Walking the "happy path"

When investigating an application for security vulnerabilities, you should never blindly start throwing attack payloads at it. Instead, make sure you understand how it works before attempting any exploits.

A good way to gain an understanding for the application, is to actually use it in the way it was meant to be used by a normal user. In regular software testing this is often called "happy path" testing.

The OWASP Juice Shop is a rather simple e-commerce application that covers the typical workflows of a web shop. The following sections briefly walk you through these "happy path" use cases.

When visiting the OWASP Juice Shop you will begin on the landing page #/ which initially displays all products offered in the shop. Clicking on the logo in the top left corner of the screen will always bring you back to this screen (or more precisely, to its alias #/search).

This is of course the "bread & butter" screen for any e-commerce site. When you click on the small "eye"-button next to the price of a product, an overlay screen will open showing you that product details including a list of customer reviews for that product (if available). You can also enter a new (or edit an existing) product review in this dialog. Authenticated users can upvote reviews they like.

You can use the Search…​ box in the navigation bar at the top of the screen to filter the table for specific products by their name and description. Using the controls at the bottom of the table, you can navigate through the result list that exceeds the Items per page limit.

You might notice that there seems to be no way to actually purchase any of the products. This functionality exists, but is not available to anonymous users. You first have to log in to the shop with your user credentials on the #/login page. There you can either log in with your existing credentials (if you are a returning customer) or with your Google account.

In case you are a new customer, you must first register by following the corresponding link on the login screen to #/register. There you must enter your email address and a password to create a new user account. With these credentials you can then log in…​ and finally start shopping! During registration, you also choose and answer a security question that will let you recover the account if you ever forget your password.

By providing your email address, the answer to your security question and a new password, you can recover an otherwise inaccessible account.

After logging in to the application you will notice a "shopping cart"-icon in every row of the products table. Unsurprisingly this will let you add one or more products into your shopping basket. The Your Basket button in the navigation bar will bring you to the #/basket page, where you can do several things before actually confirming your purchase:

During checkout, you will be guided through a series of steps to set your delivery address, desired delivery method and credit card.

🚨 Do not enter any real credit card or address data anywhere in the Juice Shop! Always remember that it is not a real shop, and it is intentionally riddled with security and privacy flaws!

In the Add a coupon section you can redeem a code for a discount. Unfold the Other payment options section to see links with donation and merchandise links of the Juice Shop open source project.

Finally, you can click the Checkout button to issue an order. You will be forwarded to a confirmation of your order right away. It also includes a link to a printable PDF confirmation for your order and as well as a tracking link.

Clicking the user icon right next to the application logo & title, you will give you access to several secondary use cases of the Juice Shop. This menu is obviously only available when you are logged in with your user account.

ℹ️ We will cover only a fraction of the available functionality from the user menu in the following sub-sections. It is recommended to explore the rest on your own before diving into any hacking exercises.

Clicking you your email address in the user menu, you will get to the User Profile screen on /profile+. Visiting it might break your user experience a bit, as it looks slightly less sophisticated than the rest of the shop’s UI. It is fully functional nonetheless, as it allows you to upload a JPG-format picture of yourself (or link an existing Gravatar) and choose a username for your account.

This page lists your saved addresses and provides you with the ability to edit or delete already saved addresses as well as add new ones.

🚨 Do not enter real address data here!

This page lists your saved cards and provides you with the ability to delete already saved cards or to add new ones.

🚨 Do not enter real credit card data here!

This page allows you to add money to your wallet and to check the existing balance. All the bonuses on your purchase are directly credited to your wallet.

This page allows you to view the details of all your current and previous orders and the status of their delivery.

This page informs you about the policies regarding the collection, use and disclosure of personal data when you use the OWASP Juice Shop and the choices you have when it comes to your data.

This page allows you to obtain a copy of all your data saved in the Juice Shop.

This page allows you to request a complete erasure of your account and any associated data from the Juice Shop.

If you are currently logged in you will find the obligatory Change Password button in the navigation bar. On the #/privacy-security/change-password page you can then choose a new password. To prevent abuse you have of course to supply your current password to legitimate this change.

This page allows you to secure your account with an additional factor by providing you with a barcode to scan.

This page displays the IP from which your account was last logged in.

When logged in you will furthermore see a Recycle button that brings you to the #/recycle page. This is a very innovative feature that allows eco-friendly customers to order pre-stamped boxes for returning fruit pressing leftovers to the Juice Shop.

For greater amounts of pomace the customer can alternatively order a truck to come by and pick it up at a chosen future date.

Equipped with an order number from your confirmation PDF, you can invoke the #/track-order functionality by clicking Track Orders.

After entering a valid order number, you will be shown the products from your order along with a delivery status and expected delivery date.

Just as there was no "real" payment was happening, you will hopefully understand that there is no "real" order delivery happening - no matter what the order tracking dialog suggested.

The sidebar menu button left of the application logo reveals some more options to choose from.

Customers are invited to leave feedback about their shopping experience with the Juice Shop. Simply visit the #/contact page by clicking the Customer Feedback menu item. You might recognize that it is also possible to leave feedback as an anonymous user. The contact form is very straightforward with a free text Comment field and a Rating on a 1-5 stars scale. To prevent abuse, you have to solve a simple mathematical problem before being allowed to submit your feedback.

The Complain? menu item is shown only to logged in users. It brings you to the #/complain page where you can leave a free text Message and attach an Invoice file in case you had some issues with a recent order at the Juice Shop.

In the Support Chat you can talk to an (almost) AI-powered chat bot and get answers to questions like product prices, deluxe membership benefits and more.

Like every proper enterprise, the OWASP Juice Shop has of course an #/about page titled About Us. There you find a summary of the interesting history of the shop along with a link to its official Terms of Use document. Additionally, the page displays a fancy illustrated slideshow of all customer feedback. Beneath that you can find all important social media contact information of the shop.

The OWASP Juice Shop also has an #/photo-wall page titled Photo Wall which allows its users to share their memories with other customers of the Juice Shop.

The OWASP Juice Shop offers a deluxe membership to its customers which provides them with exclusive offers, free fast delivery and an unrestricted purchase of the items they like.

From a dropdown menu in the navigation bar you can select a multitude of languages you want the user interface to be displayed in. Languages marked with a "flask"-icon next to them offer only rudimentary or partial translation.

If you want to know more about (or even help with) the localization of OWASP Juice Shop, please refer to the part3/translation.adoc#_helping_with_translations[Help with translation] chapter in part III of this book.