OWASP: Open Worldwide Application Security Project
In this post, we will look at what OWASP is and at four of its main projects: WebGoat, Juice Shop, ZAP and the OWASP Top Ten.
Introduction
Source: owasp.org
The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Our programming includes:
- Community-led open source projects including code, documentation, and standards
- Over 250+ local chapters worldwide
- Tens of thousands of members
- Industry-leading educational and training conferences
OWASP Top Ten
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
WebGoat
WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.
Web application security is difficult to learn and practice. Not many people have full blown web applications like online book stores or online banks that can be used to scan for vulnerabilities. In addition, security professionals frequently need to test tools against a platform known to be vulnerable to ensure that they perform as advertised. All of this needs to happen in a safe and legal environment.
Even if your intentions are good, we believe you should never attempt to find vulnerabilities without permission. The primary goal of the WebGoat project is simple: create a de-facto interactive teaching environment for web application security. In the future, the project team hopes to extend WebGoat into becoming a security benchmarking platform and a Java-based Web site Honeypot.
Juice Shop
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
ZAP
Zed Attack Proxy (ZAP), formerly known as OWASP ZAP, is a free, open-source penetration testing tool maintained under the umbrella of The Software Security Project (SSP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
At its core, ZAP is what is known as a “man-in-the-middle proxy.” It sits between the tester’s browser and the web application so that it can intercept and inspect the HTTP messages exchanged between them, modify them if needed, and then forward them on to their destination. For HTTPS targets this only works once the browser trusts the root CA certificate that ZAP generates for itself on first start (you export it from ZAP and import it into the browser); otherwise the browser just reports a certificate error. ZAP can be used as a stand-alone desktop application and as a daemon process driven through its REST API.
Let’s Get Started!
- Install a JRE, download the WebGoat jar file and run it. WebGoat 2023.x needs Java 17 or newer, so check java -version after installing: on an older Ubuntu release default-jre still pulls in Java 11, in which case install openjdk-17-jre instead. Optionally, you could place the java command in a shell script. I did.
devendrashirbad@dz-owasp:~/owasp$ sudo apt install default-jre
devendrashirbad@dz-owasp:~/owasp$ wget https://github.com/WebGoat/WebGoat/releases/download/v2023.8/webgoat-2023.8.jar
devendrashirbad@dz-owasp:~/owasp$ nano webgoat-start.sh
devendrashirbad@dz-owasp:~/owasp$ cat webgoat-start.sh
java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.8.jar
devendrashirbad@dz-owasp:~/owasp$ chmod +x webgoat-start.sh
devendrashirbad@dz-owasp:~/owasp$ ./webgoat-start.sh
WebGoat is then reachable at http://localhost:8080/WebGoat and WebWolf at http://localhost:9090/WebWolf. Both are vulnerable by design: run them on a lab VM and do not expose those ports to a shared network.
- Install Node.js with nvm (Node Version Manager), then download the Juice Shop release and run it with npm (the Node package manager). nvm and npm are two different beasts. The nvm installer only adds nvm to your shell profile, so the nvm command is not available in the same session until you source ~/.nvm/nvm.sh or open a new shell. install.sh is a script pulled straight off the internet and executed with your privileges, so read it before running it.
devendrashirbad@dz-owasp:~/owasp$ wget https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh
devendrashirbad@dz-owasp:~/owasp$ chmod +x install.sh
devendrashirbad@dz-owasp:~/owasp$ ./install.sh
devendrashirbad@dz-owasp:~/owasp$ source ~/.nvm/nvm.sh
devendrashirbad@dz-owasp:~/owasp$ nvm install 20
devendrashirbad@dz-owasp:~/owasp$ node -v
devendrashirbad@dz-owasp:~/owasp$ npm -v
devendrashirbad@dz-owasp:~/owasp$ wget https://github.com/juice-shop/juice-shop/releases/download/v17.1.0/juice-shop-17.1.0_node20_linux_x64.tgz
devendrashirbad@dz-owasp:~/owasp$ tar -xvf juice-shop-17.1.0_node20_linux_x64.tgz
devendrashirbad@dz-owasp:~/owasp$ mv juice-shop_17.1.0 juice-shop
devendrashirbad@dz-owasp:~/owasp$ cd juice-shop/
devendrashirbad@dz-owasp:~/owasp/juice-shop$ npm start
Juice Shop listens on http://localhost:3000 by default. Like WebGoat, it is deliberately vulnerable, so keep it on the lab host only.
- Install ZAP with snap.
devendrashirbad@dz-owasp:~/owasp$ sudo snap install zaproxy --classic
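The steps above are typed one at a time; the script below is an added example (not code from this post or from the WebGoat, Juice Shop or ZAP projects) that ties them together: it checks the Java and Node prerequisites, starts both vulnerable targets, and then drives ZAP in the daemon mode mentioned in the ZAP section through its REST API instead of the desktop UI. Everything it assumes beyond the post is labelled in the comments: the directory layout under $LAB_DIR, Java 17+ for WebGoat 2023.x, Juice Shop on its default port 3000, and that the zaproxy snap exposes a zaproxy command taking the same -daemon/-port/-config flags as zap.sh. The two small helper functions (java_major, zap_json_field) are pure text parsing and can be exercised on constructed strings without any of the tools installed.

```shell
#!/usr/bin/env bash
# owasp-lab.sh: preflight checks, start WebGoat and Juice Shop, then drive ZAP headlessly.
# Added example, not code from the post or from the WebGoat/Juice Shop/ZAP projects.
# Assumptions not stated in the post: the post's layout under $LAB_DIR (webgoat-2023.8.jar
# and juice-shop/), WebGoat 2023.x requiring Java 17+, Juice Shop on its default port 3000,
# and the zaproxy snap exposing a 'zaproxy' command that accepts zap.sh's -daemon flags.
set -u

LAB_DIR="${LAB_DIR:-$HOME/owasp}"
ZAP_PORT="${ZAP_PORT:-8090}"
# Random per-run API key: ZAP refuses state-changing API calls without one.
ZAP_KEY="${ZAP_KEY:-$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')}"

# Major Java version from the first line of 'java -version'.
# Handles both schemes: 'openjdk version "17.0.9"' -> 17 and 'java version "1.8.0_392"' -> 8
java_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\).*/\1/p' | head -n1)
  case "$v" in
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;   # legacy 1.x numbering (Java 8 and older)
    *)   printf '%s\n' "$v" | cut -d. -f1 ;;
  esac
}

# Pull one quoted string field out of ZAP's flat JSON replies without needing jq.
# zap_json_field '{"scan":"0"}' scan -> 0
zap_json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p" | head -n1
}

# Poll until an HTTP endpoint answers at all (any status code), up to $2 seconds.
wait_for_url() {
  i=0
  while [ "$i" -lt "${2:-120}" ]; do
    curl -s -o /dev/null "$1" && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}

preflight() {
  jv=$(java -version 2>&1 | head -n1)          # java prints its version on stderr
  if [ "$(java_major "$jv")" -lt 17 ]; then
    echo "WebGoat 2023.x needs Java 17+, found: $jv" >&2; return 1
  fi
  # nvm is a shell function, so a fresh shell has no node until ~/.nvm/nvm.sh is sourced.
  command -v node >/dev/null 2>&1 || { echo "node not found; run: . ~/.nvm/nvm.sh" >&2; return 1; }
}

start_targets() {
  # Both apps are vulnerable by design: lab host only, ports never exposed to shared networks.
  (cd "$LAB_DIR" && nohup java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 \
      -jar webgoat-2023.8.jar >webgoat.log 2>&1 &)
  (cd "$LAB_DIR/juice-shop" && nohup npm start >../juice-shop.log 2>&1 &)
  wait_for_url http://127.0.0.1:8080/WebGoat/login 180 || { echo "WebGoat did not start" >&2; return 1; }
  wait_for_url http://127.0.0.1:3000/ 180 || { echo "Juice Shop did not start" >&2; return 1; }
}

# Spider + active scan of $1 through a daemon-mode ZAP, then print the alert counts per risk level.
zap_scan() {
  target="$1"; api="http://127.0.0.1:${ZAP_PORT}/JSON"
  nohup zaproxy -daemon -host 127.0.0.1 -port "$ZAP_PORT" -config "api.key=${ZAP_KEY}" \
      >"$LAB_DIR/zap.log" 2>&1 &
  wait_for_url "$api/core/view/version/?apikey=${ZAP_KEY}" 120 || { echo "ZAP API not up" >&2; return 1; }
  id=$(zap_json_field "$(curl -s "$api/spider/action/scan/?apikey=${ZAP_KEY}&url=${target}")" scan)
  # An error reply carries no "scan" field; without this guard the poll below would spin forever.
  [ -n "$id" ] || { echo "spider did not start (bad API key or address not permitted?)" >&2; return 1; }
  until [ "$(zap_json_field "$(curl -s "$api/spider/view/status/?apikey=${ZAP_KEY}&scanId=${id}")" status)" = 100 ]; do
    sleep 2
  done
  id=$(zap_json_field "$(curl -s "$api/ascan/action/scan/?apikey=${ZAP_KEY}&url=${target}")" scan)
  [ -n "$id" ] || { echo "active scan did not start" >&2; return 1; }
  until [ "$(zap_json_field "$(curl -s "$api/ascan/view/status/?apikey=${ZAP_KEY}&scanId=${id}")" status)" = 100 ]; do
    sleep 5
  done
  curl -s "$api/core/view/alertsSummary/?apikey=${ZAP_KEY}&baseurl=${target}"; echo
}

# Only act when invoked as './owasp-lab.sh run'; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then
  preflight && start_targets && zap_scan http://127.0.0.1:3000
fi
```

Run it as ./owasp-lab.sh run from the directory layout used above. The final reply is the alertsSummary view, i.e. counts of High/Medium/Low/Informational alerts for the target; the individual findings are available from the core/view/alerts endpoint or, since the daemon keeps its session, by opening the same session in the ZAP desktop UI afterwards. Because only loopback addresses may talk to the ZAP API by default and the key is random per run, another user on the same host cannot hijack the scanner while it is running.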