Install OWASP Juice Shop on Kali Linux [Step-by-Step]


Ethical hacking

Today, we will give you a master guide on "How to install OWASP Juice Shop on your Kali Linux system."

For people getting started with penetration testing or even professionals who want to refresh their skills, you will need a playground where you can practice your hacking skills and the various exploitation tools that come with security distributions like Kali Linux, Parrot, etc.

Previously, we wrote two articles around the same topic.

  • Install DVWA on Kali Linux: Damn Vulnerable Web Application (DVWA) is a web app with bugs left in it on purpose so that you can practise by exploiting them. It suits beginners and professionals alike, since you can switch the difficulty level between easy, medium and hard.
  • Setup Virtual Penetration Testing Lab: never test your skills or exploitation tools against systems you are not authorised to attack. That post gives a detailed guide on setting up a virtual penetration testing lab where you can sharpen your skills and try out your tools safely.


What is OWASP Juice Shop?

OWASP Juice Shop is a web application that was intentionally developed to be vulnerable, giving penetration testers and ethical hackers a platform to practise their hacking skills and test their exploitation tools. Compared with other vulnerable web applications used for security testing, OWASP Juice Shop is quite sophisticated, which makes it the go-to application for learning offensive security, for security awareness talks, and for practising or hosting Capture the Flag (CTF) challenges.

One of the best features of OWASP Juice Shop is that it presents the kinds of vulnerabilities you find in real-world applications, and it covers every category of the OWASP Top 10. As of writing this post (2022), the current OWASP Top 10 (the 2021 edition) consists of:

  • Broken Access Control
  • Cryptographic Failures
  • Injection
  • Insecure Design
  • Security Misconfiguration
  • Vulnerable and Outdated Components
  • Identification and Authentication Failures
  • Software and Data Integrity Failures
  • Security Logging and Monitoring Failures
  • Server-Side Request Forgery

The OWASP Juice Shop web app is written in NodeJS, Express, and Angular. It comes with various challenges that a pentester can exploit, and they all have different difficulty levels. Your progress is tracked on a scoreboard, and the exciting bit is that you need to find this scoreboard first (it's not hard).

This post will give you a step-by-step guide to installing and setting up OWASP Juice Shop on your Kali Linux system. There are three main methods that you can use to install OWASP Juice Shop.

  • Using NodeJS (Recommended)
  • Using Docker
  • Deploy OWASP Juice Shop to Heroku


Install OWASP Juice Shop with NodeJS (Recommended)

This is the easiest way to install and run OWASP Juice Shop locally on Kali Linux, and the one we recommend. Docker also works, but installing a whole containerization platform to run a single application is overkill for most people. The trade-off is that a container gives this deliberately vulnerable app some isolation from the rest of your system, so if you already run Docker, that route is reasonable too. Follow the steps below to install Juice Shop using NodeJS.


Step 1. Download OWASP Juice Shop

First, download the latest release of OWASP Juice Shop from the project's official GitHub releases page. As of writing this post, the latest release is version 14.0.1. We will use the wget command so that the file lands in a directory of our choosing and things stay clean and simple: right-click the release asset you want and select "Copy link address" (or "Copy link location"). Note the _node14_ part of the filename. The prebuilt bundle includes native Node modules compiled for that Node major version, which is why Step 2 installs Node 14 specifically.

Launch the Kali Linux terminal and use the cd command to move to the directory where you want to keep OWASP Juice Shop. Use the syntax below to download the tarball. There is no need for sudo here: downloading as your normal user keeps the files owned by you, and nothing in the later steps requires the app to be owned by root.

wget [file-link]
e.g
wget https://github.com/juice-shop/juice-shop/releases/download/v14.0.1/juice-shop-14.0.1_node14_linux_x64.tgz

Download OWASP Juice Shop

The file is a gzip-compressed tarball (.tgz), not a zip archive, so we extract it with the tar command as shown below.

tar zxvf [file-name.tgz]
e.g
tar zxvf juice-shop-14.0.1_node14_linux_x64.tgz

You will see the newly extracted OWASP Juice Shop folder with the version of your web app.

Extract the tarball


Step 2. Install NodeJS and NPM

Now we need to install NodeJS and NPM on our system. But there is a catch!

Note: Install the Node major version that is named in the bundle's filename, not the one that matches the Juice Shop version number. Our bundle is juice-shop-14.0.1_node14_linux_x64.tgz, so we need Node 14.x; the fact that the Juice Shop version is also 14 is a coincidence. The bundle ships native add-ons built against that Node major, so a different major can fail to start. If Kali already has a nodejs package installed, check node --version before continuing, because it may well be a different major.

Go to the official NodeJS release index at https://nodejs.org/download/release/ and pick the Linux x64 tarball for the version you need. That index is where every past version is published, including the whole 14.x line, and each release directory also carries a SHASUMS256.txt file that you can check the download against. Any 14.x release will work; the most recent 14.x patch release is preferable to 14.1.0, because later patch releases carry bug and security fixes. Copy the link address for the x64 Linux tarball and download it with wget (again, no sudo needed):

wget https://nodejs.org/download/release/v14.1.0/node-v14.1.0-linux-x64.tar.xz

Download NodeJS v14

Now follow the steps below to install NodeJS and NPM on our system.

Extract the contents of the downloaded file using the tar command (GNU tar detects the xz compression on its own):

tar -xvf file-name
e.g
tar -xvf node-v14.1.0-linux-x64.tar.xz

You will see a new folder named after the archive (node-v14.1.0-linux-x64). Installing NodeJS and NPM is just a matter of copying its bin, include, lib and share directories into an install prefix. The original version of this post copied them into /usr/; /usr/local/ is the better destination, because it is reserved for software the administrator installs by hand, it is already on PATH, and nothing in it gets overwritten when apt later installs or upgrades the distribution's nodejs package. Execute the command below to keep things simple.

sudo cp -r [extracted-directory-name]/{bin,include,lib,share} /usr/local/
e.g
sudo cp -r node-v14.1.0-linux-x64/{bin,include,lib,share} /usr/local/

Copy files to the usr directory

That's it! NodeJS and NPM are now installed. Verify it with the --version flag as shown below, and make sure the reported Node version is 14.x; if it is not, a distribution-packaged node earlier on your PATH is being picked up instead of the one you just copied.

node --version
npm --version

Now, we can finish installing and setting up OWASP Juice Shop on our system.


Step 3. Install Node Dependencies

Now, go back to the OWASP Juice Shop you extracted in Step 1. Use the cd command to change your directory to that folder and execute the command to install the Node packages required to run OWASP Juice Shop.

npm install

Install Node Packages

This process might take some time, depending on the speed of your internet. Please be patient. When done, execute the command below to run OWASP Juice Shop.

npm start

Run OWASP Juice Shop

This command starts the web app on port 3000. If another application already holds that port, the start fails with an address-in-use error rather than picking a new port for you; Juice Shop reads the PORT environment variable, so start it with PORT set to a free port (for example PORT=3001) and use that port in the URL. Keep in mind that Juice Shop is deliberately vulnerable and listens on all network interfaces, not only loopback, so run it inside a VM or on an isolated network rather than leaving it up on shared Wi-Fi. Launch your browser and enter the URL below to access the web application.

http://localhost:[PORT-NUMBER]/
e.g.,
http://localhost:3000/

You should see a web page similar to the image below. It is a simple web page with several Fruit juices that you can buy (well, not like you would on Amazon).

OWASP Juice Shop

That's it! We have successfully installed OWASP Juice Shop on our Kali Linux machine. I recommend you start with the first obvious challenge of finding the "Score Board." If you have developed a website before, this shouldn't be hard. You can try browsing the page source, guessing URLs, or reading the JavaScript files the app loads.
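The three steps above as a single script, added here as an example; it is not code from the original post or from the Juice Shop project. It uses the two download URLs from the post and adds the checks a practitioner would want before trusting a manual install: it runs as an unprivileged user, verifies the NodeJS tarball against the SHASUMS256.txt that nodejs.org publishes next to each release, refuses to download the Juice Shop bundle if the Node major on PATH does not match the _nodeNN_ tag in the bundle's filename, and refuses to start if the port is already taken. The install prefix (~/.local instead of /usr), the working directory and the use of ss from iproute2 are my choices, not something the post prescribes; that Juice Shop honours the PORT environment variable is project behaviour.

```shell
#!/bin/sh
# Added example (not from the original post or the Juice Shop project):
# Steps 1-3 as one script, run without sudo, with three extra checks:
#   (a) SHA-256 of the Node tarball against nodejs.org's SHASUMS256.txt,
#   (b) Node major on PATH == the "_nodeNN_" tag in the bundle filename,
#   (c) the chosen port is free before `npm start`.
# Assumptions: the two URLs below come from the post; PREFIX and WORKDIR
# are my own choices (a user-writable prefix instead of /usr).
set -eu

JUICE_URL="https://github.com/juice-shop/juice-shop/releases/download/v14.0.1/juice-shop-14.0.1_node14_linux_x64.tgz"
NODE_VERSION="v14.1.0"
NODE_BASE="https://nodejs.org/download/release/${NODE_VERSION}"
PREFIX="${PREFIX:-$HOME/.local}"
WORKDIR="${WORKDIR:-$HOME/juice-shop}"

# Node major a bundle was built for, read from its filename:
#   juice-shop-14.0.1_node14_linux_x64.tgz -> 14.  Fails if there is no tag.
required_node_major() {
    name=$(basename "$1")
    case "$name" in
        *_node[0-9]*_*) name=${name#*_node}; printf '%s\n' "${name%%_*}" ;;
        *) return 1 ;;
    esac
}

# Major version from `node --version` output: v14.1.0 -> 14.
node_major() {
    v=${1#v}
    printf '%s\n' "${v%%.*}"
}

# Succeeds only when the installed Node major equals the bundle's required major.
node_matches_bundle() {
    [ "$(node_major "$1")" = "$(required_node_major "$2")" ]
}

# True when something already listens on TCP port $1 (ss is part of iproute2).
port_in_use() {
    ss -ltn "( sport = :$1 )" 2>/dev/null | grep -q LISTEN
}

install_node() {
    tarball="node-${NODE_VERSION}-linux-x64.tar.xz"
    mkdir -p "$PREFIX" "$WORKDIR"
    cd "$WORKDIR"
    wget -q "${NODE_BASE}/${tarball}"
    wget -q -O SHASUMS256.txt "${NODE_BASE}/SHASUMS256.txt"
    # Fail closed: abort unless the tarball's digest is in the published list.
    sha256sum -c --ignore-missing SHASUMS256.txt
    tar -xf "$tarball"
    for d in bin include lib share; do
        cp -r "node-${NODE_VERSION}-linux-x64/$d" "$PREFIX/"
    done
}

install_juice_shop() {
    bundle=$(basename "$JUICE_URL")
    cd "$WORKDIR"
    # Stop before downloading the bundle if the Node on PATH is the wrong major.
    if ! node_matches_bundle "$(node --version)" "$bundle"; then
        echo "node $(node --version) on PATH, but $bundle needs Node $(required_node_major "$bundle").x" >&2
        return 1
    fi
    wget -q "$JUICE_URL"
    # Take the top-level directory name from the archive instead of guessing it.
    appdir=$(tar -tzf "$bundle" | head -n 1 | cut -d/ -f1)
    tar -xzf "$bundle"
    cd "$appdir"
    npm install
    port="${PORT:-3000}"
    if port_in_use "$port"; then
        echo "port $port is already in use; rerun with PORT=<free port>" >&2
        return 1
    fi
    # Juice Shop reads PORT from the environment (default 3000).
    PORT="$port" npm start
}

# The install only runs when invoked as `sh install-juice-shop.sh run`, so the
# helper functions can be sourced or tested without touching the network.
if [ "${1:-}" = "run" ]; then
    install_node
    PATH="$PREFIX/bin:$PATH"; export PATH
    install_juice_shop
fi
```

Add ~/.local/bin to PATH in your shell profile so node and npm stay reachable in new terminals. The SHA-256 check only proves the tarball matches what nodejs.org is serving over TLS; for a stronger check, verify the SHASUMS256.txt.asc signature that sits next to it with the NodeJS release keys before trusting the digest list.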


Conclusion

I hope this tutorial was of great help, and you now have OWASP Juice Shop running on your system. How were you able to find the scoreboard? Please share your tips and tricks in the comments below. If you encounter any issues during the installation process, please let us know, and we will help where we can.


Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.
