Today, we will give you a master guide on "How to install OWASP Juice Shop on your Kali Linux system."
For people getting started with penetration testing or even professionals who want to refresh their skills, you will need a playground where you can practice your hacking skills and the various exploitation tools that come with security distributions like Kali Linux, Parrot, etc.
Previously, we wrote two articles around the same topic.
- Install DVWA on Kali Linux: Damn Vulnerable Web Application (DVWA) is a vulnerable web app that you can use to practice your skills by exploiting the bugs left (intentionally) on this app. It's a good option for beginners and professionals as you can set the difficulty level by switching between easy, medium, and hard.
- Setup Virtual Penetration Testing Lab: When learning penetration testing, we discourage testing your skills or exploitation tools on other systems without authorization. This post will give you a detailed guide on "how to set up a virtual penetration testing lab" where you can sharpen your skills and test your exploitation tools.
What is OWASP Juice Shop?
OWASP Juice Shop is a web application intentionally developed to be vulnerable, giving penetration testers and ethical hackers a platform to practice their hacking skills and test their exploitation tools. Compared to other vulnerable web applications used for security testing, OWASP Juice Shop is quite sophisticated, making it the go-to application when learning offensive security, security awareness talks, and practicing/ playing Capture the Flag challenges (CTFs).
One of the best features of OWASP Juice Shop is that it presents some of the common vulnerabilities you can find in real-world applications. It also encompasses all the OWASP Top 10 vulnerabilities. When writing this post (2022), the OWASP Top 10 vulnerabilities include:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-side Request Forgery
The OWASP Juice Shop web app is written in NodeJS, Express, and Angular. It comes with various challenges that a pentester can exploit, and they all have different difficulty levels. Your progress is tracked on a scoreboard, and the exciting bit is that you need to find this scoreboard first (it's not hard).
This post will give you a step-by-step guide to installing and setting up OWASP Juice Shop on your Kali Linux system. There are three main methods that you can use to install OWASP Juice Shop.
- Using NodeJS (Recommended)
- Using Docker
- Deploy OWASP Juice Shop to Heroku
Install OWASP Juice Shop with NodeJS (Recommended)
This is one of the easiest and recommended ways of installing and running OWASP Juice Shop locally on your Kali Linux system. Even though Docker is also an option, there is no need to install a whole containerization platform to run a single application. Follow the steps below to install Juice Shop using NodeJS.
Step 1. Download OWASP Juice Shop
First, we need to download the latest release of OWASP Juice Shop from their official GitHub releases page. As of writing this post, the latest release is Version 14.0.1. We will use the wget command to download the file into our desired location to keep things clean and simple. Therefore, right-click on the OWASP Juice Shop package you want to download and select the option "Copy link address" (or "Copy link location").
Launch the Kali Linux Terminal and use the cd command to navigate to the location where you want to download the OWASP Juice Shop file. Use the syntax below to download the zip file on your system.
sudo wget [file-link]
e.g. sudo wget https://github.com/juice-shop/juice-shop/releases/download/v14.0.1/juice-shop-14.0.1_node14_linux_x64.tgz
We need to extract the contents since we downloaded the file as a compressed tarball (.tgz). Use the tar command as shown below.
tar zxvf [file-name.tgz]
e.g. tar zxvf juice-shop-14.0.1_node14_linux_x64.tgz
You will see the newly extracted OWASP Juice Shop folder with the version of your web app.
Step 2. Install NodeJS and NPM
Now, we need to install NodeJS and NPM on our system. But there is a catch!
Note: You should only install the NodeJS major version that the OWASP Juice Shop package you downloaded was built for; the package name states it. For example, in our case, we downloaded juice-shop-14.0.1_node14_linux_x64.tgz, so we will need to download NodeJS version 14.
Navigate to the official NodeJS releases website and download the NodeJS setup for Linux systems. We highly recommend using the link provided since that is the only official page where you can download earlier versions of NodeJS. In our case, we will download the file using the wget command. We will copy the link address for "NodeJS for x64 Linux systems" and use the syntax below to download the file on our system.
sudo wget https://nodejs.org/download/release/v14.1.0/node-v14.1.0-linux-x64.tar.xz
Now follow the steps below to install NodeJS and NPM on our system.
Extract the contents of the file we downloaded using the tar command.
sudo tar -xvf [file-name]
e.g. sudo tar -xvf node-v14.1.0-linux-x64.tar.xz
You will see a new Node folder (named after the archive) created on your system. There are several files we need to copy from this newly extracted folder to the /usr directory to install NodeJS and NPM on our system. Execute the command below to keep things simple.
sudo cp -r [extracted-directory-name]/{bin,include,lib,share} /usr/
e.g. sudo cp -r node-v14.1.0-linux-x64/{bin,include,lib,share} /usr/
That's it! You have successfully installed NodeJS and NPM on your system. You can verify that by running both tools with the --version flag as shown below.
node --version
npm --version
Now, we can finish installing and setting up OWASP Juice Shop on our system.
Step 3. Install Node Dependencies
Now, go back to the OWASP Juice Shop folder you extracted in Step 1. Use the cd command to change your directory to that folder and execute the command below to install the Node packages required to run OWASP Juice Shop.
npm install
This process might take some time, depending on the speed of your internet. Please be patient. When done, execute the command below to run OWASP Juice Shop.
npm start
This command will start the web app on port 3000. However, if there is another application running on that port, you will see an option to use a different port like 3001. Launch your browser and enter the URL below to access the web application.
http://localhost:[PORT-NUMBER]/
e.g. http://localhost:3000/
You should see a web page similar to the image below. It is a simple web page with several fruit juices that you can buy (well, not like you would on Amazon).
That's it! We have successfully installed OWASP Juice Shop on our Kali Linux machine. I recommend you start with the first obvious challenge of finding the "Score Board." If you have developed a website before, this shouldn't be hard. You can try browsing the source code, guessing URLs, or checking the JavaScript files.
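The Node version mismatch from Step 2 is the most common reason npm install or npm start fails with a prebuilt release. As an added example (not part of the original tutorial or the Juice Shop project), the POSIX shell script below reads the required Node major version from the release file name and compares it with what node --version reports; the function and file names are my own.

```shell
#!/bin/sh
# Added example: verify that the installed NodeJS major version matches
# the one a prebuilt OWASP Juice Shop release was built for.

# Pull the Node major version out of a release file name,
# e.g. juice-shop-14.0.1_node14_linux_x64.tgz -> 14
required_node_major() {
    printf '%s\n' "$1" | sed -n 's/.*_node\([0-9][0-9]*\)_.*/\1/p'
}

# Pull the major version out of a `node --version` string,
# e.g. v14.1.0 -> 14 (a leading "v" is optional)
installed_node_major() {
    printf '%s\n' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\..*/\1/p'
}

# Compare the two. Returns 0 on a match, 1 on a mismatch,
# 2 when the release name carries no node version tag.
check_node_for_release() {
    release="$1"
    node_version="$2"
    need=$(required_node_major "$release")
    have=$(installed_node_major "$node_version")
    if [ -z "$need" ]; then
        echo "cannot determine required Node version from $release" >&2
        return 2
    fi
    if [ "$need" = "$have" ]; then
        echo "OK: $release needs Node $need, installed $node_version"
        return 0
    fi
    echo "MISMATCH: $release needs Node $need, but node --version reports $node_version" >&2
    return 1
}

# Stand-alone use: ./check-node.sh juice-shop-14.0.1_node14_linux_x64.tgz
if [ -n "$1" ] && command -v node >/dev/null 2>&1; then
    check_node_for_release "$1" "$(node --version)"
fi
```

Run it before npm install; a non-zero exit means the Node binary on your PATH is not the one the package expects.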
Conclusion
I hope this tutorial was of great help, and you now have OWASP Juice Shop running on your system. How were you able to find the scoreboard? Please share your tips and tricks in the comments below. If you encounter any issues during the installation process, please let us know, and we will help where we can.