OWASP Juice Shop 2023 achievements and beyond
Tuesday, October 10, 2023
OWASP Juice Shop had a great year in 2023! Two successful GSoC projects, a brand-new Score Board, MultiJuicer joining the project scope and much more! Read on to learn all about this as well as the team’s plans for the 10th anniversary of OWASP Juice Shop in 2024!
The brand new Score Board
If you are an early-day Juice Shop user, you might remember that the challenge Score Board was pretty simplistic back in the day. With more and more challenges came the need to categorize and tag them as well as introduce more difficulty levels. This, and a growing number of additional features - from coding challenges to local progress backups - led to an ever more complicated and convoluted Score Board UI and accordingly a decrease in user experience. What increased meanwhile, was the loading time of the Score Board. A bad combination. Instead of fixing the existing Score Board, the team decided to start with a clean slate. The visually and UX-wise stunning result can be seen in the screenshot below:
This was made possible thanks to a professional UI/UX design contract generously funded by the OWASP Foundation. Vibhuti Arora created an awesome tile-style new layout in multiple fast-feedback iterations with the Juice Shop core team. Already during the design phase, core team member Jannik Hollenbach tirelessly worked on the implementation of the design, which has been available since OWASP Juice Shop v15.1.0 as a preview with the ability to switch between old and new layout.
Instead of fixing the existing Score Board, the team decided to start with a clean slate.
With the next major release v16.0.0 the new Score Board will become the default, while still allowing to switch back to the old look & feel - although I do not see any good reasons to do so. The major release v17.0.0 is then planned for retiring the old Score Board from the application entirely.
Google Summer of Code 2023
Juice Shop participated in Google Summer of Code for the 6th year in a row under the umbrella of the OWASP Foundation. This year, we had two projects in parallel, supported by 3 mentors from the core team.
Web3 challenges
Shubham and I mentored Rishabh Keshan with Hacking the Blockchain: Building Web3 Challenges for OWASP Juice Shop, which added a suite of 4 brand new Web3-related hacking challenges. They cover a range of ⭐ to ⭐⭐⭐⭐⭐⭐ difficulty and are about finding a Smart Contract sandbox accidentally deployed in production, taking over a Soul-Bound Token (a unique kind of NFT), depleting a user’s Ethereum wallet, and minting enough tokens from a faucet to get the cute honey pot NFT shown below:
You can think about the sustainability and long-term usefulness of Web3 technologies what you like, but it is undeniable that these introduce some new challenges and significant risks into the overall application development stack. Therefore, Juice Shop decided to bring this new roster of challenges into the mix, but without inventing an unnecessary new vulnerability category: The Web3 challenges all boil down to well-known problems in security design, access control etc. The complexity to find the vulnerabilities comes more from the decentralized nature of Web3. All the new challenges were released in OWASP Juice Shop v15.1.0 and they are currently being augmented with multiple Coding Challenges to make them even more educative.
Juice Shop participated in Google Summer of Code for the 6th year in a row under the umbrella of the OWASP Foundation.
New eBook tech stack
The second project this year was all about renovating the companion guide of the project. Jannik, Shubham and I mentored Parth Nanda during his full conversion of the Markdown/Gitbook-based guide, into a much more sophisticated, modern and feature-rich AsciiDoc/Antora stack. The benefits of the Companion Guide Tech Stack project include a massively improved chapter- and section-navigation in the online-version of the guide via the left and right sidebars as seen in the screenshot below. We also significantly enhanced the overall reader experience, especially when it comes to wider content tables and code snippets. Antora also supports publishing multiple versions of the guide in parallel. We now have guide for the current Juice Shop release (latest) as well as the version for the upcoming release (snapshot) available at all times. You can switch between versions via the dropdown at the bottom left of the online guide, as seen in the screenshot below:
But Parth’s GSoC project did not only cover the online version of the companion guide, but also completely renewed the generator for the PDF and EPUB versions, which are still available for free on LeanPub!
MultiJuicer joins the OWASP Juice Shop project
The final achievement of 2023 that I’d like to highlight, doesn’t involve any new features, challenges, or technology. It is about the strategic decision to embrace MultiJuicer in the OWASP Juice Shop’s project scope. MultiJuicer started in 2019 - back then under the name “JuicyCTF” which was later changed into “MultiJuicer” to avoid confusion with the already existing Juice Shop CTF Extension subproject. MultiJuicer was an independently developed open source project created by Jannik and other developers at iteratec GmbH. It’s mission:
MultiJuicer gives you the ability to run separate Juice Shop instances for every participant on a central kubernetes cluster, to run events without the need for local Juice Shop instances.
The project was big success as it makes running CTFs as well as exercise environments for trainings and lectures much less of a headache. Apart from just spinning up instances, it also takes care of isolation between those instances, so different teams cannot mess with each other’s hacking progress:
In May 2023, iteratec donated the project to the OWASP Foundation by adding it to the OWASP Juice Shop scope and moved it into the central GitHub organization https://github.com/juice-shop. This might not seem like a big deal at first glance, but it has more impact than you might think. MultiJuicer was already successful on its own, but coming under the OWASP umbrella makes it obviously more visible to the overall community.
It just made sense to join the existing OWASP Juice Shop Flagship project.
MultiJuicer could also have signed up for becoming a separate OWASP Incubator project. But with its tight coupling to the Juice Shop (as a specialized hosting platform) it just made sense to join the existing OWASP Juice Shop Flagship project in terms of reduced overhead, community exposure, name recognition and positive track record of doing Google Summer of Code projects. You can be sure, that in 2024, we will try to find a student who will do a GSoC project in MultiJuicer!
Call for ideas: Juice Shop’s 10th anniversary
I would like to close this article with a humble request to you, dear reader: In October 2024 the OWASP Juice Shop will celebrate its 10th anniversary! The core team is currently collecting its own ideas to make this a truly extravagant year with many cool features and events around everyone’s favorite vulnerable application! I will only reveal one of our ideas here, to give you a hint of the level of ambition/craziness we have in mind: We are currently looking into ways to embed a working v1.0.0 release of Juice Shop into the latest version of the Juice Shop, so you can literally hack the application within the application. Comparable things have been done in video games, e.g. within 1993’s point-and-click adventure “Day of the Tentacle” you could find a console/computer on which you could play the complete predecessor “Maniac Mansion” from 1987.
In October 2024 the OWASP Juice Shop will celebrate its 10th anniversary!
If you have any ideas - no matter if as crazy as (or even more than…) the example above or more conventional - for our 10th anniversary, please reach out via Slack, Matrix, GitHub issue or eMail. All our contact channels you find on https://owasp-juice.shop! We’re looking forward to hearing from you!