DEV Community

How I Turned OWASP Juice Shop Into a Live Attack-Detection Lab Using SecureNow

What Is OWASP Juice Shop?

OWASP Juice Shop is a deliberately vulnerable web application, developed and maintained by OWASP, used worldwide for learning cybersecurity. It simulates an e-commerce site that sells fruit juices - complete with account creation, product search, reviews, and a chatbot. Under the hood, it packs in a dozen security flaws on purpose. Each one maps to a "challenge" you solve by exploiting it: SQL injection, Cross-Site Scripting (XSS), authentication bypass, broken access control, sensitive data exposure, and more.

Tech stack:

  • Node.js and Express.js on the server side
  • Angular for the frontend
  • TypeScript across the entire codebase
  • Sequelize as the ORM for data persistence

Because nearly every category of the OWASP Top 10 is represented in the app, it's an ideal training ground for understanding - under real conditions - how a web attack works, and therefore how to detect it.

Installing OWASP Juice Shop

Getting the Source Code

Clone the project's repository:

git clone https://github.com/juice-shop/juice-shop.git
cd juice-shop

A quick look at the project structure reveals several key folders worth exploring before moving on.

Installing Dependencies

npm install

This may print a wave of npm warn deprecated messages, tied to older internal dependencies (outdated versions of glob, rimraf, uuid, etc.). These are harmless - they just flag transitive packages that are no longer maintained, and don't affect installation or app functionality.

Building the Project

Since Juice Shop is written in TypeScript, it needs a build step before the server can start:

npm run build

This compiles the TypeScript into JavaScript (into a build/ folder) and prepares the Angular frontend assets.

Starting the Server

npm start

Once running, the app is available at http://localhost:3000.

Exploring the Application's Functionality

Before diving into the security side, it's worth browsing the app like an ordinary user would: create an account, log in, search for products, add items to the cart. This builds a mental map of the exposed functionality - an essential foundation for identifying attack surfaces later.

Introducing SecureNow

SecureNow is an application security solution that monitors an app's traffic in real time and automatically detects behavior matching known attacks - SQL injection, XSS, brute-force, account enumeration, and more. It's built around three components:

  • An SDK installed in the project, which hooks into the HTTP request lifecycle
  • A CLI for configuring, initializing, and verifying the integration from the command line
  • A cloud dashboard that centralizes reported events and lets you configure detection rules

Creating the Application on SecureNow

The first step on the SecureNow side is registering the app to be protected, via the Create New Application form on the dashboard:

Field Purpose
Application Name A name identifying the project
Hosts Domains associated with the app (left empty or set to localhost for local dev)
Discover & monitor all subdomains Useful for a real public domain; unchecked for a purely local app
SecureNow Instance The cloud instance receiving traces and logs (Free Trial tier is enough for testing)

Creating the application automatically generates a unique APPID, which the SDK uses internally to associate reported events with the correct application on the dashboard.

Installing and Authenticating the SDK

Installing the Package

npm install securenow

Authentication

npx securenow login

This opens the browser for OAuth authentication, linking your local dev environment to your SecureNow account.

Initializing the Local Configuration

npx securenow init
npx securenow env

The first command creates a local config file (.securenow/credentials.json) with the integration settings. The second checks that the essential options are properly enabled:

  • loggingEnabled - enables event logging
  • captureBody - captures the body of HTTP requests
  • captureMultipart - captures multipart requests (file uploads)
  • firewallEnabled - enables the real-time application firewall

Instrumenting the Code

Instrumentation means making sure the SecureNow SDK runs before the application code, so it can observe all traffic from the moment the server starts. Node.js natively supports this via the -r (--require) flag, which loads a module before the script's main entry point.

Juice Shop's original startup script in package.json is:

"start": "node build/app"

It gets modified to:

"start": "node -r securenow/register build/app"

This approach has a key advantage: it requires no changes to the application's own source code. The securenow/register module inserts itself transparently into the Node.js process, intercepts HTTP requests at a low level (typically via instrumentation of the native http/https modules or the Express framework), and forwards the relevant events to the SDK.

After this change, rebuild and restart to apply it:

npm run build
npm start

Verifying the Integration

The SecureNow CLI offers several diagnostic commands to validate each part of the integration:

npx securenow status

Confirms the agent is active and properly connected to the configured SecureNow instance.

npx securenow firewall apps

Lists applications currently protected by the SecureNow firewall - your app should appear here.

npx securenow firewall status

Confirms whether the application firewall is active or inactive.

npx securenow test-span --env local

Sends a test event ("span") to the SecureNow instance, providing an end-to-end check that the telemetry chain works - from the SDK all the way to the cloud dashboard.

Validating with Real Application Traffic

A test span confirms connectivity, but it doesn't guarantee the SDK is correctly capturing real traffic generated by the application. To validate that, I:

  • Manually browsed the app - logging in, searching for products, adding items to the cart, and attempting a failed login with a wrong password
  • Watched the SecureNow dashboard to confirm each action produced a corresponding event, visible in near real time

Every action showed up on the dashboard as it happened - proof that the instrumentation was capturing genuine traffic, not just synthetic test pings.

Wrapping Up

Setting up OWASP Juice Shop gives you a realistic, safe environment to practice exploiting the OWASP Top 10. But pairing it with SecureNow turns that exercise into something more valuable: a live demonstration of what real-time detection actually looks like from the defender's side. Instead of just reading about SQL injection or brute-force attacks in theory, you can watch them get flagged on a dashboard the instant they happen - which is a much sharper way to understand both the attack and the defense.

Comments

No comments yet. Start the discussion.