@abefleming
Last active November 13, 2019 07:26

For this hands-on exercise we will need the following installed and configured on our machines.

Juice Shop

OWASP Juice Shop is an intentionally insecure web application written entirely in JavaScript which encompasses the entire range of OWASP Top Ten and other severe security flaws.

It is the vulnerable web application that we will be attacking during this exercise.

Follow the instructions below for a Manual or Automatic installation:

Manual

  1. Install node.js Version 6.11.4 LTS: -Download Link-
  2. Download the juice-shop zip for your operating system: [Windows Version] [Linux Version]
  3. Extract the folder locally and navigate to that folder in a command line.
  4. Run the command npm start inside the juice-shop directory.
  5. Open a browser and go to http://localhost:3000

Automatic

  1. Go to the Juice Shop GitHub page here and click on the "Deploy to Heroku" button.
  2. Create an account with Heroku and follow the guided process.
  3. Once the build is finished, go to your Dashboard in Heroku and find the juice-shop application you just set up.
  4. Open the app page and in the top right, click the "Open app" button. You should have something like this -Live Demo-

Now you have OWASP Juice Shop available!

Tool Installation

You can choose one of the two, or both, but they fulfill the same purpose. Burp Suite and OWASP ZAP are intercepting proxies that allow one to capture all of the traffic happening between the browser and the internet. I will be using Burp for the purposes of this exercise, but feel free to play around with ZAP.

  • Download Burp Suite Free -Link-
  • Download OWASP Zed Attack Proxy (ZAP) -Link-

First, let us configure our browser so that it routes its traffic through the proxy. We will be using Firefox for this exercise.

  • Direct traffic through proxy -Link-

When using these proxies, you will see both HTTP and HTTPS traffic. However, for HTTPS traffic to be shown as plaintext rather than in its normal encrypted form, we will need to install our proxy's CA certificate into our browser. Make sure Burp Suite is started and Firefox is routing its traffic through it before trying to install the CA cert.

You are done. Go into Burp Suite, click on the "Proxy" tab and turn intercept off. Click on the neighboring tab "HTTP History" so that it is open. Go back to Firefox and go to the URL for your juice-shop instance.

Navigate around Juice Shop and look at the traffic coming in through Burp.

Congratulations, you are ready for the exercise!
