Skip to content

Latest commit

 

History

History
31 lines (24 loc) · 2.39 KB

README.md

File metadata and controls

31 lines (24 loc) · 2.39 KB

OWASP Juice Shop Security Testing Script

This GitHub repository contains a Bash script designed for security testing of the OWASP Juice Shop, a deliberately insecure web application used for training and testing purposes. The script performs various types of attacks and exploits to demonstrate common security vulnerabilities in web applications.

Script Features

  1. Injection Attacks: Uses SQL injection techniques to manipulate the Juice Shop's product search API.
  2. Broken Authentication and Session Management: Attempts to log in with random credentials and access user information.
  3. Cross-Site Scripting (XSS): Injects a script tag into the feedback API to test for XSS vulnerabilities.
  4. Insecure Direct Object References: Tries to access BasketItems directly through their IDs.
  5. Security Misconfiguration: Checks for publicly accessible robots.txt.
  6. Sensitive Data Exposure: Attempts to expose sensitive data like passwords during the login process.
  7. Cross-Site Request Forgery (CSRF): Simulates a CSRF attack by submitting feedback with a forged referer header.
  8. Using Components with Known Vulnerabilities: Tries to exploit known vulnerabilities in the Juice Shop's components.
  9. Insufficient Logging and Monitoring: Tests the application's logging capabilities by making requests to the BasketItems API.
  10. Cleanup: Removes the cookie.txt file generated during the testing.

Usage Scenario

This script is intended for educational purposes, particularly for cybersecurity professionals, penetration testers, and developers looking to understand and test for common web application vulnerabilities.

Prerequisites

  • Access to an instance of OWASP Juice Shop, typically running locally.
  • A Bash shell environment to execute the script.
  • curl installed for making HTTP requests.

Security and Best Practices

  • Use this script only in a safe, controlled environment, such as a local setup of the OWASP Juice Shop.
  • Do not use this script against any web application without explicit permission, as it performs potentially harmful actions that simulate real attacks.

This readme summary provides an overview of the script's functionality, emphasizing its role in demonstrating and testing common web application vulnerabilities using OWASP Juice Shop. It serves as a guide for users aiming to learn about web security through practical testing scenarios.