Hands-On Web Security: Capture the Banner with OWASP Juice Shop

As a developer, are you confident you know what you need to know about web security? Wait around, maybe you work in infosec. As a protection specialist, are you confident that the programmers you work with know enough to undertake the right thing?

Screenshot of OWASP Fruit juice Shop

Frequently , these aren’ t easy queries to answer, even for experienced security professionals working with world class software program engineers as we do at Mozilla.

OK, you can watch guide videos and take a variety of on the internet tests, but it’ s often more fun to try things in actual life with a group of friends or co-workers. Our recent Mozilla all-hands had been one of those opportunities.

The Capture the particular Flag (CTF) occasion offer a sociable hands-on way to find out about security and they are often a tradition on security conferences.

I’ m part of the Mozilla Firefox Operations Security group and we work carefully with all Mozilla developers to make sure that the particular core services Mozilla relies on to construct, ship, and run Firefox are usually as secure as possible.

In this retrospective, I’ ll display how you can easily set up a CTF event using free and open up source software, as the Security group did back in December, when we collected in Austin for Mozilla All Hands event.

Customizing OWASP Juice Shop

All of us chose OWASP Juice Shop , a web application designed intentionally for training reasons to be insecure. Juice Shop utilizes modern technologies like Node. js, Express and AngularJS, and provides an array of security challenges ranging from the simple towards the complex. This was important for us given that our participants had a wide range of abilities, and included developers with small formal security training to expert penetration testers.

Fruit juice Shop is a “ single consumer application, ” but it comes with a CTF mode and detailed instructions designed for Hosting a CTF Event . When this is switched on, the application generates “ CTF-tokens” at any time someone solves one of the challenges. Place then be uploaded to a main scoring server. The CTF setting also disables the hints that might have made some of the challenges too simple for our more advanced players.

Juice Shop can be run inside a wide variety of ways, but to make it simple for your participants I recommend using a docker image , as this has only one dependency: docker.

You can find the official Fruit juice Shop docker image here: https://hub.docker.com/r/bkimminich/juice-shop/ or you can build your own if you want to personalize it. You can customization instructions online .

We enabled the pre-installed CTF mode and changed the application form name and the example products to make it feel more Firefox-y and also to hide its origin (as options for the Juice Shop challenges can be found on the internet).

After we were happy with our changes all of us uploaded our image to dockerhub: mozilla/ctf-austin

Screenshot of Mozilla-customized OWASP Juice Shop

Setting Up a Scoring Machine

You’ ll wish to set up a scoring server, to permit participants to upload their CTF-tokens and compare their scores along with everyone else. It definitely helped encourage competitors among our participants!

A scoring server should also give a summary of each of the challenges as well as the points each challenge is worth. With this we used CTFd – it’ s esy-to-install and there’ s i9000 an officially supported tool regarding importing the Juice Shop issues into CTFd which can be run making use of:

  npm install -g juice-shop-ctf-cli

You’ re after that presented with a set of questions that allow you to melody the setup to your requirements.

Running the CTF

To get your CTF event underway you simply need to tell participants the URL of your own CTFd server and how to get Fruit juice Shop running locally. If you are using the state image, here’ s how to start running Juice Shop locally:

  docker draw bkimminich/juice-shop
docker run -d -e "NODE_ENV=ctf" -p 3000: 3000 bkimminich/juice-shop 

If you’ re using your own image after that change the image name, and if you might have the CTF option enabled in that case your code wont need the -e "NODE_ENV=ctf" part:

  docker pull mozilla/ctf-austin
docker operate -d -p 3000: 3000 mozilla/ctf-austin 

In either case, individuals will now be able to access their own nearby copy of Juice Shop through http://localhost:3000/

Even though some of the Juice Shop security difficulties can be solved just by using Opera, a security tool that proxies your own browser will really help.

A good option for this is OWASP ZAP (for which I’ m the particular project leader), a free and open up source security tool specifically designed to get security vulnerabilities in web apps.

ZAP sits between browser and the application you want to ensure that you shows all of the traffic that runs between them. It also allows you to intercept and alter that traffic and provides a wide range of automatic and manual features that can be used to check the application. If you use ZAP you won’ t need to change your browser configurations, as ZAP can launch Opera (or any other locally installed browser) preconfigured to proxy through MOVE.


Remind all participants to explore Fruit juice Shop as thoroughly as they may – you can’ t discover all the issues if there are functions that you are not aware of. Suggest that they will start with the easiest challenges w(the types with the fewest points) and function upwards, as the challenges are designed to obtain progressively harder.

A graph of the top ten teams and their results at the challenges

If you are operating the CTF over several times (as we did), it’ s i9000 a good idea to be available for help and advice. We all set up a private irc channel, the Google group, and held everyday check-in sessions where anyone can come along and ask us questions concerning the event, and get help on resolving the challenges.

Graphs and charts through CTFd showing Score Charts, Essential Percentages, Category Breakdowns

On the last day of our occasion, we held a final session in order to congratulate the winners, revealed the particular app’ s origin and passed out Juice Shop stickers kindly given by Bjö rn Kimminich (the JuiceShop project lead).

Results and Next Steps

Managing a Capture the Flag event is a superb way to raise security awareness plus knowledge within a team, a company, or even an organization.

Juice Store is an ideal application for a CTF as its based on modern web technology and includes a wide range of challenges. It’ s very well thought out and nicely supported. The fact that it’ s the real application with realistic vulnerabilities, rather than set of convoluted tasks, makes it perfect for learning about application security.

Our Mozilla/Firefox custom Juice Store app is available at https://github.com/mozilla/ctf-austin . Unless you especially want to use a Mozilla-branded version, we all recommend the original Juice Shop application: https://github.com/bkimminich/juice-shop . (Note: It has already been updated given that we forked our copy. )
And if you haven’ to played with it yet, then I highly recommend doing so. It’ s a lot of fun plus you’ ll almost certainly learn some thing.

In the end, over twenty people registered for our event plus their feedback was very beneficial:

“ The cookie and JWT stuff is among the most illuminating part of this. ”

“ This particular whole thing is excellent thanks for putting this together. ”

“ I hate the very fact I can’ t focus on our things because I’ d want to solve more ctf tasks and find out something. ”

“ It’ s amazing because I’ m planning to enhance my sec skills. ”

“ It has been a lot of fun – thanks for configuring it. ”

Photo of Mozilla Y'All-Hands CTF participants

Unsurprisingly 2 of our pen testers who have took part did very well, however they were given a run for their money by one of our own operations staff who clearly understands a lot about security!

Do you have a knack for unveiling security vulnerabilities? At Mozilla, we now have a Internet and Services Bug Bounty System . We welcome your help in making a Mozilla even more secure. You could actually earn some bounty rewards for the efforts. And we’ re continually looking for contributors to help us create ZAP better, so if that seems interesting, have a look at Contributing to OWASP ZAP .

More articles simply by Simon Bennetts…

If you liked Hands-On Web Security: Capture the Banner with OWASP Juice Shop by Simon Bennetts Then you'll love Web Design Agency Miami

Add a Comment

Your email address will not be published. Required fields are marked *