Setting up JuiceShop in Heroku

-

The purpose of this post is to provide information about setting up a free instance of JuiceShop in Heroku for use with a CTF. Please read the steps below carefully.

NOTICE

If you create a new account, you will be required to supply a valid credit card number. The Heroku service is free to use, but it is still a business that wants to make money. If you use the free tier, your card will not be charged. If you add options outside of what is spelled out in this document, you are liable for any expenses that you incur. Please don’t go past the ropes unless you know how to swim. OWASP is not responsible for any charges that you may incur from the use of the Heroku service. More information about Heroku’s free tier and pricing can be found here.

 NOTICE PART DEUX

This event is a simple web application capture the flag. There should be no need for you to use denial of service tactics or network attack tools as part of this event. Technically, everything you need is right in your browser and between your ears. Intercept proxy’s like Burp Suite are fine, but there should be no need to run any of the automated attack or scan features found in those tools. Please read Heroku’s acceptable use policy here for more details.

Remember, you are using our host’s internet services. Bad behavior on the Internet can come back to them, so be a good guest. Also, no attacking your opponents' systems. Your focus should be your own Heroku Juice Shop instance. If we see you engaging in bad behavior, we will ask you to leave.

WHAT YOU NEED

  1. A laptop with wireless capabilities and equipped a modern browser.
  2. A basic understanding of web design, SQL, JavaScript, or at least a willingness to learn.
  3. If you have an intercept proxy such as OWASP's Zed Attack Proxy (ZAP) or Burp Suite, you may find it helpful. Technically, most of the work can be done with the developer tools native to the browser, but an intercept proxy is useful. ZAP can be downloaded for free from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project. Burp Suite Community Edition is also a free application that can be downloaded from https://portswigger.net/. 

SETUP
  1. Create a Heroku account and log in, or log in with an existing account if you have one.


     
  2. In a new tab, go to the JuiceShop Github repository and deploy JuiceShop to your Heroku account. Give your new instance a name, using only lower case letters, numbers, and dashes. Spaces are not allowed, and you might have to get creative to come up with an original name!
     
  3. When you are done, click the Deploy App button. Be patient - this can take a few minutes.
  4. When the deployment is complete, click the purple Manage App button at the bottom of the screen.


      
  5. In the management interface, click on the Settings link at the top-right side of the screen.
     
  6. In the Settings screen, click the Reveal Config Vars button to reveal the application’s configuration variables (there shouldn’t be any).


     
  7. Under the Config Vars section, add the following configuration variable and value to put Juice Shop in CTF mode:

    NODE_ENV              ctf


     
  8. Scroll to the top of the screen and click Open App to view your newly-deployed JuiceShop web application!
     
  9. Bookmark this page so you can get back to it easily!
You now should have a fully functional JuiceShop instance in Heroku!

Comments

  1. AnonymousDecember 2, 2018 at 11:03 AM

    Note: If you wish to just set up JuiceShop for your own personal use (i.e. not part of a CTF event), then just skip step 7!

    ReplyDelete

Post a Comment

Popular posts from this blog

OWASP ZAP Tutorial - Part 2: Crawling

-
Image
If you completed part one of this series, you have now successfully intercepted an HTTP request and response with OWASP ZAP. Don't you feel proud and empowered? I knew you would. But guess what? We're not done yet... not by a damn site. Now it's time to learn how to  crawl  a web application with ZAP. Now I know what you're thinking to your self. Your thinking, "Pablo, why do I need to crawl the site? Can't I just do an outright scan? Won't that crawl the site first anyway?" Well, the answer to your question is "yes," you can just scan the site, which usually starts with a crawl. But here is the deal, maybe you don't want to be noticed, especially if you are doing a test where stealth is important. Have you ever worked on a blue team and had your email inbox explode with alerts because some jackhole decided to scan your company's website? If so, then you understand why running a full scan might not be desirable (you may also wa
Read more

OWASP ZAP Tutorial - Part 1: Intercepting Traffic

-
Image
So you want to use OWASP's Zed Attack Proxy to intercept web requests and responses, but you don't know where to start. ZAP isn't quite as pretty as Burp and there isn't even a proxy tab that you can use to intercept traffic and monkey with the parameters! What is the deal!? OK, OK, OK, just take a chill pill there my friend. Although ZAP is a little different from Burp, I think you will find that it is just as useful, and in some cases perhaps more so. Let's jump in with a little exercise that will help you figure out the basics of this often overlooked gem. Before going any further, I am going to take a moment to warn you about testing web applications without permission; don't do it. Testing a site that is not yours is what a friend of mine has referred to as a "non-extradition country career choice" (thanks Adrien de Beupre). Equador is a lovely country, but you probably don't want to live there. Manually Intercepting HTTP Requests and
Read more

OWASP ZAP Tutorial - Part 3: Scanning

-
Image
Good day, eh. Welcome to Part 3. In this post, we will spend a little time walking through how to perform active scanning with ZAP. I'm gonna level with you, this is probably the easiest part of workin with ZAP, but it is also the most perilous. Web scanners have taken down sites, and if the scope isn't configured properly you could find yourself winning an extended stay at Club Fed (located in beautiful Leavenworth, Kansas). As always, don't scan stuff that isn't yours or that you don't have permission to scan. Got it? Good. Let's move forward. As you may or may not know, OWASP ZAP can perform two different levels of scanning: passive scanning and active scanning. Our tutorial will focus on active scanning, but I think it is worthwhile to have a brief discussion about passive scanning. Passive scanning is the scanning that takes place when ZAP is interacting with a web application through any other process other than an active scan. What this means is that
Read more