Let me introduce you to the best hacker sandbox: Juice Shop.
I’m not a hacker, but as a software engineer, I try to stay updated on the most common vulnerabilities and how to avoid them.
For that, I wanted to write this introduction to one of the best hacker sandboxes: the Juice Shop. But before that, let me explain where it comes from.
Code can sometimes contain bugs like the one that doomed Mariner 1 (which cost NASA $18.5 million in 1962), or any of the other most costly errors in software history. Other bugs look harmless until someone exploits them; at that point the bug is a vulnerability, and vulnerabilities cost a great deal of pain and money.
To help companies avoid exposing such vulnerabilities, there is a project called OWASP (Open Web Application Security Project). OWASP documents the most common classes of web vulnerabilities (its best-known output is the OWASP Top 10) and educates developers on how to avoid them.
The Juice Shop is a self-contained, deliberately vulnerable web application that you can run on your local machine in various ways and then attack with those common vulnerabilities, legally and without harming anyone.
It's quite fun; it even shows a confetti animation when you solve a new challenge!
You can practise different types of attacks, such as the popular SQL injection, cross-site scripting (XSS), URL manipulation and many more.
We will use the Docker container installation:
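To make the first attack class in that list concrete, here is an added example written for this page (generic illustration code, not the Juice Shop's own code or schema): a login check built two ways in Python with SQLite, the injectable version next to the parameterized fix. The table name, columns, users and passwords are constructed for the demo, and the passwords are stored in plain text only to keep the queries readable.

```python
import sqlite3

# Constructed sample users; plaintext passwords only so the queries stay readable.
# Not Juice Shop's schema or data.
USERS = [("admin@example.com", "admin-secret"), ("user@example.com", "user-pw")]


def make_db():
    """In-memory SQLite database standing in for the shop's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.executemany("INSERT INTO users (email, password) VALUES (?, ?)", USERS)
    return db


def vulnerable_login(db, email, password):
    """Builds the statement by string interpolation, so user input is parsed as SQL."""
    sql = f"SELECT email FROM users WHERE email = '{email}' AND password = '{password}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(db, email, password):
    """Parameterized statement: the driver binds the input as data, never as SQL."""
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    row = db.execute(sql, (email, password)).fetchone()
    return row[0] if row else None


def demo():
    """Classic bypass payloads against both versions; returns who each call logged in as."""
    db = make_db()
    payloads = {
        "tautology": ("' OR 1=1--", "anything"),          # '' OR 1=1, rest commented out
        "targeted": ("admin@example.com'--", "anything"),  # comments out the password check
    }
    return {
        name: {"vulnerable": vulnerable_login(db, e, p), "safe": safe_login(db, e, p)}
        for name, (e, p) in payloads.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} vulnerable -> {result['vulnerable']!r:22s} safe -> {result['safe']!r}")
```

Run it to see the injectable version log the attacker in as the first user in the table, while the parameterized version returns None for exactly the same input. The fix is the same in any language: never concatenate user input into SQL, bind it as a parameter.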
- Install Docker
- Run
docker pull bkimminich/juice-shop
- Run
docker run --rm -p 3000:3000 bkimminich/juice-shop
- Browse to http://localhost:3000 (on macOS and Windows, browse to http://192.168.99.100:3000 if you are using docker-machine instead of the native Docker installation)
Once it is running, you will want an intercepting proxy (such as OWASP ZAP) to capture all the traffic between your browser and the Juice Shop. This lets you modify the payloads of the requests and discover vulnerabilities faster.
With the proxy installed, configure your browser to send all of its traffic to the proxy, which then forwards it to the Juice Shop server.
To do that, install the FoxyProxy extension for Firefox and point it at the address ZAP is listening on (localhost:8080 by default).
You will also need to import the OWASP ZAP root CA certificate into your browser; ZAP decrypts HTTPS traffic by re-signing each server certificate with its own CA, and without trusting that CA the browser will reject every HTTPS connection. The local Juice Shop runs over plain HTTP on port 3000, so this only matters once you proxy HTTPS targets.
Then enable the proxy's breakpoints (break on all requests in ZAP) so that every HTTP request is held before it is forwarded.
This way you can see how the application behaves, which parameters are sent and received, and change the payloads as you please. If you edit a request body by hand, remember that the Content-Length header has to match the new body; ZAP updates it for you.
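To show what an intercepting proxy actually does between the browser and the shop, here is an added example written for this page (not ZAP's or the Juice Shop's code): a toy HTTP forward proxy in Python that records every request and passes it through a rewrite hook before forwarding, the same interception point ZAP's break mode exposes interactively, plus a small echo server standing in for the Juice Shop. The /login path, the JSON field names and the admin@example.com value are placeholders, not Juice Shop identifiers. It handles plain HTTP only; HTTPS interception is what ZAP's CA certificate is for.

```python
import http.client
import http.server
import json
import threading
import urllib.parse


class InterceptHandler(http.server.BaseHTTPRequestHandler):
    """One proxied request: read it, hand it to the rewrite hook, forward, relay the reply."""
    protocol_version = "HTTP/1.1"

    def _handle(self):
        # A client talking to a forward proxy sends an absolute URL in the request line.
        target = urllib.parse.urlsplit(self.path)
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("host", "content-length", "proxy-connection")}
        path = target.path + ("?" + target.query if target.query else "")
        # Interception point: the hook may change path, headers or body (ZAP's break mode).
        path, headers, body = self.server.rewrite(self.command, path, headers, body)
        headers["Host"] = target.netloc
        headers["Content-Length"] = str(len(body))  # must match the (possibly edited) body
        self.server.log.append((self.command, path, body))

        upstream = http.client.HTTPConnection(target.hostname, target.port or 80, timeout=5)
        upstream.request(self.command, path, body=body, headers=headers)
        resp = upstream.getresponse()
        data = resp.read()
        upstream.close()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in ("content-length", "transfer-encoding", "connection"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = _handle

    def log_message(self, *args):  # keep stderr quiet
        pass


class InterceptingProxy(http.server.ThreadingHTTPServer):
    def __init__(self, address, rewrite):
        super().__init__(address, InterceptHandler)
        self.rewrite = rewrite  # hook(method, path, headers, body) -> (path, headers, body)
        self.log = []           # requests as actually forwarded


class EchoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the Juice Shop: echoes the JSON body it receives."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.server.received.append((self.path, body))
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def swap_email(method, path, headers, body):
    """Example hook: rewrite the 'email' field of a JSON login body (placeholder value)."""
    if method == "POST" and body:
        data = json.loads(body)
        if "email" in data:
            data["email"] = "admin@example.com"
        body = json.dumps(data).encode()
    return path, headers, body


def demo():
    """Start echo backend and proxy on ephemeral localhost ports; send one POST via the proxy."""
    backend = http.server.HTTPServer(("127.0.0.1", 0), EchoHandler)
    backend.received = []
    proxy = InterceptingProxy(("127.0.0.1", 0), swap_email)
    for srv in (backend, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        # Like a browser configured for a proxy: connect to the proxy, ask for the full URL.
        client = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
        url = "http://127.0.0.1:%d/login" % backend.server_address[1]  # "/login" is a placeholder
        payload = json.dumps({"email": "user@example.com", "password": "pw"}).encode()
        client.request("POST", url, body=payload, headers={"Content-Type": "application/json"})
        echoed = json.loads(client.getresponse().read())
        client.close()
    finally:
        for srv in (proxy, backend):
            srv.shutdown()
            srv.server_close()
    return {"proxy_log": proxy.log, "backend_saw": backend.received, "response": echoed}


if __name__ == "__main__":
    print(json.dumps(demo(), default=repr, indent=2))
```

Run it directly to see that the backend receives the rewritten body, not the one the client sent. Note that the proxy recomputes Content-Length after the hook has run; when you edit a body by hand in ZAP's break dialog, ZAP does the same for you.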
The Juice Shop has a Score Board that lets you track your progress and see which challenges you have not solved yet (finding the Score Board is itself the very first challenge).
Some useful links:
- In-depth guide to installation and to the challenges (Pwning OWASP Juice Shop) – https://pwning.owasp-juice.shop/
- Github Page – https://github.com/juice-shop/juice-shop
- OWASP Top 10 – https://owasp.org/www-project-top-ten/
- The Juice Shop page – https://owasp.org/www-project-juice-shop/
Now you can hit the Juice Shop and start becoming a true hacker!