Web Application Firewall and OWASP Juice Shop

Web Application Firewall and OWASP Juice Shop

Johannes Zelger

Exploring Web Application Security: Learning with OWASP Juice Shop and ModSecurity

At Incentrium, we’re always looking to deepen our understanding of web security. Recently, our team implemented a ModSecurity web application firewall (WAF) with OWASP’s Core Rule Set to boost our security measures. During the process, we discovered an incredibly valuable tool: OWASP Juice Shop – a deliberately vulnerable application designed to teach security concepts hands-on. This discovery has opened new learning pathways for our team, and we’re excited to share our insights and provide you with a way to experience it firsthand.

What is OWASP Juice Shop?

OWASP Juice Shop is an intentionally insecure web application that mimics an online retail store. However, unlike a real webshop, it’s riddled with security flaws. These vulnerabilities serve as a powerful tool to educate security professionals, developers, and anyone interested in cybersecurity about web application threats and how to counter them. Each vulnerability presents a challenge, leading users through common and advanced security issues in a safe, controlled environment.

Whether you’re exploring Cross-Site Scripting (XSS), SQL Injection, or Insecure Deserialization, Juice Shop provides a real-world context for understanding each risk. The interactive challenges make security learning engaging and relevant, ensuring users don’t just read about best practices – they see them in action and understand why they matter.

Why Combine Juice Shop with a Web Application Firewall?

Adding ModSecurity’s WAF to this setup introduces another layer of learning. ModSecurity, with the OWASP Core Rule Set, can act as a gatekeeper, blocking potentially malicious requests before they ever reach the application. By running Juice Shop with ModSecurity, we can observe how WAF rules mitigate specific security flaws and see where additional application-level protections are essential.

This combination of a vulnerable application with a WAF is particularly enlightening. It gives developers and security teams an opportunity to:

  • Understand how WAF rules protect applications and identify limitations.
  • Recognize the importance of secure coding, even with perimeter defenses in place.
  • Practice detecting and remediating vulnerabilities that might otherwise go unnoticed.

Try It Yourself – Docker Compose Setup

To make this exploration easy for others, we’ve created a Docker Compose file that sets up OWASP Juice Shop alongside ModSecurity. This setup allows anyone to quickly deploy Juice Shop with a WAF on their local machine. It’s a chance to dive into a fully configured security environment, experiment with different scenarios, and better understand the relationship between application code and WAF rules.

Getting Started

To get started, all you need is Docker installed on your computer. With our Compose file, you’ll have Juice Shop up and running with ModSecurity in minutes. Just put it in a directory called modsecurity and use it as a lab environment, test out vulnerabilities, or experiment with WAF configurations. It’s a valuable, hands-on approach to learning security concepts that’s accessible to developers, security teams, and tech enthusiasts alike.

services:
services:
  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - 1234:3000
  modsec2-nginx:
    container_name: modsec2-nginx
    image: owasp/modsecurity-crs:nginx
    environment:
      PORT: "8080"
      PROXY: 1
      BACKEND: http://modsecurity-juice-shop-1:3000
      MODSEC_RULE_ENGINE: off
      BLOCKING_PARANOIA: 2
      TZ: "${TZ}"
      MODSEC_TMP_DIR: "/tmp"
      MODSEC_RESP_BODY_ACCESS: "On"
      MODSEC_RESP_BODY_MIMETYPE: "text/plain text/html text/xml application/json"
      COMBINED_FILE_SIZES: "65535"
    ports:
      - "80:8080"

Final Thoughts

Web security is an evolving challenge, and practical experience is invaluable. Tools like OWASP Juice Shop provide an engaging way to learn about security risks, while integrating ModSecurity highlights the essential role of layered defenses in protecting web applications.

At Incentrium, we’re committed to building secure, reliable software. This exploration is part of our ongoing efforts to understand the ever-changing security landscape and to equip our team with the skills needed to keep applications safe. We hope you find the Docker Compose setup as helpful as we did and encourage you to try it out. After all, there’s no better way to learn than by getting your hands dirty!

Stay secure, and happy learning!

Tags:
Share:

Related Posts

Successful SOC 1 Audit for Incentrium

Successful SOC 1 Audit for Incentrium

Ensuring Trust and Security in Share-Based Compensation Management with successful SOC 1 Audit for Incentrium