diff --git a/labs/screenshots/juice-shop-home.png b/labs/screenshots/juice-shop-home.png new file mode 100644 index 00000000..aa0f23e0 Binary files /dev/null and b/labs/screenshots/juice-shop-home.png differ diff --git a/labs/submission01.md b/labs/submission01.md new file mode 100644 index 00000000..773af14f --- /dev/null +++ b/labs/submission01.md @@ -0,0 +1,98 @@ +# Triage Report — OWASP Juice Shop + +## Scope & Asset +- Asset: OWASP Juice Shop (local lab instance) +- Image: bkimminich/juice-shop:v19.0.0 +- Release link/date: [link](https://github.com/juice-shop/juice-shop/releases/tag/v19.0.0) — September 4, 2025 +- Image digest (optional): sha256:2765a26de7647609099a338d5b7f61085d95903c8703bb70f03fcc4b12f0818d + +## Environment +- Host OS: Arch Linux 6.18.3 +- Docker: 29.1.4, build 0e6fee6c52 + +## Deployment Details +- Run command used: `docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:v19.0.0` +- Access URL: http://127.0.0.1:3000 +- Network exposure: 127.0.0.1 only [x] Yes [ ] No (explain if No) + +## Health Check +- Page load: ![Home Page](screenshots/juice-shop-home.png) +- API check: +```json +{ + "status": "success", + "data": [ + { + "id": 1, + "name": "Apple Juice (1000ml)", + "description": "The all-time classic.", + "price": 1.99, + "deluxePrice": 0.99, + "image": "apple_juice.jpg", + "createdAt": "2026-02-04T15:29:14.178Z", + "updatedAt": "2026-02-04T15:29:14.178Z", + "deletedAt": null + } + ] +} +``` + +## Surface Snapshot (Triage) +- Login/Registration visible: [x] Yes [ ] No — notes: The entry and registration icon is visible in the upper right corner. +- Product listing/search present: [x] Yes [ ] No — notes: The main page shows 12 product items. There is a search button near the Account button. +- Admin or account area discoverable: [ ] Yes [x] No — notes: The admin/user panel is not visible without authorization. +- Client-side errors in console: [ ] Yes [x] No — notes: There are no errors when loading the page in the developer console. +- Security headers (quick look — optional): `curl -I http://127.0.0.1:3000` → CSP/HSTS present? notes: No, + + there are basic headers: X-Content-Type-Options, X-Frame-Options, Feature-Policy, but critical ones are missing: CSP, HSTS, X-XSS-Protection. + +## Risks Observed (Top 3) +1) Implementation vulnerabilities - High risk due to potential issues with input fields like search and login that may not be properly handled. +2) Lack of HSTS header — Risk of downgrade attacks and traffic interception when switching to HTTPS in production +3) No protection from brute force — There are no restrictions on login attempts, which allows you to brute-force find passwords. + +## PR Template Setup +### PR Template Creation Process +```bash +git checkout main # switch to main branch +mkdir -p .github # create folder for github templates +touch .github/pull_request_template.md +``` + +### Template filling +```markdown +## Goal + + +## Changes + + +## Testing + + +## Artifacts & Screenshots + + +## Checklist +- [ ] Clear PR title +- [ ] Doc updated is needed +- [ ] No secrets or temporary large files committed +``` + +### Commit and push the template +```bash +git add .github/pull_request_template.md # add to stage template file +git commit -m "chore: add PR template for standardized submissions" +git push +``` + +### Analysis: How Templates Improve Collaboration Workflow +PR templates transform the code review process from a chaotic exchange of messages into a structured, efficient workflow. They are especially valuable in educational projects where students are just learning the right practices for collaborative development. + + +## GitHub Community +### Why starring repositories matters in open source: +Starring repositories serves as both a bookmarking tool for personal reference and a public endorsement that helps projects gain visibility, attracting more contributors and showing appreciation to maintainers for their work. + +### How following developers helps in team projects and professional growth: +Following developers enables you to stay updated on their projects and insights, fostering collaboration and knowledge sharing that accelerates team productivity and your own skill development in the tech community. \ No newline at end of file