP German Chapter Lead: Warm words of welcome and review of chapter activities 2013 (15 min)<br />
* 13:45h "You are known by the company you keep: Introducing a secure software vendor exchange program" Chris Wysopal, CTO, Veracode (15 min)<br />
* 14:00h "Password Storage: Adobe beats Forbes and OWASP" Arnim Rupp, LH Systems (15 min)<br />
* 14:15h Dirk Wetter, OWASP German Chapter Board Member and AppSec Research Conference Chair: Review of OWASP AppSec Research 2013 and outlook on OWASP Day 2014 (45 min)<br />
* 15:00h Break (15 min)<br />
* 15:15h "25 Million Flows Later - Large-scale Detection of DOM-based XSS", Martin Johns, SAP AG (45 min)<br />
* 16:00h Tobias Glemser, OWASP German Chapter Lead: Use of the funds available to the chapter (45 min)<br />
* 16:45h Tobias Glemser, OWASP German Chapter Lead: Chapter board election (all positions, as decided in 2013) (15 min)<br />
* 17:00h Open round: OWASP Germany in the coming year (30 min)<br />
* End around 17:30, and for those who like, a nightcap afterwards at Ristorante Vitavera<br />
<br />
[https://reg.owasp.de Please register here].<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
* [[Media:OWASP_Chapter_Meeting_2014-03-14.pdf|&rarr; Talk]] Tobias Glemser, OWASP German Chapter Lead: Warm words of welcome and review of chapter activities 2013<br />
* Talk "You are known by the company you keep: Introducing a secure software vendor exchange program" Chris Wysopal, CTO, Veracode<br />
* [[Media:Password_Storage.pdf|&rarr; Talk]] "Password Storage: Adobe beats Forbes and OWASP" Arnim Rupp, LH Systems<br />
* 14:15h Dirk Wetter, OWASP German Chapter Board Member and AppSec Research Conference Chair: Review of OWASP AppSec Research 2013 and outlook on OWASP Day 2014. Fundamental discussions were held.<br />
** After the review of the highly successful AppSec in Hamburg, fundamental discussions were held on how we organise our conference in 2014.<br />
** Approx. November 2014 (avoid collisions with BeNeLux, it-sa etc.)<br />
** The CfP would then have to go out by May. City and venue must be fixed by then.<br />
** Format preferably again 1 day, 2 tracks<br />
** Free admission with complete financing by sponsors is disfavoured, as it is feared that this is hard to sell to sponsors.<br />
** Problem of billing/invoicing. Currently a lot of effort => find a factoring company<br />
** Where: hotel or university?<br />
*** University: no sensible proposals at the chapter meeting<br />
*** Hotels: Dresden, Hamburg, ...<br />
** The location is relatively unimportant; criteria:<br />
*** ICE railway station<br />
*** Some attractiveness cannot hurt<br />
*** An established Stammtisch there would be an advantage<br />
*** Ideally someone with local knowledge on site<br />
** Who: all of us on many shoulders, or a service provider<br />
*** Even in the latter case, work remains with us.<br />
*** Dirk wears the organisation hat, Tobias the sponsor hat, Martin the PK hat.<br />
** Orientation of the conference:<br />
*** Leave it as it is<br />
*** Reach out more to developers<br />
*** Reach out more to decision-makers<br />
*** Reach out more to students<br />
*** Reach out more to hobbyists as well<br />
*** => open<br />
** For 2015: decision to seek proximity to the Karlsruhe Entwicklertage. Adopted without dissent.<br />
<br />
* Torsten Gigler presented the <u>[https://www.owasp.org/index.php/Category:OWASP_Top_10_fuer_Entwickler Top10 für Entwickler]</u><br />
* Request from Scotland regarding sponsoring the expenses of a talk by Mario Heiderich. The chapter lead was referred to OWASP on the Move accordingly. If that does not work out, the German chapter sponsors the trip.<br />
* Tobias Glemser is tasked with buying books and information material from OWASP for conferences, so that it can be distributed free of charge.<br />
* [[Media:OWASP domxss.pdf|&rarr; Talk]] "25 Million Flows Later - Large-scale Detection of DOM-based XSS", Martin Johns, SAP AG (45 min)<br />
* As the discussion on the German OWASP Day exceeded the time budget, the following two agenda items were postponed to the chapter meeting 02/2014.<br />
** OWASP German Chapter Lead: Use of the funds available to the chapter (45 min)<br />
** OWASP German Chapter Lead: Chapter board election (all positions, as decided in 2013) (15 min)<br />
* We ended the chapter meeting with a delicious meal at Ristorante Vitavera.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
<small>(see text on left)</small><br />
|}<br />
<br />
==OWASP Germany Chapter Meeting on 17.05.2013 in Frankfurt==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
The OWASP Germany Chapter Meeting took place on 17.05.2013 at 14:00 in Frankfurt.<br />
<br />
Location: Saalbau Gallus, Frankenallee 111, 60326 Frankfurt am Main<br />
[[http://maps.google.de/maps?q=Frankenallee+111,+60326+Frankfurt+am+Main&hl=de&sll=50.104389,8.642389&sspn=0.002883,0.010375&vpsrc=0 Map]] (A few metres from the S-Bahn station Galluswarte, one stop from Frankfurt Hbf)<br />
----<br />
==== Invitation ====<br />
We hereby cordially invite you once again to the Chapter Meeting of the OWASP German Chapter.<br />
<br />
If you want to actively contribute to shaping the chapter, this is the right place for you. The chapter meetings are aimed at all those who want to take an active part in what happens in the chapter. We are setting the course to make OWASP even more present in Germany and look forward to your contribution! OWASP lives from its community, from active participation.<br />
<br />
[https://reg.owasp.de Please register here]. Please!<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
|-<br />
| style="vertical-align:top;" |<br />
<br />
==== Agenda ====<br />
<br />
* 14:00h Tobias Glemser, OWASP German Chapter Lead (30 min): Warm words of welcome and review of chapter activities 2012<br />
* 14:30h Laurent Levi of Checkmarx (45 min): DevOps and Security: It's Happening. Right Now.<br />
* 15:15h Dirk Wetter, OWASP German Chapter Board Member and AppSec EU Research Conference Chair (30 min): Review of OWASP Day 2012 and outlook on AppSec EU Research 2013<br />
* 15:45h Break (15 min)<br />
* 16:00h Jim Manico, OWASP Board Member (45 min): Top Ten Web Defenses<br />
* 16:45h Torsten Gigler, OWASP German Chapter (15 min): <u>[https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project OWASP Top 10 fuer Entwickler]</u><br />
* 17:00h Tobias Glemser, OWASP German Chapter Lead (15 min): Chapter board election<br />
* 17:15h Open round (30 min): OWASP Germany in the coming year<br />
* End around 17:30, and for those who like, a nightcap afterwards at the Greek restaurant next door.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
<br />
==== Agenda ====<br />
* 14.00h Tobias Glemser, OWASP German Chapter Lead (30 min): Welcome and Review of Chapter Activities 2012 <br />
* 14:30h Laurent Levi of Checkmarx (45 min): DevOps and Security: It's Happening. Right Now.<br />
* 15:15h Dirk Wetter, OWASP German Chapter Board Member and AppSec EU Research Conference Chair (30 min): Review OWASP Day 2012 and Outlook AppSec EU Research 2013<br />
* 15:45h Break (15 min)<br />
* 16:00h Jim Manico, OWASP Board Member (45 min): Top Ten Web Defenses<br />
* 16:45h Torsten Gigler, OWASP German Chapter (15 min): <u>[https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project OWASP Top 10 fuer Entwickler]</u><br />
* 17:00h Tobias Glemser, OWASP German Chapter (15 min): Chapter Board Election<br />
* 17:00h Open round (30 min): OWASP Germany next year<br />
* About 17:30h we will be finished. Whoever is interested in joining a get-together in a Greek restaurant nearby is asked to note<br />
|-<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
<br />
==== Results / Minutes ====<br />
<br />
<br />
* Welcome and report by Tobias [ [[Media:German_Chapter_Meeting_2013_Bericht_Chapter.pdf|&rarr; Slides]] ]<br />
* Talk: Laurent Levi, Checkmarx<br />
* Brief round of introductions<br />
* Talk: Torsten Gigler - OWASP Top 10 für Entwickler [ [[Media:German_Chapter_Meeting_2013_OWASP_Top_10_fuer_Entwickler.pdf|&rarr; Slides]] ]<br />
* Talk: Dirk Wetter - AppSec Research 2013<br />
** GOD 2012<br />
*** Review of GOD 2012 (German OWASP Day)<br />
*** A complete success, both in content and financially<br />
** Dev(i|e)l 2013<br />
*** Outlook on AppSec Research 2013<br />
*** The conference promises a lot<br />
*** Details at <u>https://appsec.eu</u><br />
* Talk: Jim Manico - Top Ten Web Defenses [ [http://www.slideshare.net/JimManico/top-ten-defenses-v10 &rarr; Slides] ]<br />
* Organisational matters<br />
** Chapter Lead: Tobias Glemser<br />
** Board 2013:<br />
*** Dirk Wetter<br />
*** Martin Johns<br />
*** Achim Hoffmann<br />
*** Emin Tatlı<br />
*** Kai Jendrian<br />
** Decision: the board will be re-elected annually<br />
* OWASP Day 2014<br />
* Venue selection via a call for venue<br />
* Proposals made on site:<br />
** Köln<br />
** Karlsruhe<br />
* Project proposals<br />
** Translation of OpenSAMM<br />
** Translation of the Top 10 after final publication (triggered by Kai)<br />
* Other:<br />
** Meeting of the OWASP chapter in Q4 with a talk<br />
** Better presence of OWASP at other conferences<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
<br />
==== Protocol ====<br />
tbd<br />
|<br />
<br />
|-<br />
! colspan="2" style="vertical-align:top;" align="left" |<br />
==== Abstracts/Bios ====<br />
|-<br />
| colspan="2" |<br />
===== DevOps and Security: It's Happening. Right Now. =====<br />
How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools which require lengthy periods of configuration, tuning and application learning have become irrelevant in these fast-paced environments. Yet, falling back only on the secure coding practices of the developer cannot be tolerated.<br />
Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary code analysis overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. Steps include: <br />
* Re-evaluate existing security tools and consider their integration within a CD environment<br />
* Deliver a secured development framework and enforce its usage<br />
* Pinpoint precise security code flaws and provide optimal fix recommendations<br />
<br />
Laurent Levi<br />
Laurent is an experienced security professional with extensive technical knowledge in all aspects of application security. Over the last 6 years, Laurent has been managing Checkmarx's professional services team and prior to that led the code audit team of Lexsi in France. Laurent has extensive software development experience and has a post graduate degree in AI from Paris VI Université Pierre et Marie Curie.<br />
<br />
===== Top Ten Web Defenses =====<br />
We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.<br />
<br />
Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background as a software developer and architect. Jim is also a global board member for the OWASP foundation. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and the OWASP podcast series.<br />
----<br />
|}<br />
<br />
==OWASP Germany Chapter Meeting on 03.02.2012 in Frankfurt==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
The OWASP Germany Chapter Meeting took place on 03.02.2012 in Frankfurt.<br />
<br />
Location: Saalbau Gallus, Frankenallee 111, 60326 Frankfurt am Main<br />
[[http://maps.google.de/maps?q=Frankenallee+111,+60326+Frankfurt+am+Main&hl=de&sll=50.104389,8.642389&sspn=0.002883,0.010375&vpsrc=0 Map]] (A few metres from the S-Bahn station Galluswarte, one stop from Frankfurt Hbf).<br />
<br />
----<br />
==== Invitation ====<br />
We hereby cordially invite you once again to the first Chapter Meeting 2012 of the OWASP German Chapter.<br />
If you want to actively contribute to shaping the chapter, this is the right place for you. We are setting the course to make OWASP even more present in Germany and look forward to your contribution! OWASP lives from its community, from active participation.<br />
It is only thanks to the many heads involved that we are where we are today. So let's go! We would be particularly pleased to welcome more of you from the educational sector (yes, you, dear students!).<br />
<br />
For better planning, please let us know briefly by mail if you are attending. Thanks!<br />
<br />
Please also plan some time afterwards; we will let the day wind down with a meal together and perhaps a drink.<br />
<br />
Best regards and see you on 03.02. in Frankfurt, we look forward to seeing you.<br />
OWASP German Chapter<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
<br />
==== Invitation ====<br />
<br />
|-<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
|-<br />
|<br />
==== Agenda ====<br />
<br />
* Georg: Welcome by Georg Heß, German Board Leader<br />
* Kai: Talk "OWASP Top 10 in German - Pitfalls and Surprises"<br />
* Kai: Questions and answers on "OWASP Top 10 in German"<br />
* Boris: Talk "The new OWASP Chapter Handbook - how we work worldwide"<br />
* Boris: Questions and answers on the "OWASP Chapter Handbook"<br />
* Dirk: Review of OWASP Day 2011, outlook 2012<br />
* Tobias: Review of it-sa 2011, outlook 2012<br />
* Dirk: AppSec Research EU: 2013 in Germany?<br />
* Boris: Company chapter support (costs, benefits, process)<br />
* Georg: Actions for recruiting members<br />
* Bruce: Options for intensifying press work<br />
* Boris: Cooperation with the BSI<br />
* Tobias: Topics for projects 2012<br />
* Georg: Brief outline of OWASP certifications<br />
* Achim: Definition of the framework for a jobs page<br />
* Achim: Administrators for owasp.org<br />
* Georg: Election of the leader and board of the OWASP German Chapter<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
The minutes of the chapter meeting can be found <u>[[Media:Chapter-Germany-20120203-Protokoll.zip|here]]</u>; the password is secret ;-)<br />
<br />
Important decisions in brief:<br />
* Tobias elected as Chapter Leader<br />
* Election of the board: Bruce, Dirk, Emin, Martin, Achim<br />
* German OWASP Day 2012 in November in München<br />
** 1.5 - 2 days, no commercial trainings this year<br />
** CfP committee led by Dirk, Martin<br />
** there will be a certificate of participation/attendance<br />
* OWASP booth at it.sa 2012 in Nürnberg<br />
* Company sponsoring is made possible: local sponsor approx. 500,-/year<br />
* Cooperation with the BSI will be intensified<br />
* there will be (for now) no separate German jobs page under owasp.org; please use [[OWASP_Jobs]]<br />
...<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
Meeting minutes can be found <u>[[Media:Chapter-Germany-20120203-Protokoll.zip|here]]</u>. Note that they are in German.<br />
<br />
Most important:<br />
* Tobias elected as Chapter Leader<br />
* Board members: Bruce, Dirk, Emin, Martin, Achim<br />
* German OWASP Day 2012 will be in November in München<br />
** 1.5 - 2 days, no training sessions this year<br />
** CfP committee led by Dirk, Martin<br />
* OWASP will be present at it.sa 2012 in Nürnberg<br />
* company sponsoring possible: local sponsor approx. 500,-/year<br />
* co-operation and collaboration with the BSI will be initiated<br />
* currently no local jobs page within owasp.org<br />
...<br />
|}<br />
<br />
==Chapter Board Meeting on 19.8.2011 in München==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
==== Agenda ====<br />
* Self-image of the chapter – the future<br />
* Bringing OWASP Germany into "awareness"<br />
* Founding an association (Verein): yes/no<br />
* Money management/invoices<br />
* Companies as chapter members<br />
* IT-SA 2011<br />
* Board (communication, roles, election, date of the chapter meeting)<br />
* Status: flyer<br />
* OWASP Day<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
The minutes of the board meeting can be found <u>[[Media:Chapter-Germany-20110819-Protokoll.zip|here]]</u>; the password is secret ;-)<br />
<br />
Important decisions in brief:<br />
* OWASP Chapter Germany will exhibit at it.sa in Nürnberg, 11.10. - 13.10.2011<br />
* a ''company membership'' aka ''Chapter Supporter'' will be offered; details soon on the website<br />
* next chapter meeting on 20.01.2012 or 03.02.2012 in Frankfurt<br />
...<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
<br />
==== Protocol ====<br />
The minutes of the Chapter Germany board meeting can be found <u>[[Media:Chapter-Germany-20110819-Protokoll.zip|here]]</u>. Note that they are in German.<br />
<br />
Most important:<br />
* OWASP Chapter Germany will be at it.sa in Nuremberg, 11.10. - 13.10.2011<br />
* ''Chapter Supporter'' will be possible for companies; details coming soon<br />
* next Chapter Meeting 20.01.2012 or 03.02.2012 in Frankfurt<br />
...<br />
|}<br />
<br />
== Chapter Meeting on 20.5.2010 in München ==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
==== Agenda ====<br />
* 14:00 General welcome and round of introductions<br />
* 14:15 Bruce Sams: "Strategy and Costs for an SDLC"<br />
* 14:50 Discussion<br />
* 15:10 Boris Hemkemeier: "Two Factors Are Not Enough"<br />
* 16:05 Discussion (leads seamlessly into the)<br />
* 16:15 Coffee break<br />
* 16:35 Talk with discussion "Organisational matters in the chapter"<br />
* 17:15 Start of resolutions and elections<br />
* 17:25 Talk with discussion "OWASP Germany Conference 2010"<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
===== Organisational matters in the chapter =====<br />
<br />
The main points to be implemented or improved:<br />
<br />
* More external impact through public relations, better press work / press releases, and the introduction and maintenance of a speaker list (e.g. to be able to present OWASP adequately at public events)<br />
* A well-maintained wiki, both for external presentation and as a platform for internal communication<br />
* Introduction of direct contact persons for various industries<br />
<br />
A brief discussion follows on how this can be implemented effectively. A proposal is adopted by implicit consent: a chapter board consisting of 5 members is to be elected. Each of these members is given one or more dedicated task(s) to cover and implement the points listed above. A call follows for volunteers to stand for election. The new Chapter Leader is also to be elected. Since only one candidate stands for the single Chapter Leader position for the next two years, the following is decided: in votes, each board member has exactly one vote, while the Chapter Leader has two votes. This is intended to prevent tied votes in future.<br />
<br />
===== Resolution on the number of Chapter Leaders =====<br />
<br />
The 12 participants of the chapter meeting unanimously decide that in future the Chapter Germany (analogous to most other OWASP chapters) will have only one Chapter Leader.<br />
<br />
===== Election of the Chapter Leader =====<br />
<br />
''Georg Heß'' stands as Chapter Leader and is elected the new Chapter Leader of the OWASP Chapter Germany with 11 of 12 votes and one abstention.<br />
<br />
===== Resolution on the future composition of the board =====<br />
<br />
It is unanimously decided that the future board consists of 5 members. They are to take on the tasks as described in the discussion.<br />
<br />
===== Election of the board =====<br />
<br />
''Tobias Glemser, Boris Hemkemeier, Achim Hoffmann, Uli Petersen and Bruce Sams'' stand for the 5 seats on the board. All are elected unanimously.<br />
<br />
All those elected accept the election.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
Not yet available in English, sorry.<br />
|}<br />
<br />
== OWASP German Chapter Meeting 10.07.2009, Mannheim ==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
==== Invitation ====<br />
;Summary:We will start with three interesting fresh talks. The following topics are the next activities of the OWASP German Chapter: the new [http://www.owasp.org/index.php/OWASP_German_Chapter_Stammtisch_Initiative "Stammtisch Initiative"] and the planning of the [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009] at Nuremberg. <br />
<br />
;Location:Aula of the [http://www.hs-mannheim.de Hochschule Mannheim], Building 3, Paul-Wittsack-Strasse 10, Mannheim ([http://maps.google.de/maps?f=d&source=s_d&saddr=Mannheim+Hbf&daddr=49.471303,8.48372&geocode=Fbr-8gIduTmBAA%3B&hl=de&mra=dme&mrcr=0&mrsp=1&sz=15&sll=49.474885,8.474715&sspn=0.015532,0.050254&ie=UTF8&z=15 Google Maps]). Please download the [http://www.hs-mannheim.de/campus/grafik/campusplan_legende_web.pdf campus map]. <br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
==== Invitation ====<br />
<br />
|-<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Agenda ====<br />
* 12:00 - 13:00&nbsp;: Lunch (optional, please send an email to [mailto:Georg.Hess@artofdefence.com?subject=OWASP%20Chapter%20Meeting%20Lunch%20registration Georg Heß] to register for lunch), meeting point for the lunch is at the Aula in Building 3<br />
* 13:15 - 13:30 : Opening by our host Prof. Rainer Gerten (German) <br />
* 13:30 - 14:30 : OWASP Educational Services - Teaching Security!, Martin Knobloch, Member of OWASP Global Education Committee (English) <br />
* 14:30 - 15:00 : Presentation and current status of the OWASP Germany project "Best Practice: Projektierung von Sicherheitsprüfungen von Web Applikationen" (Best Practice: Scoping of security assessments of web applications), N.N., project member (German)<br />
* 15:00 - 15:45 : Cloud Application Security - Opportunities and Risks - Some starting points on the topic, Georg Hess (German)<br />
* 15:45 - 16:15 : Coffee<br />
* 16:15 - 17:00 : Organisational topics of the OWASP German Chapter (German)<br />
** OWASP Stammtisch Initiative<br />
** Outlook and organisational tasks for the 2nd [[OWASP Germany 2009 Conference]]<br />
* after 17:00 : Come together (Any ideas for a pub nearby??)<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
<br />
===== OWASP AppSec 2010 =====<br />
<br />
A brief historical review of the venues follows: 2008 in a hotel in Frankfurt, 2009 at the it-sa trade fair in Nürnberg. Brief discussion of the pros and cons of hotel vs. trade fair vs. university location.<br />
<br />
* It is to be examined whether this year's '''"OWASP Germany Conference 2010"''' can again be held in cooperation with Messe Nürnberg / it-sa (e.g. on 20.10.2010).<br />
* Furthermore, a conference day with '''two different tracks (technical and management)''' is envisaged.<br />
* To drive the content planning forward, a '''programme committee''' (initially consisting of ''Bruce Sams, Kai Jendrian, Boris Hemkemeier and Martin Johns'') is set up, which is to start the '''CFP''' soon.<br />
<br />
Around 18:15 the OWASP German Chapter Meeting dissolves and merges seamlessly into the 12th "Happy Anniversary!" OWASP Stammtisch München.<br />
<br />
Further results can be found [https://lists.owasp.org/pipermail/owasp-germany/2009-July/000086.html in the minutes here].<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
Minutes: [https://lists.owasp.org/pipermail/owasp-germany/2009-July/000086.html See the list archive for the minutes.]<br />
|}<br />
<br />
== OWASP German Chapter Meeting - February 20th, 2008 in Darmstadt ==<br />
<br />
;Date: February 20th, 2008, 11:00-16:15<br />
;Location: The next chapter meeting will be hosted at CAST in Darmstadt.<br />
: CAST (http://www.cast-forum.de<nowiki/>), Fraunhoferstr. 5 (formerly Rundeturmstr. 6) - ground floor, Room 072 - [http://www.cast-forum.de/workshops/anfahrt.html Directions]<br />
<br />
;Agenda: This time the focus is on technical presentations and discussion.<br />
: Technical presentation slots will consist of a 20-30 minute presentation and a 15 minute discussion. <br />
# (11:00 - 11:15) Welcome, Introduction and Administrivia <br />
# (11:15 - 11:30) Introduction of CAST (Dr. Heinemann) <br />
# (11:30 - 11:45) Short OWASP organisation introduction and update (Tobias Gondrom) <br />
# (11:45 - 12:30) First technical presentation "Best Practices for Using a Web Application Firewall 1.0" (Slides: [http://www.owasp.org/images/1/1b/WAF-Paper.pdf PDF]) (Alexander Meisel) <br />
# (12:30 - 13:15) Break <br />
# (13:15 - 14:00) Second technical presentation "Defending against Web Application DoS Attacks" (Maximilian Dermann) <br />
# (14:00 - 14:45) 20-minute talks (15 min presentation + 5-10 min discussion) <br />
#* "Input validation in ASP.NET -- tips, tricks & pitfalls" (Boris Hemkemeier) <br />
#* "Managing of extremely large Web Application Firewall Installations" (Slides: [http://www.owasp.org/images/f/f6/VeryLargeWAFs.pdf PDF]) (Alexander Meisel) <br />
# (14:45 - 15:00) Coffee Break <br />
# (15:00 - 15:45) Fourth technical presentation "Secure Coding and Development Guidelines (part of CLASP)" (Tobias) <br />
# (15:45 - 16:00) Wrap-up and outlook<br />
<br />
== Chapter Meeting on September 7th 2007 in Frankfurt/Main ==<br />
<br />
After two years of absence the German Chapter has been restarted. The chapter meeting was on September 7th 2007, 15:00 - 18:00. <br />
<br />
This first chapter meeting had as its main goal the re-initiation of the German chapter and to start work on projects. Talks and presentations are secondary and will receive more focus at subsequent meetings. <br />
<br />
Read meeting notes/minutes [https://lists.owasp.org/pipermail/owasp-germany/2007-September/000038.html here].<br />
<br />
<br />
----<br />
<br />
[[Category:Germany]] <br />
[[Category:Europe]]</div>
Bjoern Kimminich: https://wiki.owasp.org/index.php?title=Germany/Chapter_Meetings&diff=249693 Germany/Chapter Meetings, 2019-04-04T17:35:44Z
<p>Bjoern Kimminich: /* OWASP Germany Chapter Meeting am 10.04.2019 in Karlsruhe */</p>
<hr />
<div>__NOTOC__<br />
<br />
[[Image:owasp_germany_logo.png|right]]<br />
<br />
{| style="background-color:inherit;border-bottom:1px solid black" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
In Germany we have a single chapter as the organisational umbrella under which all activities such as conferences etc. take place. The Stammtische (local meetups) are not independent chapters.<br />
<br />
Unlike most OWASP chapters around the world, our chapter meetings have therefore so far been gatherings of a rather organisational nature, with talks only on the side. The chapter meetings in the global sense were/are our annual conferences (German OWASP Day). <br />
<br />
=== Chapter Meetings ===<br />
Here you can find information on the meetings of the German Chapter -- the chapter meetings. The agenda, the invitation and the results worked out there are published here.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
<br />
=== Chapter Meetings ===<br />
This page contains everything you need to know about chapter meetings of the OWASP German Chapter. Please note that in Germany we have the so-called "Stammtische" in the metropolitan areas, which serve the purpose of other chapters world-wide. '''The''' -- we only have one -- German Chapter is our umbrella organisation, which helps us to promote OWASP and its goals within Germany. <br />
<br />
Please note, most information is in German only.<br />
|}<br />
<br />
== OWASP Germany Chapter Meeting on 10.04.2019 in Karlsruhe ==<br />
<br />
The next chapter meeting will take place on '''10.04.2019''' from '''13:00''' at '''Brauerstraße 48 in Karlsruhe'''. <br />
<br />
In keeping with the ''O'' in OWASP standing for ''open'', this meeting is public. Anyone can attend and take part in the work of the chapter. OWASP membership is '''not''' a prerequisite for attending! Membership is only required for voting. However, we need prior registration with your real name so that visitor badges can be deposited at the reception. Please register (and submit any agenda items) by e-mail to [mailto:tobias.glemser@owasp.org Tobias Glemser] or [mailto:henrik.willert@owasp.org Henrik Willert].<br />
<br />
'''Directions'''<br />
<br />
Trams of '''line 2''' towards '''Siemensallee''' leave in front of the main station every 10 minutes. (Tickets can be bought at the ticket machines and must be validated in the tram at the start of the journey.)<br />
Take this line four stops and get off at the '''ZKM stop'''. <br />
The 1&1 building is then directly on the left. (Attention! There are several 1&1 buildings in Karlsruhe. We meet at Brauerstraße 48.)<br />
Report to the reception and ask for Henrik Willert or OWASP.<br />
<br />
'''Agenda:'''<br />
<br />
* Welcome and short round of introductions by name (Tobias, 15 minutes)<br />
* German OWASP Day planning & status (30 min)<br />
* Open Security Summit sponsoring (15 min)<br />
* German Chapter banner & postcard (5 min with the option of +20 min)<br />
** The current proposals are (as of 15.02.) very thin. The question is whether we want to start with so little (which would effectively mean that I at least have to come up with the texts myself) or whether we drop it. Possibly plan a longer time slot for joint brainstorming if the project is not to die? https://docs.google.com/document/d/1UtUEFwvBTAnatqjqj5gCVUwx29auxHKm9kITiYRLOlQ<br />
* TweetDeck (10 min)<br />
** Stammtisch leads are welcome to contact Björn with their Twitter handle if they would like rights to the @owasp_de account. We should perhaps also define once what we consider worth liking and retweeting by default.<br />
* Master's thesis on redesigning Juice Shop (5 min)<br />
** Short update on the master's thesis, which by then will have been running for 1 month, of a student at the Hochschule der Medien Stuttgart; it came about through contacts of Tobias and aims to redesign the Juice Shop: https://juice-shop-experimental.herokuapp.com<br />
* How can we make the CFP/GOD more attractive for speakers? (10 min)<br />
** Cover the expenses (hotel/train) of all speakers to make the event more attractive for speakers.<br />
* Meetup account from the German chapter budget (15 min, Christian Becker)<br />
* Google Groups/technology (15 min, Tobias)<br />
* it-sa 2019 and swag (10 min, Tobias)<br />
* Next chapter meeting before or after the GOD? (5 min)<br />
<br />
== OWASP Germany Chapter Meeting on 19.11.2018 in Münster == <br />
The chapter meeting took place on 19.11.2018 in Münster and [https://lists.owasp.org/pipermail/owasp-germany/2018-October/001127.html was announced via the mailing list].<br />
<br />
== OWASP Germany Chapter Meeting on 11.04.2018 in Frankfurt ==<br />
<br />
The next chapter meeting will [http://lists.owasp.org/pipermail/owasp-germany/2018-February/001064.html take place on 11 April in Frankfurt]. Please contact [mailto:tobias.glemser@owasp.org Tobias Glemser] if you want to attend. OWASP membership is '''not''' a prerequisite for attending! Membership is only required for voting. [https://www.owasp.org/images/c/c5/2018-04-11_German_Chapter_Meeting_Minutes.pdf Minutes]<br />
* Time: Wednesday, 11.04.2018, 13:00-18:00<br />
* Venue: [https://www.saalbau.com/raumangebot/detail/?SAALBAU-Gutleut&objekt=78 SAALBAU Gutleut], FFM<br />
<br />
'''Agenda:'''<br />
<br />
* Welcome and short round of introductions by name (Tobias, 15 minutes)<br />
* News from OWASP Global, AppSec postponement (Tobias, 15 minutes)<br />
* Financial overview (Ingo, 15 minutes)<br />
* OWASP Summit (Björn, 15 minutes)<br />
* OWASP Top 10 2017 - state of affairs (15 minutes)<br />
* GOD 2018 - state of affairs (Christian Dreesen, 15 minutes)<br />
* Concrete approach to chapter sponsoring (Alexios, 15 minutes)<br />
* 10 years of OWASP Germany (?) (Alexios, 10 minutes)<br />
* Cheat Sheet workshop with Jim in July (??, 15 minutes)<br />
* Venue of the next chapter meeting.<br />
<br />
== OWASP Germany Chapter Meeting on 13.11.2017 in Essen ==<br />
* Time: Monday, 13.11.2017, 14:00-18:00, [https://www.owasp.org/images/6/62/20171113_Chapter_Meeting_German_OWASP_Chapter.pdf Minutes]<br />
* Venue: Unperfekthaus in Essen (<nowiki>http://www.unperfekthaus.de/anfahrt/</nowiki>)<br />
<br />
'''Agenda with minutes:'''<br />
<br />
* Welcome and short round of introductions by name (Tobias, 15 minutes)<br />
* State of finances, German Chapter budget at OWASP (Ingo, 60 minutes)<br />
** Support for German Chapter projects: required resources / budget<br />
*** OWASP on the move<br />
*** Cheat Sheet workshop 2018<br />
*** OWASP Top 10 2017 - DE workshop<br />
*** Stammtische (assets)<br />
*** others<br />
** Support for international projects<br />
*** OWASP Summit London 2018<br />
*** others<br />
* OWASP Top 10 2017 - German translation: team and workshop (15 minutes)<br />
** Who takes the organiser's hat?<br />
** Who wants to participate?<br />
* Status of OWASP on the move Germany (Alexios, Torsten, Bastian, 15 minutes)<br />
* Public relations: better visibility for the German Chapter (30 minutes)<br />
** Landing page owasp.de (state of affairs from Torsten and Henrik?) ([[User:Hwillert/sandbox/Germany|RC]])<br />
** Options (home-made, agency, wait, ...)<br />
** Website GOD :-))<br />
* From the last meeting: Henrik & Torsten take care of a concept for free (or low-cost) trainings on the day after the GOD 2017 in Essen: status? (10 minutes)<br />
* GODays 2018ff: possibilities for optimising the organisation (30 minutes)<br />
** Cooperation with the Foundation<br />
** Public relations<br />
** Standardisation of workflows (cheat sheet 2.0)<br />
** Pricing (Henrik) [https://docs.google.com/a/owasp.org/spreadsheets/d/1bJWgYCvaUDfuI_54fhnobEOG-ylosZcQETwCd_KiXjg/edit?usp=sharing]<br />
** Who does the organisation?<br />
* Renaming of the Stammtische? (Henrik, 15 minutes)<br />
* Status of chapter sponsoring (Michael on behalf of Alexios, 10 minutes)<br />
* Who wants to get involved in the new chapter? (15 minutes)<br />
** People<br />
** Election of a new chapter lead (currently Tobias)<br />
** Treasurer (currently Ingo)<br />
** Sponsor liaison (currently Alexios)<br />
* Venue of the next chapter meeting<br />
==OWASP Germany Chapter Meeting on 31.03.2017 in München==<br />
* Time: Monday, 28.11.2016, 11:00-17:00<br />
* Venue: "Stockwerk", Oppelner Str. 5, 82194 Gröbenzell near Munich<br />
<br />
'''Agenda with minutes:'''<br />
<br />
* Welcome and short round of introductions by name (Tobias)<br />
* State of finances, German Chapter budget at OWASP (Ingo)<br />
* Chapter sponsoring (Alexios)<br />
** Tobias reports on the proposal of Alexios (absent) to discontinue chapter sponsoring. Alexios is asked to prepare a proposal paper with pros and cons and alternatives. Decision then by board conference call<br />
* Info on the barter deal with it-sa (Tobias)<br />
** Coordination with OWASP Global has taken place.<br />
* Two-day workshop on the Cheat Sheet (Boris, Jan, Hartwig)<br />
** Boris (lead) + Jan + Hartwig make a proposal, which then goes to the board round to collect feedback. Keep Achim on cc so that he is informed at the Summit. <br />
* State of the cheat sheet for organising a German OWASP Day (Ingo)<br />
** Ingo has created an Excel sheet with about 50 items.<br />
** Can be used for the GOD 2017 and is then to be revised.<br />
** Ingo sends a link to the Google Drive document<br />
* GOD 2017 (Christian)<br />
** We plan for a maximum of 200 participants (incl. staff, speakers, ...)<br />
** Christoph compiles information on locations and dates.<br />
** Decision conference call in April (date, location)<br />
** Recognition as educational leave possible?<br />
* State of owasp.de (Tobias)<br />
** owasp.de is held "privately" by Tobias (whois, DNS), Kai is no longer the owner<br />
** Operate owasp.de as a redirect -> Henrik<br />
* Organisational tools for Stammtische such as Meetup (everyone who can contribute)<br />
* OWASP on the move Germany (Alexios, Torsten, Bastian)<br />
** Bastian: two requests, but in the end nobody wanted money. <br />
** Stammtische were asked, but no feedback<br />
** Alexios leaves the group of "OWASP on the move Germany" organisers<br />
** FAQ on the Stammtisch page for "new Stammtisch" and "How do I use OontmG" -> Stammtisch cheat sheet<br />
** Stammtische should maintain a list of potential speakers on owasp.org. Achim creates the page (done! https://www.owasp.org/index.php/Germany/Speaker ). <br />
* OWASP Germany social media and website content, esp. the start page (Tobias, Torsten)<br />
** Tobias: The German Chapter page is not "beginner-friendly". <br />
** Torsten's proposal: the entry page should offer target-group-specific landing pages (people looking for information, people interested in Stammtische, someone who wants to contribute, ...)<br />
** Torsten and Henrik make a proposal<br />
** The owasp.de Twitter account is currently held by Dirk and Boris<br />
* Request for help organising the Foundation's "Large OWASP AppSec Trainings" (Achim, Tobias)<br />
** Torsten reports on experiences from the Munich Stammtisch.<br />
** Exchange between the Stammtische is desired, but should not be formalised (no mailing list)<br />
** Torsten sends a template for a survey on Stammtische.<br />
* Organisational tools for Stammtische such as Meetup, mailing list (also board)<br />
** Mails to owasp.de are to bounce in future (Tobias, done)<br />
** For the board, the board-germany list on mailman is to be used in future.<br />
** List set up, hidden list, members are informed; admins currently Achim and Bastian<br />
** Meetup: the Karlsruhe Stammtisch uses Meetup via the OWASP.org beta programme.<br />
** Tobias asks Kate whether Meetup is provided by owasp.org (request submitted)<br />
** If Meetup is no longer supported: Xing had already offered a free Pro account.<br />
* How can the German Chapter support applying for and carrying out OWASP projects?<br />
** Concrete pain point: the review process for Juice Shop (or for projects in general) is stuck. For further concrete problems: mail to Tobias. Tobias escalates to OWASP Global.<br />
** Another pain point: SecurityRAT. Henrik asks Daniel to get in touch with Tobias.<br />
* Request for help organising the Foundation's "Large OWASP AppSec Trainings" (Achim, Tobias)<br />
** In general, there are contacts to universities.<br />
** Tobias asks for the basic parameters: target audience, duration, sponsored, ...? (request pending)<br />
* Summit: <br />
** Achim reports on the upcoming Summit in June near London.<br />
** Vote: the chapter sponsors sending Achim and Björn to the Summit. If their costs are covered by the "Editors Fund", we donate EUR 3,600 from the chapter budget to the Summit. If Ingo attends for financial matters, his costs are covered from this sum (the remainder is donated). Unanimous with two abstentions.<br />
* Miscellaneous<br />
** Henrik & Torsten take care of a concept for free (or low-cost) trainings on the day after the GOD 2017 in Essen<br />
** Martin picks up the "German OWASP Summer of Code" again.<br />
** Next chapter meeting on the day before the GOD 2017.<br />
** Ingo: the conference website for the GOD needs to look more professional. Björn looks into whether the appsec.eu site on GitHub can be "copied".<br />
** Torsten asks whether the chapter finances a projection screen (EUR 80). The board agrees (unanimous with one abstention). Ingo maintains an "asset list". Page created: https://www.owasp.org/index.php/Germany/Assets <br />
<br />
<br />
==OWASP Germany Chapter Meeting on 28.11.2016 in Darmstadt==<br />
On the day before the German OWASP Day 2016 a chapter meeting took place. [https://www.owasp.org/images/d/d2/Protokoll_OWASP_Chapter-Meeting_2016-11-26.pdf Minutes]<br />
<br />
* Time: Monday, 28.11.2016, 15:00-18:00<br />
* Venue: seminar room of CAST e.V., Rheinstraße 75, 64295 Darmstadt<br />
<br />
'''Draft agenda:'''<br />
<br />
* Welcome and short round of introductions by name (~10 min)<br />
<br />
* Finances (~60 min)<br />
** Ingo: financial overview and status of the chapter <br />
** Dirk: What do we want to spend money on? Pressure to act from the Foundation, 60 min (http://lists.owasp.org/pipermail/owasp-leaders/2016-November/017448.html)<br />
** Dirk: work out/agree on a financial overview for 2017 (see sheet)<br />
<br />
* Who wants to get involved in the new chapter? (~45 min)<br />
** Projects (see tab 2 in the sheet)<br />
*** Present and raise hands<br />
**** German Summer of Code (Martin/Bastian)<br />
**** Student sponsoring for the GOD<br />
**** Liaison/point of contact for external appearances/third-party conferences (Boris' remark, 1.11.)<br />
**** Achim: Wiki: our own one in DE? Or do we stay with the Foundation wiki?<br />
** People<br />
** Election of a new chapter lead<br />
** "Treasurer"<br />
** Sponsor liaison<br />
<br />
* Break 10 min (from minute 115)<br />
<br />
* Boris: retrospective of the GOD 2015 (finances, visitors): ~10 min<br />
<br />
* Ingo: brief figures on the GOD 2016 (finances, visitors) ~5 min<br />
<br />
* GOD 2017 (15 min)<br />
** Is there anyone who wants to organise the national conference in 2017?<br />
** Lessons learnt 2016/5<br />
*** Programme<br />
*** General<br />
<br />
* IT resources of the German OWASP Chapter (10 min)<br />
** owasp.de: domain, HTTP, SMTP<br />
** vServer at Strato: what is on it? Do we need it? Who does what?<br />
** Certificate<br />
<br />
* Logo, new sponsor contract (10 min)<br />
<br />
* Remaining items, should we still have time<br />
** ..<br />
<br />
<br />
==OWASP Germany Chapter Meeting on 13.04.2015 in Frankfurt==<br />
The OWASP Germany Chapter Meeting took place on Monday, [https://lists.owasp.org/pipermail/owasp-germany/2015-March/000758.html 14.03.2014 at 13:00 in Frankfurt]. The agenda, information and resolutions can be found in the [https://www.owasp.org/images/b/b9/Protokoll_OWASP_Chapter-Meeting_2015-04-13.reformatiert.pdf minutes].<br />
<br />
==OWASP Germany Chapter Meeting on 14.03.2014 in Frankfurt==<br />
The OWASP Germany Chapter Meeting took place on Friday, 14.03.2014 at 13:30 in Frankfurt.<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
Venue: Gewerkschaftshaus, Willi-Richter-Saal, Wilhelm-Leuschner-Straße 69-77, 60329 Frankfurt<br />
<br />
We hereby once again cordially invite you to the chapter meeting of the OWASP German Chapter.<br />
<br />
If you want to actively participate in shaping the chapter, this is the right place for you. The chapter meetings are aimed at all those who want to actively take part in what happens in the chapter. We are setting the course to make OWASP even more present in Germany and look forward to your contribution! OWASP lives from the community, from active participation.<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
==== Invitation ====<br />
<br />
|-<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Agenda ====<br />
* 13:30 Tobias Glemser, OWASP German Chapter Lead: warm words of welcome and review of chapter activities 2013 (15 min)<br />
* 13:45 "You are known by the company you keep: Introducing a secure software vendor exchange program" Chris Wysopal, CTO, Veracode (15 min)<br />
* 14:00 "Password Storage: Adobe beats Forbes and OWASP" Arnim Rupp, LH Systems (15 min)<br />
* 14:15 Dirk Wetter, OWASP German Chapter Board Member and AppSec Research Conference Chair: review of OWASP AppSec Research 2013 and outlook for OWASP Day 2014 (45 min)<br />
* 15:00 Break (15 min) <br />
* 15:15 "25 Million Flows Later - Large-scale Detection of DOM-based XSS", Martin Johns, SAP AG (45 min)<br />
* 16:00 Tobias Glemser, OWASP German Chapter Lead: use of the funds available to the chapter (45 min)<br />
* 16:45 Tobias Glemser, OWASP German Chapter Lead: chapter board election (as decided in 2013, all positions) (15 min)<br />
* 17:00 Open round: OWASP Germany in the coming year (30 min)<br />
* Around 17:30 end, and for those who like, a nightcap afterwards at Ristorante Vitavera<br />
<br />
[https://reg.owasp.de Please register here].<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
* [[Media:OWASP_Chapter_Meeting_2014-03-14.pdf|&rarr; Talk]] Tobias Glemser, OWASP German Chapter Lead: warm words of welcome and review of chapter activities 2013 <br />
* Talk "You are known by the company you keep: Introducing a secure software vendor exchange program" Chris Wysopal, CTO, Veracode<br />
* [[Media:Password_Storage.pdf|&rarr; Talk]] "Password Storage: Adobe beats Forbes and OWASP" Arnim Rupp, LH Systems <br />
* 14:15 Dirk Wetter, OWASP German Chapter Board Member and AppSec Research Conference Chair: review of OWASP AppSec Research 2013 and outlook for OWASP Day 2014. Fundamental discussions were held.<br />
** After the review of the extremely successful AppSec in Hamburg, fundamental discussions were held on how we organise our conference in 2014.<br />
** Around November 2014 (avoid collisions with BeNeLux, it-sa etc.)<br />
** The CfP would then have to go out by May. By then the city and venue must be fixed<br />
** Format rather 1 day, 2 tracks again<br />
** Free admission with complete financing by sponsors is disfavoured, as it is feared that this would be hard to sell to sponsors.<br />
** Problem of billing/invoicing. A lot of effort at present => find a factoring company<br />
** Where: hotel or university?<br />
*** University: no sensible proposals at the chapter meeting<br />
*** Hotels: Dresden, Hamburg, ...<br />
** The location is relatively unimportant; criteria:<br />
*** ICE railway station<br />
*** Some attractiveness cannot hurt<br />
*** An established Stammtisch there would be an advantage<br />
*** Ideally someone with local knowledge on site<br />
** Who: all of us on many shoulders, or a service provider<br />
*** Even in the latter case, work remains with us.<br />
*** Dirk wears the organiser's hat, Tobias the sponsor hat, Martin the PR hat.<br />
** Orientation of the conference:<br />
*** Leave it as it is<br />
*** Get closer to developers<br />
*** Get closer to decision-makers<br />
*** Get closer to students<br />
*** Also get closer to hobbyists<br />
*** => open<br />
** For 2015: resolution to seek proximity to the Karlsruhe Entwicklertage. Adopted without dissenting votes.<br />
<br />
* Torsten Gigler presented the <u>[https://www.owasp.org/index.php/Category:OWASP_Top_10_fuer_Entwickler Top 10 für Entwickler]</u><br />
* Request from Scotland regarding sponsoring the expenses of a talk by Mario Heiderich. The chapter lead was referred to OWASP on the Move accordingly. If that does not work out, the German chapter sponsors the trip.<br />
* Tobias Glemser is tasked with buying OWASP books and information material for conferences so that they can be distributed free of charge.<br />
* [[Media:OWASP domxss.pdf|&rarr; Talk]] "25 Million Flows Later - Large-scale Detection of DOM-based XSS", Martin Johns, SAP AG (45 min)<br />
* As the discussion about the German OWASP Day blew the time budget, the following two agenda items were postponed to the chapter meeting 02/2014.<br />
** OWASP German Chapter Lead: use of the funds available to the chapter (45 min)<br />
** OWASP German Chapter Lead: chapter board election (as decided in 2013, all positions) (15 min)<br />
* We ended the chapter meeting with delicious food at Ristorante Vitavera.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
<small>(see German text on left)</small><br />
|}<br />
<br />
==OWASP Germany Chapter Meeting on 17.05.2013 in Frankfurt==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
The OWASP Germany Chapter Meeting took place on 17.05.2013 at 14:00 in Frankfurt.<br />
<br />
Venue: Saalbau Gallus, Frankenallee 111, 60326 Frankfurt am Main <br />
[http://maps.google.de/maps?q=Frankenallee+111,+60326+Frankfurt+am+Main&hl=de&sll=50.104389,8.642389&sspn=0.002883,0.010375&vpsrc=0 Map] (A few metres from the S-Bahn station Galluswarte, one stop from Frankfurt Hbf)<br />
----<br />
==== Invitation ====<br />
We hereby once again cordially invite you to the chapter meeting of the OWASP German Chapter.<br />
<br />
If you want to actively participate in shaping the chapter, this is the right place for you. The chapter meetings are aimed at all those who want to actively take part in what happens in the chapter. We are setting the course to make OWASP even more present in Germany and look forward to your contribution! OWASP lives from the community, from active participation.<br />
<br />
[https://reg.owasp.de Please register here]. Please!<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
|-<br />
| style="vertical-align:top;" |<br />
<br />
==== Agenda ====<br />
<br />
* 14:00 Tobias Glemser, OWASP German Chapter Lead (30 min): warm words of welcome and review of chapter activities 2012 <br />
* 14:30 Laurent Levi from Checkmarx (45 min): DevOps and Security: It's Happening. Right Now.<br />
* 15:15 Dirk Wetter, OWASP German Chapter Board Member and AppSec EU Research Conference Chair (30 min): review of OWASP Day 2012 and outlook for AppSec EU Research 2013 <br />
* 15:45 Break (15 min) <br />
* 16:00 Jim Manico, OWASP Board Member (45 min): Top Ten Web Defenses<br />
* 16:45 Torsten Gigler, OWASP German Chapter (15 min): <u>[https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project OWASP Top 10 fuer Entwickler]</u><br />
* 17:00 Tobias Glemser, OWASP German Chapter Lead (15 min): chapter board election <br />
* 17:15 Open round (30 min): OWASP Germany in the coming year <br />
* Around 17:30 end, and for those who like, a nightcap afterwards at the neighbouring Greek restaurant.<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
<br />
==== Agenda ====<br />
* 14:00 Tobias Glemser, OWASP German Chapter Lead (30 min): Welcome and Review of Chapter Activities 2012 <br />
* 14:30 Laurent Levi from Checkmarx (45 min): DevOps and Security: It's Happening. Right Now.<br />
* 15:15 Dirk Wetter, OWASP German Chapter Board Member and AppSec EU Research Conference Chair (30 min): Review OWASP Day 2012 and Outlook AppSec EU Research 2013 <br />
* 15:45 Break (15 min) <br />
* 16:00 Jim Manico, OWASP Board Member (45 min): Top Ten Web Defenses<br />
* 16:45 Torsten Gigler, OWASP German Chapter (15 min): <u>[https://www.owasp.org/index.php/OWASP_Top_10_Fuer_Entwickler_Project OWASP Top 10 fuer Entwickler]</u><br />
* 17:00 Tobias Glemser, OWASP German Chapter (15 min): Chapter Board Election<br />
* 17:00 Open round (30 min): OWASP Germany next year <br />
* At about 17:30 we will be finished. Anyone interested in joining a get-together at a Greek restaurant nearby is asked to note <br />
|-<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
<br />
==== Ergebnisse / Protokoll ====<br />
<br />
<br />
* Welcome and report by Tobias [ [[Media:German_Chapter_Meeting_2013_Bericht_Chapter.pdf|&rarr; Slides]] ]<br />
* Talk: Laurent Levi, Checkmarx<br />
* Short round of introductions<br />
* Talk: Torsten Gigler - OWASP Top 10 für Entwickler [ [[Media:German_Chapter_Meeting_2013_OWASP_Top_10_fuer_Entwickler.pdf|&rarr; Slides]] ]<br />
* Talk: Dirk Wetter - AppSec Research 2013<br />
** GOD 2012<br />
*** Review of GOD 2012 (German OWASP Day)<br />
*** A complete success, both in content and financially<br />
** Dev(i|e)l 2013<br />
*** Outlook for AppSec Research 2013<br />
*** The conference promises a lot<br />
*** Details at <u>https://appsec.eu</u><br />
* Talk: Jim Manico - Top Ten Web Defenses [ [http://www.slideshare.net/JimManico/top-ten-defenses-v10 &rarr; Slides] ]<br />
* Organisational matters<br />
** Chapter Lead: Tobias Glemser<br />
** Board 2013: <br />
*** Dirk Wetter<br />
*** Martin Johns <br />
*** Achim Hoffmann<br />
*** Emin Tatlı<br />
*** Kai Jendrian<br />
** Decision: the board is re-elected annually <br />
* OWASP Day 2014<br />
** Venue selection via call for venue<br />
** Proposals on site:<br />
*** Köln<br />
*** Karlsruhe<br />
* Project proposals<br />
** Translation of OpenSAMM<br />
** Translation of the Top 10 after final publication (triggered by Kai)<br />
* Miscellaneous:<br />
** Meeting of the OWASP chapter in Q4 with a talk<br />
** Better presence of OWASP at other conferences <br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
<br />
==== Protocol ====<br />
tbd<br />
|<br />
<br />
|-<br />
! colspan="2" style="vertical-align:top;" align="left" |<br />
==== Abstracts/Bios ====<br />
|-<br />
| colspan="2" |<br />
===== DevOps and Security: It's Happening. Right Now. =====<br />
How do you integrate security within a Continuous Deployment (CD) environment - where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Traditional application security tools, which require lengthy periods of configuration, tuning and application learning, have become irrelevant in these fast-paced environments. Yet falling back only on the secure coding practices of the developer cannot be tolerated. <br />
Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary code analysis overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes. Steps include: <br />
* Re-evaluate existing security tools and consider their integration within a CD environment<br />
* Deliver a secured development framework and enforce its usage<br />
* Pinpoint precise security code flaws and provide optimal fix recommendations<br />
<br />
Laurent Levi<br />
Laurent is an experienced security professional with extensive technical knowledge in all aspects of application security. Over the last 6 years, Laurent has been managing Checkmarx's professional services team and prior to that led the code audit team of Lexsi in France. Laurent has extensive software development experience and has a post graduate degree in AI from Paris VI Université Pierre et Marie Curie.<br />
<br />
===== Top Ten Web Defenses =====<br />
We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Citigroup, PBS, Sega, Nintendo, Gawker, AT&T, the CIA, the US Senate, NASA, Nasdaq, the NYSE, Zynga, and thousands of others have something in common – all have had websites compromised in the last year. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.<br />
<br />
Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. He authors and delivers developer security awareness training for WhiteHat Security and has a background as a software developer and architect. Jim is also a global board member for the OWASP foundation. He manages and participates in several OWASP projects, including the OWASP cheat sheet series and the OWASP podcast series.<br />
----<br />
|}<br />
<br />
==OWASP Germany Chapter Meeting on 03.02.2012 in Frankfurt==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
The OWASP Germany Chapter Meeting took place on 03.02.2012 in Frankfurt.<br />
<br />
Venue: Saalbau Gallus, Frankenallee 111, 60326 Frankfurt am Main <br />
[http://maps.google.de/maps?q=Frankenallee+111,+60326+Frankfurt+am+Main&hl=de&sll=50.104389,8.642389&sspn=0.002883,0.010375&vpsrc=0 Map] (a few metres from the Galluswarte S-Bahn station, one stop from<br />
Frankfurt Hbf).<br />
<br />
----<br />
==== Invitation ====<br />
We hereby cordially invite you once again to the first Chapter Meeting 2012 of the OWASP German Chapter.<br />
Anyone who wants to take an active part in shaping the chapter is in exactly the right place. We are setting the course to make OWASP even more visible in Germany and look forward to your contribution! OWASP lives from its community, from active participation.<br />
It is only thanks to the many people involved that we are where we are today. So let's go! We would be especially pleased to welcome more of you from the education sector (yes, you, dear students!).<br />
<br />
To help with planning, please send a short e-mail if you are attending. Thank you!<br />
<br />
Feel free to set aside some time afterwards as well; we will let the day wind down over a shared meal and perhaps a drink.<br />
<br />
Best regards and see you on 03.02. in Frankfurt, we look forward to seeing you.<br />
OWASP German Chapter<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
<br />
==== Invitation ====<br />
<br />
|-<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
|-<br />
|<br />
==== Agenda ====<br />
<br />
* Georg: Welcome by Georg Heß, German Board Leader<br />
* Kai: Talk "OWASP Top 10 in German - pitfalls and surprises"<br />
* Kai: Questions and answers on "OWASP Top 10 in German"<br />
* Boris: Talk "The new OWASP Chapter Handbook - how we work worldwide"<br />
* Boris: Questions and answers on "OWASP Chapter Handbook"<br />
* Dirk: Review of OWASP Day 2011, outlook for 2012<br />
* Tobias: Review of it-sa 2011, outlook for 2012<br />
* Dirk: AppSec Research EU: 2013 in Germany?<br />
* Boris: Corporate chapter support (costs, benefits, process)<br />
* Georg: Actions for recruiting members<br />
* Bruce: Options for intensifying press relations<br />
* Boris: Cooperation with the BSI<br />
* Tobias: Topics for projects in 2012<br />
* Georg: Brief overview of OWASP certifications<br />
* Achim: Definition of the framework for a job page<br />
* Achim: Administrators for owasp.org<br />
* Georg: Election of Leader and Board of the OWASP German Chapter<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
The minutes of the chapter meeting can be found <u>[[Media:Chapter-Germany-20120203-Protokoll.zip|here]]</u>; the password is secret ;-)<br />
<br />
Important decisions in brief:<br />
* Tobias elected as Chapter Leader<br />
* Board elected: Bruce, Dirk, Emin, Martin, Achim<br />
* German OWASP Day 2012 in November in München<br />
** 1.5 - 2 days, no commercial trainings this year<br />
** CfP committee led by Dirk, Martin<br />
** there will be a certificate of participation/attendance<br />
* OWASP booth at it.sa 2012 in Nürnberg<br />
* Corporate sponsoring will be made possible: local sponsor approx. 500,- per year<br />
* Cooperation with the BSI will be intensified<br />
* there will be (for now) no separate German job page under owasp.org; please use [[OWASP_Jobs]]<br />
...<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
Meeting minutes can be found <u>[[Media:Chapter-Germany-20120203-Protokoll.zip|here]]</u>. Note that they are in German.<br />
<br />
Most important:<br />
* Tobias elected as Chapter Leader<br />
* Board members: Bruce, Dirk, Emin, Martin, Achim<br />
* German OWASP Day 2012 will be in November in München<br />
** 1.5 - 2 days, no training sessions this year<br />
** CfP committee led by Dirk, Martin<br />
* OWASP will be present at it.sa 2012 in Nürnberg<br />
* company sponsoring possible: local sponsor approx. 500,- per year<br />
* co-operation and collaboration with the BSI will be initiated<br />
* currently no local job page within owasp.org<br />
...<br />
|}<br />
<br />
==Chapter Board Meeting on 19.8.2011 in München==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
==== Agenda ====<br />
* The chapter's self-image: the future<br />
* Bringing OWASP Germany into "public awareness"<br />
* Founding a registered association: yes/no<br />
* Money management/invoices<br />
* Companies as chapter members<br />
* IT-SA 2011<br />
* Board (communication, roles, election, date of the chapter meeting)<br />
* Status: flyer<br />
* OWASP Day<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
The minutes of the board meeting can be found <u>[[Media:Chapter-Germany-20110819-Protokoll.zip|here]]</u>; the password is secret ;-)<br />
<br />
Important decisions in brief:<br />
* OWASP Chapter Germany will exhibit at it.sa in Nuremberg, 11.10. - 13.10.2011<br />
* a ''corporate membership'' aka ''Chapter Supporter'' will be offered; details soon on the website<br />
* next Chapter Meeting on 20.01.2012 or 03.02.2012 in Frankfurt<br />
...<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
<br />
==== Protocol ====<br />
The minutes of the Chapter Germany Board Meeting can be found <u>[[Media:Chapter-Germany-20110819-Protokoll.zip|here]]</u>. Note that they are in German.<br />
<br />
Most important:<br />
* OWASP Chapter Germany will be at it.sa in Nuremberg, 11.10. - 13.10.2011<br />
* ''Chapter Supporter'' will be possible for companies; details coming soon<br />
* next Chapter Meeting 20.01.2012 or 03.02.2012 in Frankfurt<br />
...<br />
|}<br />
<br />
== Chapter Meeting on 20.5.2010 in München ==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
==== Agenda ====<br />
* 14:00 General welcome and round of introductions <br />
* 14:15 Bruce Sams: "Strategy and costs of an SDLC" <br />
* 14:50 Discussion <br />
* 15:10 Boris Hemkemeier: "Two Factors Are Not Enough" <br />
* 16:05 Discussion (flows seamlessly into the) <br />
* 16:15 Coffee break <br />
* 16:35 Talk with discussion "Organisational matters in the chapter" <br />
* 17:15 Start of resolutions and elections <br />
* 17:25 Talk with discussion "OWASP Germany Conference 2010" <br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
===== Organisational matters in the chapter =====<br />
<br />
The main points to be implemented or improved: <br />
<br />
* More external impact through public relations, better press work / press releases, and the introduction and maintenance of a list of speakers (e.g. to be able to present OWASP adequately at public events) <br />
* A well-maintained wiki, both for external presentation and as a platform for internal communication <br />
* Introduction of direct contact persons for various industries<br />
<br />
A short discussion follows on how this can be implemented effectively. A proposal is adopted by implied consent: a chapter board consisting of 5 members is to be elected. Each of these members is given one or more dedicated task(s) to cover and implement the points listed above. A call follows for volunteers to stand in such an election. The new Chapter Leader is also to be elected. Since only one candidate stands for only one post for the next two years, the following is decided: in votes, each member of the board has exactly one vote, while the Chapter Leader has two votes. This is intended to prevent ties in future votes. <br />
<br />
===== Resolution on the number of Chapter Leaders =====<br />
<br />
The 12 participants of the chapter meeting unanimously resolve that in future the Chapter Germany (analogous to most other OWASP chapters) will have only one Chapter Leader. <br />
<br />
===== Election of the Chapter Leader =====<br />
<br />
''Georg Heß'' stands as a candidate for Chapter Leader and is elected the new Chapter Leader of the OWASP Chapter Germany with 11 of 12 votes and one abstention. <br />
<br />
===== Resolution on the future composition of the board =====<br />
<br />
It is unanimously resolved that the future board will consist of 5 members. They are to take on the tasks as described in the discussion. <br />
<br />
===== Election of the board =====<br />
<br />
''Tobias Glemser, Boris Hemkemeier, Achim Hoffmann, Uli Petersen and Bruce Sams'' stand as candidates for the 5 seats on the board. All are elected unanimously. <br />
<br />
All those elected accept the election. <br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
Not yet available in English, sorry.<br />
|}<br />
<br />
== OWASP German Chapter Meeting 10.07.2009, Mannheim ==<br />
<br />
{| style="background-color:inherit;" width="100%"<br />
| style="vertical-align:top; padding-right:0.5em;" width="70%" |<br />
==== Invitation ====<br />
;Summary:We will start with three interesting fresh talks. The following topics are the next activities of the OWASP German Chapter: the new [http://www.owasp.org/index.php/OWASP_German_Chapter_Stammtisch_Initiative "Stammtisch Initiative"] and the planning of the [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009] at Nuremberg. <br />
<br />
;Location:Aula of the [http://www.hs-mannheim.de Hochschule Mannheim], Building 3, Paul-Wittsack-Strasse 10, Mannheim ([http://maps.google.de/maps?f=d&source=s_d&saddr=Mannheim+Hbf&daddr=49.471303,8.48372&geocode=Fbr-8gIduTmBAA%3B&hl=de&mra=dme&mrcr=0&mrsp=1&sz=15&sll=49.474885,8.474715&sspn=0.015532,0.050254&ie=UTF8&z=15 Google Maps]). Please download the [http://www.hs-mannheim.de/campus/grafik/campusplan_legende_web.pdf campus map]. <br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" width="30%" |<br />
==== Invitation ====<br />
<br />
|-<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Agenda ====<br />
* 12:00 - 13:00&nbsp;: Lunch (optional, please send an email to [mailto:Georg.Hess@artofdefence.com?subject=OWASP%20Chapter%20Meeting%20Lunch%20registration Georg Heß] to register for lunch), meeting point for the lunch is at the Aula in Building 3<br />
* 13:15 - 13:30 : Opening by our host Prof. Rainer Gerten (German) <br />
* 13:30 - 14:30 : OWASP Educational Services - Teaching Security!, Martin Knobloch, Member of OWASP Global Education Committee (English) <br />
* 14:30 - 15:00 : Presentation and current status of the OWASP Germany project "Best Practice: Projektierung von Sicherheitsprüfungen von Web Applikationen", N.N., project member (German) <br />
* 15:00 - 15:45 : Cloud Application Security - Opportunities and Risks - Some Starting Points on the Topic, Georg Hess (German) <br />
* 15:45 - 16:15 : Coffee <br />
* 16:15 - 17:00 : Organisational topics of the OWASP German Chapter (German) <br />
** OWASP Stammtisch Initiative <br />
** Outlook and organisational tasks for the 2nd [[OWASP Germany 2009 Conference]]<br />
* after 17:00 : Come together (Any ideas for a pub nearby?) <br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Agenda ====<br />
|-<br />
<br />
| style="vertical-align:top; padding-right:0.5em;" |<br />
==== Results / Minutes ====<br />
<br />
===== OWASP AppSec 2010 =====<br />
<br />
A short historical review of the venues follows: 2008 in a hotel in Frankfurt, 2009 at the it-sa trade fair in Nuremberg. Short discussion of the pros and cons of hotel vs. trade fair vs. university location. <br />
<br />
* It is to be checked whether this year's '''"OWASP Germany Conference 2010"''' can again be held in cooperation with Messe Nürnberg / it-sa (e.g. on 20.10.2010). <br />
* Furthermore, a conference day with '''two separate tracks (technical and management)''' is envisaged. <br />
* To drive the content planning forward, a '''programme committee''' (initially consisting of ''Bruce Sams, Kai Jendrian, Boris Hemkemeier and Martin Johns'') is set up, which is to launch the '''CFP''' soon.<br />
<br />
At around 18:15 the OWASP German Chapter Meeting breaks up and flows seamlessly into the 12th "Happy Anniversary!" OWASP Stammtisch München.<br />
<br />
Further results can be found [https://lists.owasp.org/pipermail/owasp-germany/2009-July/000086.html in the minutes here].<br />
<br />
| style="vertical-align:top; padding-left:0.5em;border-left:1px solid black" |<br />
==== Protocol ====<br />
Minutes: [https://lists.owasp.org/pipermail/owasp-germany/2009-July/000086.html See the list archive for the minutes.]<br />
|}<br />
<br />
== OWASP German Chapter Meeting - February 20th, 2008 in Darmstadt ==<br />
<br />
;Date: February 20th, 2008, 11:00-16:15<br />
;Location: The next chapter meeting will be hosted at CAST in Darmstadt.<br />
: CAST (http://www.cast-forum.de<nowiki/>)<br>'''Fraunhoferstr. 5 (formerly Rundeturmstr. 6) - ground floor, Room 072 - [http://www.cast-forum.de/workshops/anfahrt.html Directions]'''<br />
<br />
;Agenda: This time the focus is on technical presentations and discussion.<br />
: Technical presentation slots will consist of 20-30 minute presentation and 15 minute discussion. <br />
# (11:00 - 11:15) Welcome, Introduction and Administrivia <br />
# (11:15 - 11:30) Introduction of CAST (Dr. Heinemann) <br />
# (11:30 - 11:45) Short OWASP organisation introduction and update (Tobias Gondrom) <br />
# (11:45 - 12:30) First technical presentation "Best Practices beim Einsatz einer Web Application Firewall 1.0" (Slides: [http://www.owasp.org/images/1/1b/WAF-Paper.pdf PDF]) (Alexander Meisel) <br />
# (12:30 - 13:15) Break <br />
# (13:15 - 14:00) Second technical presentation "Defending against Web Application DoS Attacks" (Maximilian Dermann) <br />
# (14:00 - 14:45) 20-Minute Talks (15 min presentation + 5-10 min discussion) <br />
: * "Input validation in ASP.NET -- tips, tricks &amp; pitfalls" (Boris Hemkemeier) <br />
: * "Managing of extremely large Web Application Firewall Installations" (Slides: [http://www.owasp.org/images/f/f6/VeryLargeWAFs.pdf PDF]) (Alexander Meisel) <br />
# (14:45 - 15:00) Coffee Break <br />
# (15:00 - 15:45) Fourth technical presentation "Secure Coding and Development Guidelines (part of CLASP)" (Tobias) <br />
# (15:45 - 16:00) Wrap-up and outlook<br />
<br />
== Chapter Meeting on September 7th 2007 in Frankfurt/Main ==<br />
<br />
After two years of absence the German Chapter has been restarted. The chapter meeting was on September 7th 2007, 15:00 - 18:00. <br />
<br />
This first chapter meeting had as its main goal the re-initiation of the German chapter and to start work on projects. Talks and presentations are secondary and will receive more focus at subsequent meetings. <br />
<br />
Read meeting notes/minutes [https://lists.owasp.org/pipermail/owasp-germany/2007-September/000038.html here].<br />
<br />
<br />
----<br />
[https://www.owasp.org/index.php?title=Germany/Chapter_Meetings <top>] [[Germany|<zurück>]] [[Germany|<Germany>]]<br />
<br />
[[Category:Germany]] <br />
[[Category:Europe]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=249554OWASP Juice Shop Project2019-04-02T10:31:13Z<p>Bjoern Kimminich: /* Project Sponsors */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application, including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
[07.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.0 v8.4.0]<br />
<br />
[29.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.0 v6.0.0]<br />
<br />
[24.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v5.0.2 v5.0.2]<br />
<br />
[16.01.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.3.0 v8.3.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live update of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
----<br />
<br />
You can find the current project balance along with a history of all donations and spendings in the [https://docs.google.com/spreadsheets/d/1rjGL50kp7kciYq3zyYCyKt5_lfLUCezRCkNRlirpC84/edit#gid=1584336283&range=C315 Chapter and Project Transactions] spreadsheet.<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=249509OWASP Juice Shop Project2019-04-01T07:47:53Z<p>Bjoern Kimminich: /* Documentation */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org Node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
[07.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.0 v8.4.0]<br />
<br />
[29.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.0 v6.0.0]<br />
<br />
[24.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v5.0.2 v5.0.2]<br />
<br />
[16.01.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.3.0 v8.3.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
Companion Guide ([https://leanpub.com/juice-shop LeanPub]/[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content GitBook])<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live list of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors can be found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=249508OWASP Juice Shop Project2019-04-01T07:46:30Z<p>Bjoern Kimminich: /* Documentation */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org Node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
[07.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.0 v8.4.0]<br />
<br />
[29.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.0 v6.0.0]<br />
<br />
[24.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v5.0.2 v5.0.2]<br />
<br />
[16.01.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.3.0 v8.3.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
Introduction Slide Deck ([http://bkimminich.github.io/juice-shop HTML5]/[https://github.com/bkimminich/juice-shop/raw/master/docs/OWASP%20Juice%20Shop%20-%20An%20intentionally%20insecure%20JavaScript%20Web%20Application.pdf PDF])<br />
<br />
[https://github.com/bkimminich/juice-shop/blob/master/README.md Documentation (Readme)]<br />
<br />
[https://leanpub.com/juice-shop Companion Guide (LeanPub)]<br />
<br />
[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content Companion Guide (HTML)]<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live list of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors can be found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translate the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=249491GSoC2019 Ideas2019-03-31T13:34:50Z<p>Bjoern Kimminich: /* OWASP Juice Shop */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:'''<br />
* '''Read [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program (GSoC)]'''<br />
* '''Read the [[GSoC SAT]]'''<br />
* Read the [https://www.owasp.org/index.php/GSoC GSoC Student Guidelines]<br />
* Contact us through the mailing list or IRC channel.<br />
* Check our [https://github.com/OWASP GitHub organization]<br />
<br />
<br />
==OWASP-SKF==<br />
<br />
=== Idea 1 Improving the Machine Learning chatbot: ===<br />
We want to extend the functionality of SKF Bot (the Security Knowledge Framework chatbot).<br />
<br />
Some improvements or suggestions which would extend its functionality are:<br />
<br />
1. Create a desktop version of the chatbot, so that people can install a setup file on their local machine.<br />
<br />
2. Create a plugin or website bot which can be embedded in the website for a better chat experience for the user.<br />
<br />
3. Extend the bot's capability to do a Google search (using web scraping) for things which are not available in the database, so that it has a wider scope of knowledge.<br />
<br />
4. Add a basic conversation flow which makes SKF Bot friendly and provides a better user experience. Example: replies to general queries like "How are you?" or "What is your name?".<br />
<br />
5. Extend the bot's capability to reply with which security controls should be followed from the ASVS and MASVS or other custom checklists that are present in SKF.<br />
<br />
6. Extend the bot to different platforms like Facebook, Telegram, Slack, Google Assistant etc.<br />
<br />
The existing chatbot implementation is on Gitter. You can test the bot by typing @skfchatbot in the Gitter community.<br />
<br />
'''Getting started:'''<br />
<br />
* Get familiar with the architecture and code base of SKF (Security Knowledge Framework)<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
* Python 3+, Flask, CoffeeScript<br />
<br />
'''Mentors and Leaders'''<br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor)<br />
<br />
=== Idea 2 Improving and building Lab challenges and write-ups: ===<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be easily deployed.<br />
<br />
In the current situation the Security Knowledge Framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and a solution. The new labs are used to give software developers or application security specialists a more in-depth understanding of, and approach to, how to test for the vulnerabilities in their own code.<br />
* For example, we currently have around 20 lab challenges in Docker containers built in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the GitHub repository are automatically built and pushed to a Docker registry, from which SKF users can easily pull them to get their labs running. Of course, they can also download and build the images themselves from source by pulling the original repository.<br />
<br />
=== Idea 3 Addition of exploitation framework + labs + challenges and write ups ===<br />
This proposal adds an “Exploit Development Framework” to SKF (Security Knowledge Framework). The idea revolves around how one gets started with Linux exploit development, from basic format string attacks to advanced buffer overflows.<br />
<br />
The framework integrates with SKF and gives hands-on experience writing exploit code against targets deployed in Docker containers, for easy and instant deployment.<br />
<br />
The framework will provide a browser-based shell environment and a built-in chat utility that guides you from absolute beginner (gdb basics) all the way to bypassing protections such as ASLR, NX and stack canaries on Linux.<br />
<br />
Each challenge gets a dedicated container, which keeps the challenges easy to maintain. The vulnerable binary is also exposed on a dedicated port, so you can connect to it from your own machine, and the source of the vulnerable code is provided. This gives users the flexibility to experiment and even automate the attacks in Python, either with plain socket programming or with an intermediate framework like pwntools.<br />
<br />
The challenges are not limited to stack-based buffer overflows; they also cover format string attacks, double frees, heap overflows and privilege escalation.<br />
<br />
In total 20 challenges will be deployed. The scope is not limited to basic exploit development but also covers advanced exploitation techniques such as blind ROP, with plenty of room for experimentation.<br />
<br />
The add-on also comes with a dedicated document describing how to exploit each challenge in several flavours: manual, automated and advanced.<br />
<br />
Once the labs and write-ups are complete, the NLP model can be trained to cover not just web security but also C/C++ coding best practices and the risks involved with calls such as free() and puts(): not only the theory of why a call is dangerous, but also guidance on why it is dangerous in the given code and how to write an exploit for it.<br />
<br />
Once the labs have been completed with ASLR turned off, ASLR can be turned on for the same stages, leading to ROP under ASLR and even more challenging questions.<br />
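As an added example (not part of the SKF framework proposal or its labs), this is what the "automate the attacks in Python" step looks like for the simplest case, a stack-based buffer overflow with protections off: a De Bruijn pattern finds the return-address offset from the crash, and the overwrite is packed the way pwntools' cyclic()/cyclic_find()/p64() would do it. The frame layout modelled by simulate_crash() (a 64-byte buffer, saved rbp, then the return address) and the address 0x401136 are hypothetical; against a real challenge the payload would be sent over a socket to the container's port.<br />

```python
"""Automating a stack overflow in plain Python (added example, not SKF
framework code). Reimplements the pwntools helpers cyclic(),
cyclic_find() and p64() and runs them against a simulated crash.
The target frame layout and the return address are hypothetical."""
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet: str = ALPHABET, n: int = 4) -> str:
    """De Bruijn sequence B(k, n): every length-n string over the alphabet
    occurs exactly once, so an n-byte value read out of a crashed register
    maps back to a single offset in the input."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


_PATTERN = de_bruijn()


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern; send this as the overflowing input."""
    return _PATTERN[:length].encode()


def cyclic_find(value: bytes) -> int:
    """Offset of the 4-byte chunk that landed in the crashing register.
    On 64-bit pass the low 4 bytes of the faulting return address."""
    return _PATTERN.find(value[:4].decode())


def overflow_payload(offset: int, ret_addr: int, bits: int = 64) -> bytes:
    """Padding up to the saved return address, then the address to jump to,
    little-endian (what pwntools' p32()/p64() produce)."""
    fmt = "<Q" if bits == 64 else "<I"
    return b"A" * offset + struct.pack(fmt, ret_addr)


def simulate_crash(payload: bytes, buf_size: int = 64) -> bytes:
    """Model of the vulnerable frame (hypothetical): [buf_size-byte buffer]
    [8-byte saved rbp][8-byte return address]. Returns the bytes that land
    in the return-address slot, as a debugger would show them in RIP."""
    ret_off = buf_size + 8
    return payload[ret_off:ret_off + 8].ljust(8, b"\x00")


def exploit_flow(target_addr: int = 0x401136) -> dict:
    """The whole loop: crash with a pattern, recover the offset, build the
    real payload, confirm the return slot now holds target_addr."""
    rip = simulate_crash(cyclic(200))
    offset = cyclic_find(rip[:4])
    payload = overflow_payload(offset, target_addr)
    landed = struct.unpack("<Q", simulate_crash(payload))[0]
    return {"offset": offset, "payload_len": len(payload), "landed": landed}
```

With a stack canary enabled the same padding would overwrite the canary and the process would abort before ever returning, which is why the labs start with protections off; under NX the target address then has to be a gadget or libc function rather than shellcode on the stack.<br />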
<br />
'''Mentors and Leaders''' <br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor, SKF Contributor)<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool and is used as the backbone for security programs. It is easy to get started with and to work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
'''Issue Tracking:'''<br />
<br />
Enhancement [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement requests] and [https://github.com/DefectDojo/django-DefectDojo/issues?q=is%3Aissue+is%3Aopen+label%3Abug bugfixes] are tracked in GitHub issues. This project could implement a whole bunch of new features one by one and release them over the course of several small releases.<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP DefectDojo<br />
* Each feature comes with full functional unit and integration tests<br />
'''Getting started:'''<br />
* Get familiar with the architecture and code base of the application built on Django<br />
* Review the application functionality and familiarize yourself with Products, Engagements, Tests and Findings.<br />
* Get familiar with the CI/CD process based on Travis-CI<br />
'''Knowledge Prerequisites:'''<br />
* Python, Django, Javascript, Unit/Integration testing.<br />
'''Potential Mentors:'''<br />
* [[Mailto:aaron.weaver2+gsoc@gmail.com|Aaron Weaver]] - DefectDojo Project Leader<br />
* [[Mailto:greg.anderson@owasp.org|Greg Anderson]] - DefectDojo Project Leader<br />
* [[Mailto:matt.tesauro@owasp.org|Matt Tesauro]] - DefectDojo Project Leader<br />
'''Option 1: Unit Tests - Difficulty: Easy'''<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
* Review the current [https://github.com/DefectDojo/django-DefectDojo/tree/dev/dojo/unittests unit tests] <br />
* Complete Code Coverage Testing<br />
** Validate Tests exist for the following (create any that are missing):<br />
*** Finding, Test, Engagement, Reports, Endpoints <br />
*** Import from all scanners <br />
'''Option 2: Python3 Completion'''<br />
* DefectDojo is finishing up a migration to Python3<br />
* Test the current [https://github.com/DefectDojo/django-DefectDojo/tree/python3/dojo/unittests state] of Python3<br />
* Ensure all features work<br />
* Ensure Travis testing works correctly<br />
'''Option 3: Scan 2.0 / Launch Containers'''<br />
<br />
Scan 2.0 consists of automating the scanning orchestration within DefectDojo. Several proofs of concept exist for this, using the AppSecPipeline to launch containers and then push the findings into the appropriate product.<br />
* Use the [https://github.com/appsecpipeline/AppSecPipeline-Specification AppSecPipeline] containers to build a scanning pipeline on top of [https://www.openfaas.com/ OpenFaaS]<br />
* Scans should be schedulable from DefectDojo and then invoked via a REST API call to OpenFaaS<br />
* Upon scan completion the results are posted back to DefectDojo via DefectDojo's REST API and consumed as an engagement/test.<br />
* Pick 2 or 3 popular open source scanners such as Nmap, ZAP and Nikto to start out with.<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
[[OWASP_Python_Honeypot|OWASP Honeypot]] is open source software written in Python, designed for creating honeypots and honeynets in an easy and secure way! It is compatible with Python 2.x and 3.x and tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Started ===<br />
<br />
It's best to start from the [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page]. We are looking forward to adding more modules and optimizing the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And other Linux services<br />
<br />
=== Expected Results ===<br />
<br />
* Zero bugs: there may currently be several bugs under different conditions; all functions should be tested and the bugs fixed<br />
* Monitoring: right now monitoring is limited to the connections (send & receive); the contents should be stored and analysed for further investigation and for recognizing incoming attacks<br />
* Duplicated code: the engine code is complicated and duplicated and should be cleaned up<br />
* New modules: add creative ICS/network/web modules and vulnerable web applications and services<br />
* API: keep the API in sync with all features<br />
* WebUI: expose the API in the WebUI and the live version with all features<br />
* WebUI special reports: track attacks more creatively and report high-risk IPs<br />
* Database: better and faster database structure, using a queue<br />
* Data analysis: analyse stored data and attack signatures<br />
* OWASP Top 10: prepare useful processed/raw data for the OWASP Top 10 project<br />
<br />
=== Student Requirements ===<br />
<br />
* Python<br />
* Packet Analysis & Tshark & Libpcap<br />
* Docker<br />
* Database<br />
* Web Development Skills<br />
* Honeypot and Deception knowledge<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham] (Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Feature Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)<br />
* Each feature comes with full functional unit and integration tests<br />
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich JavaScript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Juice Shop Mobile ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
A complete mobile client for the Juice Shop API that provides a legitimate mobile experience for Juice Shop users as well as a plethora of mobile app vulnerabilities, with challenges built around them to solve. In the best case it should translate the idea of Juice Shop's hacking challenges, with a score board and success notifications, into the mobile world.<br />
<br />
''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''<br />
<br />
''' Getting started '''<br />
* Get familiar with the architecture and code base of the application's RESTful backend<br />
* Get familiar with native app development<br />
* Get familiar with mobile vulnerabilities<br />
<br />
'''Expected Results:'''<br />
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.<br />
* Sufficient initial release quality (on par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''<br />
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some mobile security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich JavaScript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP-Securetea Tools Project ==<br />
The OWASP SecureTea Project is an application designed to help secure a person's laptop, computer or server with IoT (Internet of Things) and notify users (via various communication mechanisms) whenever someone accesses their computer or server. The application uses the touchpad/mouse/wireless mouse to detect activity; it is developed in Python and tested on various machines (Linux, Mac & Windows).<br />
The software is still under development and will eventually have its own IDS (Intrusion Detection System) / IPS (Intrusion Prevention System), firewall, anti-virus and intelligent log monitoring with web defacement detection, and will support many more communication media.<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
Do you have an awesome idea to improve the SecureTea Project that is not on this list? We want to make this project useful to everyone securing their small IoT devices.<br />
<br />
===Idea===<br />
Below are the roadmap and expected results from which you can choose how to improve the SecureTea Project.<br />
If you find any bugs, please help to fix them.<br />
<br />
===Roadmap=== <br />
See Our Roadmap<br><br />
https://github.com/OWASP/SecureTea-Project#roadmap<br><br />
<br />
===Expected Results===<br />
<br><br />
SecureTea protection/firewall<br><br />
SecureTea antivirus<br><br />
Notify by WhatsApp<br><br />
Notify by SMS alerts<br><br />
Notify by Line<br><br />
Notify by Telegram<br><br />
Intelligent log monitoring including web defacement detection<br><br />
Detection of malicious devices<br><br />
Login history<br><br />
=== Student Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP SecureTea Project Leader)<br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A] - (OWASP SecureTea Project Leader)<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewriting some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker-based testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
<br />
=== OWASP OWTF - Passive Online scanner improvements ===<br />
'''Brief Explanation'''<br />
<br />
OWTF supports many passive tests, such as searches through third-party websites like Google and Bing, as well as handy "Search for vulnerability" search boxes (e.g. in the fingerprinting plugin). This idea involves the creation of a '''script''' that produces an interactive OWTF report, with the intention of hosting it on the github.io site. The goal is to have a passive, JavaScript-only interactive report available on the owtf.github.io site, so that people can try OWTF '''without installing anything''', simply by visiting a URL.<br />
<br />
This would be a normal OWTF interactive report where the user can:<br />
* Enter a target<br />
* Try passive plugins (only the parts that use no tools)<br />
* Play with boilerplate templates from the OWTF interactive report<br />
An old version of the passive online scanner is hosted at https://owtf.github.io/online-passive-scanner.<br />
<br />
'''LEGAL CLARIFICATION (Just in case!)''': The passive online scanner simply makes OWTF passive testing '''through third party websites''' more accessible to anybody; however, it is the user who must 1) click the link manually, 2) do something bad with the result afterwards, and 3) do 1 + 2 WITHOUT permission :). Therefore this passive online scanner does not do anything illegal. [http://www.slideshare.net/abrahamaranguren/legal-and-efficient-web-app-testing-without-permission More information about why this is not illegal here] (recommended reading!)<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
* '''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code]/ES6 JavaScript code in all modified code and surrounding areas.'''<br />
* High performance<br />
* Reliability<br />
* Ease of use<br />
* Test cases<br />
* Good documentation<br />
<br />
'''Knowledge Prerequisite:'''<br />
<br />
A good knowledge of JavaScript and of writing ES6-compliant React/TypeScript is needed. Previous exposure to security concepts and penetration testing is not required but recommended; a lack of it can be compensated for by pre-GSoC involvement and a will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia]<br />
<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest Python MiTM proxy. However, it lacks the useful and much needed interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. It is fast, but it is not extensible. There are a number of good use cases for extensibility:<br />
*the ability to intercept transactions<br />
*modifying or replaying a transaction on the fly<br />
*adding additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib and urllib2) with a more robust Requester based on urllib3, with support for a real headless browser factory. The typical flow when an authenticated browser instance (using PhantomJS) is requested:<br />
**The "Requester" module checks whether any login parameters were provided (i.e. form-based or script; see https://github.com/owtf/login-sessions-plugin)<br />
**Create a browser instance and perform the necessary login procedure<br />
**Use the browser instance to request the URI<br />
**When called to close the browser, do a clean logout and kill the browser instance.<br />
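The interception, replay and plugin (middleware) ideas above, as an added example that is not OWTF's code: interceptors are defined independently, chosen at runtime, and each may inspect, rewrite or veto a transaction; logged transactions can be replayed with modifications through the same chain. The Request model, the X-OWTF-Session header used for "session marking" and the sample URLs are constructed for this illustration.<br />

```python
"""Pluggable interception/replay chain for a MiTM proxy (added example,
not OWTF code). Each interceptor is a separate plugin; the pipeline
applies the chosen ones in order and keeps a log for replay.
Requests, hosts and the session header are constructed samples."""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


# An interceptor returns a (possibly new) Request, or None to drop it.
Interceptor = Callable[[Request], Optional[Request]]


class Pipeline:
    """Ordered chain of interceptors plus a transaction log for replay."""

    def __init__(self):
        self.plugins: List[Interceptor] = []
        self.log: List[Request] = []

    def use(self, plugin: Interceptor) -> "Pipeline":
        self.plugins.append(plugin)
        return self

    def handle(self, req: Request) -> Optional[Request]:
        for plugin in self.plugins:
            req = plugin(req)
            if req is None:          # a plugin vetoed the transaction
                return None
        self.log.append(req)
        return req

    def replay(self, index: int, **overrides) -> Optional[Request]:
        """Re-send a logged transaction with fields overridden (new body,
        new URL, ...); it passes through the plugin chain again."""
        return self.handle(replace(self.log[index], **overrides))


# --- plugins, each defined separately from the proxy core -------------

def session_marker(tag: str) -> Interceptor:
    """Tag every request so its transactions can be grouped per session."""
    def plugin(req: Request) -> Request:
        headers = dict(req.headers, **{"X-OWTF-Session": tag})
        return replace(req, headers=headers)
    return plugin


def drop_out_of_scope(allowed_hosts: List[str]) -> Interceptor:
    """Veto anything not targeting an in-scope host."""
    def plugin(req: Request) -> Optional[Request]:
        host = urlsplit(req.url).hostname
        return req if host in allowed_hosts else None
    return plugin


def set_query_param(name: str, value: str) -> Interceptor:
    """Rewrite one query parameter on the fly (e.g. swap an id for fuzzing)."""
    def plugin(req: Request) -> Request:
        parts = urlsplit(req.url)
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        params[name] = value
        return replace(req, url=urlunsplit(parts._replace(query=urlencode(params))))
    return plugin


def demo():
    pipe = (Pipeline()
            .use(drop_out_of_scope(["target.example"]))
            .use(session_marker("audit-1")))
    first = pipe.handle(Request("GET", "http://target.example/item?id=1"))
    dropped = pipe.handle(Request("GET", "http://other.example/"))
    # Plugins can be added later; the replay of transaction 0 goes
    # through the extended chain and comes back with id=2.
    pipe.use(set_query_param("id", "2"))
    replayed = pipe.replay(0)
    return first, dropped, replayed
```

Because plugins only see and return Request objects, the scope check, session marking and rewriting never touch the proxy's I/O code, which is the separation the bonus item asks for.<br />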
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] (OWASP OWTF Project Leaders)<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard work for the change has already been done in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] (OWASP OWTF Project Leaders)<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very usable, and browsing the many plugins is painful. Most plugins contain a lot of code, much of it repeated, so a lot of refactoring is needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP iGoat (draft) ==<br />
'''Idea 1:''' Completing the OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos for the OWASP iGoat YouTube channel for learning purposes.<br />
<br />
'''Idea 2:''' Adding a new challenge pack / CTF for iGoat. It should be a one-stop solution for learning iOS app security.<br />
<br />
== OWASP Seraphimdroid ==<br />
[[OWASP SeraphimDroid Project|OWASP Seraphimdroid]] is an Android security and privacy app with features to enhance users' knowledge about security and privacy on their mobile device. If you are interested in this project and in working on it during Google Summer of Code, please contact [[User:Nikola Milosevic|Nikola Milosevic]] and express your interest.<br />
<br />
=== Idea 1: Anomaly detection of device state ===<br />
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, calls, etc.). Initially, the usual behaviour of the device would be learned. Later, deviations from the normal behaviour would be reported to the user, together with some explanation, such as which applications are causing the anomalous device behaviour.<br />
<br />
=== Idea 2: On device machine learning of maliciousness of an app ===<br />
TensorFlow for on-device processing and other libraries that enable on-device machine learning have been released. We have previously built a system that, based on permissions, is able to distinguish malicious apps from non-malicious ones. Now we would like to also learn from other signals one can monitor about an application whether it may be malicious.<br />
<br />
=== Idea 3: Enhancing privacy features ===<br />
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved through knowing which applications are sending user accounts or other information the user has on the phone to a server, or just by knowing which applications may be doing so. The knowledge base should be extended with suggestions on how to improve privacy. Also, automated settings of various apps to use encryption should be proposed.<br />
==OWASP ZAP==<br />
The [[OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy]] (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== Active Scanning WebSockets ===<br />
: '''Brief Explanation:'''<br />
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).<br />
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* A pluggable infrastructure that allows us to actively scan websockets<br />
:* Converting the relevant existing scan rules to work with websockets<br />
:* Implementing new websocket specific scan rules<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated Authentication Detection and Configuration ===<br />
: '''Brief Explanation:'''<br />
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
: This is time consuming and error prone.<br />
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sorts of webapps as possible.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* Detect login and registration pages<br />
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
== IoT Goat ==<br />
IoT Goat will be a deliberately insecure firmware based on OpenWrt. The project’s goal is to teach users about the most common vulnerabilities typically found in IoT devices. The vulnerabilities will be based on the [https://www.owasp.org/images/1/1c/OWASP-IoT-Top-10-2018-final.pdf IoT Top 10 2018]. <br />
<br />
===Idea 1: Insecure firmware web application ecosystem===<br />
'''Brief Explanation:'''<br />
<br />
A vulnerable web application and backend API/web services deployed on OpenWrt, containing critical vulnerabilities that showcase the traditional IoT problems.<br />
<br />
''' Getting started '''<br />
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-<br />
* Create a GitHub account to be added as a collaborator to the repository<br />
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md<br />
<br />
'''Expected Results:'''<br />
<br />
Development of a simple web application user interface with web services and APIs deployed locally on the OpenWrt firmware. Documented challenges describing how to discover and remediate web software security vulnerabilities. The insecure web application services must contain the following vulnerabilities to be used with the IoT testing guide: <br />
* Command injection<br />
* SQL injection<br />
* Local file inclusion <br />
* XXE injection<br />
* Insufficient authentication<br />
* Transfer sensitive data using insecure channels<br />
* Store sensitive data insecurely<br />
Vulnerable SOAP web services and REST API implementations are in-scope. <br />
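<br />
The command injection item in the list above is the classic router bug: a "ping diagnostic" page that concatenates the user-supplied host into a shell command. The following is an added example, not IoTGoat code, showing the vulnerable construction beside a hardened version (validate the value as an IP address and pass an argument vector, never a shell string); the payload and paths are constructed.<br />
<br />
```python
"""A router 'ping diagnostic' handler, vulnerable and hardened side by side.

Added example for the command-injection item above; it is not IoTGoat code.
The payload and the page paths are constructed for illustration.
"""
import ipaddress
import shlex
import subprocess

SHELL_META = ";|&`$()<>\n"


def vulnerable_ping_command(host):
    """Build the command the way many IoT web UIs do: string concatenation that is
    then handed to /bin/sh -c. Anything after ';' in `host` becomes a second command."""
    return "ping -c 1 " + host


def is_injection(host):
    """True when the user value carries shell metacharacters or splits into several words."""
    if any(c in host for c in SHELL_META):
        return True
    try:
        return len(shlex.split(host)) != 1
    except ValueError:          # unbalanced quotes: also not a plain host
        return True


def is_valid_host(host):
    """Accept only a literal IPv4/IPv6 address; hostnames would need a separate allow-list."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hardened_ping_argv(host):
    """Validate, then return an argv list. Passing a list to subprocess.run() never
    involves a shell, so metacharacters in `host` cannot start a second command."""
    if not is_valid_host(host):
        raise ValueError("host must be a literal IP address")
    return ["ping", "-c", "1", str(ipaddress.ip_address(host))]


def run_hardened_ping(host, timeout=5):
    """Execute the validated argv (needs a ping binary; not exercised by the checks)."""
    return subprocess.run(hardened_ping_argv(host), capture_output=True, text=True,
                          timeout=timeout, check=False)


if __name__ == "__main__":
    payload = "127.0.0.1; cat /etc/shadow"
    print(vulnerable_ping_command(payload))   # the second command rides along
    print(is_injection(payload), is_valid_host(payload))
    print(hardened_ping_argv("127.0.0.1"))
```
<br />
The same pattern (allow-list the value, then call the binary with an argument vector) applies whichever of the listed languages the firmware UI is written in; in Lua or PHP the shell-string equivalents are os.execute/io.popen and shell_exec/system with interpolated input.<br />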
<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Embedded and/or web development (nice to have)<br />
** Web application code can be developed using the following common embedded programming languages:<br />
*** Lua<br />
*** PHP<br />
*** C/C++<br />
*** JavaScript<br />
<br />
===Idea 2: Insecure network services===<br />
'''Brief Explanation:'''<br />
<br />
Deliberately insecure services configured within OpenWrt, such as a miniupnpd daemon running with secure_mode disabled. In secure mode a client can only redirect an incoming port to itself (the same IP the request comes from); with secure mode off, the firmware demonstrates a port mapping attack in which an attacker inside the network exposes a service that should stay on the LAN to the internet.<br />
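<br />
The port mapping attack is a single SOAP call: the attacker POSTs an AddPortMapping request to the router's WANIPConnection control URL (found via SSDP discovery) and sets NewInternalClient to some other LAN host. The following is an added example, not IoTGoat or miniupnpd code, that builds and parses that request and models the secure_mode rule; the LAN addresses, ports and control URL are constructed placeholders.<br />
<br />
```python
"""UPnP IGD AddPortMapping from an inside attacker, and the secure_mode rule that stops it.

Added example for the miniupnpd idea above; it is not IoTGoat or miniupnpd code.
The LAN addresses, ports and control URL are constructed placeholders.
"""
import ipaddress
import xml.etree.ElementTree as ET

SERVICE_TYPE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Assumed control URL of the router's IGD service; in practice it comes from SSDP discovery.
CONTROL_URL = "http://192.168.1.1:5000/ctl/IPConn"


def build_add_port_mapping(external_port, internal_client, internal_port,
                           protocol="TCP", description="IoTGoat demo", lease_seconds=0):
    """Return (SOAPAction header value, SOAP body) for an AddPortMapping call.
    An attacker sets internal_client to another LAN host (or the router itself)."""
    body = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="{SERVICE_TYPE}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{external_port}</NewExternalPort>
      <NewProtocol>{protocol}</NewProtocol>
      <NewInternalPort>{internal_port}</NewInternalPort>
      <NewInternalClient>{internal_client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>{description}</NewPortMappingDescription>
      <NewLeaseDuration>{lease_seconds}</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""
    return f'"{SERVICE_TYPE}#AddPortMapping"', body


def parse_add_port_mapping(body):
    """Extract the argument fields of an AddPortMapping request as a dict."""
    root = ET.fromstring(body)
    action = root.find(".//u:AddPortMapping", {"u": SERVICE_TYPE})
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "") for child in action}


def secure_mode_decision(request_ip, body, secure_mode):
    """Model the check applied when secure_mode is on: the internal client must be the
    address the request came from. Returns 'allow' or 'deny'."""
    fields = parse_add_port_mapping(body)
    target = ipaddress.ip_address(fields["NewInternalClient"])
    if secure_mode and target != ipaddress.ip_address(request_ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Attacker at .50 asks the router to expose SSH on the NAS at .20 via external port 2222.
    soap_action, body = build_add_port_mapping(2222, "192.168.1.20", 22)
    print("POST", CONTROL_URL, "SOAPAction:", soap_action)
    for mode in (False, True):
        print("secure_mode =", mode, "->", secure_mode_decision("192.168.1.50", body, mode))
```
<br />
With secure_mode off the router happily creates the mapping and the NAS is reachable from the WAN; with it on, a request whose NewInternalClient differs from the source address is refused with a SOAP error. Note that secure mode does not stop a host from exposing itself, so a compromised LAN device can still punch a hole for its own services.<br />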
<br />
''' Getting started '''<br />
* Have a look at the getting started page to get familiar with virtualizing OpenWrt: https://github.com/scriptingxss/IoTGoat#-getting-started-<br />
* Create a GitHub account to be added as a collaborator to the repository<br />
* Review the example vulnerabilities and challenges: https://github.com/scriptingxss/IoTGoat/blob/master/challenges/challenges.md<br />
<br />
'''Expected Results:'''<br />
<br />
Documented challenges of how to discover and remediate insecure network service vulnerabilities. The network services can be inherently insecure or have insecure configurations that can be abused during the challenges.<br />
* Examples of insecure network services include:<br />
** FTP<br />
** Telnet<br />
** miniupnpd<br />
** HTTP<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Network security<br />
<br />
===Idea 3: Insecure firmware build system===<br />
'''Brief Explanation:'''<br />
<br />
Develop custom firmware builds of the latest OpenWrt version (18.06) demonstrating the process of incorporating debug services/tools, misconfigurations, and usage of vulnerable software packages. <br />
<br />
''' Getting started '''<br />
* Review OpenWrt's developer guide to get familiar with creating custom firmware builds<br />
** https://openwrt.org/docs/guide-developer/start<br />
** https://openwrt.org/docs/guide-developer/build-system/install-buildsystem<br />
** https://github.com/openwrt/openwrt<br />
<br />
'''Expected Results:'''<br />
* Provide walkthrough examples of insecure design choices for building firmware. <br />
* Provide suggested mitigation security controls<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Working Linux knowledge<br />
* Embedded development (C/C++)<br />
<br />
===Suggest your own ideas===<br />
You may suggest additional challenges or ideas that fit this project's objectives.<br />
<br />
=== Mentors and Leaders ===<br />
* Aaron Guzman - OWASP IoT Goat Contributor (Project leader of the IoT and Embedded AppSec project)<br />
* Fotios Chantzis - OWASP IoT Goat Contributor (and former GSoC Student/GSoc Mentor)<br />
* [[User:Calderpwn|Paulino Calderon]] - OWASP IoT Goat Contributor (and former GSoC 2011 Student/GSoc Mentor in 2015 and 2017)<br />
<br />
==OWASP Web Honeypot Project ==<br />
<br />
The goal of the OWASP Honeypot Project is to identify emerging attacks against web applications and report them to the community, in order to facilitate protection against such targeted attacks. Within this project, Anglia Ruskin University is leading the collection, storage and analysis of threat intelligence data. <br />
<br />
https://www.owasp.org/index.php/OWASP_Honeypot_Project<br />
<br />
https://github.com/OWASP/Honeypot-Project/<br />
<br />
<br />
===Brief Explanation===<br />
The purpose of this part of the project is to capture intelligence on attacker activity against web applications and utilise this intelligence as ways to protect software against attacks. Honeypots are an established industry technique to provide a realistic target to entice a criminal, whilst encouraging them to divulge the tools and techniques they use during an attack. Like bees to a honeypot. These honeypots are safely designed to contain no information of monetary use to an attacker, and hence provide no risk to the businesses implementing them. <br><br />
<br />
The project will create honeypots that the community can distribute within their own networks. With enough honeypots globally distributed, we will be in a position to aggregate attack techniques to better understand and protect against the techniques used by attackers. With this information, we will be in a position to create educational information, such as rules and strategies, that application writers can use to ensure that any detected bugs and vulnerabilities are closed. <br><br />
<br />
===Idea===<br />
Project progression: <br />
* Honeypot software. The honeypot software that is to be provided to the community to place in their networks has been written. Honeypots are available in a variety of forms, to make deployment as flexible as possible and appeal to as diverse a user set as possible.<br />
* Collection software. The centralised collection software has been written and evaluated in a student driven proof-of-concept project. Honeypots have been attacked in a laboratory situation and have reported both the steps taken by the attacker and what they have attacked, back to the collection software.<br />
* Rollout to the Community. The project now needs a dedicated infrastructure platform in place that is available to the entire community to start collecting intelligence back from community deployed honeypots. This infrastructure will run the collector software and analysis programmes and provide a portal for communicating our findings and recommendations back to the community in a meaningful manner.<br />
* Going Forward. Toolkits and skills used by attackers do not stand still. As existing bugs are plugged, others open. Follow up stages for the project will be to create a messaging system to automatically update the community on findings of significant risk in their existing code that requires attention. <br />
<br />
<br />
===Expected Results ===<br />
<br />
Some of the ideas from last year's summit<br />
<br />
* Set up a proof of concept to understand how a ModSecurity based honeypot/probe interacts with a receiving console (develop a VM and/or Docker based test solution to store logs from multiple probes).<br />
* Evaluate console options to visualise threat data received from ModSecurity honeypots/probes: the ModSecurity Audit Console, WAF-FLE, Fluent and bespoke scripts, for single and multiple probes.<br />
* Develop a mechanism to convert from stored MySQL to JSON format.<br />
* Provide a mechanism to convert ModSecurity mlogc audit log output into JSON format.<br />
* Provide a mechanism to convert mlogc audit log output directly into ELK (ElasticSearch/Logstash/Kibana) to visualise the data.<br />
* Provide a mechanism to forward honeypot output into a threat intelligence format such as STIX, using something like the MISP project (https://www.misp-project.org) to share threat data coming from the honeypots and make it easy to export/import data in formats such as STIX and TAXII; this may require logs in a format that MISP can ingest.<br />
* Consider new alternatives for log transfer including the use of MLOGC-NG or other possible approaches.<br />
* Develop a new VM based honeypot/probe based on CRS v3.0.<br />
* Develop new alternative small footprint honeypot/probe formats utilising Docker & Raspberry Pi.<br />
* Develop a machine learning approach that automatically updates the rule set used by the probe based on the cyber threat intelligence received.<br />
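<br />
Several of the items above (MySQL/JSON conversion, mlogc output to JSON, feeding ELK or MISP) come down to the same step: parsing ModSecurity's serial audit log, whose entries are delimited by "--boundary-X--" markers with part A (timestamp, transaction id, addresses), B (request), F (response) and H (audit trailer with the rule messages). The following is an added example, not Honeypot Project code; the audit log entry it parses is constructed and its IPs, transaction id and timestamp are invented.<br />
<br />
```python
"""Convert ModSecurity serial audit log entries (the format mlogc forwards) into JSON.

Added example for the mlogc-to-JSON item above; it is not Honeypot Project code.
The audit log entry below is constructed; the IPs, IDs and timestamp are invented.
"""
import json
import re

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
PART_A = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)$"
)
TAG = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')


def split_entries(text):
    """Return one dict per entry, mapping part letter (A, B, F, H, ...) to its lines."""
    entries, current, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            boundary, part = m.groups()
            if part == "A":                    # part A opens a new entry
                current = {"_boundary": boundary}
                entries.append(current)
            if current is not None and part != "Z":
                current.setdefault(part, [])
            continue
        if current is not None and part not in (None, "Z"):
            current[part].append(line)
    return entries


def _status_and_headers(lines):
    """Split a B (request) or F (response) part into its first line and a header dict."""
    lines = [l for l in lines if l.strip()]
    first = lines[0] if lines else ""
    headers = {}
    for l in lines[1:]:
        if ":" in l:
            k, v = l.split(":", 1)
            headers[k.strip()] = v.strip()
    return first, headers


def entry_to_dict(entry):
    """Flatten one entry into the shape a log pipeline (ELK, MISP import) expects."""
    a = PART_A.match((entry.get("A") or [""])[0])
    req_line, req_headers = _status_and_headers(entry.get("B", []))
    resp_line, resp_headers = _status_and_headers(entry.get("F", []))
    req = req_line.split(" ")
    alerts = [dict(TAG.findall(l)) for l in entry.get("H", []) if l.startswith("Message:")]
    return {
        "transaction_id": a.group("uid") if a else None,
        "timestamp": a.group("ts") if a else None,
        "src_ip": a.group("src") if a else None,
        "src_port": int(a.group("sport")) if a else None,
        "dst_ip": a.group("dst") if a else None,
        "dst_port": int(a.group("dport")) if a else None,
        "request": {
            "method": req[0] if req else "",
            "uri": req[1] if len(req) > 1 else "",
            "headers": req_headers,
        },
        "response": {"status": resp_line, "headers": resp_headers},
        "alerts": alerts,                      # one {id, msg, severity} per rule hit
    }


def audit_log_to_json(text):
    """Serialise every entry in an audit log file to a JSON array."""
    return json.dumps([entry_to_dict(e) for e in split_entries(text)], indent=2)


# Constructed sample entry in ModSecurity's serial audit log format.
SAMPLE_AUDIT_LOG = """--c3d4e5f6-A--
[21/Mar/2019:10:15:42 +0000] XJNr9n8AAQEAAF@UAPMAAAAA 203.0.113.7 51234 10.0.0.5 80
--c3d4e5f6-B--
GET /index.php?id=1%27%20OR%201=1-- HTTP/1.1
Host: honeypot.example
User-Agent: sqlmap/1.3
--c3d4e5f6-F--
HTTP/1.1 403 Forbidden
Content-Length: 199
--c3d4e5f6-H--
Message: Access denied with code 403 (phase 2). detected SQLi using libinjection. [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--c3d4e5f6-Z--
"""

if __name__ == "__main__":
    print(audit_log_to_json(SAMPLE_AUDIT_LOG))
```
<br />
One JSON document per transaction, with the CRS rule id and severity as separate fields, is what Logstash or Filebeat can ship straight into Elasticsearch, and the src_ip/uri/rule triple is the natural attribute set for a MISP event. Parts C (request body) and E (response body) are kept by the splitter but not flattened here; whether to index them is a data-retention decision, since they can contain the attacker's full payload.<br />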
<br />
<br />
=== Students Requirements ===<br />
<br />
Some of the skills we are looking for:<br />
<br />
* Apache/Tomcat <br />
* Any experience of MISP<br />
* MySQL & JSON<br />
* ELK <br />
* STIX/TAXII<br />
* Python<br />
* ModSecurity/mlogc<br />
* OWASP Core RuleSet (CRS)<br />
* Linux<br />
* VM/Docker<br />
<br />
=== Mentors === <br />
<br />
* [mailto:adrian.winckles@owasp.org Adrian Winckles] - (OWASP Web Honeypot Project Leader) <br><br />
<br />
===Suggest your own ideas===<br />
<br />
You may suggest additional challenges or ideas that fit this project's objectives.<br />
<br />
==OWASP Risk Assessment Framework ==<br />
This tool project aims to assess one or many web applications using the OWASP Risk Rating Methodology.<br />
<br />
https://github.com/OWASP/RiskAssessmentFramework<br />
<br />
'''Idea 1:''' Build a dashboard backed by a database that can assess many websites based on the OWASP Risk Rating Methodology, create graphs and export reports in PDF, Word and Excel format.<br><br />
'''Idea 2:''' Static Application Security Testing.<br />
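<br />
The calculation behind Idea 1 is the OWASP Risk Rating Methodology: eight likelihood factors (threat agent and vulnerability) and eight impact factors (technical and business), each scored 0 to 9 and averaged; averages below 3 are LOW, below 6 MEDIUM, otherwise HIGH; the two levels are then combined in a 3x3 matrix into an overall severity. The following is an added example of that computation, not RiskAssessmentFramework code; the factor scores are a constructed sample finding.<br />
<br />
```python
"""OWASP Risk Rating Methodology: likelihood x impact -> severity.

Added example for Idea 1 above; it is not RiskAssessmentFramework code. Factor names
follow the methodology's eight likelihood and eight impact factors (each scored 0-9);
the sample scores are constructed.
"""

LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
TECHNICAL_IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity", "loss_of_availability", "loss_of_accountability",
)
BUSINESS_IMPACT_FACTORS = (
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity matrix keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",       ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",     ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",    ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def average_score(factors, names):
    """Average the named factors; every one must be present and within 0..9."""
    total = 0
    for name in names:
        if name not in factors:
            raise KeyError(f"missing factor: {name}")
        value = factors[name]
        if not 0 <= value <= 9:
            raise ValueError(f"{name} must be 0..9, got {value}")
        total += value
    return total / len(names)


def level(score):
    """Map a 0-9 score to the methodology's LOW (<3), MEDIUM (3 to <6), HIGH (6+) bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def overall_severity(likelihood_level, impact_level):
    return SEVERITY[(likelihood_level, impact_level)]


def rate(factors, use_business_impact=True):
    """Rate one finding. Business impact is used when the assessor can score it;
    otherwise technical impact decides, as the methodology recommends."""
    likelihood = average_score(factors, LIKELIHOOD_FACTORS)
    technical = average_score(factors, TECHNICAL_IMPACT_FACTORS)
    business = average_score(factors, BUSINESS_IMPACT_FACTORS) if use_business_impact else None
    impact = business if use_business_impact else technical
    return {
        "likelihood_score": likelihood,
        "likelihood": level(likelihood),
        "technical_impact_score": technical,
        "business_impact_score": business,
        "impact": level(impact),
        "severity": overall_severity(level(likelihood), level(impact)),
    }


# Constructed sample: one SQL injection finding as scored by an assessor.
SAMPLE_FINDING = {
    "skill_level": 5, "motive": 2, "opportunity": 7, "size": 1,
    "ease_of_discovery": 3, "ease_of_exploit": 6, "awareness": 9, "intrusion_detection": 2,
    "loss_of_confidentiality": 9, "loss_of_integrity": 7, "loss_of_availability": 5,
    "loss_of_accountability": 8,
    "financial_damage": 1, "reputation_damage": 2, "non_compliance": 1, "privacy_violation": 5,
}

if __name__ == "__main__":
    print(rate(SAMPLE_FINDING))
    print(rate(SAMPLE_FINDING, use_business_impact=False)["severity"])
```
<br />
The sample shows the point the methodology makes about impact: the same finding is rated Low when business impact is scored (MEDIUM likelihood, LOW impact) but High on technical impact alone (MEDIUM, HIGH), so a dashboard that stores per-application business factors will rank findings differently from one that only has technical scores.<br />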
=== Students Requirements ===<br />
<br />
* Python<br />
* Java<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (Mentor) <br><br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim.A.A]- (Mentor)<br />
<br></div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=249437OWASP Juice Shop Project2019-03-28T22:24:34Z<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[29.03.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.1 v6.0.1]<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
[07.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.0 v8.4.0]<br />
<br />
[29.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.0 v6.0.0]<br />
<br />
[24.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v5.0.2 v5.0.2]<br />
<br />
[16.01.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.3.0 v8.3.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
[http://bkimminich.github.io/juice-shop Introduction (Slide Deck)]<br />
<br />
[https://github.com/bkimminich/juice-shop/blob/master/README.md Documentation (Readme)]<br />
<br />
[https://leanpub.com/juice-shop Companion Guide (LeanPub)]<br />
<br />
[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content Companion Guide (HTML)]<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live update of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for inhouse security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=GoogleSeasonOfDocs2019&diff=248754GoogleSeasonOfDocs20192019-03-13T14:46:55Z<p>Bjoern Kimminich: /* "Pwning OWASP Juice Shop" Companion Guide */</p>
<hr />
<div>= Overview =<br />
<br />
OWASP is going to apply to participate in the inaugural [https://developers.google.com/season-of-docs/ Google Season of Docs]<br />
We will be requesting project ideas to help us complete our organization application which is due April 23rd.<br />
<br />
= OWASP Project Documentation Requests =<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/season-of-docs/docs/project-ideas Google Season of Docs Project Ideas]'''<br />
'''* Read [https://developers.google.com/season-of-docs/terms/program-rules Program Rules]'''<br />
<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== The API ===<br />
ZAP has an extremely powerful API that allows you to do nearly everything that is possible via the desktop interface. It is considered one of ZAP's strengths and is heavily used for automation.<br />
Unfortunately it is also not particularly well documented and we get many queries about it on the support groups.<br />
<br />
Existing documentation includes:<br />
* https://github.com/zaproxy/zaproxy/wiki/ApiDetails<br />
* https://github.com/zaproxy/zaproxy/wiki/ApiGen_Index<br />
<br />
This project would:<br />
# Explain the concepts behind the UI<br />
# Explain how it can be used at a high level<br />
# Detail all of the API calls<br />
<br />
The documentation should be suitable for publishing as web pages and for printing on paper.<br />
<br />
=== Zest ===<br />
Zest is an experimental specialized scripting language developed by the ZAP team and is intended to be used in web oriented security tools.<br />
While it is tool independent it is heavily used by ZAP.<br />
<br />
Existing documentation includes:<br />
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Zest<br />
* https://github.com/mozilla/zest/wiki<br />
<br />
This project would:<br />
# Explain the concepts behind Zest<br />
# Explain how to write Zest scripts<br />
# Document the parts of the ZAP Desktop UI relating to Zest<br />
<br />
The documentation should be suitable for publishing as web pages and ideally the parts relating to the ZAP Desktop UI should be suitable for inclusion within the UI as context-sensitive help.<br />
<br />
==OWASP Juice Shop==<br />
[[OWASP Juice Shop Project]] is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!<br />
<br />
==="Pwning OWASP Juice Shop" Companion Guide===<br />
<br />
''[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].''<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop|100px]]<br />
<br />
''The book is divided into three parts:''<br />
# ''Part I - Hacking preparations (helps you to get the application running and to set up optional hacking tools)''<br />
# ''Part II - Challenge hunting (gives an overview of the vulnerabilities found in the OWASP Juice Shop including hints how to find and exploit them in the application)''<br />
# ''Part III - Getting involved (shows various ways to contribute to the OWASP Juice Shop open source project)''<br />
<br />
Primary focus points of this project could be:<br />
* Migrate the eBook from (legacy) GitBook format to either latest GitBook or another suitable format<br />
* Mandatory requirement is the ability to generate PDF/ePub/Mobi versions of the book for LeanPub '''and''' to be able to host it in HTML online-readable form<br />
<br />
This project could additionally:<br />
* Add hints and solutions for currently undocumented challenges (marked with ''':wrench: **TODO**''')<br />
* Extend the "Codebase 101" chapter with more details and examples for new contributors<br />
* Review, curate and extend the other existing content</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=GoogleSeasonOfDocs2019&diff=248753GoogleSeasonOfDocs20192019-03-13T14:46:27Z<p>Bjoern Kimminich: /* "Pwning OWASP Juice Shop" Companion Guide */</p>
<hr />
<div>= Overview =<br />
<br />
OWASP is going to apply to participate in the inaugural [https://developers.google.com/season-of-docs/ Google Season of Docs]<br />
We will be requesting project ideas to help us complete our organization application which is due April 23rd.<br />
<br />
= OWASP Project Documentation Requests =<br />
<br />
'''Tips to get you started in no particular order:''' <br />
'''* Read [https://developers.google.com/season-of-docs/docs/project-ideas Google Season of Docs Project Ideas]'''<br />
'''* Read [https://developers.google.com/season-of-docs/terms/program-rules Program Rules]'''<br />
<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== The API ===<br />
ZAP has an extremely powerful API that allows you to do nearly everything that is possible via the desktop interface. It is considered one of ZAP's strengths and is heavily used for automation.<br />
Unfortunately it is also not particularly well documented and we get many queries about it on the support groups.<br />
<br />
Existing documentation includes:<br />
* https://github.com/zaproxy/zaproxy/wiki/ApiDetails<br />
* https://github.com/zaproxy/zaproxy/wiki/ApiGen_Index<br />
<br />
This project would:<br />
# Explain the concepts behind the UI<br />
# Explain how it can be used at a high level<br />
# Detail all of the API calls<br />
<br />
The documentation should be suitable for publishing as web pages and for printing on paper.<br />
<br />
=== Zest ===<br />
Zest is an experimental specialized scripting language developed by the ZAP team and is intended to be used in web oriented security tools.<br />
While it is tool independent it is heavily used by ZAP.<br />
<br />
Existing documentation includes:<br />
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Zest<br />
* https://github.com/mozilla/zest/wiki<br />
<br />
This project would:<br />
# Explain the concepts behind Zest<br />
# Explain how to write Zest scripts<br />
# Document the parts of the ZAP Desktop UI relating to Zest<br />
<br />
The documentation should be suitable for publishing as web pages and ideally the parts relating to the ZAP Desktop UI should be suitable for inclusion within the UI as context-sensitive help.<br />
<br />
==OWASP Juice Shop==<br />
[[OWASP Juice Shop Project]] is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!<br />
<br />
==="Pwning OWASP Juice Shop" Companion Guide===<br />
<br />
''[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].''<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop|100px]]<br />
<br />
The book is divided into three parts:<br />
# Part I - Hacking preparations (helps you to get the application running and to set up optional hacking tools)<br />
# Part II - Challenge hunting (gives an overview of the vulnerabilities found in the OWASP Juice Shop including hints on how to find and exploit them in the application)<br />
# Part III - Getting involved (shows various ways to contribute to the OWASP Juice Shop open source project)<br />
<br />
Primary focus points of this project could be:<br />
* Migrate the eBook from (legacy) GitBook format to either latest GitBook or another suitable format<br />
* A mandatory requirement is the ability to generate PDF/ePub/Mobi versions of the book for LeanPub '''and''' to be able to host it in HTML online-readable form<br />
<br />
This project could additionally:<br />
* Add hints and solutions for currently undocumented challenges (marked with ''':wrench: **TODO**''')<br />
* Extend the "Codebase 101" chapter with more details and examples for new contributors<br />
* Review, curate and extend the other existing content</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=GoogleSeasonOfDocs2019&diff=248752GoogleSeasonOfDocs20192019-03-13T14:44:53Z<p>Bjoern Kimminich: </p>
<hr />
<div>= Overview =<br />
<br />
OWASP is going to apply to participate in the inaugural [https://developers.google.com/season-of-docs/ Google Season of Docs].<br />
We will be requesting project ideas to help us complete our organization application, which is due April 23rd.<br />
<br />
= OWASP Project Documentation Requests =<br />
<br />
'''Tips to get you started in no particular order:''' <br />
* '''Read [https://developers.google.com/season-of-docs/docs/project-ideas Google Season of Docs Project Ideas]'''<br />
* '''Read [https://developers.google.com/season-of-docs/terms/program-rules Program Rules]'''<br />
<br />
==OWASP ZAP==<br />
[[OWASP Zed Attack Proxy Project]] (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== The API ===<br />
ZAP has an extremely powerful API that allows you to do nearly everything that is possible via the desktop interface. It is considered one of ZAP's strengths and is heavily used for automation.<br />
Unfortunately it is also not particularly well documented, and we get many queries about it on the support groups.<br />
<br />
Existing documentation includes:<br />
* https://github.com/zaproxy/zaproxy/wiki/ApiDetails<br />
* https://github.com/zaproxy/zaproxy/wiki/ApiGen_Index<br />
<br />
This project would:<br />
# Explain the concepts behind the UI<br />
# Explain how it can be used at a high level<br />
# Detail all of the API calls<br />
<br />
The documentation should be suitable for publishing as web pages and for printing on paper.<br />
<br />
=== Zest ===<br />
Zest is an experimental, specialized scripting language developed by the ZAP team and is intended to be used in web-oriented security tools.<br />
While it is tool-independent, it is heavily used by ZAP.<br />
<br />
Existing documentation includes:<br />
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Zest<br />
* https://github.com/mozilla/zest/wiki<br />
<br />
This project would:<br />
# Explain the concepts behind Zest<br />
# Explain how to write Zest scripts<br />
# Document the ZAP Desktop UI provided relating to Zest<br />
<br />
The documentation should be suitable for publishing as web pages and ideally the parts relating to the ZAP Desktop UI should be able to be included within the UI as context sensitive help.<br />
<br />
==OWASP Juice Shop==<br />
[[OWASP Juice Shop Project]] is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!<br />
<br />
==="Pwning OWASP Juice Shop" Companion Guide===<br />
<br />
''[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].''<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop|100px]]<br />
<br />
The book is divided into three parts:<br />
# Part I - Hacking preparations (helps you to get the application running and to set up optional hacking tools)<br />
# Part II - Challenge hunting (gives an overview of the vulnerabilities found in the OWASP Juice Shop including hints on how to find and exploit them in the application)<br />
# Part III - Getting involved (shows various ways to contribute to the OWASP Juice Shop open source project)<br />
<br />
Primary focus points of this project could be:<br />
* Migrate the eBook from (legacy) GitBook format to either latest GitBook or another suitable format<br />
* A mandatory requirement is the ability to generate PDF/ePub/Mobi versions of the book for LeanPub '''and''' to be able to host it in HTML online-readable form<br />
<br />
This project could additionally:<br />
* Add hints and solutions for currently undocumented challenges (marked with ''':wrench: **TODO**''')<br />
* Extend the "Codebase 101" chapter with more details and examples for new contributors<br />
* Review, curate and extend the other existing content</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=248615OWASP Juice Shop Project2019-03-11T18:10:02Z<p>Bjoern Kimminich: /* News */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[11.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.1 v8.4.1]<br />
<br />
[07.03.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.4.0 v8.4.0]<br />
<br />
[29.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.0 v6.0.0]<br />
<br />
[24.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v5.0.2 v5.0.2]<br />
<br />
[16.01.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.3.0 v8.3.0]<br />
<br />
[06.12.18] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.2.0 v8.2.0]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
[http://bkimminich.github.io/juice-shop Introduction (Slide Deck)]<br />
<br />
[https://github.com/bkimminich/juice-shop/blob/master/README.md Documentation (Readme)]<br />
<br />
[https://leanpub.com/juice-shop Companion Guide (LeanPub)]<br />
<br />
[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content Companion Guide (HTML)]<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live update of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=OWASP_Juice_Shop_Project&diff=248561OWASP Juice Shop Project2019-03-08T12:59:23Z<p>Bjoern Kimminich: /* Collaboration */</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: flagship_big.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
== OWASP Juice Shop Tool Project ==<br />
<br />
''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])<br />
— ''The best juice shop on the whole internet!'' ([https://twitter.com/shehackspurple/status/907335357775085568 shehackspurple])<br />
— ''Actually the most bug-free vulnerable application in existence!'' ([https://youtu.be/TXAztSpYpvE?t=26m35s vanderaj])<br />
— ''First you'' 😂😂''then you'' 😢 ([https://twitter.com/kramse/status/1073168529405472768 kramse])<br />
<br />
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire [[OWASP Top Ten]] along with many other security flaws found in real-world applications!<br />
<br />
==Description==<br />
<br />
[[File:JuiceShop_Logo.png|200px|left]]<br />
<br />
Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].<br />
<br />
The application contains a vast number of hacking challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!<br />
<br />
Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
<br />
''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "JavaScript" was purely coincidental!''<br />
<br />
== Main Selling Points ==<br />
<br />
* Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats<br />
* [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux<br />
* Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically<br />
* Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup<br />
* Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board<br />
* Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements<br />
* CTF-support: Challenge notifications optionally contain a flag code for your own [https://github.com/bkimminich/juice-shop-ctf Capture-The-Flag events]<br />
<br />
== Application Architecture ==<br />
<br />
[[File:Architektur_JuiceShop.png]]<br />
<br />
== Introduction Video ==<br />
<br />
This recording from [[OWASP BeNeLux-Days 2018]] gives a complete introduction to the OWASP Juice Shop including a live demonstration of the application and how to hack it.<br />
<br />
{{#ev:youtube|Lu0-kDdtVf4}}<br />
<br />
''Spoiler warning: The video contains some live hacking including mild spoilers for a few of the easiest challenges!''<br />
<br />
== Official Companion Guide ==<br />
<br />
[https://leanpub.com/juice-shop Pwning OWASP Juice Shop] is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints on how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge. The ebook is published under [https://creativecommons.org/licenses/by-nc-nd/4.0/ CC BY-NC-ND 4.0] and is available '''for free''' as work-in-progress in [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop HTML, PDF, Kindle and ePub format on GitBook]. The latest officially released edition is [https://leanpub.com/juice-shop available '''for free''' on LeanPub in PDF, Kindle and ePub format].<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|link=https://leanpub.com/juice-shop]]<br />
<br />
==Licensing==<br />
This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright &copy; by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2019. <br />
<br />
| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
{{#widget:PayPal Donation<br />
|target=_blank<br />
|currency=USD<br />
|budget=OWASP Juice Shop Project<br />
}}<br />
<br />
== News ==<br />
<br />
[29.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v6.0.0 v6.0.0]<br />
<br />
[24.01.19] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v5.0.2 v5.0.2]<br />
<br />
[16.01.19] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.3.0 v8.3.0]<br />
<br />
[06.12.18] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.2.0 v8.2.0]<br />
<br />
[30.11.18] juice-shop-ctf [https://github.com/bkimminich/juice-shop-ctf/releases/tag/v5.0.1 v5.0.1]<br />
<br />
[30.11.18] juice-shop [https://github.com/bkimminich/juice-shop/releases/tag/v8.1.1 v8.1.1]<br />
<br />
== Installation ==<br />
<br />
[https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]<br />
<br />
[https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]<br />
<br />
[https://juice-shop.herokuapp.com/ Online Demo (Heroku)]<br />
<br />
== Source Code ==<br />
<br />
[https://github.com/bkimminich/juice-shop GitHub Project]<br />
<br />
[https://github.com/bkimminich/juice-shop/commits/master Revision History]<br />
<br />
[https://crowdin.com/project/owasp-juice-shop Crowdin I18N]<br />
<br />
[https://github.com/bkimminich/juice-shop-ctf CTF-Extension]<br />
<br />
== Documentation ==<br />
<br />
[http://bkimminich.github.io/juice-shop Introduction (Slide Deck)]<br />
<br />
[https://github.com/bkimminich/juice-shop/blob/master/README.md Documentation (Readme)]<br />
<br />
[https://leanpub.com/juice-shop Companion Guide (LeanPub)]<br />
<br />
[https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content Companion Guide (HTML)]<br />
<br />
== Support ==<br />
<br />
[https://gitter.im/bkimminich/juice-shop Community Chat]<br />
<br />
[https://www.reddit.com/r/owasp_juiceshop Official Subreddit]<br />
<br />
[https://github.com/bkimminich/juice-shop/issues Issue Tracker]<br />
<br />
== Collaboration ==<br />
<br />
[https://owasp.slack.com/messages/project-juiceshop Slack Channel]<br />
<br />
[https://groups.google.com/a/owasp.org/forum/#!forum/juice-shop-project Mailing List]<br />
<br />
== Social Media ==<br />
<br />
[https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]<br />
<br />
[https://www.facebook.com/owasp.juiceshop Facebook-Page]<br />
<br />
[http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]<br />
<br />
== Merchandise ==<br />
<br />
[https://www.stickeryou.com/products/owasp-juice-shop/794 Stickers, Magnets etc.]<br />
<br />
Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop EU])<br />
<br />
== Project Leader ==<br />
[[User:Bjoern Kimminich|Bjoern Kimminich]] [mailto:bjoern.kimminich@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
[[OWASP WebGoat Project|OWASP WebGoat Project]]<br />
<br />
[[OWASP DevSlop Project|OWASP DevSlop Project]]<br />
<br />
==Miscellaneous==<br />
<br />
[https://www.openhub.net/p/juice-shop OpenHub Project]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| align="center" valign="top" width="50%" rowspan="3"| [[File:Mature_projects.png|130px|link=https://www.owasp.org/index.php/OWASP_Project_Stages#Flagship_Projects|Flagship Project]]<br />
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]<br />
|-<br />
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|}<br />
<br />
|}<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
The OWASP Juice Shop has been created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained by [https://github.com/bkimminich/juice-shop#contributors a team of volunteers]. A live update of the project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].<br />
<br />
== Project Sponsors ==<br />
<br />
=== Top Sponsors ===<br />
<br />
{|<br />
|style="padding: 50px 50px 50px 50px" | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:eSailors_Logo.png|300px|link=https://www.esailors.de/|www.esailors.de]]<br />
|--<br />
|style="padding: 50px 50px 50px 50px" | [[Image:Iteratec-sponsor_logo.png|300px|link=https://www.iteratec.de/|www.iteratec.de]]<br />
|style="padding: 50px 50px 50px 50px" | [[Image:denim-group_trans.png|300px|link=http://www.denimgroup.com/|www.denimgroup.com]]<br />
|}<br />
<br />
=== Other Corporate Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|[https://plextrac.com PlexTrac]<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== [https://www.patreon.com/join/bkimminich Patrons] ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"| [http://www.7minsec.com Brian Johnson] (''Carrot Juice'' Level)<br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== Other Individual Sponsors ===<br />
<br />
{|<br />
|style="text-align:center; padding-left: 0px;"|Jeroen Willemsen<br />
|style="text-align:center; padding-left: 50px;"|Soron Foster<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Bendik Mjaaland<br />
|style="text-align:center; padding-left: 50px;"|Timo Pagel<br />
|-<br />
|style="text-align:center; padding-left: 0px;"|Benjamin Pfänder<br />
|style="text-align:center; padding-left: 50px;"|[https://twitter.com/bkimminich Björn Kimminich] <br />
|-<br />
|style="text-align:center; padding-left: 0px;"|[https://twitter.com/kchungco Kevin Chung] <br />
|style="text-align:center; padding-left: 50px;"|<br />
|}<br />
<br />
=== LeanPub Royalties ===<br />
<br />
[[File:PwningOWASPJuiceShop_Cover.jpg|200px|link=https://leanpub.com/juice-shop]]<br />
<br />
All royalties of [https://twitter.com/bkimminich Björn Kimminich]'s eBook are donated to the project!<br />
<br />
= Road Map and Getting Involved =<br />
<br />
Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#web-links has been promoted] and [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#conference-and-meetup-appearances demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for in-house security trainings as well as [https://github.com/bkimminich/juice-shop/blob/master/REFERENCES.md#lectures-and-trainings in university lectures or published training slides].<br />
<br />
==Roadmap==<br />
<br />
===Long-term Goals===<br />
<br />
* [https://github.com/bkimminich/juice-shop/labels/design%2Flayout Design/Facelifting] of the Angular Material UI<br />
* [https://github.com/bkimminich/juice-shop/issues/440 Hacking Instructor] to guide beginners through the challenges<br />
<br />
[[File:Architektur_JuiceShop_8.0.png]]<br />
<br />
==Getting Involved==<br />
<br />
Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:<br />
<br />
* use Juice Shop in your own hacker or awareness trainings<br />
* use Juice Shop as a "guinea pig" for your security tools<br />
* provide ideas for new vulnerabilities and challenges<br />
* provide feedback via [mailto:bjoern.kimminich@owasp.org email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue]<br />
* help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]<br />
<br />
__NOTOC__ <headertabs /> <br />
<br />
[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=248503GSoC2019 Ideas2019-03-07T16:38:43Z<p>Bjoern Kimminich: /* OWASP Juice Shop */</p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:'''<br />
* Read about the [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program (GSoC)]<br />
* Read the [[GSoC SAT]]<br />
* Read the [https://www.owasp.org/index.php/GSoC GSoC Student Guidelines]<br />
* Contact us through the mailing list or IRC channel.<br />
* Check our [https://github.com/OWASP GitHub organization]<br />
<br />
<br />
==OWASP-SKF==<br />
<br />
=== '''Idea 1 Improving the Machine Learning chatbot:''' ===<br />
We want to extend the functionality of the SKF Bot (Security Knowledge Framework Chatbot).<br />
<br />
Some possible improvements to its functionality are:<br />
<br />
1. Create a desktop version of the chatbot that people can install on their local machine.<br />
<br />
2. Create a plugin or website bot that can be embedded in the website for a better chat experience for the user.<br />
<br />
3. Extend the bot's capability to perform a Google search (using web scraping) for things that are not available in the database, giving it a wider scope of knowledge.<br />
<br />
4. Add a basic conversation flow that makes the SKF Bot friendlier and provides a better user experience, e.g. replies to general queries like "How are you?" or "What is your name?".<br />
<br />
5. Extend the bot's capability to reply with which security controls should be followed from the ASVS, MASVS or other custom checklists that are present in SKF.<br />
6. Extend the bot to other platforms like Facebook, Telegram, Slack, Google Assistant etc.<br />
The existing chatbot implementation is on Gitter. You can test the bot by typing @skfchatbot in the Gitter community.<br />
<br />
'''Getting started:'''<br />
* Get familiar with the architecture and code base of SKF (Security Knowledge Framework)<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Python 3+, Flask, CoffeeScript<br />
<br />
'''Mentors and Leaders'''<br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor)<br />
<br />
=== '''Idea 2 Improving and building Lab challenges and write-ups:''' ===<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be easily deployed.<br />
<br />
In the current situation the Security Knowledge Framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and a solution. The new labs are used to give software developers or application security specialists a more in-depth understanding of, and approach to, how to test for the vulnerabilities in their own code.<br />
* For example we now have around 20 lab challenges in Docker containers built in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the GitHub repository are already automatically built and pushed to a Docker registry, from where SKF users can easily pull the images to get their labs running. Of course they can also download and build them themselves from source by pulling the original repository.<br />
<br />
'''Mentors and Leaders''' <br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
Option 1: Unit Tests - Difficulty: Easy<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
Option 2: Feature Enhancement - Difficulty: Varies<br />
* The functionality of DefectDojo is constantly expanding.<br />
* Feature enhancements offer programming challenges for all levels of experience.<br />
Option 3: Pull Request Review - Difficulty: Moderate - Hard<br />
* Test pull requests and provide feedback on code.<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
[[OWASP_Python_Honeypot|OWASP Honeypot]] is open source software written in Python, designed for creating honeypots and honeynets in an easy and secure way! This project is compatible with Python 2.x and 3.x and has been tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Started ===<br />
<br />
It's best to start from the [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page]; we are looking forward to adding more modules and optimizing the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more Linux services<br />
<br />
=== Expected Results ===<br />
<br />
* Zero Bugs: Currently we may have several bugs under different conditions, and it's best to test all functions and fix them<br />
* Monitoring: Right now monitoring is limited to the connections (send & receive); it would be best to store and analyze the contents for further investigation and for recognizing incoming attacks.<br />
* Duplicated code: the engine code is complicated and duplicated and should be fixed/cleaned up<br />
* New modules: add some creative ICS/Network/Web modules and vulnerable web applications, services etc.<br />
* API: update the API so it is in sync with all features<br />
* WebUI: Demonstrate and add the API on the WebUI and the live version with all features<br />
* WebUI Special Reports: Track the attacks more creatively and provide high-risk IPs<br />
* Database: Better database structure, faster, and using a queue<br />
* Data analysis: Analyze stored data and attack signatures<br />
* OWASP Top 10: Prepare useful processed/raw data for the OWASP Top 10 project<br />
<br />
=== Student Requirements ===<br />
<br />
* Python<br />
* Packet analysis, TShark & libpcap<br />
* Docker<br />
* Database<br />
* Web Development Skills<br />
* Honeypot and Deception knowledge<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham] (Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig" application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @J12934 and @CaptainFreak) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Feature Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)<br />
* Each feature comes with full functional unit and integration tests<br />
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich JavaScript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express; security knowledge is optional.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Juice Shop Mobile ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
A complete mobile client for the Juice-Shop API which will serve a legit mobile experience for Juice-Shop users as well as a plethora of mobile app vulnerabilities and challenges around them to solve. It should in the best case translate the idea of Juice Shop's hacking challenges with a score board and success notifications into the mobile world.<br />
<br />
''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''<br />
<br />
''' Getting started '''<br />
* Get familiar with the architecture and code base of the application's RESTful backend<br />
* Get familiar with native app development<br />
* Get familiar with Mobile vulnerabilities<br />
<br />
'''Expected Results:'''<br />
* A mobile app with consistent UI/UX for Juice-Shop with standard client-side vulnerabilities.<br />
* Sufficient initial release quality (on par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''<br />
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express; some mobile security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich JavaScript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express; some security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.<br />
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.<br />
<br />
''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''<br />
<br />
'''Expected Results:'''<br />
* A working implementation of e.g. an avatar-style "Hacking Instructor" or another solution based on the student's own proposal<br />
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges<br />
* Documentation on how to configure or script the "Hacking Instructor" for challenges in general<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich JavaScript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, Unit/Integration testing, experience with (or willingness to learn) Angular; some UI/UX experience would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* JavaScript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express; some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP SecureTea Tools Project==<br />
The purpose of this application is to warn the user (via various communication mechanisms) whenever their laptop is accessed. This small application was developed and tested in Python on a Linux machine and is likely to work well on the Raspberry Pi as well. -<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
We are looking for any awesome idea to improve the SecureTea Project that is not on this list. We expect this project to be useful to everyone who wants to secure their small IoT devices.<br />
<br />
===Idea===<br />
Below are the roadmap and expected results you can choose from to improve the SecureTea Project.<br />
If you find any bugs, please help to fix them.<br />
<br />
===Roadmap=== <br />
See our roadmap:<br><br />
https://github.com/OWASP/SecureTea-Project#roadmap<br><br />
Notify by Twitter (done)<br><br />
Securetea Dashboard / Gui (done)<br><br />
<br />
===Expected Results===<br />
<br />
Securetea Protection /firewall<br><br />
Securetea Antivirus<br><br />
Notify by Whatsapp<br><br />
Notify by SMS Alerts<br><br />
Notify by Line<br><br />
Notify by Telegram<br><br />
Intelligent Log Monitoring<br><br />
Login History<br><br />
=== Student Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP SecureTea Project Leader)<br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim A.A] - (OWASP SecureTea Project Leader)<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewriting some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker-based testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM Python proxy. However, it lacks the useful and much needed interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. It's fast, but it's not extensible. There are a number of good use cases for extensibility:<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on the new urllib3 with support for a real headless browser factory. The typical flow when an authenticated browser instance (using PhantomJS) is requested:<br />
<br />
*The "Requester" module checks whether any login parameters are provided (i.e. form-based or script; look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] (OWASP OWTF Project Leaders)<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren], [mailto:viyat.bhalodia@owasp.org Viyat Bhalodia], [mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] (OWASP OWTF Project Leaders)<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse many plugins. Most of the plugins have a lot of code and most of it is repeated; much refactoring is needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP iGoat (draft) ==<br />
'''Idea 1:''' Completing the OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos for the OWASP iGoat YouTube channel for learning purposes.<br />
<br />
'''Idea 2:''' Adding a new challenge pack / CTF for iGoat. It should be a one-stop solution for learning iOS app security.<br />
<br />
== OWASP Seraphimdroid ==<br />
<br />
=== Idea 1: Anomaly detection of device state ===<br />
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, app calls, etc.). Initially, the usual behaviour of the device would be learned. Later, anomalies from the normal behaviour would be reported to the user. This should involve some explanations, such as which applications are causing an anomaly in the device's behaviour.<br />
<br />
=== Idea 2: On-device machine learning of maliciousness of an app ===<br />
TensorFlow for on-device processing and some other libraries have been released that enable machine learning. We have previously applied a system that, based on permissions, is able to distinguish malicious apps from non-malicious ones. Now, we would also like to learn from other outputs and things one can monitor about an application whether it may be malicious.<br />
<br />
=== Idea 3: Enhancing privacy features ===<br />
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved through knowing which applications are using user accounts or other information that the user has on the phone to send to a server, or just by knowing which applications may be doing so. The knowledge base should be extended with suggestions on how to improve privacy. Also, automated settings of various apps to use encryption should be proposed.<br />
==OWASP ZAP==<br />
The [[OWASP Zed Attack Proxy Project]] (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== Active Scanning WebSockets ===<br />
: '''Brief Explanation:'''<br />
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).<br />
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* A pluggable infrastructure that allows us to active scan websockets<br />
:* Converting the relevant existing scan rules to work with websockets<br />
:* Implementing new websocket specific scan rules<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated Authentication Detection and Configuration ===<br />
: '''Brief Explanation:'''<br />
: Currently a user must manually configure ZAP to handle authentication, e.g. as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
: This is time consuming and error prone.<br />
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many sorts of webapps as possible.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* Detect login and registration pages<br />
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
:</div>Bjoern Kimminichhttps://wiki.owasp.org/index.php?title=GSoC2019_Ideas&diff=248371GSoC2019 Ideas2019-03-05T16:30:05Z<p>Bjoern Kimminich: </p>
<hr />
<div>=OWASP Project Requests=<br />
<br />
'''Tips to get you started in no particular order:'''<br />
* Read about the [https://developers.google.com/open-source/gsoc/ Google Summer of Code Program (GSoC)]<br />
* Read the [[GSoC SAT]]<br />
* Read the [https://www.owasp.org/index.php/GSoC GSoC Student Guidelines]<br />
* Contact us through the mailing list or IRC channel.<br />
* Check our [https://github.com/OWASP GitHub organization]<br />
<br />
<br />
==OWASP-SKF==<br />
<br />
=== '''Idea 1 Improving the Machine Learning chatbot:''' ===<br />
We want to extend the functionality of the SKF Bot (Security Knowledge Framework Chatbot).<br />
<br />
Suggested improvements are:<br />
<br />
1. Create a desktop version of the chatbot that people can install on their local machine.<br />
<br />
2. Create a plugin or website bot that can be embedded in a website for a better chat experience.<br />
<br />
3. Extend the bot's capability to do a Google search (using web scraping) for things that are not available in the database, so that it has a wider scope of knowledge.<br />
<br />
4. Add a basic conversation flow that makes the SKF Bot friendly and provides a better user experience, e.g. replies to general queries like "How are you?" or "What is your name?".<br />
<br />
5. Extend the bot's capability to reply with the security controls that should be followed from the ASVS, MASVS or other custom checklists present in SKF.<br />
<br />
6. Extend the bot to other platforms like Facebook, Telegram, Slack, Google Assistant etc.<br />
<br />
The existing chatbot implementation runs on Gitter. You can test the bot by typing @skfchatbot in the Gitter community.<br />
<br />
'''Getting started:'''<br />
<br />
* Get familiar with the architecture and code base of SKF (Security Knowledge Framework)<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
<br />
* Python 3+, Flask, CoffeeScript<br />
<br />
'''Mentors and Leaders'''<br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
Priyanka Jain (Mentor)<br />
<br />
=== '''Idea 2 Improving and building Lab challenges and write-ups:''' ===<br />
Build lab examples and write-ups (how to test) for different vulnerabilities over different technology stacks. These challenges are to be delivered in Docker so they can be easily deployed.<br />
<br />
In the current situation the Security Knowledge Framework ultimately presents a list of security controls with correlating knowledge base items that contain a description and a solution. The new labs give software developers and application security specialists a more in-depth understanding of, and approach to, how to test for the vulnerabilities in their own code.<br />
* For example we now have around 20 lab challenges as Docker containers built in Python:<br />
** A Local File Inclusion Docker app example:<br />
*** https://github.com/blabla1337/skf-labs/tree/master/LFI<br />
** A write-up example:<br />
*** https://owasp-skf.gitbook.io/asvs-write-ups/filename-injection<br />
The images that are pushed to the GitHub repository are automatically built and pushed to a Docker registry from which SKF users can easily pull them to get their labs running. Of course they can also clone the original repository and build the images from source themselves.<br />
<br />
'''Mentors and Leaders''' <br />
<br />
Glenn ten Cate (Mentor, Project leader)<br />
<br />
Riccardo ten Cate (Mentor, Project leader)<br />
<br />
== OWASP DefectDojo ==<br />
OWASP DefectDojo is a popular open source vulnerability management tool, used as the backbone for security programs. It is easy to get started with and work on! We welcome volunteers of all experience levels and are happy to provide mentorship.<br />
<br />
Option 1: Unit Tests - Difficulty: Easy<br />
* If you're new to programming, unit tests are short scripts designed to test a specific function of an application.<br />
* The project needs additional unit tests to ensure that new code functions properly. <br />
Option 2: Feature Enhancement - Difficulty: Varies<br />
* The functionality of DefectDojo is constantly expanding.<br />
* Feature enhancements offer programming challenges for all levels of experience.<br />
Option 3: Pull Request Review - Difficulty: Moderate - Hard<br />
* Test pull requests and provide feedback on code.<br />
<br />
== OHP (OWASP Honeypot) ==<br />
<br />
[[OWASP_Python_Honeypot|OWASP Honeypot]] is open source software written in Python, designed for creating honeypots and honeynets in an easy and secure way! This project is compatible with Python 2.x and 3.x and has been tested on Windows, Mac OS X and Linux.<br />
<br />
=== Getting Started ===<br />
<br />
It's best to start from the [https://github.com/zdresearch/OWASP-Honeypot/wiki GitHub wiki page]; we are looking forward to adding more modules and optimizing the core.<br />
<br />
=== Technologies ===<br />
<br />
Currently we are using<br />
<br />
* Docker<br />
* Python<br />
* MongoDB<br />
* TShark<br />
* Flask<br />
* ChartJS<br />
* And more Linux services<br />
<br />
=== Expected Results ===<br />
<br />
* Zero bugs: there may currently be several bugs under different conditions; all functions should be tested and the bugs fixed<br />
* Monitoring: right now monitoring is limited to connections (send & receive); the contents should be stored and analysed for further investigation and recognition of incoming attacks<br />
* Duplicated code: the engine code is complicated and duplicated and should be fixed/cleaned up<br />
* New modules: add creative ICS/network/web modules and vulnerable web applications, services and more<br />
* API: update the API so that it covers all features<br />
* WebUI: demonstrate and add the API to the WebUI and live version with all features<br />
* WebUI special reports: track attacks more creatively and provide high-risk IPs<br />
* Database: better database structure, faster, using a queue<br />
* Data analysis: analyse stored data and attack signatures<br />
* OWASP Top 10: prepare useful processed/raw data for the OWASP Top 10 project<br />
<br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Packet Analysis & Tshark & Libpcap<br />
* Docker<br />
* Database<br />
* Web Development Skills<br />
* Honeypot and Deception knowledge<br />
<br />
=== Mentors and Leaders ===<br />
<br />
* [mailto:ali.razmjoo@owasp.org Ali Razmjoo] (Mentor & Project Leader)<br />
* [mailto:ehsan@nezami.me Ehsan Nezami] (Mentor & Project Leader)<br />
* [mailto:reza.espargham@owasp.org Reza Espargham](Mentor)<br />
* [mailto:abiusx@owasp.org Abbas Naderi] (Mentor)<br />
<br />
== OWASP Juice Shop ==<br />
<br />
[[OWASP Juice Shop Project]] is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express and Angular. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.<br />
The best way to get in touch with us is the '''community chat on https://gitter.im/bkimminich/juice-shop<nowiki/>.''' You can also send PMs to the potential mentors (@bkimminich, @wurstbrot, @J12934 and @CaptainFreak) there if you like!<br />
<br />
To receive early feedback please '''put your proposal on Google Docs and submit it to the OWASP Organization on Google's GSoC page''' in ''Draft Shared'' mode. Please pick '''''juice shop'' as Proposal Tag''' to make them easier to find for us. '''Thank you!'''<br />
<br />
=== Feature Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new functionality and "business" features are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Afeature GitHub issues labeled "feature"]. This project could implement a whole bunch of new features one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for features and new functionality in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 5 or more new features or functional enhancements of significant scope for OWASP Juice Shop (not necessarily including corresponding challenges)<br />
* Each feature comes with full functional unit and integration tests<br />
* Extending the functional walk-through chapter of the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, security knowledge is optional.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Juice Shop Mobile ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
A complete mobile client for Juice-Shop API which will serve a legit mobile experience for Juice-Shop user as well as a plethora of Mobile app vulnerabilities and challenges around them to solve. Should in the best case translate the idea of Juice Shop's hacking challenges with a score board and success notifications into the mobile world.<br />
<br />
''Coming up with a sophisticated proposal (optimally even with a good initial sample implementation) could make the difference between being selected or declined as a student for this project!''<br />
<br />
''' Getting started '''<br />
* Get familiar with the architecture and code base of the application's RESTful backend<br />
* Get familiar with native app development<br />
* Get familiar with Mobile vulnerabilities<br />
<br />
'''Expected Results:'''<br />
* A mobile App with consistent UI/UX for Juice-Shop with standard client side vulnerabilities.<br />
* Sufficient initial release quality (on par with Juice Shop and Juice Shop CTF) to make it an official extension project hosted in its own GitHub repository ''bkimminich/juice-shop-mobile''<br />
* Code follows existing styleguides and applies similar quality gates regarding code smells, test coverage etc. as the main project.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) React Native and NodeJS/Express, some Mobile security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Challenge Pack 2019 ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
Ideas for potential new hacking challenges are collected in [https://github.com/bkimminich/juice-shop/issues?q=is%3Aissue+is%3Aopen+label%3Achallenge GitHub issues labeled "challenge"]. This project could implement a whole bunch of challenges one by one and release them over the course of several small releases. This would allow the student to work in a professional Continuous Delivery kind of way while bringing benefit to the Juice Shop over the duration of the project.<br />
<br />
''Coming up with good additional ideas for challenges in the proposal could make the difference between being selected or declined as a student for this project!''<br />
<br />
'''Expected Results:'''<br />
* 10 or more new challenges for OWASP Juice Shop (including required functional enhancements to place the challenges)<br />
* Each challenge comes with full functional unit and integration tests<br />
* Each challenge is verified to be exploitable by corresponding end-to-end tests<br />
* Hint and solution sections for each new challenge are added to the "Pwning OWASP Juice Shop" ebook<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Hacking Instructor ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
While the Juice Shop is offering a lot of long-lasting motivation and challenges for security experts, it might be a bit daunting for newcomers and less experienced hackers.<br />
The "Hacking Instructor" as sketched in [https://github.com/bkimminich/juice-shop/issues/440 GitHub issue #440] could guide users from this target audience through at least some of the hacking challenges. As this would be an entirely new and relatively independent feature of the Juice Shop, students should be able to bring in their own creativity and ideas a lot.<br />
<br />
''For this project, a good proposal with a design & implementation proposal more sophisticated than the rough ideas in [https://github.com/bkimminich/juice-shop/issues/440 #440] is paramount to be selected as a student!''<br />
<br />
'''Expected Results:'''<br />
* A working implementation of e.g. an avatar-style "Hacking Instructor" or other solution based on the students own proposal<br />
* Coverage of at least the trivial (1-star) and some easy (2-star) challenges<br />
* Documentation how to configure or script the "Hacking Instructor" for challenges in general<br />
<br />
''' Getting started: '''<br />
* Get familiar with the architecture and code base of the application's rich Javascript frontend and RESTful backend<br />
* Get a feeling for the high code & test quality bar by inspecting the existing test suites and static code analysis results<br />
* Get familiar with the CI/CD process based on Travis-CI and several associated 3rd party services<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular, some UI/UX experience would be preferable.<br />
<br />
'''Potential Mentors:'''<br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
* [[User:Timo Pagel|Timo Pagel]] - OWASP Juice Shop Project Collaborator<br />
* Jannik Hollenbach - OWASP Juice Shop Project Collaborator<br />
* Shoeb Patel - OWASP Juice Shop Contributor (and former GSoC 2018 Student)<br />
<br />
=== Your idea ===<br />
<br />
'''Brief Explanation:'''<br />
<br />
You have an awesome idea to improve OWASP Juice Shop that is not on this list? Great, please submit it!<br />
<br />
''' Getting started '''<br />
* Get in touch with [https://www.owasp.org/index.php/User:Bjoern_Kimminich Bjoern Kimminich]<br />
<br />
'''Expected Results:'''<br />
* A new feature that makes OWASP Juice Shop even better<br />
* Code follows existing styleguides and passes all existing quality gates regarding code smells, test coverage etc.<br />
<br />
'''Knowledge Prerequisites:'''<br />
* Javascript, Unit/Integration testing, experience with (or willingness to learn) Angular and NodeJS/Express, some security knowledge would be preferable.<br />
<br />
'''Mentors:''' <br />
* [[User:Bjoern_Kimminich|Bjoern Kimminich]] - OWASP Juice Shop Project Leader<br />
<br />
==OWASP-Securetea Tools Project ==<br />
The purpose of this application is to warn the user (via various communication mechanisms) whenever their laptop is accessed. This small application was developed and tested in Python on a Linux machine and is likely to work well on the Raspberry Pi as well. See<br />
https://github.com/OWASP/SecureTea-Project/blob/master/README.md<br />
<br />
===Brief Explanation===<br />
Do you have an awesome idea to improve the SecureTea Project that is not on this list? We expect this project to be useful for everyone who wants to secure their small IoT devices.<br />
<br />
===Idea===<br />
Below are the roadmap and the expected results from which you can choose to improve the SecureTea Project.<br />
If you find any bugs, please help to fix them.<br />
<br />
===Roadmap=== <br />
See Our Roadmap<br><br />
https://github.com/OWASP/SecureTea-Project#roadmap<br><br />
Notify by Twitter (done)<br><br />
Securetea Dashboard / Gui (done)<br><br />
<br />
===Expected Results ===<br />
<br><br />
Securetea Protection /firewall<br><br />
Securetea Antivirus<br><br />
Notify by Whatsapp<br><br />
Notify by SMS Alerts<br><br />
Notify by Line<br><br />
Notify by Telegram<br><br />
Intelligent Log Monitoring<br><br />
Login History<br><br />
=== Students Requirements ===<br />
<br />
* Python<br />
* Javascript <br />
* Angular and NodeJS/Express<br />
* Database<br />
* Linux<br />
<br />
=== Mentors === <br />
<br />
* [mailto:ade.putra@owasp.org Ade Yoseman Putra] - (OWASP Securetea Project Leader) <br><br />
* [mailto:rejah.rehim@owasp.org Rejah Rehim A.A] - (OWASP Securetea Project Leader)<br />
* [https://github.com/sananthu Ananthu S] - (Mentor)<br />
<br />
==OWASP OWTF==<br />
'''[https://github.com/owtf/owtf Offensive Web Testing Framework (OWTF)]''' is a project focused on penetration testing efficiency and alignment of security tests to security standards like the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST. Most of the ideas below focus on rewrite of some major components of OWTF to make it more modular. OWTF is moving to a fresh codebase with a fully Docker testing and deployment environment. If you want to get a jumpstart, check out https://github.com/owtf/owtf/tree/new-arch.<br />
===OWASP OWTF - MiTM proxy interception and replay capabilities===<br />
'''Brief Explanation:'''<br />
<br />
The OWTF man-in-the-middle proxy is written completely in Python (based on the excellent Tornado framework) and was benchmarked to be the fastest MiTM Python proxy. However it lacks the useful and much-needed interception and replay capabilities of mitmproxy (https://github.com/mitmproxy/mitmproxy).<br />
<br />
The current implementation of the MiTM proxy serves its purpose very well. It is fast, but it is not extensible. There are a number of good use cases for being extensible:<br />
*ability to intercept the transactions<br />
*modify or replay transaction on the fly<br />
*add additional capabilities to the proxy (such as session marking/changing) without polluting the main proxy code<br />
Bonus:<br />
*Design and implement a proxy plugin (middleware) architecture so that the plugins can be defined separately and the user can choose what plugins to include dynamically (from the web interface).<br />
*Replace the current Requester (based on urllib, urllib2) with a more robust Requester based on urllib3 with support for a real headless browser factory. The typical flow when an authenticated browser instance (using PhantomJS) is requested:<br />
<br />
*The "Requester" module checks if there is any login parameters provided (i.e form-based or script - look at https://github.com/owtf/login-sessions-plugin)<br />
*Create a browser instance and do the necessary login procedure<br />
*Handle the browser for the URI<br />
*When called to close the browser, do a clean logout and kill the browser instance.<br />
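The intercept/modify/replay and plugin (middleware) ideas above, sketched as an added example that is not OWTF code: a proxy core that passes every transaction through a chain of plugins, where a plugin can tag, rewrite or drop a request, plus a replay method that resends any recorded transaction through the same chain. Network I/O is replaced by an injectable upstream callable (here a constructed fake origin that serves /products?id=1..3) so the pipeline runs offline; a Tornado-based proxy would call the origin server at that point. The class and hook names (Plugin, on_request, on_response, SessionMarker, Interceptor) are this example's own.<br />

```python
"""Pluggable intercept / modify / replay pipeline for a MiTM proxy.

Added example, not OWTF code. The network layer is replaced by an injectable
`upstream` callable so the pipeline runs offline; a real proxy (for instance
one built on Tornado) would send the request to the origin server there.
"""
import itertools
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Transaction:
    id: int
    request: Request
    response: Optional[Response] = None
    tags: List[str] = field(default_factory=list)


class Plugin:
    """Base class for middleware; on_request may return None to drop the request."""

    def on_request(self, tx: Transaction) -> Optional[Transaction]:
        return tx

    def on_response(self, tx: Transaction) -> Transaction:
        return tx


class SessionMarker(Plugin):
    """Tags transactions carrying a given session cookie, without touching the proxy core."""

    def __init__(self, cookie_name: str):
        self.cookie_name = cookie_name

    def on_request(self, tx):
        if self.cookie_name + "=" in tx.request.headers.get("Cookie", ""):
            tx.tags.append("authenticated")
        return tx


class Interceptor(Plugin):
    """Holds requests that satisfy `match` and hands them to `edit` before forwarding.

    `edit` returns the (possibly modified) request, or None to drop it.
    """

    def __init__(self, match: Callable[[Request], bool],
                 edit: Callable[[Request], Optional[Request]]):
        self.match, self.edit = match, edit

    def on_request(self, tx):
        if not self.match(tx.request):
            return tx
        edited = self.edit(tx.request)
        if edited is None:
            return None
        tx.request = edited
        tx.tags.append("intercepted")
        return tx


class Proxy:
    def __init__(self, upstream: Callable[[Request], Response], plugins: List[Plugin]):
        self.upstream = upstream
        self.plugins = list(plugins)
        self.history: Dict[int, Transaction] = {}
        self._ids = itertools.count(1)

    def handle(self, request: Request) -> Optional[Transaction]:
        """Run request hooks in order, forward, then run response hooks in reverse order."""
        tx = Transaction(next(self._ids), request)
        for plugin in self.plugins:
            tx = plugin.on_request(tx)
            if tx is None:
                return None
        tx.response = self.upstream(tx.request)
        for plugin in reversed(self.plugins):
            tx = plugin.on_response(tx)
        self.history[tx.id] = tx
        return tx

    def replay(self, tx_id: int, **changes) -> Optional[Transaction]:
        """Re-send a recorded request through the same pipeline, with optional field changes."""
        original = self.history[tx_id].request
        fields = {"headers": dict(original.headers)}
        fields.update(changes)
        return self.handle(replace(original, **fields))


def fake_upstream(req: Request) -> Response:
    """Constructed stand-in for an origin server: /products?id=1..3 exist, everything else is 404."""
    if req.url.startswith("/products?id="):
        pid = req.url.split("=", 1)[1]
        return Response(200 if pid in {"1", "2", "3"} else 404, body=f"product {pid}".encode())
    return Response(404)


def demo():
    """Intercept a request, rewrite its id parameter on the fly, then replay it with another id."""
    proxy = Proxy(fake_upstream, [
        SessionMarker("session"),
        Interceptor(lambda r: "id=" in r.url,
                    lambda r: replace(r, url=r.url.replace("id=1", "id=2"))),
    ])
    first = proxy.handle(Request("GET", "/products?id=1", {"Cookie": "session=abc"}))
    replayed = proxy.replay(first.id, url="/products?id=3")
    return proxy, first, replayed


if __name__ == "__main__":
    _, first, replayed = demo()
    for tx in (first, replayed):
        print(tx.id, tx.request.url, tx.response.status, tx.tags)
```

Keeping the core ignorant of what plugins do is what lets session marking live outside the proxy code; the same hook pair is where a "hold and edit in the web interface" interceptor or a scan-rule injector would plug in. Note that the history records the request as forwarded (after plugin edits), so a replay starts from the modified request, not the one the client originally sent.<br />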
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
'''Knowledge Prerequisite:''' Python proficiency, some previous exposure to security concepts and penetration testing is welcome but not strictly necessary as long as there is will to learn.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - Web interface enhancements===<br />
'''Brief explanation:'''<br />
<br />
The current web interface is a mixture of Tornado Jinja templates and ReactJS. A complete UI change to a stable ReactJS-based interface should be the deliverable for this project. Most of the hard part for the change has already been done and added in a separate branch at https://github.com/owtf/owtf/tree/develop.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT:Clean, maintainable (ES6 compatible and using recommended design patterns) React (JavaScript) code. ([https://github.com/getsentry/zeus/tree/master/webapp This] is a good example!)'''<br />
*'''IMPORTANT: Thoroughly documented code along with API examples and example future components.'''<br />
*'''CRITICAL''': Excellent reliability and performance.<br />
*Unit tests / Functional tests and easy to setup testing environment (preferably automated).<br />
'''Knowledge Prerequisite:''' Python (reading API source code and endpoints), React.JS (high proficiency) and general JavaScript proficiency.<br />
<br />
'''OWASP OWTF Mentors:''' Contact: [mailto:Abraham.Aranguren@owasp.org Abraham Aranguren][mailto:viyat.bhalodia@owasp.org Viyat Bhalodia][mailto:bharadwaj.machiraju@gmail.com Bharadwaj Machiraju] OWASP OWTF Project Leaders<br />
===OWASP OWTF - New plugin architecture===<br />
'''Brief explanation:'''<br />
<br />
The current plugin system is not very useful and it is painful to browse the many plugins. Most plugins contain a lot of code and much of it is repeated, so a lot of refactoring is needed there.<br />
<br />
This issue is documented in detail at https://github.com/owtf/owtf/issues/905.<br />
<br />
For background on OWASP OWTF please see: https://www.owasp.org/index.php/OWASP_OWTF<br />
<br />
'''Expected results:'''<br />
*'''IMPORTANT: [http://legacy.python.org/dev/peps/pep-0008/ PEP-8 compliant code] in all modified code and surrounding areas.'''<br />
*'''IMPORTANT: [https://github.com/7a/owtf/wiki/Contributor%27s-README OWTF contributor README compliant code]'''<br />
*'''IMPORTANT: [http://sphinx-doc.org/ Sphinx-friendly python comments] [http://owtf.github.io/ptp/_modules/ptp/tools/w3af/parser.html#W3AFXMLParser example Sphinx-friendly python comments here]'''<br />
*CRITICAL: Excellent reliability<br />
*Good performance<br />
*Unit tests / Functional tests<br />
*Good documentation<br />
<br />
== OWASP iGoat (draft) ==<br />
'''Idea 1:''' Completing OWASP iGoat documentation at https://docs.igoatapp.com/ and creating demo videos at for OWASP iGoat YouTube channel for learning purpose.<br />
<br />
'''Idea 2:''' Adding new challenge pack / CTF for iGoat. It should be one point solution for learning iOS app security<br />
<br />
== OWASP Seraphimdroid ==<br />
<br />
=== Idea 1: Anomaly detection of device state ===<br />
The idea is that certain features of a device would be constantly monitored (battery use, internet usage, calls, etc.). Initially, the usual behaviour of the device would be learned. Later, deviations from this normal behaviour would be reported to the user. This should include some explanation, such as which applications are causing the anomaly in the device's behaviour.<br />
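One concrete shape for "learn the usual behaviour, then report deviations with an explanation", added here as an example rather than Seraphimdroid code: a per-app baseline (median and median absolute deviation, which a few unusual hours do not skew) is learned over a window of readings, each app in the current interval gets a robust z-score against its baseline, and the report names the apps responsible. The metric (KB sent per hour) and the 24 hourly readings are constructed; on a device they would come from the platform's traffic and battery statistics.<br />

```python
"""Learn a per-app baseline of device metrics and report anomalies with an explanation.

Added example, not Seraphimdroid code. The readings are constructed; on a
device they would come from the platform's battery, traffic and usage stats.
The metric here is KB sent per hour, but the code is metric-agnostic.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple

Reading = Dict[str, float]                 # app name -> metric value for one interval
Baseline = Dict[str, Tuple[float, float]]  # app name -> (median, MAD)


def learn_baseline(history: List[Reading]) -> Baseline:
    """Median and median absolute deviation per app; robust to a few odd intervals."""
    apps = {app for reading in history for app in reading}
    baseline: Baseline = {}
    for app in apps:
        values = [reading.get(app, 0.0) for reading in history]
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[app] = (med, mad)
    return baseline


def robust_z(value: float, med: float, mad: float) -> float:
    """Deviation in MAD units; 1.4826 scales MAD to one sigma for normally distributed data."""
    scale = 1.4826 * mad if mad > 0 else 1.0
    return (value - med) / scale


@dataclass
class Report:
    anomalous: bool
    offenders: List[Tuple[str, float]]  # (app, z-score), worst first
    explanation: List[str]


def detect(reading: Reading, baseline: Baseline, threshold: float = 3.5) -> Report:
    """Flag apps whose current value deviates from their learned baseline.

    Apps never seen during learning get a (0, 0) baseline, so any non-trivial
    activity from an unknown app is reported as well.
    """
    scores = []
    for app, value in reading.items():
        med, mad = baseline.get(app, (0.0, 0.0))
        scores.append((app, robust_z(value, med, mad), value, med))
    scores.sort(key=lambda s: -abs(s[1]))
    offenders = [(app, z) for app, z, _, _ in scores if abs(z) > threshold]
    explanation = [
        f"{app}: {value:.0f} KB this interval vs. usual {med:.0f} KB (z={z:.1f})"
        for app, z, value, med in scores if abs(z) > threshold
    ]
    return Report(bool(offenders), offenders, explanation)


# Constructed learning window: 24 hourly readings with small, regular variation per app.
HISTORY: List[Reading] = [
    {"mail": 120 + (h % 3) * 5, "browser": 800 + (h % 5) * 20, "weather": 15 + (h % 2)}
    for h in range(24)
]


def demo() -> Tuple[Report, Report]:
    """A quiet hour and an hour in which the weather app suddenly sends 5 MB."""
    baseline = learn_baseline(HISTORY)
    quiet = detect({"mail": 128, "browser": 850, "weather": 16}, baseline)
    noisy = detect({"mail": 128, "browser": 850, "weather": 5000}, baseline)
    return quiet, noisy


if __name__ == "__main__":
    _, noisy = demo()
    print(noisy.anomalous, noisy.explanation)
```

Apps never seen during learning get a zero baseline, so an unknown app that suddenly transmits is reported too; whether that deserves a softer warning than a known app changing its habits is a product decision. The threshold of 3.5 MAD units is a common starting point for robust outlier detection and should be tuned per metric against the false-positive rate users will tolerate.<br />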
<br />
=== Idea 2: On device machine learning of maliciousness of an app ===<br />
TensorFlow for on-device processing and some other libraries that enable machine learning have been released. We have previously applied a system that, based on permissions, is able to distinguish malicious apps from non-malicious ones. Now we would also like to learn from other outputs and things one can monitor about an application whether it may be malicious.<br />
<br />
=== Idea 3: Enhancing privacy features ===<br />
The vision of Seraphimdroid is to be aware of privacy threats. This may be achieved through knowing which applications are using user accounts or other information the user has on the phone and sending it to a server, or just by knowing which applications may be doing so. The knowledge base should be extended with suggestions on how to improve privacy. Also, automated settings for various apps to use encryption should be proposed.<br />
==OWASP ZAP==<br />
The [[OWASP Zed Attack Proxy Project|OWASP Zed Attack Proxy]] (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. Previous GSoC students have implemented key parts of the ZAP core functionality and have been offered (and accepted) jobs based on their work on ZAP.<br />
<br />
=== Active Scanning WebSockets ===<br />
: '''Brief Explanation:'''<br />
: ZAP has good support for websockets, and allows them to be intercepted, changed and fuzzed. Unfortunately it doesn't currently support active scanning (automated attacking) of websocket traffic (messages).<br />
: We would like to add active scanning support to websockets, ideally in a generic way which would allow us to reuse as many of our existing rules as are relevant. Adding additional websocket specific attacks would also be very useful.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* A pluggable infrastructure that allows us to active scan websockets<br />
:* Converting the relevant existing scan rules to work with websockets<br />
:* Implementing new websocket specific scan rules<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
<br />
=== Automated Authentication Detection and Configuration ===<br />
: '''Brief Explanation:'''<br />
: Currently a user must manually configure ZAP to handle authentication, eg as per <nowiki>https://github.com/zaproxy/zaproxy/wiki/FAQformauth</nowiki><br />
: This is time consuming and error prone.<br />
: Ideally ZAP would help detect login and registration pages and provide more assistance when configuring authentication, ideally being able to completely automate the task for as many kinds of web apps as possible.<br />
: This project will be a continuation of the work that was started as part of last year's GSoC.<br />
: '''Expected Results:'''<br />
:* Detect login and registration pages<br />
:* Provide a wizard to walk users through the process of setting up authentication, with as much assistance as possible<br />
:* An option to completely automate the authentication process, for as many authentication mechanisms as possible<br />
: '''Getting Started:''' <br />
:* Have a look at the ZAP [https://github.com/zaproxy/zaproxy/blob/develop/CONTRIBUTING.md CONTRIBUTING.md] file, especially the 'Coding' section.<br />
:* We like to see students who have already contributed to ZAP, so try fixing one of the bugs flagged as [https://github.com/zaproxy/zaproxy/issues?q=is%3Aopen+is%3Aissue+label%3AIdealFirstBug IdealFirstBug].<br />
: '''Knowledge Prerequisites:'''<br />
:* ZAP is written in Java, so a good knowledge of this language is recommended. Some knowledge of application security would be useful, but not essential.<br />
: '''Mentors:''' [https://www.owasp.org/index.php/User:Psiinon Simon Bennetts] [mailto:psiinon@gmail.com @] and the rest of the ZAP Core Team<br />
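A sketch of what the "detect login and registration pages" step of the Automated Authentication Detection and Configuration idea above could look like, added here as an example rather than ZAP code: it parses the forms of a captured page, classifies a form with one password field and one identity field as a login form and one with a password confirmation (or several identity fields, or register/signup-style names) as a registration form, and turns a detected login form into the login URL and POST-data template that ZAP's form-based authentication is configured with (the {%username%} and {%password%} placeholders are ZAP's own syntax). Standard library only; the sample HTML, field names and the hint word list are constructed for the example. One caveat a practitioner should keep in mind: single-page applications log in with a JSON request issued from JavaScript and have no HTML form at all (the page above names Juice Shop's JavaScript-heavy frontend and REST API as exactly this kind of target), so a complete implementation also has to watch proxied traffic for credential-shaped requests.<br />

```python
"""Heuristic login/registration form detection plus a form-auth config sketch.

Added example, not ZAP code: standard library only, runs offline over a captured
page body. The {%username%} / {%password%} placeholders follow the syntax ZAP's
form-based authentication uses in its login request POST data; SAMPLE_HTML and
the hint word list are constructed.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Dict, List, Optional

IDENTITY_TYPES = ("text", "email", "tel")
REGISTRATION_HINTS = ("confirm", "repeat", "verify", "again", "register", "signup", "sign_up", "sign-up")


@dataclass
class Form:
    action: str
    method: str
    inputs: List[Dict[str, str]] = field(default_factory=list)


class FormCollector(HTMLParser):
    """Collects every <form> with its <input> elements; attribute values are kept verbatim."""

    def __init__(self):
        super().__init__()
        self.forms: List[Form] = []
        self._current: Optional[Form] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = Form(a.get("action", ""), (a.get("method") or "get").lower())
        elif tag == "input" and self._current is not None:
            a["type"] = (a.get("type") or "text").lower()  # an <input> without type is text
            self._current.inputs.append(a)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def classify_form(form: Form) -> Optional[str]:
    """Return 'login', 'registration' or None (no password field means not an auth form)."""
    passwords = [i for i in form.inputs if i["type"] == "password"]
    if not passwords:
        return None
    if len(passwords) >= 2:  # password plus confirmation field
        return "registration"
    names = " ".join(i.get("name", "") + " " + i.get("id", "") for i in form.inputs)
    if any(h in (names + " " + form.action).lower() for h in REGISTRATION_HINTS):
        return "registration"
    identity = [i for i in form.inputs if i["type"] in IDENTITY_TYPES]
    return "login" if len(identity) <= 1 else "registration"  # several identity fields: sign-up


def suggest_form_auth(form: Form) -> Dict[str, str]:
    """Login URL and POST-data template for a detected login form.

    Hidden fields (e.g. an anti-CSRF token) are copied as seen; a real setup has to
    re-fetch such tokens per session, which is the step manual configuration gets wrong.
    """
    pairs = []
    for i in form.inputs:
        name = i.get("name")
        if not name:
            continue
        if i["type"] == "password":
            pairs.append(f"{name}={{%password%}}")
        elif i["type"] in IDENTITY_TYPES:
            pairs.append(f"{name}={{%username%}}")
        elif i["type"] == "hidden":
            pairs.append(f"{name}={i.get('value', '')}")
    return {"loginUrl": form.action, "method": form.method, "loginRequestData": "&".join(pairs)}


SAMPLE_HTML = """<html><body>
<form action="/login" method="POST">
  <input type="hidden" name="csrf" value="Tok3n"><input type="email" name="email" required>
  <input type="password" name="password"><input type="submit" value="Log in">
</form>
<form action="/signup" method="post">
  <input type="email" name="email"><input type="password" name="password">
  <input type="password" name="passwordRepeat">
</form>
<form action="/account/new" method="post">
  <input name="username"><input type="email" name="email"><input type="password" name="password">
</form>
<form action="/search" method="get"><input type="text" name="q"></form>
</body></html>"""


def detect_and_suggest(html: str = SAMPLE_HTML):
    """Classify every form and produce an auth config sketch for each login form."""
    collector = FormCollector()
    collector.feed(html)
    summary, suggestions = [], []
    for form in collector.forms:
        kind = classify_form(form)
        if kind:
            summary.append({"kind": kind, "action": form.action, "method": form.method})
        if kind == "login":
            suggestions.append(suggest_form_auth(form))
    return summary, suggestions
```

The heuristics are deliberately simple so that a wizard can show the user why a form was classified the way it was; the ambiguous cases (one password field, several text fields, no telling names) are exactly where the wizard should ask rather than guess.<br />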
:</div>Bjoern Kimminich