1. Home
  2. Training Library
  3. Web Penetration Testing with Juice Shop

What is Juice Shop?

What is Juice Shop?
2h 6m

This course puts into practice a lot of the concepts we've covered so far. We'll be using a vulnerable website called Juice Shop to solve a variety of challenges. This will give us opportunity to practice what we have learned so far, and also learn about new techniques and new vulnerabilities as well, such as XX vulnerabilities.


Within this section, we're going  to cover Juice Shop. So, what is Juice Shop?

It's a website that you can order juice or any other related products. But, of course, it's a vulnerable website. We're going to actually install this website on a cloud server, and we're going to do everything we have learned so far. We're going to practice everything we have learned so far. It's going to be great. Let me show you what I mean. I'm going to go over to google.com and just find the Juice Shop and the related websites. So, I'm going  to show you how to install this, how to use this. First of all, you're going  to have to know about the OWASP. We have talked about this before, but I'm going to show you what I mean. So, let me just search for Juice Shop OWASP. Like that. You don't have to do this by the way. I'm just going to show you why are we doing this, and what it is. I'm going to open  the owasp.org and let's open this OWASP Juice Shop GitHub page as well. So, here you go. OWASP is the Open Web Application Security Project. And we have covered this a little bit before. And Juice Shop is one of the projects of the OWASP.

So, OWASP is a foundation as I said before. They are trying to make Internet a better place, a safer place by finding vulnerabilities and helping web developers to overcome these vulnerabilities or difficulties they experience in daily routines and just develop  a better web applications  or better websites so that they cannot get hacked or something like that. They make just  safer websites. So, OWASP is a tool for that as well. So, this is a vulnerable project, and the beauty of this project is it's very up-to-date. So, it's not using the old technologies; it's using the latest technologies. I'm going  to talk about that a little bit more before. So, let me first go to owasp.org. As you can see, it's Open Web Application Security Project, and this is a foundation as I said before, it's a non-profit organization, and they are very cool. If you come over here  to 'PROJECTS', you can see Juice Shop is one of them, but OWASP Top Ten is one of them as well. So, OWASP Top Ten, maybe you have heard this term before. It contains the 10 most popular vulnerabilities that can be seen in the Internet. And actually, we have covered many of those, like injections, broken authentication, sensitive data exposure.

So, these are the vulnerabilities that we covered in the previous sections, and we're going  to learn about new things in this section as well, like XML external entities. So, we covered the XXS, for example. We didn't cover the fourth one. So, XXE, we're going  to cover this in this section. So, we're going  to practice what we have learned so far. But on top of that, we're going  to learn new stuff as well. So, trust me. This is going to be great. This is one of the most entertaining sections that we're going  to get, and that we're going to see in this course. So, if we come back to Juice Shop as you can see, it's written in Node.js, Express and Angular. So, these are the popular frameworks or popular tools that we use today in web application development, in web development generally. And it's very up-to-date. So, it's not using old technologies; it's using the latest technologies, but it's still is very easy to do misconfigurations or write some nodes where you save codes and the latest technologies as well. So, this will be the closest thing that we're going to see to a real web application pentesting. Of course, they're very easy challenges that we're going to see as well. But it's the nature of this; it's a vulnerable website. It's made to teach us how to find these vulnerabilities, and how to make them right.

So, it's kind of a CTF like capture the flag challenge, but it's much more than that. It's a whole project. It's not something that you can do within a day or within a couple of hours. So, let me go to GitHub page. As you can see,  we can see all the codes. So, it's totally open-source. It's very good. And there are couple of ways to install this. Deploying on Heroku, which is a cloud server, and we can just clone this and run it on our own web server to test this. Since we have done the running locally thing before, I'm going to just go to heroku.com or github.com, and I'm going to fork this to my own GitHub. Actually, I have forked this to my own GitHub. I'm going  to share the link with you guys so that you can just follow me and install this on Heroku. Because this time, we're going to just have all of this stuff in cloud so that we can have a real-life experience as well. So, this is the link that you're going  to have to come over. I'm going to share this link  at the resources of this lecture as well, but it's basically github.com my name atilsamancioglu/juice-shop. I'm going  to show you how to set this up, and how to deploy this on Heroku and what is Heroku generally in the next lecture. So, come over here and meet me in the next lecture to set this up.

About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.