Skip to main content

OWASP Juice Shop

This article will show you how to scan the OWASP Juice Shop app with Qwiet preZero.

Prerequisites

You must have Qwiet preZero installed and authenticated.

You must have a copy of the OWASP Juice Shop; you can obtain the latest OWASP Juice Shop app via GitHub. You can clone the repo to your workstation and run Qwiet preZero locally, or you can fork the repo and create a GitHub Action that calls Qwiet preZero.

Preparing the app for analysis

OWASP Juice Shop is a JavaScript/TypeScript app, and analyzing it is similar to analyzing most other JavaScript/TypeScript apps. However, there are several steps that you should take when scanning Node.js apps (of which Juice Shop is one).

If you're running Qwiet preZero locally, navigate into the Juice Shop folder, then:

  1. Run npm install and remove node_modules:

    npm install
    rm -rf node_modules

  2. If present, you should also remove any directory that your build produces that Qwiet preZero should not include in the analysis (e.g., build or dist directories):

    rm -rf frontend/dist frontend/node_modules dist build

If you're integrating Qwiet preZero into your deployment pipeline, you'll need to include these instructions explicitly. For example, if you're using GitHub Actions to analyze code changes during the pull request process, you'll include something similar to following in your configuration file:

- name: Repo prep for JS apps
    run: |
    npm install
    rm -rf node_modules
    rm -rf frontend/dist frontend/node_modules dist build

Analyzing the application

Once you've prepped the app, you'll need to call sl analyze to begin the code analysis process.

sl analyze --app juice-shop-training --js . \
-- --with-tests --include-configs --exclude node_modules,frontend/dist,frontend/node_modules,vagrant,dist,data/static,build

Alternatively, you can use something like GitHub Actions to automate the process

See sl analyze for more information about sl analyze and its options.

Note the -- followed by additional flags. For JavaScript/TypeScript apps, Qwiet preZero accepts a variety of additional parameters.

For Juice Shop, you'll need:

  • --with-test: Include test files
  • --include-configs: Include configuration files (e.g., *.conf.js, *.config.js, *.json)
  • --exclude node_modules,frontend/dist,frontend/node_modules,vagrant,dist,data/static,build: Exclude the specified directories during code analysis

Please note that the OWASP Juice Shop app analysis can take 20-30 minutes (or more) to complete.