Penetration Test - Assignment
Introduction
Juice Shop is aiming to be the next big thing in online juice shopping.
The company behind it has hired you🫵 to carry out a penetration test of their site.
They have two main concerns. The first is damage to reputation, as they aim to position themselves as a brand that consumers can trust. The second is direct financial loss.
Getting started
Before you begin on the assignment, you need to set up a lab environment.
The easiest way is with Docker.
You can find the Docker image for juice-shop here (it is published on Docker Hub as bkimminich/juice-shop; the application listens on port 3000 inside the container).
The application has a built-in score board that tracks your progress. The first challenge is to find the score board.
What you need to do
Your task is to find and document security vulnerabilities.
It is a good idea to keep a sitemap as you go. A sitemap is a list of all sub-pages you find.
You need to document your findings in a short report that you hand in.
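The sitemap does not have to be kept by hand. The script below is an added example (not part of the assignment material or of Juice Shop itself) that builds one from two sources: the href/src targets in the pages you fetch, and the client-side route declarations in the Angular bundle (main.js), where a single-page application lists every page it can render, including ones no menu links to. It uses only the standard library. The URLs, file names and the small HTML/JS snippets at the bottom are constructed so the logic runs offline; for the lab, call crawl("http://localhost:3000/"), optionally with proxy="http://127.0.0.1:8080" so the traffic also lands in Burp's own site map.

```python
"""Sitemap helper for the Juice Shop assignment.

Added example, not part of the assignment or of Juice Shop. Discovery sources:
  * href/src attributes of fetched HTML pages (classic crawling);
  * route declarations inside the Angular bundle, which appear as
    path:"..." (or path:'...') entries in the minified JS. Pages the UI
    never links to still show up here.
The constructed sample at the bottom stands in for a live target.
"""
import re
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Angular route entries in a JS bundle; either quote style is used by minifiers.
ROUTE_RE = re.compile(r'''path\s*:\s*['"]([^'"]*)['"]''')


class LinkParser(HTMLParser):
    """Collects raw href/src targets from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def extract_links(base_url, html):
    """Return absolute same-origin URLs referenced by the page (fragments dropped)."""
    parser = LinkParser()
    parser.feed(html)
    origin = urlparse(base_url).netloc
    found = set()
    for link in parser.links:
        absolute = urljoin(base_url, link)
        if urlparse(absolute).netloc == origin:      # stay in scope: same host only
            found.add(absolute.split("#")[0])        # SPA routes are taken from the JS instead
    return found


def extract_routes(js_source):
    """Return client-side route paths declared in an Angular bundle."""
    return {r for r in ROUTE_RE.findall(js_source) if r and r != "**"}  # "**" is the catch-all


def fetch(url, proxy=None, timeout=10):
    """GET a URL, optionally through an intercepting proxy such as Burp (http://127.0.0.1:8080)."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def build_sitemap(base_url, pages, bundles):
    """pages: {url: html}, bundles: {url: js}. Returns a sorted list of URLs.

    Kept separate from fetching so it can be exercised on constructed input."""
    found = set()
    for url, html in pages.items():
        found.add(url)
        found.update(extract_links(url, html))
    routes = set()
    for js in bundles.values():
        routes.update(extract_routes(js))
    for route in routes:
        found.add(f"{base_url.rstrip('/')}/#/{route}")
    return sorted(found)


def crawl(base_url, proxy=None):
    """Live version: fetch the landing page and every same-origin .js bundle it references."""
    index = fetch(base_url, proxy)
    pages = {base_url: index}
    bundles = {link: fetch(link, proxy) for link in extract_links(base_url, index) if link.endswith(".js")}
    return build_sitemap(base_url, pages, bundles)


# Constructed sample input (not captured from a real Juice Shop instance).
SAMPLE_BASE = "http://localhost:3000/"
SAMPLE_PAGES = {
    SAMPLE_BASE: '<html><head><script src="main.js"></script></head>'
                 '<body><a href="/#/search">Search</a>'
                 '<a href="https://example.org/ext">external</a></body></html>',
}
SAMPLE_BUNDLES = {
    SAMPLE_BASE + "main.js": 'routes=[{path:"search",component:a},{path:"login",component:b},'
                             "{path:'hidden-admin',component:c},{path:\"**\",redirectTo:\"search\"}]",
}

if __name__ == "__main__":
    for entry in build_sitemap(SAMPLE_BASE, SAMPLE_PAGES, SAMPLE_BUNDLES):
        print(entry)
```

The off-origin link (example.org) is deliberately discarded: the rules of engagement put only the lab in scope, so the crawler must never follow anything else. Running the sample prints the landing page, the main.js bundle, and three routes, one of which (hidden-admin) was never linked from the HTML.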
Your report should include a sitemap (the list of sub-pages you evaluated) and, for each vulnerability you find:
- Identification: a number or short name for the vulnerability
- Severity: a rating of how severe the vulnerability is. You are free to invent your own rating system, but it must be documented in the report.
- Description: what the vulnerability is, how you found it, and the steps to exploit it.
The report MUST be handed in as a PDF (upload on Moodle).
Scope
In a real-world penetration test, the goal is to be as thorough as possible.
The Juice Shop application has a lot of vulnerabilities of increasing difficulty. It would be unrealistic for you to cover them all.
For this assignment I expect you to cover between 8 and 16 vulnerabilities. Feel free to cover more.
Rules of Engagement
You are expected to do a black-box pentest. The entire juice-shop web application is in scope.
The penetration test will be conducted in a lab environment on the tester's own machine using the provided Docker image. The tester has no restrictions on the attacks that can be attempted within the lab environment. Attacking anything outside the lab environment is strictly prohibited.
The expected deliverable is a report documenting all findings.
Tools
Install Burp Suite Community Edition.
- Start a temporary project and use the default configuration
- Click the "Proxy" tab
- Click the "Open browser" button and navigate to juice-shop (http://localhost:3000 if you mapped the container's port 3000 to the same port on your host). The embedded browser is already configured to send its traffic through Burp's proxy listener.
- Use the "Intercept is off" button to turn interception on, so you can tamper with requests. While interception is on, every request pauses in the Proxy tab until you forward or drop it, so turn it off again when you only want to browse.