<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Ghit</title>
    <description>The latest articles on DEV Community by Ghit (@ghat).</description>
    <link>https://dev.to/ghat</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4035210%2Ffd0d42a5-5d2d-42f6-9d2c-1739062cb51a.png</url>
      <title>DEV Community: Ghit</title>
      <link>https://dev.to/ghat</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ghat"/>
    <language>en</language>
    <item>
      <title>How I Turned OWASP Juice Shop Into a Live Attack-Detection Lab Using SecureNow</title>
      <dc:creator>Ghit</dc:creator>
      <pubDate>Sat, 18 Jul 2026 12:01:56 +0000</pubDate>
      <link>https://dev.to/ghat/how-i-turned-owasp-juice-shop-into-a-live-attack-detection-lab-using-securenow-46na</link>
      <guid>https://dev.to/ghat/how-i-turned-owasp-juice-shop-into-a-live-attack-detection-lab-using-securenow-46na</guid>
      <description>&lt;p&gt;Ever wanted to see an attack get caught the moment it happens, instead of just reading about it after the fact? That's what this walkthrough is about.&lt;br&gt;
OWASP Juice Shop is intentionally broken — SQL injection, XSS, broken access control, and a dozen other flaws are baked into its code on purpose, making it one of the best sandboxes for learning how real attacks actually work. But knowing an app is vulnerable is only half the story: the real skill is watching an attack happen and catching it as it unfolds. That's where SecureNow comes in.&lt;br&gt;
In this walkthrough, I set up Juice Shop from scratch, then instrumented it with SecureNow's SDK, CLI, and cloud dashboard to monitor traffic in real time and flag malicious behavior — SQL injection attempts, brute-force logins, account enumeration — the moment it happens. Here's exactly how I did it.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;What Is OWASP Juice Shop?
OWASP Juice Shop is a deliberately vulnerable web application, developed and maintained by OWASP, used worldwide for learning cybersecurity. It simulates an e-commerce site that sells fruit juices — complete with account creation, product search, reviews, and a chatbot.
Under the hood, it packs in a dozen security flaws on purpose. Each one maps to a "challenge" you solve by exploiting it: SQL injection, Cross-Site Scripting (XSS), authentication bypass, broken access control, sensitive data exposure, and more.
Tech stack:&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Node.js and Express.js on the server side&lt;br&gt;
Angular for the frontend&lt;br&gt;
TypeScript across the entire codebase&lt;br&gt;
Sequelize as the ORM for data persistence&lt;/p&gt;

&lt;p&gt;Because nearly every category of the OWASP Top 10 is represented in the app, it's an ideal training ground for understanding — under real conditions — how a web attack works, and therefore how to detect it.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Installing OWASP Juice Shop&lt;br&gt;
2.1 Getting the Source Code&lt;br&gt;
Clone the project's repository:&lt;br&gt;
bashgit clone &lt;a href="https://github.com/juice-shop/juice-shop.git" rel="noopener noreferrer"&gt;https://github.com/juice-shop/juice-shop.git&lt;/a&gt;&lt;br&gt;
cd juice-shop&lt;br&gt;
A quick look at the project structure reveals several key folders worth exploring before moving on.&lt;br&gt;
2.2 Installing Dependencies&lt;br&gt;
bashnpm install&lt;br&gt;
This may print a wave of npm warn deprecated messages, tied to older internal dependencies (outdated versions of glob, rimraf, uuid, etc.). These are harmless — they just flag transitive packages that are no longer maintained, and don't affect installation or app functionality.&lt;br&gt;
2.3 Building the Project&lt;br&gt;
Since Juice Shop is written in TypeScript, it needs a build step before the server can start:&lt;br&gt;
bashnpm run build&lt;br&gt;
This compiles the TypeScript into JavaScript (into a build/ folder) and prepares the Angular frontend assets.&lt;br&gt;
2.4 Starting the Server&lt;br&gt;
bashnpm start&lt;br&gt;
Once running, the app is available at &lt;a href="http://localhost:3000" rel="noopener noreferrer"&gt;http://localhost:3000&lt;/a&gt;.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Exploring the Application's Functionality&lt;br&gt;
Before diving into the security side, it's worth browsing the app like an ordinary user would: create an account, log in, search for products, add items to the cart. This builds a mental map of the exposed functionality — an essential foundation for identifying attack surfaces later.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Introducing SecureNow&lt;br&gt;
SecureNow is an application security solution that monitors an app's traffic in real time and automatically detects behavior matching known attacks — SQL injection, XSS, brute-force, account enumeration, and more.&lt;br&gt;
It's built around three components:&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;An SDK installed in the project, which hooks into the HTTP request lifecycle&lt;br&gt;
A CLI for configuring, initializing, and verifying the integration from the command line&lt;br&gt;
A cloud dashboard that centralizes reported events and lets you configure detection rules&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Creating the Application on SecureNow&lt;br&gt;
The first step on the SecureNow side is registering the app to be protected, via the Create New Application form on the dashboard:&lt;br&gt;
FieldPurposeApplication NameA name identifying the projectHostsDomains associated with the app (left empty or set to localhost for local dev)Discover &amp;amp; monitor all subdomainsUseful for a real public domain; unchecked for a purely local appSecureNow InstanceThe cloud instance receiving traces and logs (Free Trial tier is enough for testing)&lt;br&gt;
Creating the application automatically generates a unique APPID, which the SDK uses internally to associate reported events with the correct application on the dashboard.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Installing and Authenticating the SDK&lt;br&gt;
6.1 Installing the Package&lt;br&gt;
bashnpm install securenow&lt;br&gt;
6.2 Authentication&lt;br&gt;
bashnpx securenow login&lt;br&gt;
This opens the browser for OAuth authentication, linking your local dev environment to your SecureNow account.&lt;br&gt;
6.3 Initializing the Local Configuration&lt;br&gt;
bashnpx securenow init&lt;br&gt;
npx securenow env&lt;br&gt;
The first command creates a local config file (.securenow/credentials.json) with the integration settings. The second checks that the essential options are properly enabled:&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;loggingEnabled — enables event logging&lt;br&gt;
captureBody — captures the body of HTTP requests&lt;br&gt;
captureMultipart — captures multipart requests (file uploads)&lt;br&gt;
firewallEnabled — enables the real-time application firewall&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Instrumenting the Code&lt;br&gt;
Instrumentation means making sure the SecureNow SDK runs before the application code, so it can observe all traffic from the moment the server starts.&lt;br&gt;
Node.js natively supports this via the -r (--require) flag, which loads a module before the script's main entry point. Juice Shop's original startup script in package.json is:&lt;br&gt;
json"start": "node build/app"&lt;br&gt;
It gets modified to:&lt;br&gt;
json"start": "node -r securenow/register build/app"&lt;br&gt;
This approach has a key advantage: it requires no changes to the application's own source code. The securenow/register module inserts itself transparently into the Node.js process, intercepts HTTP requests at a low level (typically via instrumentation of the native http/https modules or the Express framework), and forwards the relevant events to the SDK.&lt;br&gt;
After this change, rebuild and restart to apply it:&lt;br&gt;
bashnpm run build&lt;br&gt;
npm start&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Verifying the Integration&lt;br&gt;
The SecureNow CLI offers several diagnostic commands to validate each part of the integration:&lt;br&gt;
bashnpx securenow status&lt;br&gt;
Confirms the agent is active and properly connected to the configured SecureNow instance.&lt;br&gt;
bashnpx securenow firewall apps&lt;br&gt;
Lists applications currently protected by the SecureNow firewall — your app should appear here.&lt;br&gt;
bashnpx securenow firewall status&lt;br&gt;
Confirms whether the application firewall is active or inactive.&lt;br&gt;
bashnpx securenow test-span --env local&lt;br&gt;
Sends a test event ("span") to the SecureNow instance, providing an end-to-end check that the telemetry chain works — from the SDK all the way to the cloud dashboard.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Validating with Real Application Traffic&lt;br&gt;
A test span confirms connectivity, but it doesn't guarantee the SDK is correctly capturing real traffic generated by the application. To validate that, I:&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Manually browsed the app — logging in, searching for products, adding items to the cart, and attempting a failed login with a wrong password&lt;br&gt;
Watched the SecureNow dashboard to confirm each action produced a corresponding event, visible in near real time&lt;/p&gt;

&lt;p&gt;Every action showed up on the dashboard as it happened — proof that the instrumentation was capturing genuine traffic, not just synthetic test pings.&lt;/p&gt;

&lt;p&gt;Wrapping Up&lt;br&gt;
Setting up OWASP Juice Shop gives you a realistic, safe environment to practice exploiting the OWASP Top 10. But pairing it with SecureNow turns that exercise into something more valuable: a live demonstration of what real-time detection actually looks like from the defender's side. Instead of just reading about SQL injection or brute-force attacks in theory, you can watch them get flagged on a dashboard the instant they happen — which is a much sharper way to understand both the attack and the defense.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>ai</category>
      <category>programming</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
