Make a Fearless start with Security testing @ Expo:QA 2024

Security (secure development) is very important for most organizations, yet few testers dare to touch it. Learn the basics so you can assist specialized security testers. Learn to use different tools and ways you can test security.

Security testing can feel like a daunting task. It’s a test specialty, and often an afterthought. Testers and test automation engineers won’t replace security testers, but they can prevent many of the most common security vulnerabilities. Learn about the most common security vulnerabilities according to the OWASP Top 10. How do these common vulnerabilities work, and why do bad actors want to exploit them? Learn to design applications that an unskilled bad actor can’t crack. Support your team in making the right decisions throughout the application life cycle. And, of course, learn to test the security of applications: how to security-test forms, find known vulnerabilities in dependencies, test API authorization, and more. To do all these things you need knowledge of common vulnerabilities and of the various types of tools that can detect them. In this workshop, you get hands-on experience with various tools that can help you start security testing the next working day. This workshop would not be complete without talking about test automation. Your test automation probably also has vulnerabilities! Are these vulnerabilities a problem? How do you make sure your test automation is safe?


The test webshop

The webshop we’re using is made by OWASP. All exercises can be solved without access to the source code, but it can make your life easier. You can find the source code here: https://github.com/juice-shop/juice-shop

There are two ways to open the webshop: one that runs on local hardware and one in the cloud.

Cloud hosted

Or, navigate to https://lakitna.nl/juiceshop

If, for whatever reason, this does not work, try the locally hosted version instead.

Locally hosted

Powered by a Raspberry Pi 4.

Connect to the following WiFi access point. Note: You won’t have access to the internet.

Name: juicy-wifi
Password: expoqa123456

Or, navigate to http://juice-shop.local

Automated reports

⚠️ The reports contain spoilers. Please refrain from peeking before the reports are explicitly mentioned.

Attack report

This report has been generated with OWASP ZAP.

ZAP (short for Zed Attack Proxy), formerly known as OWASP ZAP, is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.

Code analysis report

This report has been generated with SonarQube.

Sonar’s static application security testing (SAST) engine detects security vulnerabilities in your code so they can be eliminated before you build and test your application.

Dependency audit report

This report has been generated with NPM audit.

The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities.
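The report the registry returns comes back as JSON when you run `npm audit --json`, and its `metadata.vulnerabilities` block holds the per-severity counts that decide whether a build should pass. The script below is an added example, not part of the workshop materials or of npm itself: it embeds a constructed sample report in that shape (no network or project needed) and gates on a chosen severity threshold. The function names `count_severity` and `audit_gate` are this example's own.

```shell
#!/bin/sh
# Added example (not from the workshop page): gate a build on the counts in an
# `npm audit --json` report. In a pipeline you would feed the live report:
#   npm audit --json > audit.json; audit_gate "$(cat audit.json)" high
# A constructed sample report (auditReportVersion 2 shape) is embedded so it runs offline.

SAMPLE_REPORT='{
  "auditReportVersion": 2,
  "vulnerabilities": {},
  "metadata": {
    "vulnerabilities": { "info": 0, "low": 1, "moderate": 2, "high": 1, "critical": 0, "total": 4 }
  }
}'

# count_severity <json> <severity>: print the count for one severity level taken
# from the metadata block. Whitespace is stripped first so the key/value pair
# always looks like "high":1 regardless of how the report was pretty-printed.
count_severity() {
  printf '%s' "$1" | tr -d '\n\t ' | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# audit_gate <json> <threshold>: return 0 when no finding is at or above the
# threshold, 1 when the build should fail, 2 on an unknown threshold name.
audit_gate() {
  report="$1"
  threshold="$2"
  case "$threshold" in
    critical) levels="critical" ;;
    high)     levels="high critical" ;;
    moderate) levels="moderate high critical" ;;
    low)      levels="low moderate high critical" ;;
    *) echo "unknown threshold: $threshold" >&2; return 2 ;;
  esac
  failing=0
  for level in $levels; do
    n=$(count_severity "$report" "$level")
    failing=$((failing + ${n:-0}))
  done
  echo "vulnerabilities at or above '$threshold': $failing"
  [ "$failing" -eq 0 ]
}

# Demo run on the constructed report: one high finding, so the 'high' gate fails
# while the 'critical' gate passes.
audit_gate "$SAMPLE_REPORT" critical
audit_gate "$SAMPLE_REPORT" high || echo "build would be blocked"
```

npm already offers `npm audit --audit-level=high` for the same pass/fail decision; the point of reading the JSON yourself is that you can see which counts drive the verdict, and keep a copy of the report with the build artefacts so the result can be reviewed later.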


References and further reading

Slides