By Niren Shah
You hear it every day - so and so was compromised, such and such vulnerability was found in this popular application. Ever wondered how to make your developers more aware of security issues so that they can write more secure applications? This is something lots of software engineering folks struggle with - if your developers aren't security conscious, they cannot write secure code.
There are plenty of ways to increase security awareness:
But, why not make it fun and challenging by actually trying to hack into applications -- just like the pros? :) Obviously, trying to hack into web properties that you don't own is not cool and usually illegal (unless they have a bug bounty program or something similar). But the good news is that there are many intentionally vulnerable applications available that you can run within the confines of your evil lair (have to play the part -- right?). These applications are written with exploitable vulnerabilities so that you can try to use various techniques to see if you can hack them. Some popular ones:
We'll use one of my favorites: OWASP Juice Shop. This is an excellent application from OWASP that is extremely easy to set up and run. It covers all of the OWASP Top 10 vulnerabilities and some more. The Juice Shop is extremely well documented here, so you can follow along, get hints and learn about penetration testing and hacking. So, let's get started and have fun. We'll use Docker to make life simple. If you're not familiar with Docker, I highly recommend that you learn about it - you'll thank me later.
Ok, let's pull the image for the Juice Shop project and run it:
docker pull bkimminich/juice-shop
docker run --rm -p 3000:3000 bkimminich/juice-shop
Now, point your browser to: http://localhost:3000 and you should see the application running like this:
Now, you're ready to have some fun. You can follow the steps in the documentation, but I'll get you started with the first couple of challenges. The first thing to do is to find the hidden score board in the application so that you can track your progress - this is one of the easy challenges. So, how would you go about finding hidden areas of a web application? You can try to guess various links, or you can look at the source of the web page and see if you can find anything. Looking at the source reveals:
There you go! If you point your browser @ http://localhost:3000/#/score-board - you'll see:
You've solved your first challenge :). I'll help you with one more before I let you loose to have fun solving the rest of them. Let's solve one of the XSS ones. They are usually easy to find and test using the text entry boxes your application has. To attempt an XSS injection, type: "<script>alert("XSS")</script>" (without the outer quotes) in the search box at the top of the application and click the "Search" button. Since this application is intentionally insecure, the search term is reflected into the page unescaped, the JavaScript runs, and you'll see:
It was that simple. Now, if you go back to the newly discovered "Score Board" link at the top of the page, you'll see that you've solved another challenge.
That's it. Now go for it -- see how many you can solve. The documentation is excellent and you may need some additional tools in order to solve the others but that's a topic for another day.
Cheers!