Juice Shop

An intentionally insecure webapp suitable for pentesting and security awareness trainings written in Node, Express and Angular.

Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "Javascript" was purely coincidental!

Features

• Easy to install: Just requires node.js*
• Self contained: Additional dependencies will be resolved and downloaded automatically
• No external DB: A simple file based SQLite database is used which is wiped and regenerated on server startup
• Open source: No hidden costs or caveats
• Score Board: The application keeps track of known vulnerabilities the user has successfully exploited

Juice Shop is the first application written entirely in Javascript listed in the OWASP VWA Directory. It also seems to be the first broken webapp that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.

Preview

Feel free to have a look at the latest version of Juice Shop: https://juice-shop.herokuapp.com

This is a "sneak-peek" instance only! You are not allowed to use this instance for your own hacking endeavors! Technically Heroku could view hacking activity on this instance as an attack on their infrastructure! You have been warned!

Setup

From Sources

1. Install node.js*
2. Run git clone https://github.com/bkimminich/juice-shop.git (or clone your own fork of the repository)
3. Run npm install (only has to be done before first start or when you change the source code)
4. Run npm start
5. Browse to http://localhost:3000

Docker Container

1. Install Docker
2. Run docker pull bkimminich/juice-shop
3. Run docker run -d -p 3000:3000 bkimminich/juice-shop
4. Browse to http://localhost:3000

Even easier: Run Docker Container from Docker Toolbox (Kitematic)

1. Install and launch Docker Toolbox
2. Search for juice-shop and click Create to download image and run container
3. Click on the Open icon next to Web Preview to browse to Juice Shop

Packaged Distribution (for Windows x64)

1. Install node.js 4.x for Windows x64
2. Download juice-shop-<version>_node4_x64.zip attached to latest release
3. Unpack and run npm start in unzipped folder
4. Browse to http://localhost:3000

The packaged distribution will neither work on Linux nor on other node.js versions because SQLite is compiled from source for the OS and node.js version which npm install is executed on.

Amazon EC2 Instance

1. Setup an Amazon Linux AMI instance
2. Copy the script below into User Data:
3. Use a Security Group that opens port 80
4. Launch instance
5. Browse to your instance's public DNS

#!/bin/bash
yum update -y
yum install -y docker
service docker start
docker pull bkimminich/juice-shop:latest
docker run -d -p 80:3000 bkimminich/juice-shop:latest

Technically Amazon could view hacking activity on any EC2 instance as an attack on their AWS infrastructure! I highly disrecommend aggressive scanning or automated brute force attacks! You have been warned!

*Node.js version compatibility

Juice Shop has been successfully tested with the following versions of node.js:

• 0.10.x
• 0.11.x
• 0.12.x
• 4.x

Troubleshooting

If you need help with the application setup please check the Troubleshooting section below or post your specific problem or question in the official Gitter Chat.

• If you are experiencing Error 128 from some GitHub repos during bower_install.js execution, run git config --global url."https://".insteadOf git:// and try npm install again
• If using Boot2Docker (Docker inside VirtualBox on Windows) make sure that you also enable port forwarding from Host 127.0.0.1:3000 to 0.0.0.0:3000 for TCP
• If npm install fails after an update of your local copy during bower_install.js complaining about version issues, delete /app/bower_components and try again to remove outdated versions that cause conflicts
• You may find it easier to find vulnerabilities using a pen test tool. I strongly recommend Zed Attack Proxy which is open source and very powerful, yet beginner friendly.

Contributions

Found a bug? Crashed the app? Broken challenge? Found a vulnerability that is not on the Score Board?

Feel free to create an issue or post your ideas in the chat! Pull requests are also highly welcome as long as the tests still pass!

Unit Tests

There is a full suite containing independent unit tests for the client- and server-side code. These tests verify if the normal use cases of the application should work. All server-side vulnerabilities are also tested.

npm test

End-to-end Tests

The e2e test suite verifies if all client- and server-side vulnerabilities are exploitable. It passes only when all challenges are solvable on the score board.

npm run protractor

The e2e tests require a working internet connection in order to verify the redirect challenges!

Project Marketing

Blog Links

• Guest post on The official Sauce Labs Blog: Proving that an application is as broken as intended
• Teaser post on Björn Kimminich's Blog': Juice Shop

Conferences and Meetups

• Hacking the Juice Shop ("So ein Saftladen!"), JavaLand 2016, 08.03.2016
• Hacking the JuiceShop! ("Hackt den Saftladen!"), node.HH Meetup: Security!, 03.02.2016
• Lightning Talk: Hacking the Juice Shop ("So ein Saftladen!"), German OWASP Day 2015, 01.12.2015
• Juice Shop - Hacking an intentionally insecure Javascript Web Application, JS Unconf 2015, 25.04.2015
• So ein Saftladen! - Hacking Session für Developer (und Pentester), 17. OWASP Stammtisch Hamburg, 27.01.2015

Credits

Inspired by the "classic" BodgeIt Store by @psiinon.

License

Copyright (c) 2014-2016 Bjoern Kimminich Licensed under the MIT license.