|
1 | | -#  OWASP Juice Shop |
2 | 1 |
|
3 | | -[](https://owasp.org/projects/#sec-flagships) |
4 | | -[](https://github.com/juice-shop/juice-shop/releases/latest) |
5 | | -[](https://twitter.com/owasp_juiceshop) |
6 | | -[](https://reddit.com/r/owasp_juiceshop) |
| 2 | +<h1 align="center">Securing your code with GitHub Advanced Security</h1> |
| 3 | +<h5 align="center">@joshjohanning @mickeygousset</h3> |
7 | 4 |
|
8 | | - |
9 | | -[](https://codeclimate.com/github/juice-shop/juice-shop/test_coverage) |
10 | | -[](https://codeclimate.com/github/juice-shop/juice-shop/maintainability) |
11 | | -[](https://codeclimate.com/github/juice-shop/juice-shop/trends/technical_debt) |
12 | | -[](https://dashboard.cypress.io/projects/3hrkhu/runs) |
13 | | -[](https://www.bestpractices.dev/projects/223) |
14 | | - |
15 | | -[](CODE_OF_CONDUCT.md) |
| 5 | +<p align="center"> |
| 6 | + <a href="#mega-prerequisites">Prerequisites</a> |
| 7 | + <a href="#workshop-labs">Workshop Labs</a> |
| 8 | + <a href="#book-resources">Resources</a> |
| 9 | +</p> |
16 | 10 |
|
17 | | -> [The most trustworthy online shop out there.](https://twitter.com/dschadow/status/706781693504589824) |
18 | | -> ([@dschadow](https://github.com/dschadow)) — |
19 | | -> [The best juice shop on the whole internet!](https://twitter.com/shehackspurple/status/907335357775085568) |
20 | | -> ([@shehackspurple](https://twitter.com/shehackspurple)) — |
21 | | -> [Actually the most bug-free vulnerable application in existence!](https://youtu.be/TXAztSpYpvE?t=26m35s) |
22 | | -> ([@vanderaj](https://twitter.com/vanderaj)) — |
23 | | -> [First you 😂😂then you 😢](https://twitter.com/kramse/status/1073168529405472768) |
24 | | -> ([@kramse](https://twitter.com/kramse)) — |
25 | | -> [But this doesn't have anything to do with juice.](https://twitter.com/coderPatros/status/1199268774626488320) |
26 | | -> ([@coderPatros' wife](https://twitter.com/coderPatros)) |
| 11 | +- **Who is this for**: Enterprise - Engineering Leadership, Enterprise - Developers, Open Source Developers or Maintainers, Security Professionals, Startups, Security Leadership, Educators |
| 12 | +- **What you'll learn**: Here at GitHub, we like to say that "found means fixed." That's because when issues are found they can more easily be fixed. In this workshop you'll dive into a repository filled with security alerts and begin to remediate them using GitHub Advanced Security (GHAS) and Dependabot, effectively maintaining code integrity. You'll also encounter and resolve a few security issues using GitHub Codespaces and GitHub Copilot. The end goal? To learn and develop strategies to motivate your developers to turn reactive fixes into proactive security habits. |
27 | 13 |
|
28 | | -OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security |
29 | | -trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the |
30 | | -entire |
31 | | -[OWASP Top Ten](https://owasp.org/www-project-top-ten) along with many other security flaws found in real-world |
32 | | -applications! |
| 14 | +--- |
33 | 15 |
|
34 | | - |
| 16 | +## Workshop Labs |
35 | 17 |
|
36 | | -For a detailed introduction, full list of features and architecture overview please visit the official project page: |
37 | | -<https://owasp-juice.shop> |
| 18 | +### Lab 1 - GitHub Advanced Security Feature Introduction |
38 | 19 |
|
39 | | -## Table of contents |
| 20 | +This lab will introduce you to GitHub Advanced Security (GHAS) and its features. |
40 | 21 |
|
41 | | -- [Setup](#setup) |
42 | | - - [From Sources](#from-sources) |
43 | | - - [Packaged Distributions](#packaged-distributions) |
44 | | - - [Docker Container](#docker-container) |
45 | | - - [Vagrant](#vagrant) |
46 | | -- [Demo](#demo) |
47 | | -- [Documentation](#documentation) |
48 | | - - [Node.js version compatibility](#nodejs-version-compatibility) |
49 | | - - [Troubleshooting](#troubleshooting) |
50 | | - - [Official companion guide](#official-companion-guide) |
51 | | -- [Contributing](#contributing) |
52 | | -- [References](#references) |
53 | | -- [Merchandise](#merchandise) |
54 | | -- [Donations](#donations) |
55 | | -- [Contributors](#contributors) |
56 | | -- [Licensing](#licensing) |
| 22 | +- Get started here - [Lab 1](./_labs/lab1.md) |
57 | 23 |
|
58 | | -## Setup |
| 24 | +--- |
59 | 25 |
|
60 | | -> You can find some less common installation variations as well as instructions to run Juice Shop on a variety of cloud computing providers in |
61 | | -> [the _Running OWASP Juice Shop_ documentation](https://pwning.owasp-juice.shop/companion-guide/latest/part1/running.html). |
| 26 | +### Lab 2 - Reviewing and Managing Security Alerts |
62 | 27 |
|
63 | | -### From Sources |
| 28 | +This lab will show you how to review and managed the alerts created in Lab 1. |
64 | 29 |
|
65 | | - |
| 30 | +- Get started here - [Lab 2](./_labs/lab2.md) |
66 | 31 |
|
67 | | -1. Install [node.js](#nodejs-version-compatibility) |
68 | | -2. Run `git clone https://github.com/juice-shop/juice-shop.git --depth 1` (or |
69 | | - clone [your own fork](https://github.com/juice-shop/juice-shop/fork) |
70 | | - of the repository) |
71 | | -3. Go into the cloned folder with `cd juice-shop` |
72 | | -4. Run `npm install` (only has to be done before first start or when you change the source code) |
73 | | -5. Run `npm start` |
74 | | -6. Browse to <http://localhost:3000> |
| 32 | +--- |
75 | 33 |
|
76 | | -### Packaged Distributions |
| 34 | +### Lab 3 - Hands-on with Code Scanning |
77 | 35 |
|
78 | | -[](https://github.com/juice-shop/juice-shop/releases/latest) |
79 | | -[](https://sourceforge.net/projects/juice-shop/) |
80 | | -[](https://sourceforge.net/projects/juice-shop/) |
| 36 | +This lab will have you add some bad code, utilize repository rulesets to block the code, and Copilot Autofix to fix the code. |
81 | 37 |
|
82 | | -1. Install a 64bit [node.js](#nodejs-version-compatibility) on your Windows, MacOS or Linux machine |
83 | | -2. Download `juice-shop-<version>_<node-version>_<os>_x64.zip` (or |
84 | | - `.tgz`) attached to |
85 | | - [latest release](https://github.com/juice-shop/juice-shop/releases/latest) |
86 | | -3. Unpack and `cd` into the unpacked folder |
87 | | -4. Run `npm start` |
88 | | -5. Browse to <http://localhost:3000> |
| 38 | +- Get started here - [Lab 3](./_labs/lab3.md) |
89 | 39 |
|
90 | | -> Each packaged distribution includes some binaries for `sqlite3` and |
91 | | -> `libxmljs` bound to the OS and node.js version which `npm install` was |
92 | | -> executed on. |
| 40 | +--- |
93 | 41 |
|
94 | | -### Docker Container |
| 42 | +### Lab 4 - Hands-on with Dependency Review |
95 | 43 |
|
96 | | -[](https://hub.docker.com/r/bkimminich/juice-shop) |
97 | | - |
98 | | -[](https://microbadger.com/images/bkimminich/juice-shop |
99 | | -"Get your own image badge on microbadger.com") |
100 | | -[](https://microbadger.com/images/bkimminich/juice-shop |
101 | | -"Get your own version badge on microbadger.com") |
| 44 | +This lab will have you utilize the Dependency Review action to stop a bad vulnerability in a pull request. |
102 | 45 |
|
103 | | -1. Install [Docker](https://www.docker.com) |
104 | | -2. Run `docker pull bkimminich/juice-shop` |
105 | | -3. Run `docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop` |
106 | | -4. Browse to <http://localhost:3000> (on macOS and Windows browse to |
107 | | - <http://192.168.99.100:3000> if you are using docker-machine instead of the native docker installation) |
| 46 | +- Get started here - [Lab 4](./_labs/lab4.md) |
108 | 47 |
|
109 | | -### Vagrant |
| 48 | +--- |
110 | 49 |
|
111 | | -1. Install [Vagrant](https://www.vagrantup.com/downloads.html) and |
112 | | - [Virtualbox](https://www.virtualbox.org/wiki/Downloads) |
113 | | -2. Run `git clone https://github.com/juice-shop/juice-shop.git` (or |
114 | | - clone [your own fork](https://github.com/juice-shop/juice-shop/fork) |
115 | | - of the repository) |
116 | | -3. Run `cd vagrant && vagrant up` |
117 | | -4. Browse to [192.168.56.110](http://192.168.56.110) |
| 50 | +### Lab 5 - Hands-on with Secret Scanning |
118 | 51 |
|
119 | | -## Demo |
| 52 | +This lab will have you utilize Secret Scanning with Push Protection to prevent secrets from entering the codebase. |
120 | 53 |
|
121 | | -Feel free to have a look at the latest version of OWASP Juice Shop: |
122 | | -<http://demo.owasp-juice.shop> |
| 54 | +- Get started here - [Lab 5](./_labs/lab5.md) |
123 | 55 |
|
124 | | -> This is a deployment-test and sneak-peek instance only! You are __not |
125 | | -> supposed__ to use this instance for your own hacking endeavours! No |
126 | | -> guaranteed uptime! Guaranteed stern looks if you break it! |
| 56 | +--- |
127 | 57 |
|
128 | | -## Documentation |
129 | | - |
130 | | -### Node.js version compatibility |
131 | | - |
132 | | - |
133 | | - |
134 | | - |
135 | | -OWASP Juice Shop officially supports the following versions of |
136 | | -[node.js](http://nodejs.org) in line with the official |
137 | | -[node.js LTS schedule](https://github.com/nodejs/LTS) as close as possible. Docker images and packaged distributions are |
138 | | -offered accordingly. |
139 | | - |
140 | | -| node.js | Supported | Tested | [Packaged Distributions](#packaged-distributions) | [Docker images](#docker-container) from `master` | [Docker images](#docker-container) from `develop` | |
141 | | -|:--------|:------------------------|:----------------------------------------------------------|:--------------------------------------------------|:-------------------------------------------------|:--------------------------------------------------| |
142 | | -| 23.x | :x: | :x: | | | | |
143 | | -| 22.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | | | |
144 | | -| 21.x | ( :heavy_check_mark: ) | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | | | |
145 | | -| 20.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | `latest` (`linux/amd64`, `linux/arm64`) | `snapshot` (`linux/amd64`, `linux/arm64`) | |
146 | | -| 19.x | ( :heavy_check_mark: ) | :x: | | | | |
147 | | -| 18.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | | | |
148 | | -| <18.x | :x: | :x: | | | | |
149 | | - |
150 | | -Juice Shop is automatically tested _only on the latest `.x` minor version_ of each node.js version mentioned above! |
151 | | -There is no guarantee that older minor node.js releases will always work with Juice Shop! |
152 | | -Please make sure you stay up to date with your chosen version. |
153 | | - |
154 | | -### Troubleshooting |
155 | | - |
156 | | -[](https://gitter.im/bkimminich/juice-shop) |
157 | | - |
158 | | -If you need help with the application setup please check our |
159 | | -[our existing _Troubleshooting_](https://pwning.owasp-juice.shop/appendix/troubleshooting.html) |
160 | | -guide. If this does not solve your issue please post your specific problem or question in the |
161 | | -[Gitter Chat](https://gitter.im/bkimminich/juice-shop) where community members can best try to help you. |
162 | | - |
163 | | -:stop_sign: **Please avoid opening GitHub issues for support requests or questions!** |
164 | | - |
165 | | -### Official companion guide |
166 | | - |
167 | | -[](https://www.goodreads.com/review/edit/49557240) |
168 | | - |
169 | | -OWASP Juice Shop comes with an official companion guide eBook. It will give you a complete overview of all |
170 | | -vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even |
171 | | -find complete step-by-step solutions to every challenge. Extensive documentation of |
172 | | -[custom re-branding](https://pwning.owasp-juice.shop/companion-guide/latest/part4/customization.html), |
173 | | -[CTF-support](https://pwning.owasp-juice.shop/companion-guide/latest/part4/ctf.html), |
174 | | -[trainer's guide](https://pwning.owasp-juice.shop/companion-guide/latest/part4/trainers.html) |
175 | | -and much more is also included. |
176 | | - |
177 | | -[Pwning OWASP Juice Shop](https://leanpub.com/juice-shop) is published under |
178 | | -[CC BY-NC-ND 4.0](https://creativecommons.org/licenses/by-nc-nd/4.0/) |
179 | | -and is available **for free** in PDF, Kindle and ePub format on LeanPub. You can also |
180 | | -[browse the full content online](https://pwning.owasp-juice.shop)! |
181 | | - |
182 | | -[<img alt="Pwning OWASP Juice Shop cover" src="https://raw.githubusercontent.com/juice-shop/pwning-juice-shop/master/docs/modules/ROOT/assets/images/cover.jpg" width="200"/>](https://leanpub.com/juice-shop) |
183 | | -[<img alt="Pwning OWASP Juice Shop back cover" src="https://raw.githubusercontent.com/juice-shop/pwning-juice-shop/master/docs/modules/ROOT/assets/images/introduction/back.jpg" width="200"/>](https://leanpub.com/juice-shop) |
184 | | - |
185 | | -## Contributing |
186 | | - |
187 | | -[](https://github.com/juice-shop/juice-shop/graphs/contributors) |
188 | | -[](http://standardjs.com/) |
189 | | -[](https://crowdin.com/project/owasp-juice-shop) |
190 | | - |
191 | | - |
192 | | - |
193 | | -We are always happy to get new contributors on board! Please check |
194 | | -[CONTRIBUTING.md](CONTRIBUTING.md) to learn how to |
195 | | -[contribute to our codebase](CONTRIBUTING.md#code-contributions) or the |
196 | | -[translation into different languages](CONTRIBUTING.md#i18n-contributions)! |
197 | | - |
198 | | -## References |
199 | | - |
200 | | -Did you write a blog post, magazine article or do a podcast about or mentioning OWASP Juice Shop? Or maybe you held or |
201 | | -joined a conference talk or meetup session, a hacking workshop or public training where this project was mentioned? |
202 | | - |
203 | | -Add it to our ever-growing list of [REFERENCES.md](REFERENCES.md) by forking and opening a Pull Request! |
204 | | - |
205 | | -## Merchandise |
206 | | - |
207 | | -* On [Spreadshirt.com](http://shop.spreadshirt.com/juiceshop) and |
208 | | - [Spreadshirt.de](http://shop.spreadshirt.de/juiceshop) you can get some swag (Shirts, Hoodies, Mugs) with the official |
209 | | - OWASP Juice Shop logo |
210 | | -* On |
211 | | - [StickerYou.com](https://www.stickeryou.com/products/owasp-juice-shop/794) |
212 | | - you can get variants of the OWASP Juice Shop logo as single stickers to decorate your laptop with. They can also print |
213 | | - magnets, iron-ons, sticker sheets and temporary tattoos. |
214 | | - |
215 | | -The most honorable way to get some stickers is to |
216 | | -[contribute to the project](https://pwning.owasp-juice.shop/part3/contribution.html) |
217 | | -by fixing an issue, finding a serious bug or submitting a good idea for a new challenge! |
218 | | - |
219 | | -We're also happy to supply you with stickers if you organize a meetup or conference talk where you use or talk about or |
220 | | -hack the OWASP Juice Shop! Just |
221 | | -[contact the mailing list ](mailto:[email protected]) |
222 | | -or [the project leader ](mailto:[email protected]) to discuss your plans! |
223 | | - |
224 | | -## Donations |
225 | | - |
226 | | -[](https://owasp.org/donate/?reponame=www-project-juice-shop&title=OWASP+Juice+Shop) |
227 | | - |
228 | | -The OWASP Foundation gratefully accepts donations via Stripe. Projects such as Juice Shop can then request reimbursement |
229 | | -for expenses from the Foundation. If you'd like to express your support of the Juice Shop project, please make sure to |
230 | | -tick the "Publicly list me as a supporter of OWASP Juice Shop" checkbox on the donation form. You can find our more |
231 | | -about donations and how they are used here: |
232 | | - |
233 | | -<https://pwning.owasp-juice.shop/part3/donations.html> |
234 | | - |
235 | | -## Contributors |
236 | | - |
237 | | -The OWASP Juice Shop core project team are: |
238 | | - |
239 | | -- [Björn Kimminich](https://github.com/bkimminich) aka `bkimminich` |
240 | | - ([Project Leader](https://www.owasp.org/index.php/Projects/Project_Leader_Responsibilities)) |
241 | | - [](https://keybase.io/bkimminich) |
242 | | -- [Jannik Hollenbach](https://github.com/J12934) aka `J12934` |
243 | | -- [Timo Pagel](https://github.com/wurstbrot) aka `wurstbrot` |
244 | | -- [Shubham Palriwala](https://github.com/ShubhamPalriwala) aka `ShubhamPalriwala` |
245 | | - |
246 | | -For a list of all contributors to the OWASP Juice Shop please visit our |
247 | | -[HALL_OF_FAME.md](HALL_OF_FAME.md). |
248 | | - |
249 | | -## Licensing |
250 | | - |
251 | | -[](LICENSE) |
252 | | - |
253 | | -This program is free software: you can redistribute it and/or modify it under the terms of the [MIT license](LICENSE). |
254 | | -OWASP Juice Shop and any contributions are Copyright © by Bjoern Kimminich & the OWASP Juice Shop contributors |
255 | | -2014-2024. |
256 | | - |
257 | | - |
| 58 | +## :book: Resources |
| 59 | +- [GitHub Docs - About GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) |
| 60 | +- [GitHub Security Learning Pathway](https://resources.github.com/learn/pathways/security/) |
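Review bot: the byline on new line 3 opens an `<h5>` but closes it with `</h3>` (`<h5 align="center">@joshjohanning @mickeygousset</h3>`); change the closing tag to `</h5>` so the raw HTML block is well-formed, since not every Markdown renderer is as forgiving as GitHub's. In the same region, the navigation paragraph links to `#mega-prerequisites`, but no Prerequisites heading exists anywhere in the added file, so that anchor is dead: either add the `## :mega: Prerequisites` section the link expects or drop the link (`#workshop-labs` and `#book-resources` appear to resolve to the added headings). Two wording fixes in the lab descriptions: new line 28 should read "review and manage the alerts" rather than "managed", and "stop a bad vulnerability" on new line 44 would be clearer as "block a vulnerable dependency". Finally, the replacement removes the old Licensing section entirely; if the Juice Shop LICENSE file is still in the repository, keep a one-line pointer to it so the license terms stay discoverable from the README.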