Scanning OWASP Juice Shop with Acunetix

Juice Shop is an intentionally vulnerable web application developed by OWASP for educational purposes. We will go through the steps of deploying this web application and we will run a scan on it using Acunetix as a DAST (black box) tool.

The OWASP Juice Shop web application contains a number of vulnerabilities, with a varying level of effort required to exploit them.

Prepare Your Server

The first step is to prepare your server. For this test, we will start with a clean installation of Ubuntu 18.04.3.

Update Your Server

We can bring our server OS up to date before going further, using:

sudo apt update
sudo apt upgrade

Now we need to install curl:

sudo apt install curl

Install Node.js and NPM (Node.js Package Manager)

The regular Ubuntu repositories do not provide us with the correct software versions for this exercise – we need more up-to-date versions from the Node.js website. Run the following commands:

wget https://deb.nodesource.com/setup_13.x
chmod +x setup_13.x
sudo ./setup_13.x
sudo apt install nodejs

…and confirm version numbers:

echo -e "NodeJS Version: \c" && nodejs --version && echo -e "NPM Version: \c" && npm --version

…and we should see:

NodeJS Version: v13.12.0
NPM Version: 6.14.4

Download and Run the OWASP Juice Shop Web Application

wget  https://github.com/bkimminich/juice-shop/releases/download/v10.0.0/juice-shop-10.0.0_node13_linux_x64.tgz
tar -xvzf juice-shop-10.0.0_node13_linux_x64.tgz 
cd juice-shop_10.0.0
npm start

Create an Acunetix Target

In the Acunetix UI, go to Targets -> Add Target:

…replacing the correct IP Address for your server (the Juice Shop application is set up to listen on port 3000) and click on the Save button. This will present a more complete interface to define your target. In this case, the default settings are sufficient. Click on the Save button again.

Scanning the Target

This document describes 3 different scan configurations, with the scope of illustrating the different possibilities, and the changes in effectiveness that result from making configuration changes. If you want to jump to the best result, you can scroll down immediately to the section with the title Your Third Scan – with Pre-Recorded Login Sequence.

Create Your First Scan on Your New Target

Go to Targets, click on your new target, and click the Scan button. Leave default setting in the Choose Scanning Options dialog and click on the Create Scan button.

Results of the First Scan

The default settings are already sufficient to expose a number of vulnerabilities, including high severity vulnerabilities. The Juice Shop application will display some pop-ups on the main page as an indication that the discovery of one of the vulnerabilities intentionally included in the application has been detected. This first scan will expose around 20 vulnerabilities.

Do keep in mind that we have given no way, at this stage, for Acunetix to test the parts of the application that would be exposed after login. To make progress in this area, we need to show Acunetix how to log in to the site, allowing it to test those areas.

Your Second Scan – with Auto Login Enabled

Adding Login Information to Your Target

The first task is to create a user in the Juice Shop. Once we have a user created in the web application, we can instruct Acunetix to use the credentials to log in and test the logged-in version of the application for additional vulnerabilities.

In the Targets menu, click on your target to open up the information page and enable the Site Login feature. We will use the Acunetix auto-login feature for this attempt – enter the username and password for the user you have created and click on the Save button.

Results of the Second Scan

Start a new scan on your target, again with default scanning options. Even before the scan is completed, we can see that the Acunetix activity panel shows us the message Automatic login failed. This tells us that we will need to be more explicit when instructing Acunetix on how to log in to the application.

Your Third Scan – with Pre-Recorded Login Sequence

Adding a Login Sequence to Your Target

Open up your target information page, navigate to the Site Login section, and select the Use pre-recorded login sequence option. Click on the New option under the prompt for the login sequence filename – Acunetix will launch the Login Sequence Recorder to create the login sequence file.

1. Click on the Dismiss button to remove the welcome dialog and expose the rest of the site.
2. Click on the Account menu.
3. Click on the Login menu item.
4. Enter your username (email address).
5. Enter your password.
6. Click on the Log In button; this ends the part where we capture the login sequence, so click on Next at the bottom of the Login Sequence Recorder window to move to the Record Restrictions step.
7. Go to the Account menu and click on the Logout link; this will present a dialog to confirm that this will be a restricted request, meaning that Acunetix will know that this request would log the user out of the application, and therefore will avoid making such requests while testing the logged-in portion of the website.
8. Click on the Restrict request using exact match button in the first dialog presented; when the second such dialog appears, click on the Forward all button. Click on Next to go to the user session detection stage.
9. Many times, the Acunetix Login Sequence Recorder is able to immediately identify the user session pattern and will present you with a dialog in your browser to inform you of this.
10. If the Login Sequence Recorder has not identified the user session pattern, it will present a dialog notifying you of this. Simply use the LSR browser to log in again and navigate to the shopping basket and maybe some other pages, until the LSR notifies you that it has successfully identified the pattern.
11. Click on the Finish button at the bottom of the LSR window to complete this task.
12. Click on Save at the top of the target information page.

Results of the Third Scan

Start a new scan on your target, again with default scanning options. This time, Acunetix will be able to use the sequence and perform a more complete scan. You should see about 50 vulnerabilities detected, including a number of high-severity items.