
SEC-101 Lab 7: OWASP Juice Shop Walkthrough


Week: 9
Graded: Yes
Time estimate: 90-120 minutes
Tools: OWASP Juice Shop (Docker); OWASP ZAP or Burp Suite Community; browser developer tools


Learning objective

Complete at least 12 challenges across the OWASP Top 10 categories in OWASP Juice Shop. Document each technique and the underlying vulnerability class. (Bloom's L3: Apply -- exploit each vulnerability class in a controlled, authorized environment; L4: Analyze -- identify which OWASP category each challenge belongs to and why.)


Setup

If Juice Shop is not already running from Lab 5:

docker run -p 3000:3000 bkimminich/juice-shop

Open http://localhost:3000.

Install an HTTP proxy (optional but recommended)

For challenges involving request manipulation, an HTTP proxy (OWASP ZAP or Burp Suite Community) lets you intercept and modify HTTP requests between your browser and Juice Shop.

OWASP ZAP (free, open-source):

  • Download from zaproxy.org.
  • Launch ZAP, configure your browser to use ZAP's proxy (default: localhost:8080).
  • Or use ZAP's built-in browser.

Burp Suite Community (free):

  • Download from portswigger.net/burp.
  • Launch Burp, use the Proxy tab, configure your browser to use localhost:8080.
  • Or use Burp's built-in Chromium browser.

For SEC-101 lab purposes, browser developer tools (Network tab) are sufficient for most challenges. The proxy becomes more useful in PEN-101.


Step-by-step instructions

Complete at least 12 challenges from the Juice Shop score board (http://localhost:3000/#/score-board). You must complete at least one challenge from each of the following OWASP Top 10 categories:

Required categories (complete at least one from each):

A01: Broken Access Control -- Look for challenges involving accessing admin functionality, other users' data (IDOR), or bypass of access restrictions.

A02: Cryptographic Failures -- Look for challenges involving sensitive data in plaintext, exposed credentials in API responses, or weak hashing.

A03: Injection -- Look for challenges involving SQL injection in search fields, login forms, or other input fields.

A05: Security Misconfiguration -- Look for challenges involving directory listing, exposed endpoints, misconfigured security headers, or admin interfaces with default credentials.

A07: Identification and Authentication Failures -- You already completed challenges in this category in Lab 5. For Lab 7, complete one additional challenge that you did not complete in Lab 5.

A08: Software and Data Integrity Failures -- Look for challenges involving manipulating a JWT token or bypassing signature verification.

XSS (part of A03 Injection in the 2021 list) -- Look for reflected XSS, stored XSS, and DOM-based XSS challenges.

How to document each challenge

For each of the 12 challenges, write in your lab notebook:

  1. Challenge name from the score board.
  2. OWASP category (A01, A02, A03, etc.).
  3. Vulnerability class (e.g., IDOR, SQLi, stored XSS, weak password storage, misconfiguration).
  4. Technique used (what you did, step by step -- enough detail that another student could reproduce it).
  5. The correct defense (what the developer should have done to prevent this vulnerability).

Example documentation entry

Challenge: Admin Section
OWASP category: A05 Security Misconfiguration
Vulnerability class: Exposed admin interface, no server-side access control
Technique: Browsed to http://localhost:3000/#/administration directly without being an admin. The route is only hidden from the navigation menu; the path is present in the client-side JavaScript bundle and is accessible to any logged-in user without server-side role verification.
Defense: The administration API endpoints must check on the server that the requesting user has admin role before returning any data. Client-side route hiding is not access control.
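
One way to implement the defense in that entry, as an added example written for this lab page rather than code from the Juice Shop project: the broken handler returns administration data to any logged-in user, while the fixed handler wraps it in a server-side role check that reads the role only from the server's own session record and logs every denial. The session store, session ids, `/api/administration` path and returned data are all constructed for the demo.

```javascript
// Added example for this lab page, not Juice Shop code. Shows the Admin Section flaw
// (data returned to any logged-in user) beside a server-side role check. Session ids,
// the session store, the route path and the data are constructed for the demo.

// Constructed server-side session store: the role lives here, never in the request.
const SESSION_STORE = new Map([
  ['sid-admin-0001', { userId: 1, email: 'admin@example.test', role: 'admin' }],
  ['sid-user-0002', { userId: 2, email: 'alice@example.test', role: 'customer' }],
]);

// Constructed data the administration endpoint returns.
const ADMIN_DATA = { userCount: 2, pendingOrders: 5 };

// Audit trail of denied requests: the signal a defender would forward to a SIEM.
const auditLog = [];

// Identity comes only from the server-side store, keyed by the session cookie.
function resolveSession(req) {
  const sid = req.cookies ? req.cookies.sid : undefined;
  return (sid && SESSION_STORE.get(sid)) || null;
}

// BROKEN: the route is hidden in the client bundle, but the server hands the data
// to any authenticated user.
function adminHandlerBroken(req) {
  const session = resolveSession(req);
  if (!session) return { status: 401, body: { error: 'login required' } };
  return { status: 200, body: ADMIN_DATA };
}

// FIXED: wrap the handler in a server-side role check. Anything the client claims
// about its own role (headers, body fields) is never consulted.
function requireRole(role, handler) {
  return function guarded(req) {
    const session = resolveSession(req);
    if (!session) return { status: 401, body: { error: 'login required' } };
    if (session.role !== role) {
      auditLog.push({
        event: 'authz_denied', path: req.path, userId: session.userId,
        required: role, actual: session.role,
      });
      return { status: 403, body: { error: 'forbidden' } };
    }
    return handler(req, session);
  };
}

const adminHandlerFixed = requireRole('admin', () => ({ status: 200, body: ADMIN_DATA }));

// Constructed requests. The customer also asserts admin in a header, which is ignored.
const adminRequest = { path: '/api/administration', cookies: { sid: 'sid-admin-0001' }, headers: {} };
const customerRequest = {
  path: '/api/administration', cookies: { sid: 'sid-user-0002' }, headers: { 'x-role': 'admin' },
};
const anonRequest = { path: '/api/administration', cookies: {}, headers: {} };

// Runs the requests through both handlers and reports the status codes.
function runDemo() {
  auditLog.length = 0;
  return {
    brokenCustomer: adminHandlerBroken(customerRequest).status, // 200: the vulnerability
    fixedAdmin: adminHandlerFixed(adminRequest).status,         // 200
    fixedCustomer: adminHandlerFixed(customerRequest).status,   // 403
    fixedAnon: adminHandlerFixed(anonRequest).status,           // 401
    deniedEvents: auditLog.length,                              // 1
    deniedPath: auditLog.length ? auditLog[0].path : null,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```

Note that the fix does nothing to the client: the route can stay in the JavaScript bundle, because the server no longer trusts the client to enforce who may call it. The `authz_denied` records are also what you would look for when hunting for this kind of probing in logs.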


Deliverable

Documentation for all 12 (minimum) challenges in the format above. Then write a 200-word capstone reflection covering:

  1. Which OWASP category had the most challenges in Juice Shop and why you think Juice Shop emphasizes it.
  2. Which challenge was most surprising (a vulnerability you didn't expect) and what it changed about how you think about that category.
  3. One question the lab raised that you don't know the answer to. This is the forward pointer for PEN-101 or RE-011.

Grading rubric

Criterion: At least 12 challenges documented (one per required category, remainder from any)
Points: 60
Notes: 5 points each; all four documentation fields required per challenge

Criterion: All seven required OWASP categories represented
Points: 14
Notes: 2 points per category

Criterion: Capstone reflection: all three questions answered
Points: 18
Notes: The "question I don't know the answer to" must be a genuine technical question, not "how do I get better at CTF?"

Criterion: Technique descriptions are reproducible (enough detail to follow)
Points: 8
Notes: Spot-checked against two challenges

Total: 100 points

Important note on scope

This lab is authorized against your Juice Shop instance (localhost:3000) or an instructor-provided URL only. The techniques in this lab, including SQL injection, XSS payloads, and authentication bypass, are illegal against any system you do not own or have explicit written authorization to test.


picoCTF connection

The Juice Shop walkthrough covers the same vulnerability classes as the picoCTF Web Exploitation intermediate and advanced challenges. After this lab, return to the picoCTF Web Exploitation category. Challenges that seemed opaque before will map to specific OWASP categories you've now applied in practice. Forward pointer: if you get stuck on a picoCTF Web Exploitation challenge, ask "which OWASP category does this challenge's hint suggest?" and trace the answer back to what you did in Juice Shop.


Lab 7 of 9. Next: Lab 8 (CVE-record-walk, Week 11).