Metlo Juice Shop
Getting Started
OWASP Juice Shop is a modern, deliberately insecure web application. We've created a fork of the repo with Metlo preinstalled. Go through this guide to get a feel for how Metlo works and to find vulnerabilities in an insecure app.
Thanks to @bkimminich and the rest of the Juice Shop contributors for making a fantastic playground to test security tools!
1. Sign Up for Metlo Cloud ☁️
The first step is to sign up for our cloud service at https://app.metlo.com. Once you've logged in, follow the Node setup instructions in the onboarding flow to get an API key.
2. Setup Metlo Juice Shop
After you've signed up for the cloud and have an API key, set up Juice Shop by following the instructions in the README. We recommend the Docker version.
To run tests from Metlo Cloud you need a public URL for your Juice Shop instance. If you're running it locally, you can use ngrok to create one.
3. Install Metlo’s CLI
Install Metlo’s CLI from npm following the instructions here.
4. Initialize Data
After you have the Juice Shop server running and the Metlo CLI set up, run this command to populate Juice Shop with some test data. Be sure to replace <JUICE_SHOP_URL> with your Juice Shop address:
$ metlo juice-shop init-data -h <JUICE_SHOP_URL>
You should see the requests being tracked on your Metlo dashboard. It takes around 15 minutes for the sensitive data classifications to appear on the dashboard.
Restarting Juice Shop
Run the init-data command every time you restart Juice Shop, because its database is deleted on restart!
5. Metlo Config
To give Metlo more context about how the app works, you can provide configuration in the Metlo Config tab of the Settings page. Paste the following into the Metlo Config (replace the host value with the host shown on the Endpoints page):
authentication:
  - host: <YOUR_HOST>
    authType: jwt
    headerKey: Authorization
    jwtUserPath: data.email
globalTestEnv:
  - name: USER_1_EMAIL
    value: user1@juice.shop
  - name: USER_1_PASSWORD
    value: password
  - name: USER_2_EMAIL
    value: user2@juice.shop
  - name: USER_2_PASSWORD
    value: password
This tells Metlo how authentication is handled in Juice Shop, which in this case is via JSON Web Tokens: the token arrives in the Authorization header, and the user's identity is read from the data.email claim of its payload. The globalTestEnv entries will be used later in the Testing feature.
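Before pasting the config, it is worth confirming that jwtUserPath actually resolves against the tokens your app issues, since a path that does not match the payload layout leaves every request unattributed. The Node script below is an added example, not code from the Metlo docs or the Juice Shop project: it decodes the claims of a JWT taken from an Authorization header and resolves a dotted path such as data.email against them. The token it uses is constructed inline with a Juice Shop-style payload ({ status, data: { id, email, ... }, iat, exp }) and a dummy signature, so it runs offline; the signature is not verified, because this check, like Metlo's jwtUserPath, only needs the claims. Replace SAMPLE_AUTH_HEADER with a real header captured from your instance to check your own tokens.

```javascript
// Added example: check that a Metlo jwtUserPath (e.g. "data.email") resolves
// against the JWTs an app issues. Not part of the Metlo docs or Juice Shop.

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const padded = str.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (str.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// CONSTRUCTED sample: payload shaped like a Juice Shop login token, with a
// dummy (unsigned) signature part. Values are made up for this example.
const SAMPLE_PAYLOAD = {
  status: 'success',
  data: { id: 21, username: 'user1', email: 'user1@juice.shop', role: 'customer' },
  iat: 1700000000,
  exp: 1700021600,
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ typ: 'JWT', alg: 'RS256' })),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'dummy-signature',
].join('.');
const SAMPLE_AUTH_HEADER = `Bearer ${SAMPLE_TOKEN}`;

// Extract the JWT claims from an Authorization header value, with or without a
// "Bearer " prefix. Throws on anything that is not three dot-separated parts
// with a JSON payload. The signature is NOT verified here.
function claimsFromAuthHeader(headerValue) {
  const token = headerValue.replace(/^Bearer\s+/i, '').trim();
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 dot-separated parts');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Resolve a dotted path like "data.email" against the claims object;
// returns undefined if any segment is missing or not an object.
function resolvePath(obj, path) {
  return path.split('.').reduce(
    (cur, key) => (cur !== null && typeof cur === 'object' ? cur[key] : undefined),
    obj,
  );
}

// The user identity Metlo would attribute to a request carrying this header
// under the given jwtUserPath, or undefined when the path misses the layout.
function userForRequest(headerValue, jwtUserPath) {
  return resolvePath(claimsFromAuthHeader(headerValue), jwtUserPath);
}

console.log(userForRequest(SAMPLE_AUTH_HEADER, 'data.email')); // user1@juice.shop
console.log(userForRequest(SAMPLE_AUTH_HEADER, 'email'));      // undefined (wrong path)
```

The second call shows the failure mode to watch for: a path like email (without the data prefix) parses fine but resolves to nothing, so the dashboard would show traffic with no user attached rather than an error.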