You've spent some time learning about OWASP's list of common vulnerabilities and how to prevent them, but now it's time to get into the mind of an attacker. You're going to use all of your security knowledge to test a running application and see how vulnerable it is. Learning to think from this perspective will help you build more secure applications.
Your group will set up a shared web application running on the internet as well as a local version on each of your computers. As a group, you're going to try and complete as many challenges as you can to find this application's vulnerabilities.
Everything you need to know about this project is on this documentation site. It's in a book format and you can read through some of the important chapters on your own:
Click the Deploy to Heroku button, then the Deploy app button. Once the build is complete, click the View button. This will open your group's deployed site. Welcome to the Juice Shop! Copy the URL and share it in your group's Slack channel.
While you are waiting for the Heroku build to complete, you can get your local app set up.
cd into your cloned repo, then run npm install followed by npm start.
Note: The public app hosted on Heroku is for your group to show your overall progress; however, it's meant for ONE person to use at a time.
When you first open the app, a modal window pops up and tells you about the project. The red graduation cap icon will start a tutorial popup. Keep clicking on the popup to get the next hint.
The first challenge is to find the Score Board page on this website that tells you about all the other challenges and keeps track of your progress. Guess the URL if you can, or better yet, open the Chrome DevTools and find the URL somewhere in the JavaScript code on the Sources tab (hint: click the `{}` button to pretty print the minified source code with indentation and newlines).
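The lesson behind this challenge is that a route which is merely unlinked from the navigation is still visible to anyone who reads the shipped JavaScript. The following is an added example, not code from this assignment or from the Juice Shop project: a small check a developer could run over their own built bundle to list route paths that are not on an allowlist of intentionally public routes. It assumes compiled Angular-style route literals of the form path:"..." (an assumption about the bundle format), and the bundle text and allowlist below are constructed for illustration.

```javascript
// Added example (not from the assignment page or the Juice Shop project).
// Scans front-end bundle text for route path literals and reports any that
// are not on the allowlist of routes intended to be reachable from the UI.
// Assumption: routes appear as  path:"something"  or  path:'something'  as
// they do in compiled Angular route tables. The sample bundle is constructed.

const SAMPLE_BUNDLE =
  '...{path:"",component:Xe},{path:"login",component:Qe},' +
  '{path:"score-board",component:Ze},' +
  '{path:"administration",component:We,canActivate:[He]},' +
  '{path:"login",component:Qe}...'; // duplicate on purpose, to show de-duplication

// Routes the developer intends to expose in navigation (constructed allowlist).
const PUBLIC_ROUTES = new Set(["", "login"]);

// Return the distinct route paths found in the bundle text, in order of first appearance.
function extractRoutePaths(bundleText) {
  const routePattern = /path:["']([^"']*)["']/g;
  const paths = new Set();
  let match;
  while ((match = routePattern.exec(bundleText)) !== null) {
    paths.add(match[1]);
  }
  return [...paths];
}

// Return the sorted list of route paths present in the bundle but absent from the allowlist.
// A non-empty result means the bundle exposes paths the navigation does not advertise.
function findUnlistedRoutes(bundleText, allowlist = PUBLIC_ROUTES) {
  return extractRoutePaths(bundleText)
    .filter((path) => !allowlist.has(path))
    .sort();
}

// Usage: run the check over the constructed bundle and print what it finds.
console.log("routes in bundle:", extractRoutePaths(SAMPLE_BUNDLE));
console.log("unlisted routes:", findUnlistedRoutes(SAMPLE_BUNDLE));
```

Run this against a real production bundle by reading the file into a string in place of SAMPLE_BUNDLE; anything it reports should be protected by server-side authorization rather than by being left out of the menu.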
As a group, you are trying to complete as many of the challenges as you can. Each challenge is listed in the Score Board page and is ranked by difficulty: 1 star for easy challenges, 6 for the hardest ones. Click the number of stars to get a filtered list of all the challenges in that difficulty. The app will track which you've completed.
There are two ways your group can accomplish this, and I'll let you decide. Option 1: one of you opens the app on Heroku and acts as the driver while the rest of you watch through a Slack call and help navigate. You all work on one challenge at a time so that everyone stays on the same page as the navigators follow along on their local versions. Option 2: you keep a group call going but split up, each working on your own challenge on your local app. When you've solved it, you open the Heroku app and walk your group through what you did.
Either way, you each can track individual progress locally and group progress on Heroku.
This chapter in the book will give you hints if you are stuck, but try attempting them a few times on your own first. The Score Board page also has the red graduation cap icon for an interactive tutorial for some of the challenges, too!
Some of the harder challenges require other tools or more knowledge of the code or scripting, but we won't bother with these right now. All you need right now is the browser and your terminal. But you could also use this as an excuse to learn how cURL works. It could come in handy!