diff --git a/JUICESHOP_README.md b/JUICESHOP_README.md new file mode 100644 index 0000000000..f35d9d5019 --- /dev/null +++ b/JUICESHOP_README.md @@ -0,0 +1,321 @@ +# ![Juice Shop Logo](https://raw.githubusercontent.com/juice-shop/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_100px.png) OWASP Juice Shop + +[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-48A646.svg)](https://owasp.org/projects/#sec-flagships) +[![GitHub release](https://img.shields.io/github/release/juice-shop/juice-shop.svg)](https://github.com/juice-shop/juice-shop/releases/latest) +[![Twitter Follow](https://img.shields.io/twitter/follow/owasp_juiceshop.svg?style=social&label=Follow)](https://twitter.com/owasp_juiceshop) +[![Subreddit subscribers](https://img.shields.io/reddit/subreddit-subscribers/owasp_juiceshop?style=social)](https://reddit.com/r/owasp_juiceshop) + +![CI/CD Pipeline](https://github.com/juice-shop/juice-shop/workflows/CI/CD%20Pipeline/badge.svg?branch=master) +[![Test Coverage](https://api.codeclimate.com/v1/badges/6206c8f3972bcc97a033/test_coverage)](https://codeclimate.com/github/juice-shop/juice-shop/test_coverage) +[![Maintainability](https://api.codeclimate.com/v1/badges/6206c8f3972bcc97a033/maintainability)](https://codeclimate.com/github/juice-shop/juice-shop/maintainability) +[![Code Climate technical debt](https://img.shields.io/codeclimate/tech-debt/juice-shop/juice-shop)](https://codeclimate.com/github/juice-shop/juice-shop/trends/technical_debt) +[![Cypress tests](https://img.shields.io/endpoint?url=https://dashboard.cypress.io/badge/simple/3hrkhu/master&style=flat&logo=cypress)](https://dashboard.cypress.io/projects/3hrkhu/runs) +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/223/badge)](https://www.bestpractices.dev/projects/223) +![GitHub stars](https://img.shields.io/github/stars/juice-shop/juice-shop.svg?label=GitHub%20%E2%98%85&style=flat) +[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md) + +> [The most trustworthy online shop out there.](https://twitter.com/dschadow/status/706781693504589824) +> ([@dschadow](https://github.com/dschadow)) — +> [The best juice shop on the whole internet!](https://twitter.com/shehackspurple/status/907335357775085568) +> ([@shehackspurple](https://twitter.com/shehackspurple)) — +> [Actually the most bug-free vulnerable application in existence!](https://youtu.be/TXAztSpYpvE?t=26m35s) +> ([@vanderaj](https://twitter.com/vanderaj)) — +> [First you 😂😂then you 😢](https://twitter.com/kramse/status/1073168529405472768) +> ([@kramse](https://twitter.com/kramse)) — +> [But this doesn't have anything to do with juice.](https://twitter.com/coderPatros/status/1199268774626488320) +> ([@coderPatros' wife](https://twitter.com/coderPatros)) + +OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security +trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the +entire +[OWASP Top Ten](https://owasp.org/www-project-top-ten) along with many other security flaws found in real-world +applications! + +![Juice Shop Screenshot Slideshow](screenshots/slideshow.gif) + +For a detailed introduction, full list of features and architecture overview please visit the official project page: + + +## Table of contents + +- [Setup](#setup) + - [From Sources](#from-sources) + - [Packaged Distributions](#packaged-distributions) + - [Docker Container](#docker-container) + - [Vagrant](#vagrant) + - [Amazon EC2 Instance](#amazon-ec2-instance) + - [Azure Container Instance](#azure-container-instance) + - [Google Compute Engine Instance](#google-compute-engine-instance) + - [Heroku](#heroku) + - [Gitpod](#gitpod) +- [Demo](#demo) +- [Documentation](#documentation) + - [Node.js version compatibility](#nodejs-version-compatibility) + - [Troubleshooting](#troubleshooting) + - [Official companion guide](#official-companion-guide) +- [Contributing](#contributing) +- [References](#references) +- [Merchandise](#merchandise) +- [Donations](#donations) +- [Contributors](#contributors) +- [Licensing](#licensing) + +## Setup + +> You can find some less common installation variations in +> [the _Running OWASP Juice Shop_ documentation](https://pwning.owasp-juice.shop/companion-guide/latest/part1/running.html). + +### From Sources + +![GitHub repo size](https://img.shields.io/github/repo-size/juice-shop/juice-shop.svg) + +1. Install [node.js](#nodejs-version-compatibility) +2. Run `git clone https://github.com/juice-shop/juice-shop.git --depth 1` (or + clone [your own fork](https://github.com/juice-shop/juice-shop/fork) + of the repository) +3. Go into the cloned folder with `cd juice-shop` +4. Run `npm install` (only has to be done before first start or when you change the source code) +5. Run `npm start` +6. Browse to + +### Packaged Distributions + +[![GitHub release](https://img.shields.io/github/downloads/juice-shop/juice-shop/total.svg)](https://github.com/juice-shop/juice-shop/releases/latest) +[![SourceForge](https://img.shields.io/sourceforge/dm/juice-shop?label=sourceforge%20downloads)](https://sourceforge.net/projects/juice-shop/) +[![SourceForge](https://img.shields.io/sourceforge/dt/juice-shop?label=sourceforge%20downloads)](https://sourceforge.net/projects/juice-shop/) + +1. Install a 64bit [node.js](#nodejs-version-compatibility) on your Windows, MacOS or Linux machine +2. Download `juice-shop-___x64.zip` (or + `.tgz`) attached to + [latest release](https://github.com/juice-shop/juice-shop/releases/latest) +3. Unpack and `cd` into the unpacked folder +4. Run `npm start` +5. Browse to + +> Each packaged distribution includes some binaries for `sqlite3` and +> `libxmljs` bound to the OS and node.js version which `npm install` was +> executed on. + +### Docker Container + +[![Docker Pulls](https://img.shields.io/docker/pulls/bkimminich/juice-shop.svg)](https://hub.docker.com/r/bkimminich/juice-shop) +![Docker Stars](https://img.shields.io/docker/stars/bkimminich/juice-shop.svg) +[![](https://images.microbadger.com/badges/image/bkimminich/juice-shop.svg)](https://microbadger.com/images/bkimminich/juice-shop +"Get your own image badge on microbadger.com") +[![](https://images.microbadger.com/badges/version/bkimminich/juice-shop.svg)](https://microbadger.com/images/bkimminich/juice-shop +"Get your own version badge on microbadger.com") + +1. Install [Docker](https://www.docker.com) +2. Run `docker pull bkimminich/juice-shop` +3. Run `docker run --rm -p 3000:3000 bkimminich/juice-shop` +4. Browse to (on macOS and Windows browse to + if you are using docker-machine instead of the native docker installation) + +### Vagrant + +1. Install [Vagrant](https://www.vagrantup.com/downloads.html) and + [Virtualbox](https://www.virtualbox.org/wiki/Downloads) +2. Run `git clone https://github.com/juice-shop/juice-shop.git` (or + clone [your own fork](https://github.com/juice-shop/juice-shop/fork) + of the repository) +3. Run `cd vagrant && vagrant up` +4. Browse to [192.168.56.110](http://192.168.56.110) + +### Amazon EC2 Instance + +1. In the _EC2_ sidenav select _Instances_ and click _Launch Instance_ +2. In _Step 1: Choose an Amazon Machine Image (AMI)_ choose an _Amazon Linux AMI_ or _Amazon Linux 2 AMI_ +3. In _Step 3: Configure Instance Details_ unfold _Advanced Details_ and copy the script below into _User Data_ +4. In _Step 6: Configure Security Group_ add a _Rule_ that opens port 80 for HTTP +5. Launch your instance +6. Browse to your instance's public DNS + +``` +#!/bin/bash +yum update -y +yum install -y docker +service docker start +docker pull bkimminich/juice-shop +docker run -d -p 80:3000 bkimminich/juice-shop +``` + +### Azure Container Instance + +1. Open and login (via `az login`) to your + [Azure CLI](https://azure.github.io/projects/clis/) **or** login to the [Azure Portal](https://portal.azure.com), + open the _CloudShell_ + and then choose _Bash_ (not PowerShell). +2. Create a resource group by running `az group create --name --location ` +3. Create a new container by + running `az container create --resource-group --name --image bkimminich/juice-shop --dns-name-label --ports 3000 --ip-address public` +4. Your container will be available at `http://..azurecontainer.io:3000` + +### Google Compute Engine Instance + +1. Login to the Google Cloud Console and + [open Cloud Shell](https://console.cloud.google.com/home/dashboard?cloudshell=true). +2. Launch a new GCE instance based on the juice-shop container. Take note of the `EXTERNAL_IP` provided in the output. + +``` +gcloud compute instances create-with-container owasp-juice-shop-app --container-image bkimminich/juice-shop +``` + +3. Create a firewall rule that allows inbound traffic to port 3000 + +``` +gcloud compute firewall-rules create juice-rule --allow tcp:3000 +``` + +4. Your container is now running and available at + `http://:3000/` + +### Heroku + +1. [Sign up to Heroku](https://signup.heroku.com/) and + [log in to your account](https://id.heroku.com/login) +2. Click the button below and follow the instructions + +[![Deploy](https://www.herokucdn.com/deploy/button.svg)](https://heroku.com/deploy) + +If you have forked the Juice Shop repository on GitHub, the _Deploy to +Heroku_ button will deploy your forked version of the application. + +## Demo + +Feel free to have a look at the latest version of OWASP Juice Shop: + + +> This is a deployment-test and sneak-peek instance only! You are __not +> supposed__ to use this instance for your own hacking endeavours! No +> guaranteed uptime! Guaranteed stern looks if you break it! + +## Documentation + +### Node.js version compatibility + +![GitHub package.json dynamic](https://img.shields.io/github/package-json/cpu/bkimminich/juice-shop) +![GitHub package.json dynamic](https://img.shields.io/github/package-json/os/bkimminich/juice-shop) + +OWASP Juice Shop officially supports the following versions of +[node.js](http://nodejs.org) in line with the official +[node.js LTS schedule](https://github.com/nodejs/LTS) as close as possible. Docker images and packaged distributions are +offered accordingly. + +| node.js | Supported | Tested | [Packaged Distributions](#packaged-distributions) | [Docker images](#docker-container) from `master` | [Docker images](#docker-container) from `develop` | +|:--------|:------------------------|:----------------------------------------------------------|:--------------------------------------------------|:-------------------------------------------------|:--------------------------------------------------| +| 22.x | :x: | :x: | | | | +| 21.x | ( :heavy_check_mark: ) | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | | | +| 20.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | `latest` (`linux/amd64`, `linux/arm64`) | `snapshot` (`linux/amd64`, `linux/arm64`) | +| 20.6.0 | :x: | :bug: https://github.com/angular/angular-cli/issues/25782 | | | | +| 19.x | ( :heavy_check_mark: ) | :x: | | | | +| 18.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | | | +| <18.x | :x: | :x: | | | | + +Juice Shop is automatically tested _only on the latest `.x` minor version_ of each node.js version mentioned above! +There is no guarantee that older minor node.js releases will always work with Juice Shop! +Please make sure you stay up to date with your chosen version. + +### Troubleshooting + +[![Gitter](http://img.shields.io/badge/gitter-join%20chat-1dce73.svg)](https://gitter.im/bkimminich/juice-shop) + +If you need help with the application setup please check our +[our existing _Troubleshooting_](https://pwning.owasp-juice.shop/appendix/troubleshooting.html) +guide. If this does not solve your issue please post your specific problem or question in the +[Gitter Chat](https://gitter.im/bkimminich/juice-shop) where community members can best try to help you. + +:stop_sign: **Please avoid opening GitHub issues for support requests or questions!** + +### Official companion guide + +[![Write Goodreads Review](https://img.shields.io/badge/goodreads-write%20review-49557240.svg)](https://www.goodreads.com/review/edit/49557240) + +OWASP Juice Shop comes with an official companion guide eBook. It will give you a complete overview of all +vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even +find complete step-by-step solutions to every challenge. Extensive documentation of +[custom re-branding](https://pwning.owasp-juice.shop/part1/customization.html), +[CTF-support](https://pwning.owasp-juice.shop/part1/ctf.html), +[trainer's guide](https://pwning.owasp-juice.shop/appendix/trainers.html) +and much more is also included. + +[Pwning OWASP Juice Shop](https://leanpub.com/juice-shop) is published under +[CC BY-NC-ND 4.0](https://creativecommons.org/licenses/by-nc-nd/4.0/) +and is available **for free** in PDF, Kindle and ePub format on LeanPub. You can also +[browse the full content online](https://pwning.owasp-juice.shop)! + +[Pwning OWASP Juice Shop cover](https://leanpub.com/juice-shop) +[Pwning OWASP Juice Shop back cover](https://leanpub.com/juice-shop) + +## Contributing + +[![GitHub contributors](https://img.shields.io/github/contributors/bkimminich/juice-shop.svg)](https://github.com/juice-shop/juice-shop/graphs/contributors) +[![JavaScript Style Guide](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/) +[![Crowdin](https://d322cqt584bo4o.cloudfront.net/owasp-juice-shop/localized.svg)](https://crowdin.com/project/owasp-juice-shop) +![GitHub issues by-label](https://img.shields.io/github/issues/bkimminich/juice-shop/help%20wanted.svg) +![GitHub issues by-label](https://img.shields.io/github/issues/bkimminich/juice-shop/good%20first%20issue.svg) + +We are always happy to get new contributors on board! Please check +[CONTRIBUTING.md](CONTRIBUTING.md) to learn how to +[contribute to our codebase](CONTRIBUTING.md#code-contributions) or the +[translation into different languages](CONTRIBUTING.md#i18n-contributions)! + +## References + +Did you write a blog post, magazine article or do a podcast about or mentioning OWASP Juice Shop? Or maybe you held or +joined a conference talk or meetup session, a hacking workshop or public training where this project was mentioned? + +Add it to our ever-growing list of [REFERENCES.md](REFERENCES.md) by forking and opening a Pull Request! + +## Merchandise + +* On [Spreadshirt.com](http://shop.spreadshirt.com/juiceshop) and + [Spreadshirt.de](http://shop.spreadshirt.de/juiceshop) you can get some swag (Shirts, Hoodies, Mugs) with the official + OWASP Juice Shop logo +* On + [StickerYou.com](https://www.stickeryou.com/products/owasp-juice-shop/794) + you can get variants of the OWASP Juice Shop logo as single stickers to decorate your laptop with. They can also print + magnets, iron-ons, sticker sheets and temporary tattoos. + +The most honorable way to get some stickers is to +[contribute to the project](https://pwning.owasp-juice.shop/part3/contribution.html) +by fixing an issue, finding a serious bug or submitting a good idea for a new challenge! + +We're also happy to supply you with stickers if you organize a meetup or conference talk where you use or talk about or +hack the OWASP Juice Shop! Just +[contact the mailing list](mailto:owasp_juice_shop_project@lists.owasp.org) +or [the project leader](mailto:bjoern.kimminich@owasp.org) to discuss your plans! + +## Donations + +[![](https://img.shields.io/badge/support-owasp%20juice%20shop-blue)](https://owasp.org/donate/?reponame=www-project-juice-shop&title=OWASP+Juice+Shop) + +The OWASP Foundation gratefully accepts donations via Stripe. Projects such as Juice Shop can then request reimbursement +for expenses from the Foundation. If you'd like to express your support of the Juice Shop project, please make sure to +tick the "Publicly list me as a supporter of OWASP Juice Shop" checkbox on the donation form. You can find our more +about donations and how they are used here: + + + +## Contributors + +The OWASP Juice Shop core project team are: + +- [Björn Kimminich](https://github.com/bkimminich) aka `bkimminich` + ([Project Leader](https://www.owasp.org/index.php/Projects/Project_Leader_Responsibilities)) + [![Keybase PGP](https://img.shields.io/keybase/pgp/bkimminich)](https://keybase.io/bkimminich) +- [Jannik Hollenbach](https://github.com/J12934) aka `J12934` +- [Timo Pagel](https://github.com/wurstbrot) aka `wurstbrot` +- [Shubham Palriwala](https://github.com/ShubhamPalriwala) aka `ShubhamPalriwala` + +For a list of all contributors to the OWASP Juice Shop please visit our +[HALL_OF_FAME.md](HALL_OF_FAME.md). + +## Licensing + +[![license](https://img.shields.io/github/license/bkimminich/juice-shop.svg)](LICENSE) + +This program is free software: you can redistribute it and/or modify it under the terms of the [MIT license](LICENSE). +OWASP Juice Shop and any contributions are Copyright © by Bjoern Kimminich & the OWASP Juice Shop contributors +2014-2023. + +![Juice Shop Logo](https://raw.githubusercontent.com/bkimminich/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_400px.png) diff --git a/README.md b/README.md index f35d9d5019..66cbcc8d29 100644 --- a/README.md +++ b/README.md @@ -1,321 +1,86 @@ -# ![Juice Shop Logo](https://raw.githubusercontent.com/juice-shop/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_100px.png) OWASP Juice Shop +*[original Juice Shop readme](./JUICESHOP_README.md)* -[![OWASP Flagship](https://img.shields.io/badge/owasp-flagship%20project-48A646.svg)](https://owasp.org/projects/#sec-flagships) -[![GitHub release](https://img.shields.io/github/release/juice-shop/juice-shop.svg)](https://github.com/juice-shop/juice-shop/releases/latest) -[![Twitter Follow](https://img.shields.io/twitter/follow/owasp_juiceshop.svg?style=social&label=Follow)](https://twitter.com/owasp_juiceshop) -[![Subreddit subscribers](https://img.shields.io/reddit/subreddit-subscribers/owasp_juiceshop?style=social)](https://reddit.com/r/owasp_juiceshop) +# Snyk Juice Shop -![CI/CD Pipeline](https://github.com/juice-shop/juice-shop/workflows/CI/CD%20Pipeline/badge.svg?branch=master) -[![Test Coverage](https://api.codeclimate.com/v1/badges/6206c8f3972bcc97a033/test_coverage)](https://codeclimate.com/github/juice-shop/juice-shop/test_coverage) -[![Maintainability](https://api.codeclimate.com/v1/badges/6206c8f3972bcc97a033/maintainability)](https://codeclimate.com/github/juice-shop/juice-shop/maintainability) -[![Code Climate technical debt](https://img.shields.io/codeclimate/tech-debt/juice-shop/juice-shop)](https://codeclimate.com/github/juice-shop/juice-shop/trends/technical_debt) -[![Cypress tests](https://img.shields.io/endpoint?url=https://dashboard.cypress.io/badge/simple/3hrkhu/master&style=flat&logo=cypress)](https://dashboard.cypress.io/projects/3hrkhu/runs) -[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/223/badge)](https://www.bestpractices.dev/projects/223) -![GitHub stars](https://img.shields.io/github/stars/juice-shop/juice-shop.svg?label=GitHub%20%E2%98%85&style=flat) -[![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md) +This is a vulnerable by design repository for demonstrating Snyk Insights. Do not deploy this in production. -> [The most trustworthy online shop out there.](https://twitter.com/dschadow/status/706781693504589824) -> ([@dschadow](https://github.com/dschadow)) — -> [The best juice shop on the whole internet!](https://twitter.com/shehackspurple/status/907335357775085568) -> ([@shehackspurple](https://twitter.com/shehackspurple)) — -> [Actually the most bug-free vulnerable application in existence!](https://youtu.be/TXAztSpYpvE?t=26m35s) -> ([@vanderaj](https://twitter.com/vanderaj)) — -> [First you 😂😂then you 😢](https://twitter.com/kramse/status/1073168529405472768) -> ([@kramse](https://twitter.com/kramse)) — -> [But this doesn't have anything to do with juice.](https://twitter.com/coderPatros/status/1199268774626488320) -> ([@coderPatros' wife](https://twitter.com/coderPatros)) +## Step 0: Prepare Demo Environemnt -OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security -trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the -entire -[OWASP Top Ten](https://owasp.org/www-project-top-ten) along with many other security flaws found in real-world -applications! +### Install Tools -![Juice Shop Screenshot Slideshow](screenshots/slideshow.gif) +- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) +- [helm](https://helm.sh/docs/intro/install/) +- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) -For a detailed introduction, full list of features and architecture overview please visit the official project page: - +### Fork & Import -## Table of contents +Fork this repository and import it in a new or existing org. -- [Setup](#setup) - - [From Sources](#from-sources) - - [Packaged Distributions](#packaged-distributions) - - [Docker Container](#docker-container) - - [Vagrant](#vagrant) - - [Amazon EC2 Instance](#amazon-ec2-instance) - - [Azure Container Instance](#azure-container-instance) - - [Google Compute Engine Instance](#google-compute-engine-instance) - - [Heroku](#heroku) - - [Gitpod](#gitpod) -- [Demo](#demo) -- [Documentation](#documentation) - - [Node.js version compatibility](#nodejs-version-compatibility) - - [Troubleshooting](#troubleshooting) - - [Official companion guide](#official-companion-guide) -- [Contributing](#contributing) -- [References](#references) -- [Merchandise](#merchandise) -- [Donations](#donations) -- [Contributors](#contributors) -- [Licensing](#licensing) - -## Setup - -> You can find some less common installation variations in -> [the _Running OWASP Juice Shop_ documentation](https://pwning.owasp-juice.shop/companion-guide/latest/part1/running.html). - -### From Sources - -![GitHub repo size](https://img.shields.io/github/repo-size/juice-shop/juice-shop.svg) - -1. Install [node.js](#nodejs-version-compatibility) -2. Run `git clone https://github.com/juice-shop/juice-shop.git --depth 1` (or - clone [your own fork](https://github.com/juice-shop/juice-shop/fork) - of the repository) -3. Go into the cloned folder with `cd juice-shop` -4. Run `npm install` (only has to be done before first start or when you change the source code) -5. Run `npm start` -6. Browse to - -### Packaged Distributions - -[![GitHub release](https://img.shields.io/github/downloads/juice-shop/juice-shop/total.svg)](https://github.com/juice-shop/juice-shop/releases/latest) -[![SourceForge](https://img.shields.io/sourceforge/dm/juice-shop?label=sourceforge%20downloads)](https://sourceforge.net/projects/juice-shop/) -[![SourceForge](https://img.shields.io/sourceforge/dt/juice-shop?label=sourceforge%20downloads)](https://sourceforge.net/projects/juice-shop/) - -1. Install a 64bit [node.js](#nodejs-version-compatibility) on your Windows, MacOS or Linux machine -2. Download `juice-shop-___x64.zip` (or - `.tgz`) attached to - [latest release](https://github.com/juice-shop/juice-shop/releases/latest) -3. Unpack and `cd` into the unpacked folder -4. Run `npm start` -5. Browse to - -> Each packaged distribution includes some binaries for `sqlite3` and -> `libxmljs` bound to the OS and node.js version which `npm install` was -> executed on. - -### Docker Container - -[![Docker Pulls](https://img.shields.io/docker/pulls/bkimminich/juice-shop.svg)](https://hub.docker.com/r/bkimminich/juice-shop) -![Docker Stars](https://img.shields.io/docker/stars/bkimminich/juice-shop.svg) -[![](https://images.microbadger.com/badges/image/bkimminich/juice-shop.svg)](https://microbadger.com/images/bkimminich/juice-shop -"Get your own image badge on microbadger.com") -[![](https://images.microbadger.com/badges/version/bkimminich/juice-shop.svg)](https://microbadger.com/images/bkimminich/juice-shop -"Get your own version badge on microbadger.com") - -1. Install [Docker](https://www.docker.com) -2. Run `docker pull bkimminich/juice-shop` -3. Run `docker run --rm -p 3000:3000 bkimminich/juice-shop` -4. Browse to (on macOS and Windows browse to - if you are using docker-machine instead of the native docker installation) - -### Vagrant - -1. Install [Vagrant](https://www.vagrantup.com/downloads.html) and - [Virtualbox](https://www.virtualbox.org/wiki/Downloads) -2. Run `git clone https://github.com/juice-shop/juice-shop.git` (or - clone [your own fork](https://github.com/juice-shop/juice-shop/fork) - of the repository) -3. Run `cd vagrant && vagrant up` -4. Browse to [192.168.56.110](http://192.168.56.110) +``` +git clone https://github.com/somerset-inc/juice-shop-goof.git +cd juice-shop +``` -### Amazon EC2 Instance +### Deploy Juice Shop to EKS -1. In the _EC2_ sidenav select _Instances_ and click _Launch Instance_ -2. In _Step 1: Choose an Amazon Machine Image (AMI)_ choose an _Amazon Linux AMI_ or _Amazon Linux 2 AMI_ -3. In _Step 3: Configure Instance Details_ unfold _Advanced Details_ and copy the script below into _User Data_ -4. In _Step 6: Configure Security Group_ add a _Rule_ that opens port 80 for HTTP -5. Launch your instance -6. Browse to your instance's public DNS +In A Cloud Guru create an AWS sandbox environment, then add the following as GitHub Actions Variables: ``` -#!/bin/bash -yum update -y -yum install -y docker -service docker start -docker pull bkimminich/juice-shop -docker run -d -p 80:3000 bkimminich/juice-shop +AWS_ACCESS_KEY_ID +AWS_SECRET_ACCESS_KEY +SNYK_ORG_ID +SNYK_TOKEN ``` -### Azure Container Instance +Edit the [_build_flag](./_build_flag) file to trigger EKS provisioning and Juice Shop deployment. -1. Open and login (via `az login`) to your - [Azure CLI](https://azure.github.io/projects/clis/) **or** login to the [Azure Portal](https://portal.azure.com), - open the _CloudShell_ - and then choose _Bash_ (not PowerShell). -2. Create a resource group by running `az group create --name --location ` -3. Create a new container by - running `az container create --resource-group --name --image bkimminich/juice-shop --dns-name-label --ports 3000 --ip-address public` -4. Your container will be available at `http://..azurecontainer.io:3000` +## Step 1: Deploy the Kubernetes Connector -### Google Compute Engine Instance - -1. Login to the Google Cloud Console and - [open Cloud Shell](https://console.cloud.google.com/home/dashboard?cloudshell=true). -2. Launch a new GCE instance based on the juice-shop container. Take note of the `EXTERNAL_IP` provided in the output. +Create Snyk Service Acount with minimum scope: [docs](https://docs.snyk.io/manage-risk/snyk-apprisk/risk-based-prioritization-for-snyk-apprisk/prioritization-setup/prioritization-setup-kubernetes-connector#step-2-create-a-new-role) +Log into AWS CLI: ``` -gcloud compute instances create-with-container owasp-juice-shop-app --container-image bkimminich/juice-shop +aws configure +aws eks update-kubeconfig --region us-east-1 --name juice-shop-cluster ``` -3. Create a firewall rule that allows inbound traffic to port 3000 - +Add the secret ``` -gcloud compute firewall-rules create juice-rule --allow tcp:3000 +kubectl create secret generic insights-secret --from-literal=snykServiceAccountToken=YOUR_SNYK_TOKEN ``` -4. Your container is now running and available at - `http://:3000/` - -### Heroku - -1. [Sign up to Heroku](https://signup.heroku.com/) and - [log in to your account](https://id.heroku.com/login) -2. Click the button below and follow the instructions - -[![Deploy](https://www.herokucdn.com/deploy/button.svg)](https://heroku.com/deploy) - -If you have forked the Juice Shop repository on GitHub, the _Deploy to -Heroku_ button will deploy your forked version of the application. - -## Demo - -Feel free to have a look at the latest version of OWASP Juice Shop: - - -> This is a deployment-test and sneak-peek instance only! You are __not -> supposed__ to use this instance for your own hacking endeavours! No -> guaranteed uptime! Guaranteed stern looks if you break it! - -## Documentation - -### Node.js version compatibility - -![GitHub package.json dynamic](https://img.shields.io/github/package-json/cpu/bkimminich/juice-shop) -![GitHub package.json dynamic](https://img.shields.io/github/package-json/os/bkimminich/juice-shop) - -OWASP Juice Shop officially supports the following versions of -[node.js](http://nodejs.org) in line with the official -[node.js LTS schedule](https://github.com/nodejs/LTS) as close as possible. Docker images and packaged distributions are -offered accordingly. - -| node.js | Supported | Tested | [Packaged Distributions](#packaged-distributions) | [Docker images](#docker-container) from `master` | [Docker images](#docker-container) from `develop` | -|:--------|:------------------------|:----------------------------------------------------------|:--------------------------------------------------|:-------------------------------------------------|:--------------------------------------------------| -| 22.x | :x: | :x: | | | | -| 21.x | ( :heavy_check_mark: ) | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | | | -| 20.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | `latest` (`linux/amd64`, `linux/arm64`) | `snapshot` (`linux/amd64`, `linux/arm64`) | -| 20.6.0 | :x: | :bug: https://github.com/angular/angular-cli/issues/25782 | | | | -| 19.x | ( :heavy_check_mark: ) | :x: | | | | -| 18.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | | | -| <18.x | :x: | :x: | | | | - -Juice Shop is automatically tested _only on the latest `.x` minor version_ of each node.js version mentioned above! -There is no guarantee that older minor node.js releases will always work with Juice Shop! -Please make sure you stay up to date with your chosen version. - -### Troubleshooting - -[![Gitter](http://img.shields.io/badge/gitter-join%20chat-1dce73.svg)](https://gitter.im/bkimminich/juice-shop) - -If you need help with the application setup please check our -[our existing _Troubleshooting_](https://pwning.owasp-juice.shop/appendix/troubleshooting.html) -guide. If this does not solve your issue please post your specific problem or question in the -[Gitter Chat](https://gitter.im/bkimminich/juice-shop) where community members can best try to help you. - -:stop_sign: **Please avoid opening GitHub issues for support requests or questions!** - -### Official companion guide - -[![Write Goodreads Review](https://img.shields.io/badge/goodreads-write%20review-49557240.svg)](https://www.goodreads.com/review/edit/49557240) - -OWASP Juice Shop comes with an official companion guide eBook. It will give you a complete overview of all -vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even -find complete step-by-step solutions to every challenge. Extensive documentation of -[custom re-branding](https://pwning.owasp-juice.shop/part1/customization.html), -[CTF-support](https://pwning.owasp-juice.shop/part1/ctf.html), -[trainer's guide](https://pwning.owasp-juice.shop/appendix/trainers.html) -and much more is also included. - -[Pwning OWASP Juice Shop](https://leanpub.com/juice-shop) is published under -[CC BY-NC-ND 4.0](https://creativecommons.org/licenses/by-nc-nd/4.0/) -and is available **for free** in PDF, Kindle and ePub format on LeanPub. You can also -[browse the full content online](https://pwning.owasp-juice.shop)! - -[Pwning OWASP Juice Shop cover](https://leanpub.com/juice-shop) -[Pwning OWASP Juice Shop back cover](https://leanpub.com/juice-shop) - -## Contributing - -[![GitHub contributors](https://img.shields.io/github/contributors/bkimminich/juice-shop.svg)](https://github.com/juice-shop/juice-shop/graphs/contributors) -[![JavaScript Style Guide](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/) -[![Crowdin](https://d322cqt584bo4o.cloudfront.net/owasp-juice-shop/localized.svg)](https://crowdin.com/project/owasp-juice-shop) -![GitHub issues by-label](https://img.shields.io/github/issues/bkimminich/juice-shop/help%20wanted.svg) -![GitHub issues by-label](https://img.shields.io/github/issues/bkimminich/juice-shop/good%20first%20issue.svg) - -We are always happy to get new contributors on board! Please check -[CONTRIBUTING.md](CONTRIBUTING.md) to learn how to -[contribute to our codebase](CONTRIBUTING.md#code-contributions) or the -[translation into different languages](CONTRIBUTING.md#i18n-contributions)! - -## References - -Did you write a blog post, magazine article or do a podcast about or mentioning OWASP Juice Shop? Or maybe you held or -joined a conference talk or meetup session, a hacking workshop or public training where this project was mentioned? - -Add it to our ever-growing list of [REFERENCES.md](REFERENCES.md) by forking and opening a Pull Request! - -## Merchandise - -* On [Spreadshirt.com](http://shop.spreadshirt.com/juiceshop) and - [Spreadshirt.de](http://shop.spreadshirt.de/juiceshop) you can get some swag (Shirts, Hoodies, Mugs) with the official - OWASP Juice Shop logo -* On - [StickerYou.com](https://www.stickeryou.com/products/owasp-juice-shop/794) - you can get variants of the OWASP Juice Shop logo as single stickers to decorate your laptop with. They can also print - magnets, iron-ons, sticker sheets and temporary tattoos. - -The most honorable way to get some stickers is to -[contribute to the project](https://pwning.owasp-juice.shop/part3/contribution.html) -by fixing an issue, finding a serious bug or submitting a good idea for a new challenge! - -We're also happy to supply you with stickers if you organize a meetup or conference talk where you use or talk about or -hack the OWASP Juice Shop! Just -[contact the mailing list](mailto:owasp_juice_shop_project@lists.owasp.org) -or [the project leader](mailto:bjoern.kimminich@owasp.org) to discuss your plans! - -## Donations - -[![](https://img.shields.io/badge/support-owasp%20juice%20shop-blue)](https://owasp.org/donate/?reponame=www-project-juice-shop&title=OWASP+Juice+Shop) - -The OWASP Foundation gratefully accepts donations via Stripe. Projects such as Juice Shop can then request reimbursement -for expenses from the Foundation. If you'd like to express your support of the Juice Shop project, please make sure to -tick the "Publicly list me as a supporter of OWASP Juice Shop" checkbox on the donation form. You can find our more -about donations and how they are used here: - - +Add the Helm chart +``` +helm repo add kubernetes-scanner https://snyk.github.io/kubernetes-scanner +helm repo update +``` -## Contributors +Install the chart +``` +helm install insights \ + --set "secretName=insights-secret" \ + --set "config.clusterName=juice-shop-cluster" \ + --set "config.routes[0].organizationID=YOUR_ORG_ID" \ + --set "config.routes[0].clusterScopedResources=true" \ + --set "config.routes[0].namespaces[0]=*" \ + kubernetes-scanner/kubernetes-scanner +``` -The OWASP Juice Shop core project team are: +Run `kubectl get pods` to verify the pod is running. -- [Björn Kimminich](https://github.com/bkimminich) aka `bkimminich` - ([Project Leader](https://www.owasp.org/index.php/Projects/Project_Leader_Responsibilities)) - [![Keybase PGP](https://img.shields.io/keybase/pgp/bkimminich)](https://keybase.io/bkimminich) -- [Jannik Hollenbach](https://github.com/J12934) aka `J12934` -- [Timo Pagel](https://github.com/wurstbrot) aka `wurstbrot` -- [Shubham Palriwala](https://github.com/ShubhamPalriwala) aka `ShubhamPalriwala` +## Step 2: Scan and Tag Container Images -For a list of all contributors to the OWASP Juice Shop please visit our -[HALL_OF_FAME.md](HALL_OF_FAME.md). +Add tags to container images: [see example workflow](./.github/workflows/container-build-and-test.yml#L35). -## Licensing +``` +snyk container monitor your/image:tag --tags="component=pkg:${{ github.repository }}@${{ github.ref_name }}" +snyk container monitor your/image:tag --tags="component=pkg:github/org/repo@branch" +``` -[![license](https://img.shields.io/github/license/bkimminich/juice-shop.svg)](LICENSE) +## Step 3: Tag Open Source and Code projects -This program is free software: you can redistribute it and/or modify it under the terms of the [MIT license](LICENSE). -OWASP Juice Shop and any contributions are Copyright © by Bjoern Kimminich & the OWASP Juice Shop contributors -2014-2023. +Review script at [insights/apply-tags.py](./insights/apply-tags.py). -![Juice Shop Logo](https://raw.githubusercontent.com/bkimminich/juice-shop/master/frontend/src/assets/public/images/JuiceShop_Logo_400px.png) +``` +python3 insights/apply-tags.py --org-id your-org-id --snyk-token your-snyk-token --origin github +``` diff --git a/insights/apply-tags.py b/insights/apply-tags.py new file mode 100644 index 0000000000..8ac22fb851 --- /dev/null +++ b/insights/apply-tags.py @@ -0,0 +1,74 @@ +import requests +from argparse import ArgumentParser + +parser = ArgumentParser() +parser.add_argument("--org-id", dest="org_id", help="your Snyk Org ID", required=True) +parser.add_argument("--snyk-token", dest="snyk_token", help="your Snyk Token", required=True) +parser.add_argument("--origin", dest="origin", help="SCM type. Possible values: github, github-enterprise, azure-repos, bitbucket, gitlab", required=True) + +args = parser.parse_args() + +SNYK_TOKEN = args.snyk_token +ORG_ID = args.org_id +ORIGIN = args.origin + +BASE_URL = "https://api.snyk.io" + +def get_projects_page(next_url): + + # Add "next url" on to the BASE URL + url = BASE_URL + next_url + + headers = { + 'Accept': 'application/vnd.api+json', + 'Authorization': f'token {SNYK_TOKEN}' + } + + return requests.request("GET", url, headers=headers) + +def get_all_projects(): + next_url = f"/rest/orgs/{ORG_ID}/projects?version=2024-03-12&limit=100&origins={ORIGIN}" + + all_projects = [] + + while next_url is not None: + res = get_projects_page(next_url).json() + + if 'links' in res and 'next' in res['links']: + next_url = res['links']['next'] + else: + next_url = None + + # add to list + if 'data' in res: + all_projects.extend(res['data']) + + return all_projects + +def tag_project(project_id, key, value): + url = f'https://api.snyk.io/v1/org/{ORG_ID}/project/{project_id}/tags' + + payload = { + "key": key, + "value": value + } + headers = { + 'Content-Type': 'application/json', + 'Authorization': f'token {SNYK_TOKEN}' + } + + return requests.request("POST", url, headers=headers, json=payload) + +def main(): + projects = get_all_projects() + + for p in projects: + project_id = p['id'] + repo = p['attributes']['name'].split(":")[0].split("(")[0] + branch = p['attributes']['target_reference'] + tag_value = f'pkg:{repo}@{branch}' + + res = tag_project(project_id, 'component', tag_value) + print(res.status_code, project_id, tag_value) + +main() \ No newline at end of file diff --git a/terraform/vpc.tf b/terraform/vpc.tf index ab677eb64b..dea6685e52 100644 --- a/terraform/vpc.tf +++ b/terraform/vpc.tf @@ -14,9 +14,11 @@ module "vpc" { public_subnet_tags = { "kubernetes.io/role/elb" = 1 + "kubernetes.io/cluster/${var.name}" = "shared" } private_subnet_tags = { "kubernetes.io/role/internal-elb" = 1 + "kubernetes.io/cluster/${var.name}" = "shared" } } \ No newline at end of file