Capstone Project: Web Security Audit Using OWASP Juice Shop
Dr EKODECK Stéphane
Academic Year: 2024 – 2025
Objective
The objective of this project is to conduct a security audit of OWASP Juice
Shop, an intentionally vulnerable web application, using a Windows
environment. Students will identify vulnerabilities, evaluate compliance with
data protection principles, and propose actionable solutions to enhance
security.
Project Description
OWASP Juice Shop replicates common vulnerabilities found in real-world
web applications, such as injection flaws, weak authentication, and insecure
cookie configurations. This project involves:
1. Setting up OWASP Juice Shop on a Windows system.
2. Identifying vulnerabilities using browser tools and Juice Shop's built-in
challenges.
3. Documenting findings in a professional report with screenshots.
4. Proposing actionable solutions for the identified risks.
Requirements
Before starting the project, ensure the following tools and software are
installed on your Windows system:
• Docker Desktop for Windows: For running Juice Shop locally.
Download from: https://www.docker.com/products/docker-desktop/.
• Google Chrome or Mozilla Firefox: For accessing Juice Shop
and using developer tools.
• Text Editor: For writing the report (e.g., Microsoft Word or Notepad++).
• Optional Tools:
– Burp Suite Community Edition: To intercept and analyze HTTP traffic.
– Sucuri SiteCheck: For scanning the website.
Setup Instructions for OWASP Juice Shop
Step 1: Install Docker Desktop on Windows
1. Download Docker Desktop from https://www.docker.com/products/docker-desktop/.
2. Follow the installation instructions provided on the website.
3. After installation, launch Docker Desktop and ensure it is running.
Step 2: Pull and Run Juice Shop
1. Open Command Prompt (search for "cmd" in the Start menu).
2. Pull the Juice Shop Docker image by running the following command:

    docker pull bkimminich/juice-shop

3. Start the Juice Shop container using this command:

    docker run -d -p 3000:3000 bkimminich/juice-shop

4. Open your browser and navigate to http://localhost:3000/ to access
Juice Shop.
Step 3: Verify the Setup
• Ensure the Juice Shop homepage loads correctly.
• Test the challenges dashboard by clicking on the Score Board link
in the application.
Audit Steps
Step 1: Analyze the Platform
Explore Juice Shop and identify vulnerabilities. Focus on:
• Login and Authentication:
– Test for weak passwords.
– Attempt to bypass login mechanisms.
• Input Fields:
– Check for injection vulnerabilities (e.g., SQL Injection).
– Try injecting JavaScript to exploit XSS.
• Cookies and Session Management:
– Inspect cookies using browser developer tools.
– Verify whether cookies carry protective flags such as HttpOnly and Secure.
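To make the cookie check above concrete, here is an added example (not part of the assignment and not Juice Shop's own code) that parses Set-Cookie header values as seen in the browser's Network tab and lists the hardening attributes each cookie lacks; the header values it contains are constructed samples, and the SameSite check goes one step beyond the two flags named in the text.

```javascript
// Added example: audit Set-Cookie headers for missing HttpOnly/Secure/SameSite.
// The sample headers below are constructed, not captured from Juice Shop.

const REQUIRED_FLAGS = ["HttpOnly", "Secure"];

// Parse one Set-Cookie header into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? "" : nameValue.slice(eq + 1); // value may contain '='
  const attributes = {};
  for (const attr of attrParts) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Return one finding string per missing protection on a single cookie.
function auditCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  for (const flag of REQUIRED_FLAGS) {
    if (!cookie.attributes[flag.toLowerCase()]) {
      findings.push(`${cookie.name}: missing ${flag}`);
    }
  }
  const sameSite = cookie.attributes["samesite"];
  if (!sameSite || String(sameSite).toLowerCase() === "none") {
    findings.push(`${cookie.name}: SameSite not set to Lax or Strict`);
  }
  return findings;
}

// Audit every Set-Cookie header of a response and collect all findings.
function auditSetCookieHeaders(headers) {
  return headers.flatMap(auditCookie);
}

// Constructed samples: a session cookie set with no protective attributes,
// followed by the hardened form that a proposed fix should produce.
const SAMPLE_HEADERS = [
  "token=abc123; Path=/",
  "token=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
];

for (const finding of auditSetCookieHeaders(SAMPLE_HEADERS)) console.log(finding);
```

Paste the real Set-Cookie values shown for the login response into SAMPLE_HEADERS to reproduce the check against your running instance, and record the output next to the corresponding screenshot in the report.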
Step 2: Evaluate Compliance with Data Protection Regulations
Check the following:
• Presence of a cookie consent banner.
• Availability of a privacy policy.
• Secure handling of sensitive user data.
Step 3: Simulate Attacks
Use developer tools to perform basic simulated attacks:
• Inspect and modify HTTP requests to test for security gaps.
• Identify areas where user input is improperly sanitized.
Deliverables
Security Audit Report
Prepare a structured report with the following sections:
• Introduction:
– Brief description of OWASP Juice Shop.
– Purpose of the audit.
• Findings:
– List of vulnerabilities discovered (e.g., weak passwords, missing cookie flags).
– Screenshots and descriptions of each issue.
• Proposed Solutions:
– Specific recommendations for fixing each vulnerability.
– Suggested tools or configurations (e.g., enabling HttpOnly for cookies).
• Conclusion:
– Summary of key issues and their potential impact.
– Steps for further improving security.
Presentation
Prepare a 10-minute presentation summarizing:
• Key findings from the audit.
• Proposed solutions.
• Visual aids such as screenshots or diagrams.
Evaluation Criteria
• Thoroughness of Audit: Coverage of all key areas (login, cookies, input fields, etc.).
• Accuracy of Findings: Clear and correct identification of vulnerabilities.
• Actionable Solutions: Practicality and effectiveness of proposed fixes.
• Report Quality: Clarity, detail, and organization of the document.
• Presentation Quality: Professionalism, clarity, and use of visuals.
Conclusion
By completing this project, students will gain hands-on experience with
web security concepts relevant to digital marketing platforms. They will
learn to identify vulnerabilities, evaluate risks, and implement solutions to
enhance platform security.