
Cyberproject

This document provides a step-by-step guide for conducting penetration testing on the OWASP Juice Shop using Kali Linux. It includes project setup instructions, tools to be used, phases of penetration testing, methods for exploiting vulnerabilities, and guidelines for documenting and reporting the findings. The project aims to enhance understanding of web application vulnerabilities and security measures.

Got it!

Let's break down the step-by-step guide for your project so you can follow it easily
for your college project on Penetration Testing of OWASP Juice Shop using Kali Linux.
This guide will include the necessary steps and explain what you need to do to complete the
project.

Project: Penetration Testing of OWASP Juice Shop using Kali Linux

1. Introduction (Project Overview)
• Objective: The aim of this project is to conduct penetration testing on OWASP Juice
Shop, a deliberately vulnerable web application. This will allow you to explore and
exploit common web application vulnerabilities using Kali Linux and associated
tools.
• Tools: Kali Linux, Burp Suite, Nikto, Nmap, Dirbuster, OWASP Juice Shop.

2. Project Setup
2.1. Setting Up the Environment

1. Install Kali Linux:


o If you don’t have Kali Linux installed, you can either install it as a virtual
machine (using VirtualBox or VMware) or as a dual boot setup.
o Kali Linux comes pre-installed with various penetration testing tools that will
be helpful for this project.
2. Install Docker (for running OWASP Juice Shop):
o Open a terminal on Kali Linux and install Docker:
      sudo apt update
      sudo apt install docker.io
      sudo systemctl start docker
      sudo systemctl enable docker
3. Install Burp Suite:
o Burp Suite is pre-installed in Kali Linux. If you need to install it manually, use
the following command:
      sudo apt install burpsuite

2.2. Running OWASP Juice Shop

1. Download and Run OWASP Juice Shop via Docker:


o Run the following command in your Kali Linux terminal:
      sudo docker run -d -p 3000:3000 bkimminich/juice-shop
o This will pull the OWASP Juice Shop image and start the application on port
3000.
2. Verify the Application:
o Open your web browser and visit http://localhost:3000 to see the Juice
Shop web application.

3. Penetration Testing Phase


In this phase, you'll use different penetration testing tools to find and exploit vulnerabilities in
the Juice Shop application.

3.1. Using Burp Suite for Web Proxy

1. Configure Burp Suite:


o Launch Burp Suite from the Kali Linux applications menu.
o Under Proxy → Options, make sure Burp Suite is listening on
127.0.0.1:8080.
2. Configure Browser to Use Burp Suite Proxy:
o Open your browser and go to the proxy settings (e.g., in Firefox: Preferences
→ Network Settings).
o Set the HTTP Proxy to 127.0.0.1 and the Port to 8080.
3. Intercept Traffic:
o Go to http://localhost:3000 (the Juice Shop site). Burp Suite will now
intercept the traffic.
o You can modify requests, test for vulnerabilities, and explore the application’s
behavior.
4. Spidering and Scanning:
o Spider: Use Burp Suite's Spider tool to automatically crawl the web
application and map all the available endpoints and forms.
o Active Scan: Once spidering is complete, use Burp Suite’s Scanner to
perform an automated vulnerability scan.

3.2. Run Nikto Web Server Scanner

1. Run Nikto:
o In your Kali terminal, run the following command:
      nikto -h http://localhost:3000
o This will scan the Juice Shop application for common vulnerabilities like
outdated software, misconfigurations, etc.
2. Analyze Results:
o Nikto will provide a list of vulnerabilities, such as insecure HTTP methods or
potential security risks in the application.

3.3. Scan with Nmap

1. Run Nmap for Port Scanning:


o Use Nmap to scan the Juice Shop server’s open ports:
      nmap -p 3000 localhost
o This command checks if port 3000 is open, which is where the Juice Shop
application is running.
2. Analyze Nmap Results:
o Nmap will confirm that port 3000 is open and that the application is
accessible.

3.4. Run Dirbuster for Directory Brute-Forcing

1. Run Dirbuster:
o Dirbuster is used to find hidden directories or files on the web server.
o Run this command:
      dirbuster -u http://localhost:3000 -l /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
2. Analyze Results:
o Dirbuster will attempt to discover hidden resources on the web server. Look
for sensitive files or directories that could potentially expose data.

4. Manual Exploitation of Vulnerabilities


Now that you've identified potential vulnerabilities, you can begin exploiting them to see the
impact.

4.1. SQL Injection Test

1. Test for SQL Injection on the login form or any other input form.
2. Example payload to test for SQL injection:
      ' OR 1=1 --
o Input this in the login form’s email field and check if it bypasses
authentication.

4.2. Cross-Site Scripting (XSS)

1. Test for XSS by injecting JavaScript code in the input fields (like the search bar).
2. Example payload for XSS:
      <script>alert('XSS')</script>
o If the script runs in the browser, it indicates an XSS vulnerability.
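
Added example, not part of the original guide and not Juice Shop's own code: a search-results fragment rendered with and without output encoding, then parsed to check whether the test string above became an element or stayed text. The render functions and page fragment are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

PAYLOAD = "<script>alert('XSS')</script>"  # the test string from the step above

def render_raw(term):
    """Vulnerable form: the search term is pasted into the markup as-is."""
    return "<h2>Search results for: " + term + "</h2>"

def render_escaped(term):
    """Hardened form: HTML-encode the term for an element-body context."""
    return "<h2>Search results for: " + html.escape(term, quote=True) + "</h2>"

class TagCollector(HTMLParser):
    """Records which elements and which visible text the markup produces."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)

def parse(markup):
    """Return (list of start tags, concatenated text) for a fragment."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, "".join(collector.text)

if __name__ == "__main__":
    for render in (render_raw, render_escaped):
        tags, text = parse(render(PAYLOAD))
        print(render.__name__, "| elements:", tags, "| text:", text)
```

html.escape covers only the HTML body and quoted-attribute contexts; values placed inside script blocks or URLs need encoding for that context instead.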

4.3. Command Injection

1. Test for Command Injection in input fields that may execute system commands.
2. Example payload:
      ; ls
o If this command executes and lists files, it indicates a command injection
vulnerability.
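
Added example, not part of the original guide and not Juice Shop's own code: a handler that builds a shell command line from input next to one that validates the value and passes it as a single argument, run against the test string above in a scratch directory. The "status for a host" feature is hypothetical and `echo` stands in for whatever system tool a real handler would call.

```python
import os
import re
import subprocess
import tempfile

PAYLOAD = "; ls"  # the test string from the step above

# Allow-list for the hypothetical host field. It must start with a letter or
# digit, so a value cannot be read as an option ("-x") by the called tool.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")

def status_via_shell(host, cwd):
    """Vulnerable form: input is spliced into a string that /bin/sh parses."""
    done = subprocess.run("echo checking " + host, shell=True, cwd=cwd,
                          capture_output=True, text=True)
    return done.stdout

def status_via_argv(host, cwd):
    """Hardened form: validate, then pass the value as one argv element."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host value: %r" % host)
    done = subprocess.run(["echo", "checking", host], cwd=cwd,
                          capture_output=True, text=True)
    return done.stdout

def demo():
    """Run both forms in a scratch directory holding one constructed file."""
    with tempfile.TemporaryDirectory() as scratch:
        open(os.path.join(scratch, "marker-file.txt"), "w").close()
        leaked = status_via_shell(PAYLOAD, scratch)
        try:
            status_via_argv(PAYLOAD, scratch)
            rejected = False
        except ValueError:
            rejected = True
        normal = status_via_argv("localhost", scratch)
    return leaked, rejected, normal

if __name__ == "__main__":
    print(demo())
```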
5. Capture Flags
OWASP Juice Shop has challenges that can be completed by exploiting vulnerabilities.
These challenges are known as flags, and capturing them will prove you’ve successfully
exploited the vulnerabilities.

• Some examples of flags might include:


o SQL Injection flag: Exploiting SQL injection to retrieve sensitive data.
o XSS flag: Injecting a malicious script that reveals a flag.
o API flag: Exploiting insecure APIs to retrieve the flag.

6. Documentation & Reporting


6.1. Writing the Report

After performing the penetration test, document everything you've done in your project
report. Your report should include:

1. Introduction:
o Briefly explain the objective of the penetration test and the tools used.
2. Methodology:
o Outline the steps followed, such as configuring Burp Suite, scanning with
Nikto, and running Nmap and Dirbuster.
3. Vulnerabilities Found:
o Describe the vulnerabilities you identified (e.g., SQL Injection, XSS) and
provide screenshots or code snippets as proof.
4. Exploitation:
o Demonstrate how you exploited these vulnerabilities (e.g., bypassing login
using SQL injection).
5. Flags Captured:
o List the flags you captured and the challenges you completed.
6. Impact:
o Analyze the severity of each vulnerability and its potential impact on the
application.
7. Recommendations:
o Provide recommendations to fix the vulnerabilities (e.g., input sanitization for
SQL injection, securing APIs, etc.).
8. Conclusion:
o Summarize the findings and the importance of securing web applications.

6.2. Submission

• Ensure your report is well-organized and includes all relevant information, such as
screenshots, proof of exploitation, and code examples.
• Submit your report along with any supporting files (e.g., screenshots, scripts) to your
college platform.
7. Conclusion
This project gives you hands-on experience with penetration testing using real-world tools
and a deliberately vulnerable application. By exploiting the OWASP Juice Shop, you'll
understand common web application vulnerabilities and learn how to secure web applications
against them.

Good luck with your project! Let me know if you need further help.
