|
|
(204 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
− | =Main=
| + | We have fully migrated to the new OWASP Website! Please visit our new project page at |
− | | + | = https://www2.owasp.org/www-project-juice-shop = |
− | <div style="width:100%;height:90px;border:0,margin:0;overflow: hidden;">[[File: incubator_big.jpg|link=]]</div>
| |
− | | |
− | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| |
− | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |
| |
− | | |
− | == OWASP Juice Shop Tool Project ==
| |
− | | |
− | ''The most trustworthy online shop out there.'' ([https://twitter.com/dschadow/status/706781693504589824 dschadow])
| |
− | | |
− | OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire [[OWASP Top Ten]] and other severe security flaws.
| |
− | | |
− | ==Description==
| |
− | | |
− | [[File:JuiceShop_Logo.png|left]]
| |
− | | |
− | Juice Shop is written in Node.js, Express and AngularJS. It was the first application written entirely in JavaScript listed in the [[OWASP_Vulnerable_Web_Applications_Directory_Project|OWASP VWA Directory]].
| |
− | | |
− | The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!
| |
− | | |
− | Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a "guinea pig"-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs.
| |
− | | |
− | ''Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "Javascript" was purely coincidental!''
| |
− | | |
− | == Main Selling Points ==
| |
− | | |
− | * [https://github.com/bkimminich/juice-shop#setup Easy-to-install]: Choose between [http://nodejs.org node.js], [https://www.docker.com Docker] and [https://www.vagrantup.com/downloads.html Vagrant] to run on Windows/Mac/Linux
| |
− | * Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically
| |
− | * Self-healing: The simple SQLite database is wiped and regenerated from scratch on every server startup
| |
− | * Gamification: On a Score Board the application keeps track of successfully exploited vulnerabilities
| |
− | * Free and Open source: Licensed under the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT license] with no hidden costs or caveats
| |
− | | |
− | == Application Architecture ==
| |
− | | |
− | [[File:Architektur_JuiceShop.png]]
| |
− | | |
− | == Introduction Video ==
| |
− | | |
− | This recording from the [[Netherlands_September_22nd,_2016|OWASP Netherlands Chapter Meeting, 22nd September 2016]] gives an introduction to the OWASP Juice Shop and a live demonstration of the application and how to hack it.
| |
− | | |
− | {{#ev:youtube|62Mj0ZgZvXc}}
| |
− | | |
− | ''Spoiler warning: The last 10 minutes of the video show some live hacking including solutions to a few of the challenges!''
| |
− | | |
− | ==Licensing==
| |
− | This program is free software: you can redistribute it and/or modify it under the terms of the [https://github.com/bkimminich/juice-shop/blob/master/LICENSE MIT License]. OWASP Juice Shop and any contributions are Copyright © by [[User:Bjoern Kimminich|Bjoern Kimminich]] 2014-2016.
| |
− | | |
− | | valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |
| |
− | | |
− | {{#widget:PayPal Donation
| |
− | |target=_blank
| |
− | |currency=USD
| |
− | |budget=OWASP Juice Shop
| |
− | }}
| |
− | | |
− | == News ==
| |
− | | |
− | [28.12.16] [https://github.com/bkimminich/juice-shop/releases/tag/v2.20 v2.20] released
| |
− | | |
− | [19.12.16] [https://github.com/bkimminich/juice-shop/releases/tag/v2.19.2 v2.19.2] released
| |
− | | |
− | [07.12.16] [https://github.com/bkimminich/juice-shop/releases/tag/v2.19.0 v2.19] released
| |
− | | |
− | == Installation ==
| |
− | | |
− | [https://github.com/bkimminich/juice-shop/releases/latest Packaged Distributions]
| |
− | | |
− | [https://registry.hub.docker.com/u/bkimminich/juice-shop/ Docker Image]
| |
− | | |
− | [https://juice-shop.herokuapp.com/ Online Demo (Heroku)]
| |
− | | |
− | == Source Code ==
| |
− | | |
− | [https://github.com/bkimminich/juice-shop GitHub Project]
| |
− | | |
− | [https://github.com/bkimminich/juice-shop/commits/master Revision History]
| |
− | | |
− | [https://crowdin.com/project/owasp-juice-shop Crowdin I18N]
| |
− | | |
− | == Documentation == | |
− | | |
− | [http://bkimminich.github.io/juice-shop Introduction (Slide Deck)]
| |
− | | |
− | [https://github.com/bkimminich/juice-shop/blob/master/README.md Documentation (Readme)]
| |
− | | |
− | [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop Companion Guide (eBook)]
| |
− | | |
− | == Support ==
| |
− | | |
− | [https://gitter.im/bkimminich/juice-shop Community Chat]
| |
− | | |
− | [https://github.com/bkimminich/juice-shop/issues Issue Tracker]
| |
− | | |
− | == Collaboration ==
| |
− | | |
− | [https://owasp.slack.com/messages/project-juiceshop Slack Channel]
| |
− | | |
− | [https://lists.owasp.org/mailman/listinfo/owasp_juice_shop_project Mailing List]
| |
− | | |
− | == Social Media ==
| |
− | | |
− | [https://twitter.com/owasp_juiceshop Twitter (@owasp_juiceshop)]
| |
− | | |
− | [https://www.facebook.com/owasp.juiceshop Facebook-Page]
| |
− | | |
− | [http://www.youtube.com/playlist?list=PLV9O4rIovHhO1y8_78GZfMbH6oznyx2g2 YouTube Playlist]
| |
− | | |
− | == Merchandise ==
| |
− | | |
− | Apparel ([http://shop.spreadshirt.com/juiceshop US]/[http://shop.spreadshirt.de/juiceshop DE])
| |
− | | |
− | [https://www.stickermule.com/user/1070702817/stickers Stickers]
| |
− | | |
− | == Project Leader ==
| |
− | | |
− | | |
− | == Related Projects ==
| |
− | | |
− | [[OWASP Security Shepherd|OWASP Security Shepherd]]
| |
− | [[OWASP WebGoat Project|OWASP WebGoat Project]]
| |
− | [[OWASP Node js Goat Project|OWASP NodeGoat Project]]
| |
− | | |
− | ==Miscellaneous==
| |
− | | |
− | [https://www.openhub.net/p/juice-shop OpenHub Project]
| |
− | | |
− | ==Classifications==
| |
− | | |
− | {| width="200" cellpadding="2"
| |
− | |-
| |
− | | colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
| |
− | |-
| |
− | | align="center" valign="top" width="50%" rowspan="3"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| |
− | | align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
| |
− | |-
| |
− | | align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
| |
− | |-
| |
− | | align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=Defenders]]
| |
− | |}
| |
− | | |
− | |}
| |
− | | |
− | = Acknowledgements =
| |
− | ==Contributors==
| |
− | | |
− | The OWASP Juice Shop has created by [[User:Bjoern Kimminich|Bjoern Kimminich]] and is developed and maintained [https://github.com/bkimminich/juice-shop#credits a team of volunteers]. A live update of project [https://github.com/bkimminich/juice-shop/graphs/contributors contributors is found here].
| |
− | | |
− | == Project Sponsors ==
| |
− | | |
− | === Corporate Sponsors ===
| |
− | | |
− | {| width="99%" style="background-color:inherit;"
| |
− | | [[Image:xing_logo.png|link=https://corporate.xing.com/en/about-xing/security/|www.xing.com]]
| |
− | |
| |
− | |-|
| |
− | |
| |
− | |
| |
− | |}
| |
− | | |
− | === Individual Sponsors ===
| |
− | | |
− | * Timo Pagel
| |
− | * Benjamin Pfänder
| |
− | | |
− | = Road Map and Getting Involved =
| |
− | | |
− | Juice Shop is already implemented, properly tested and [https://github.com/bkimminich/juice-shop#blog-links has been promoted] and [https://github.com/bkimminich/juice-shop#conferences-and-meetups demonstrated or live-hacked on various occasions including OWASP events]. It has been successfully used by different companies for inhouse security trainings.
| |
− | | |
− | ==Roadmap==
| |
− | | |
− | ===Functional Enhancements in 2.x===
| |
− | | |
− | * [https://github.com/bkimminich/juice-shop/labels/bug fix known bugs]
| |
− | * continually adding more features/vulnerabilities to the application
| |
− | * Add a CTF-mode to use Juice Shop in classroom setups ([https://github.com/bkimminich/juice-shop/issues/166 #166])
| |
− | | |
− | ===Promotion to Lab Project=== | |
− | | |
− | * official request for project review issued in October 2016
| |
− | | |
− | [[File:Midlevel_projects.png]]
| |
− | | |
− | ===eBook Release===
| |
− | | |
− | * finish and publish companion guide eBook [https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop Pwning OWASP Juice Shop]
| |
− | | |
− | [[File:Pwning-owasp-juiceshop_cover.jpg]]
| |
− | | |
− | ===Vision for [https://github.com/bkimminich/juice-shop/milestone/1 Juice Shop 3.0]===
| |
− | | |
− | ====Technical Evolution====
| |
− | | |
− | * migrate to Angular 2 ([https://github.com/bkimminich/juice-shop/issues/165 #165])
| |
− | * migrate to latest Sequelize version ([https://github.com/bkimminich/juice-shop/issues/167 #167])
| |
− | ** requires to replace the discontinued sequelize-restful module
| |
− | * migrate to Jasmine 2 and Frisby 2 test frameworks ([https://github.com/bkimminich/juice-shop/issues/164 #164])
| |
− | | |
− | ==Getting Involved==
| |
− | | |
− | Involvement in the development and promotion of OWASP Juice Shop is actively encouraged!
| |
− | You do not have to be a security expert or a programmer to contribute. Some of the ways you can help are as follows:
| |
− | | |
− | * use Juice Shop in your own hacker or awareness trainings
| |
− | * use Juice Shop as a "guinea pig" for your security tools
| |
− | * provide ideas for new vulnerabilities and challenges
| |
− | * provide feedback via [mailto:[email protected] email], [https://gitter.im/bkimminich/juice-shop chat] or by [https://github.com/bkimminich/juice-shop/issues opening an issue] | |
− | * help translating the user interface on [https://crowdin.com/project/owasp-juice-shop Crowdin]
| |
− | | |
− | =Project About=
| |
− | {{:Projects/OWASP_Juice_Shop}}
| |
− | | |
− | __NOTOC__ <headertabs />
| |
− | | |
− | [[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]
| |
We have fully migrated to the new OWASP Website! Please visit our new project page at