diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 000000000..01ea525a7 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,103 @@ +## Goal + +This PR delivers Lab 1: OWASP Juice Shop deployment, triage report, and PR workflow setup. + +## Changes + +- Added `submissions/lab1.md` +- Added `.github/PULL_REQUEST_TEMPLATE.md` +- Documented Juice Shop deployment details, health checks, browser exploration, security headers, and observed risks + +## Testing + +Commands and observed outputs used to verify this PR: + +### Container status + +```bash +docker ps --filter name=juice-shop +``` + +Observed output: + +```text +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +4cf4ae3bf6ab bkimminich/juice-shop:v20.0.0 "/nodejs/bin/node /j…" 57 minutes ago Up 57 minutes 127.0.0.1:3000->3000/tcp juice-shop +``` + +### Homepage health check + +```bash +curl -s -o /dev/null -w "HTTP %{http_code}\n" http://127.0.0.1:3000 +``` + +Observed output: + +```text +HTTP 200 +``` + +### Product API check + +```bash +curl -s http://127.0.0.1:3000/api/Products | jq '.data | length' +``` + +Observed output: + +```text +46 +``` + +### Application version check + +```bash +curl -s http://127.0.0.1:3000/rest/admin/application-version | jq +``` + +Observed output: + +```json +{ + "version": "20.0.0" +} +``` + +### Security headers quick look + +```bash +curl -I http://127.0.0.1:3000 2>&1 | head -20 +``` + +Observed output: + +```text +HTTP/1.1 200 OK +Access-Control-Allow-Origin: * +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +Feature-Policy: payment 'self' +X-Recruiting: /#/jobs +Accept-Ranges: bytes +Cache-Control: public, max-age=0 +Last-Modified: Fri, 12 Jun 2026 17:13:54 GMT +ETag: W/"26af-19ebcd37167" +Content-Type: text/html; charset=UTF-8 +Content-Length: 9903 +Vary: Accept-Encoding +Date: Fri, 12 Jun 2026 18:00:03 GMT +Connection: keep-alive +Keep-Alive: timeout=5 +``` + +## Artifacts & Screenshots + +- Submission file: `submissions/lab1.md` +- PR template: `.github/PULL_REQUEST_TEMPLATE.md` +- Screenshot evidence: Docker Desktop container view and OWASP Juice Shop browser page + +## Checklist + +- [ ] Title is clear (`feat(labN): ` style) +- [ ] No secrets/large temp files committed +- [ ] Submission file at `submissions/labN.md` exists diff --git a/submissions/lab1.md b/submissions/lab1.md new file mode 100644 index 000000000..3f4a1cb0d --- /dev/null +++ b/submissions/lab1.md @@ -0,0 +1,113 @@ +# Lab 1 — Submission + +## Triage Report: OWASP Juice Shop + +### Scope & Asset + +- Asset: OWASP Juice Shop (local lab instance) +- Image: `bkimminich/juice-shop:v20.0.0` +- Image digest: `sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0` +- Host OS: `macOS` +- Docker version: `Docker version 29.4.0, build 9d7ad9f` + +### Deployment Details + +- Run command used: `docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:v20.0.0` +- Access URL: `http://127.0.0.1:3000` +- Network exposure: 127.0.0.1 only? [x] Yes [ ] No +- Container restart policy: `no` + +### Health Check + +- HTTP code on `/`: `HTTP 200` + +- API check (first 200 chars of `/api/Products`): + +```json +{"status":"success","data":[{"id":1,"name":"Apple Juice (1000ml)","description":"The all-time classic.","price":1.99,"deluxePrice":0.99,"image":"apple_juice.jpg","createdAt":"2026-06-12T17:13:54.109Z" +``` + +- Product count from `/api/Products`: `46` + +- Application version: + +```json +{ + "version": "20.0.0" +} +``` + +- Container uptime: + +```text +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +4cf4ae3bf6ab bkimminich/juice-shop:v20.0.0 "/nodejs/bin/node /j…" 57 minutes ago Up 57 minutes 127.0.0.1:3000->3000/tcp juice-shop +``` + +### Initial Surface Snapshot (from browser exploration) + +- Login/Registration visible: [x] Yes [ ] No — notes: Account menu is visible in the top-right navigation bar. Login and registration are available from this area. +- Product listing/search present: [x] Yes [ ] No — notes: The main page shows product cards, prices, and “Add to Basket” buttons. I observed products such as Apple Juice, Banana Juice, Basil Smoothie, Dragonfruit Juice, Eggfruit Juice, Elderflower Cordial, Fruit Press, Grape Juice, Green Smoothie and Lemon Juice. +- Admin or account area discoverable: [x] Yes [ ] No — notes: Account area is discoverable from the top navigation menu. Admin functionality was not directly shown on the initial page. +- Client-side errors in DevTools console: [ ] Yes [x] No — notes: No blocking client-side errors were noticed during initial page loading and product browsing. +- Pre-populated local storage / cookies: No meaningful pre-populated local storage values were observed during initial browsing. + +### Security Headers (Quick Look) + +Run: + +```bash +curl -I http://127.0.0.1:3000 2>&1 | head -20 +``` + +Paste output: + +```text +HTTP/1.1 200 OK +Access-Control-Allow-Origin: * +X-Content-Type-Options: nosniff +X-Frame-Options: SAMEORIGIN +Feature-Policy: payment 'self' +X-Recruiting: /#/jobs +Accept-Ranges: bytes +Cache-Control: public, max-age=0 +Last-Modified: Fri, 12 Jun 2026 17:13:54 GMT +ETag: W/"26af-19ebcd37167" +Content-Type: text/html; charset=UTF-8 +Content-Length: 9903 +Vary: Accept-Encoding +Date: Fri, 12 Jun 2026 18:00:03 GMT +Connection: keep-alive +Keep-Alive: timeout=5 +``` + +Which of these are MISSING? + +- [x] `Content-Security-Policy` +- [x] `Strict-Transport-Security` +- [ ] `X-Content-Type-Options: nosniff` +- [ ] `X-Frame-Options` + +### Top 3 Risks Observed + +1. **Missing browser security headers** — The response does not include `Content-Security-Policy` and `Strict-Transport-Security`. Missing security headers reduce browser-side protection against attacks such as script injection and insecure transport behavior. This maps to **A02:2025 — Security Misconfiguration**. + +2. **Unauthenticated public API surface** — The `/api/Products` endpoint is accessible without authentication and returns product data in JSON format. This is normal for a public shop catalog, but exposed API endpoints still increase the attack surface and should be checked for authorization mistakes or excessive data exposure. This maps to **A01:2025 — Broken Access Control**. + +3. **Intentionally vulnerable application running as a local service** — OWASP Juice Shop is designed to contain security vulnerabilities for training. If it were exposed using `-p 3000:3000` instead of `127.0.0.1:3000:3000`, other devices on the network could access the vulnerable application. This maps to **A02:2025 — Security Misconfiguration**. + +## PR Template Setup + +- File: `.github/PULL_REQUEST_TEMPLATE.md` +- Sections included: Goal / Changes / Testing / Artifacts & Screenshots +- Checklist items: + - Title is clear (`feat(labN): ` style) + - No secrets/large temp files committed + - Submission file at `submissions/labN.md` exists +- Auto-fill verified: [ ] Yes — PR description showed my template. + +## GitHub Community + +I starred the required repositories because stars help bookmark useful open-source projects and support their visibility in the community. Following developers helps me discover their work, stay connected with the course community, and build professional collaboration habits. +""" +