Skip to content

feat(lab1): juice shop deploy and triage report #1038

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
karmihkr wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(lab1): juice shop deploy and triage report #1038

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6963f28
feat(lab1): juice shop deploy and triage report
karmihkr Jun 12, 2026
9f75b96
docs(lab1): add GitHub community task
karmihkr Jun 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
72 changes: 72 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
\## Goal



This PR completes Lab 1 and documents the deployment and initial assessment of OWASP Juice Shop.



\## Changes



\* Added `submissions/lab1.md`

\* Deployed OWASP Juice Shop locally

\* Documented deployment details and security observations



\## Testing



Commands run:



```bash

docker ps

curl.exe -I http://127.0.0.1:3000

curl.exe -s http://127.0.0.1:3000/rest/admin/application-version

```



Observed output:



\* Container running successfully

\* HTTP 200 returned

\* Application version 20.0.0 confirmed



\## Artifacts \& Screenshots



\* `submissions/lab1.md`



\## Checklist



\* \[ ] Title is clear (`feat(labN): <topic>` style)

\* \[ ] No secrets/large temp files committed

\* \[ ] Submission file at `submissions/labN.md` exists



194 changes: 194 additions & 0 deletions submissions/lab1.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,194 @@
\# Lab 1 — Submission



\## Triage Report: OWASP Juice Shop



\### Scope \& Asset



\* Asset: OWASP Juice Shop (local lab instance)

\* Image: `bkimminich/juice-shop:v20.0.0`

\* Image digest: `sha256:fd58bdc9745416afce8184ee0666278a436574633ea7880365153a63bfd418b0`

\* Host OS: Windows 11

\* Docker version: `Docker version 29.5.3, build d1c06ef`



\### Deployment Details



\* Run command used:

&nbsp; `docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:v20.0.0`

\* Access URL: http://127.0.0.1:3000

\* Network exposure: 127.0.0.1 only? \[x] Yes \[ ] No

\* Container restart policy: `no`



\### Health Check



\* HTTP code on `/`: `HTTP 200`

\* API check: `/api/Products` returned a JSON product list successfully.

\* Application version:



```json

{"version":"20.0.0"}

```



\* Container uptime:



```text

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES

c8698cd3f29f bkimminich/juice-shop:v20.0.0 "/nodejs/bin/node /j…" 2 minutes ago Up 2 minutes 127.0.0.1:3000->3000/tcp juice-shop

```



\### Initial Surface Snapshot



\* Login/Registration visible: \[x] Yes — Login is visible in the Account area.

\* Product listing/search present: \[x] Yes — Products are displayed on the main page.

\* Admin or account area discoverable: \[x] Yes — Account menu is visible in the top navigation area.

\* Client-side errors in DevTools console: \[ ] Yes \[x] No — no visible red console errors observed.

\* Pre-populated local storage / cookies: Local Storage for `http://127.0.0.1:3000` was empty during inspection.



\### Security Headers (Quick Look)



Run:



```bash

curl.exe -I http://127.0.0.1:3000

```



Output:



```text

HTTP/1.1 200 OK

Access-Control-Allow-Origin: \*

X-Content-Type-Options: nosniff

X-Frame-Options: SAMEORIGIN

Feature-Policy: payment 'self'

X-Recruiting: /#/jobs

Accept-Ranges: bytes

Cache-Control: public, max-age=0

Last-Modified: Fri, 12 Jun 2026 19:46:40 GMT

ETag: W/"26af-19ebd5f4f17"

Content-Type: text/html; charset=UTF-8

Content-Length: 9903

Vary: Accept-Encoding

Date: Fri, 12 Jun 2026 19:48:49 GMT

Connection: keep-alive

Keep-Alive: timeout=5

```



Which of these are MISSING?



\* \[x] `Content-Security-Policy`

\* \[x] `Strict-Transport-Security`

\* \[ ] `X-Content-Type-Options: nosniff`

\* \[ ] `X-Frame-Options`



\### Top 3 Risks Observed



\#### 1. Security Misconfiguration



The application does not return some common hardening headers such as Content-Security-Policy and Strict-Transport-Security. Missing security headers can weaken browser-side protections and increase the impact of other vulnerabilities. This maps to \*\*OWASP Top 10:2025 A06 – Security Misconfiguration\*\*.



\#### 2. Broken Access Control



The application exposes account-related functionality and user interaction features. Access-control weaknesses are one of the most common classes of vulnerabilities and could allow unauthorized actions if not properly implemented. This maps to \*\*OWASP Top 10:2025 A01 – Broken Access Control\*\*.



\#### 3. Injection Risk



The application provides multiple API endpoints and accepts user-controlled input. Since Juice Shop is intentionally vulnerable, injection-style attacks against search, authentication, and API functionality are realistic concerns. This maps to \*\*OWASP Top 10:2025 A04 – Injection\*\*.


## GitHub Community

I starred the course repository and the simple-container-com/api repository to keep track of useful open-source projects related to the course.

I followed the course instructor, teaching assistants, and several classmates to stay connected with the course community and observe collaborative development practices on GitHub.