Daylight Studio

Vulnerability Hunting Practice Using OWASP Juice Shop

Vulnerability Hunting Practice Using OWASP Juice Shop

This past week, I facilitated an OWASP Juice Shop CTF at New Relic for the Portland OWASP Chapter to help those beginning in their development or AppSec careers to have an opportunity to learn from the Portland AppSec community. 

What does that even mean?

OWASP stands for the Open Web Application Security Project. OWASP exists to raise awareness and understanding of software security. They are a global non-profit with chapters all over the world and a plethora of projects and documents to help developers, DevOps, and security people up their game.

The OWASP Juice Shop is an open-sourced, intentionally insecure javascript web application.  Embedded in the application are a wide range of security vulnerabilities you can hunt for and mark complete on the scoreboard as you probe the application. The vulnerabilities encompass the OWASP Top Ten, another flagship OWASP project which surveys and outlines the most critical security risks to web applications. 

The Current Top Ten:
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring

CTF means Capture the Flag. You are probably thinking - you brought computers into the woods and ran around hacking on them while trying to find the other team’s flags. Not quite. In the infosec world, CTF consists of gamified challenges where you uncover “flags” representing different vulnerabilities. You get points for finding them and teams compete against each other by earning more points / finding flags first / etc. 

The Event

If you haven’t yet been to an event at New Relic, check out Calagator and find yourself something interesting to attend. New Relic does a great job being a community partner and opening up their space to improve the Portland tech scene. 

We started with a brief overview of OWASP, the Juice Shop, and then broke into teams to learn and practice together vulnerability hunting. The Capture the Flag only lasted for a few hours, but it was great to see the teams making breakthroughs, talking together, laughing together, hacking on the juice shop. For some in the room, it was there first time learning vulnerability hunting, others were old hands. We tried to team up across skill levels to balance the teams and allow more experienced folks to show a few tricks to those starting out. 

Want to Learn More about Application Security? 

Come to the Portland OWASP chapter meetings!  We meet monthly and you can join our meetup group to be notified on the time and location of our next one (Jama / December 6th / 6:30 pm). 

Host your own Juice Shop CTF among friends or colleagues!  Bjorn Kimminich (the Juice Shop project lead) has written a great guide in his book on the Juice Shop.  Fellow OWASP Member Josh Grossman also has a useful write-up on his setup.

And go to to read to your heart’s content all things app security.


Quiz Quisenberry

Have a Goal in Mind?

The Daylight team is ready to shape your ideas into tangible business results.

Let's Collaborate