Appendix B - Trainer's guide

Co-authored by Timo Pagel

Instances

Make sure all participants have their own running Juice Shop instance to work with. While attempting challenges like RCE or XXE, students might occasionally take down their server, which would severely impact other participants if they shared an instance.

There are multiple Run Options to choose from. It is perfectly fine to run multiple Docker containers on one host; they do not affect each other.

Customization

Especially in awareness trainings for management, you might want to increase immersion by making the Juice Shop look like an application in the corporate design of the participants' own company. Juice Shop offers various customization options to achieve this.

Several custom configurations already come packaged with the Juice Shop source code, the two most sophisticated ones being 7 Minute Security and Mozilla.

In addition, you might want to disable all challenge notifications during awareness trainings to avoid distraction. The Quiet configuration demonstrates the necessary options to achieve this.

Quiet mode

For a really sophisticated and immersive demo, consider performing some Additional Browser tweaks. These let you use OAuth2 login via Google and create the illusion that coupon codes were actually tweeted by your customer's company.

Classroom hints

In a classroom setup you have to find a way to distribute the URL of each instance to the participants. For small groups it is probably fine to just spin up a number of containers and tell each participant which URL to use. For example, the following spins up 10 Docker containers on a UNIX-based system, listening on host ports 4010 to 4019:

for i in {10..19}; do docker run -d -p 40$i:3000 bkimminich/juice-shop; done
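The one-liner above works, but in practice you also want a restart policy (so a participant who crashes their instance with an RCE or XXE payload gets it back without the trainer's help), the Quiet configuration from the customization section, a readiness check before the training starts, and a hand-out list of URLs. The following script is an added example for this guide, not code from the Juice Shop project. It assumes the trainer's reachable hostname or IP is passed in JUICE_HOST, that Juice Shop selects its configuration file by the name given in the NODE_ENV environment variable (so NODE_ENV=quiet picks the Quiet configuration), and it uses a port scheme of 4010 + participant index:

```shell
#!/bin/sh
# Added example for this trainer's guide; not part of the Juice Shop project.
# Starts one isolated Juice Shop container per participant, prints the URL list
# to hand out, and tears everything down after the training.
# Assumptions (not from the page): JUICE_HOST holds the address participants can
# reach; Juice Shop loads the configuration named in NODE_ENV (e.g. "quiet").
set -eu

IMAGE="bkimminich/juice-shop"       # official image, as in the one-liner above
BASE_PORT=4010                      # participant i (0-based) gets host port BASE_PORT+i
HOST="${JUICE_HOST:-localhost}"     # set to the trainer laptop's LAN IP or DNS name
CONFIG="${JUICE_CONFIG:-quiet}"     # "quiet" suppresses challenge notifications

# Host port for participant i.
instance_port() { echo $(( BASE_PORT + $1 )); }

# Container name, so one participant's instance can be restarted on its own.
instance_name() { printf 'juice-shop-%02d\n' "$1"; }

# URL to hand to participant i.
instance_url() { echo "http://${HOST}:$(instance_port "$1")"; }

# docker command line for participant i; --restart brings an instance back
# after a participant takes it down while attempting RCE or XXE.
instance_cmd() {
  echo "docker run -d --name $(instance_name "$1") --restart unless-stopped" \
       "-e NODE_ENV=${CONFIG} -p $(instance_port "$1"):3000 ${IMAGE}"
}

# Start N instances. DRY_RUN=1 prints the commands instead of running them.
start_instances() {
  n=$1; i=0
  while [ "$i" -lt "$n" ]; do
    cmd=$(instance_cmd "$i")
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd >/dev/null; fi
    i=$(( i + 1 ))
  done
}

# Block until instance i serves its front page (up to TIMEOUT seconds, default 60).
wait_ready() {
  url=$(instance_url "$1"); t=0
  while ! curl -fsS -o /dev/null "$url/"; do
    t=$(( t + 1 ))
    if [ "$t" -ge "${TIMEOUT:-60}" ]; then echo "$url not ready" >&2; return 1; fi
    sleep 1
  done
}

# Hand-out list: one line per participant, numbered from 1 for humans.
handout() {
  n=$1; i=0
  while [ "$i" -lt "$n" ]; do
    echo "Participant $(( i + 1 )): $(instance_url "$i")"
    i=$(( i + 1 ))
  done
}

# Stop and remove every instance started by this script.
teardown() {
  ids=$(docker ps -aq --filter name=juice-shop-)
  if [ -n "$ids" ]; then docker rm -f $ids >/dev/null; fi
}

# Usage: JUICE_HOST=192.0.2.10 ./classroom.sh start 10   (start + wait + hand-out list)
#        ./classroom.sh handout 10                        (reprint the URL list)
#        ./classroom.sh teardown                          (remove all instances)
case "${1:-}" in
  start)
    N="${2:-10}"
    start_instances "$N"
    i=0; while [ "$i" -lt "$N" ]; do wait_ready "$i"; i=$(( i + 1 )); done
    handout "$N" ;;
  handout)  handout "${2:-10}" ;;
  teardown) teardown ;;
esac
```

Run it with DRY_RUN=1 first to see the exact docker commands it would issue; the readiness loop only checks that the front page answers, so give the instances a minute on a slow host before handing out the list.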

If you want to track progress centrally during the training, you might want to host a central CTF server where participants can post the challenges they already solved. You might consider turning off public visibility of the leader board on the CTF server unless you want to encourage the students to hack very competitively.

Existing trainings

One existing training that uses the Juice Shop is Timo Pagel's University Module. Its structure is mostly as follows:

  1. Introduce a topic (e.g. SQL Injection)
  2. Let the participants try it out in the Juice Shop
  3. Show mitigation/counter measures

Björn Kimminich's Web Application Security Training slides as well as the web attack chapters of his IT Security Lecture follow a similar pattern of

  1. Introduction
  2. Timeboxed exercise
  3. Demonstration of the hack (for all who did not finish the exercise in time)
  4. Explaining mitigation and prevention

You can find more links to existing material in the Lectures and Trainings section of the project references on GitHub.

Challenges for demos

The following challenges are well suited for live demonstrations in trainings or talks. You should always begin by showing how to find the Score Board ( :star: ) so you can then pick any of the challenges below to further demonstrate certain categories of vulnerabilities. Difficulty is given in stars and the estimated demo time in hourglasses.

| Challenge | Category | Difficulty | Time for demo | Dependencies |
|-----------|----------|------------|---------------|--------------|
| XSS Tier 1 | XSS | :star: | :hourglass_flowing_sand: | None |
| Confidential Document | Sensitive Data Exposure | :star: | :hourglass_flowing_sand: | None |
| Login Admin | Injection | :star::star: | :hourglass_flowing_sand: | None |
| XSS Tier 0 | XSS | :star: | :hourglass_flowing_sand: | Log in as any user |
| XSS Tier 1.5 | XSS | :star: | :hourglass_flowing_sand: | Log in as any user |
| Privacy Policy Tier 1 | Roll your own Security | :star: | :hourglass_flowing_sand: | Log in as any user |
| Privacy Policy Tier 2 | Security through Obscurity | :star::star::star: | :hourglass_flowing_sand::hourglass_flowing_sand: | Privacy Policy Tier 1 |
| Admin Section | Broken Access Control | :star::star: | :hourglass_flowing_sand::hourglass_flowing_sand: | Login Admin or Admin Registration |
| Basket Access | Broken Access Control | :star::star: | :hourglass_flowing_sand::hourglass_flowing_sand: | Log in with two different users |
| Easter Egg Tier 1 | Roll your own Security | :star::star::star::star: | :hourglass_flowing_sand::hourglass_flowing_sand::hourglass_flowing_sand: | Explain Poison Null Byte |
| Easter Egg Tier 2 | Security through Obscurity | :star::star::star::star: | :hourglass_flowing_sand::hourglass_flowing_sand::hourglass_flowing_sand: | Easter Egg Tier 1 |
| Forgotten Developer Backup | Roll your own Security | :star::star::star::star: | :hourglass_flowing_sand::hourglass_flowing_sand::hourglass_flowing_sand: | Explain Poison Null Byte |
| Forged Coupon | Sensitive Data Exposure | :star::star::star::star::star::star: | :hourglass_flowing_sand::hourglass_flowing_sand::hourglass_flowing_sand::hourglass_flowing_sand: | Forgotten Developer Backup and z85-cli installed, or Forgotten Sales Backup, or tracing coupons from Twitter/Reddit back to https://travis-ci.org/bkimminich/juicy-coupon-bot |

A particularly impressive showcase of XSS site-defacement combined with a keylogger is provided explicitly for live demos and awareness trainings.

There is also a video recording available on YouTube: https://www.youtube.com/watch?v=L7ZEMWRm7LA. This is a good fallback in case the Docker-based setup does not work for you.
