Using OWASP Juice Shop

Next Tech offers a stack for the OWASP Juice Shop application, which their website describes as:

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

To create content for Juice Shop, simply follow the steps below!

First, select the "OWASP Juice Shop" stack from the list of stacks in the content editor. This gives you a sandbox environment with Juice Shop installed at /home/ubuntu/juice-shop and accessible to the ubuntu user.

Once your sandbox loads, you'll want to set up Juice Shop to start when the project launches. You can do this by configuring a terminal tab's starting command to the following:

sudo su ubuntu -c 'cd /home/ubuntu/juice-shop && npm start'

This will start Juice Shop on port 3000 in the sandbox when that terminal tab opens. You should see something like the following in the terminal tab when you launch a preview of the content:

Updating a terminal tab's starting command does not run it in the sandbox you are editing; you need to launch a preview project for the command to execute.
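The one-line starting command above gives no feedback about whether Juice Shop actually came up before a learner opens the link. The following startup wrapper is an added example, not Next Tech's or Juice Shop's own tooling: it runs the same command as the ubuntu user, then polls port 3000 until the app accepts connections. The install path and port are the ones from this guide; the script name start-juice-shop.sh is an assumption.

```bash
#!/usr/bin/env bash
# Added startup wrapper (not Next Tech's own tooling): starts Juice Shop as
# the ubuntu user and waits until port 3000 accepts connections, so a later
# step can rely on the app being up. Path and port are the ones in the guide.
JUICE_DIR="${JUICE_DIR:-/home/ubuntu/juice-shop}"
JUICE_PORT="${JUICE_PORT:-3000}"

# Return 0 once host:port accepts a TCP connection, 1 after $3 seconds.
# Uses bash's /dev/tcp pseudo-device, so no curl or nc is needed in the sandbox.
wait_for_port() {
  local host=$1 port=$2 timeout=${3:-60} elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 1
}

# The install directory must exist and hold a package.json, otherwise
# npm start has nothing to run and the tab just shows an npm error.
juice_shop_installed() {
  [ -d "$1" ] && [ -f "$1/package.json" ]
}

start_juice_shop() {
  if ! juice_shop_installed "$JUICE_DIR"; then
    echo "Juice Shop not found in $JUICE_DIR" >&2
    return 1
  fi
  # Same command the guide uses, backgrounded so we can poll readiness.
  sudo su ubuntu -c "cd '$JUICE_DIR' && npm start" &
  if ! wait_for_port 127.0.0.1 "$JUICE_PORT" 120; then
    echo "Juice Shop did not start listening on port $JUICE_PORT within 120s" >&2
    return 1
  fi
  echo "Juice Shop is listening on port $JUICE_PORT"
  wait   # stay attached to the npm process so its log remains visible in the tab
}

# Only auto-start when invoked as "start-juice-shop.sh start"; sourcing the
# file just defines the functions.
if [ "${1:-}" = "start" ]; then
  start_juice_shop
fi
```

Save it in the sandbox (for example as /home/ubuntu/start-juice-shop.sh, an assumed location) and set the terminal tab's starting command to: bash /home/ubuntu/start-juice-shop.sh start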

You may also want to change the interface to a single pane layout, since you will not need a code editor or other interface elements.

Currently, the only way to access a project URL from inside the content is the web browser tab. That tab loads the page in an iframe, and Juice Shop refuses to be embedded in an iframe, so it will not display there. Instead, to give the user access to the application, create an instructional step containing something like the following markdown:

Below is the URL you can use to access your OWASP Juice Shop site:

This uses templates to provide the user with a direct link to their Juice Shop application in the instructional sidebar:

When they click this link, they will see the following in a new tab:

That's it! Happy hacking 🕵️‍♂️