DEV Community

Ghit
Ghit

Posted on

How I Turned OWASP Juice Shop Into a Live Attack-Detection Lab Using SecureNow

Ever wanted to see an attack get caught the moment it happens, instead of just reading about it after the fact? That's what this walkthrough is about.
OWASP Juice Shop is intentionally broken — SQL injection, XSS, broken access control, and a dozen other flaws are baked into its code on purpose, making it one of the best sandboxes for learning how real attacks actually work. But knowing an app is vulnerable is only half the story: the real skill is watching an attack happen and catching it as it unfolds. That's where SecureNow comes in.
In this walkthrough, I set up Juice Shop from scratch, then instrumented it with SecureNow's SDK, CLI, and cloud dashboard to monitor traffic in real time and flag malicious behavior — SQL injection attempts, brute-force logins, account enumeration — the moment it happens. Here's exactly how I did it.

  1. What Is OWASP Juice Shop? OWASP Juice Shop is a deliberately vulnerable web application, developed and maintained by OWASP, used worldwide for learning cybersecurity. It simulates an e-commerce site that sells fruit juices — complete with account creation, product search, reviews, and a chatbot. Under the hood, it packs in a dozen security flaws on purpose. Each one maps to a "challenge" you solve by exploiting it: SQL injection, Cross-Site Scripting (XSS), authentication bypass, broken access control, sensitive data exposure, and more. Tech stack:

Node.js and Express.js on the server side
Angular for the frontend
TypeScript across the entire codebase
Sequelize as the ORM for data persistence

Because nearly every category of the OWASP Top 10 is represented in the app, it's an ideal training ground for understanding — under real conditions — how a web attack works, and therefore how to detect it.

  1. Installing OWASP Juice Shop
    2.1 Getting the Source Code
    Clone the project's repository:
    bashgit clone https://github.com/juice-shop/juice-shop.git
    cd juice-shop
    A quick look at the project structure reveals several key folders worth exploring before moving on.
    2.2 Installing Dependencies
    bashnpm install
    This may print a wave of npm warn deprecated messages, tied to older internal dependencies (outdated versions of glob, rimraf, uuid, etc.). These are harmless — they just flag transitive packages that are no longer maintained, and don't affect installation or app functionality.
    2.3 Building the Project
    Since Juice Shop is written in TypeScript, it needs a build step before the server can start:
    bashnpm run build
    This compiles the TypeScript into JavaScript (into a build/ folder) and prepares the Angular frontend assets.
    2.4 Starting the Server
    bashnpm start
    Once running, the app is available at http://localhost:3000.

  2. Exploring the Application's Functionality
    Before diving into the security side, it's worth browsing the app like an ordinary user would: create an account, log in, search for products, add items to the cart. This builds a mental map of the exposed functionality — an essential foundation for identifying attack surfaces later.

  3. Introducing SecureNow
    SecureNow is an application security solution that monitors an app's traffic in real time and automatically detects behavior matching known attacks — SQL injection, XSS, brute-force, account enumeration, and more.
    It's built around three components:

An SDK installed in the project, which hooks into the HTTP request lifecycle
A CLI for configuring, initializing, and verifying the integration from the command line
A cloud dashboard that centralizes reported events and lets you configure detection rules

  1. Creating the Application on SecureNow
    The first step on the SecureNow side is registering the app to be protected, via the Create New Application form on the dashboard:
    FieldPurposeApplication NameA name identifying the projectHostsDomains associated with the app (left empty or set to localhost for local dev)Discover & monitor all subdomainsUseful for a real public domain; unchecked for a purely local appSecureNow InstanceThe cloud instance receiving traces and logs (Free Trial tier is enough for testing)
    Creating the application automatically generates a unique APPID, which the SDK uses internally to associate reported events with the correct application on the dashboard.

  2. Installing and Authenticating the SDK
    6.1 Installing the Package
    bashnpm install securenow
    6.2 Authentication
    bashnpx securenow login
    This opens the browser for OAuth authentication, linking your local dev environment to your SecureNow account.
    6.3 Initializing the Local Configuration
    bashnpx securenow init
    npx securenow env
    The first command creates a local config file (.securenow/credentials.json) with the integration settings. The second checks that the essential options are properly enabled:

loggingEnabled — enables event logging
captureBody — captures the body of HTTP requests
captureMultipart — captures multipart requests (file uploads)
firewallEnabled — enables the real-time application firewall

  1. Instrumenting the Code
    Instrumentation means making sure the SecureNow SDK runs before the application code, so it can observe all traffic from the moment the server starts.
    Node.js natively supports this via the -r (--require) flag, which loads a module before the script's main entry point. Juice Shop's original startup script in package.json is:
    json"start": "node build/app"
    It gets modified to:
    json"start": "node -r securenow/register build/app"
    This approach has a key advantage: it requires no changes to the application's own source code. The securenow/register module inserts itself transparently into the Node.js process, intercepts HTTP requests at a low level (typically via instrumentation of the native http/https modules or the Express framework), and forwards the relevant events to the SDK.
    After this change, rebuild and restart to apply it:
    bashnpm run build
    npm start

  2. Verifying the Integration
    The SecureNow CLI offers several diagnostic commands to validate each part of the integration:
    bashnpx securenow status
    Confirms the agent is active and properly connected to the configured SecureNow instance.
    bashnpx securenow firewall apps
    Lists applications currently protected by the SecureNow firewall — your app should appear here.
    bashnpx securenow firewall status
    Confirms whether the application firewall is active or inactive.
    bashnpx securenow test-span --env local
    Sends a test event ("span") to the SecureNow instance, providing an end-to-end check that the telemetry chain works — from the SDK all the way to the cloud dashboard.

  3. Validating with Real Application Traffic
    A test span confirms connectivity, but it doesn't guarantee the SDK is correctly capturing real traffic generated by the application. To validate that, I:

Manually browsed the app — logging in, searching for products, adding items to the cart, and attempting a failed login with a wrong password
Watched the SecureNow dashboard to confirm each action produced a corresponding event, visible in near real time

Every action showed up on the dashboard as it happened — proof that the instrumentation was capturing genuine traffic, not just synthetic test pings.

Wrapping Up
Setting up OWASP Juice Shop gives you a realistic, safe environment to practice exploiting the OWASP Top 10. But pairing it with SecureNow turns that exercise into something more valuable: a live demonstration of what real-time detection actually looks like from the defender's side. Instead of just reading about SQL injection or brute-force attacks in theory, you can watch them get flagged on a dashboard the instant they happen — which is a much sharper way to understand both the attack and the defense.

Top comments (0)