Jason Haley

Ramblings from an Independent Consultant

How to Setup OWASP Juice Shop on Azure (Part 1 of 3)

Last year, when I was working on my Securing Your Web Application in Azure with a WAF talk, I was looking for a way to avoid writing my own site that exposed things like SQL injection and cross-site scripting (XSS) and happened to find the Juice Shop project (I think it was Bill Wilder who introduced me to it but I’m not 100% sure). The OWASP Juice Shop Project is a great site for testing your exploit skills on a modern web app … or in my case testing the effectiveness of a Web Application Firewall (WAF).

There are many resources on the web for finding more information on the Juice Shop project and how to exploit it, so I’m going to focus on the two easiest and quickest ways I’ve found to get it running in Azure:

  • Web App for Containers
  • Azure Container Instances

For the individual walkthroughs, I want to cover both using the Azure portal and the Azure CLI in order to serve as a better reference – so to keep the length shorter I’m going to break this up into three parts:

First, a little about these Azure products and their features.

Web App for Containers

Web App for Containers is similar to Web Apps and builds on the App Service platform, but there isn’t feature parity between the two. The most common features of Web Apps are supported, including:

  • FTP capability
  • Deployment Slots
  • CI/CD integration
  • Application Settings (think environment variables that can be managed in the control plane)
  • Backups
  • Custom domains
  • SSL Certificates
  • Scale in/out (including autoscale)
  • Scale up/down (though not all App Service tiers are available)

Things special to Web App for Containers:

  • SSH to the container experience
  • Ability to deploy the site from a container registry

Currently only Linux containers are supported – which for the case of running Juice Shop is not a problem.

Web App for Containers seems designed for the scenario when you want to host a web site from a (Linux) container.

Azure Container Instances

Container Instances are basically Containers-as-a-Service and are designed for single-container workloads. However, you can run multiple containers in container groups (similar to a pod in Kubernetes).

  • Supports both Linux and Windows containers
  • Can run containerized tasks (it is not designed only for serving web sites, which don’t return)
  • Ability to mount Azure Files as volumes in a container
  • Can have multiple ports (and not just 80 and 443)
  • Public IP and DNS name labels are optional
  • Using the Kubernetes Connector, ACI can serve as a host in a burst scenario to handle excess capacity and host pods in container groups

Azure Container Instances seems to be more of a bare container product, designed for shorter-running sites or tasks as well as for extending existing Kubernetes clusters when needed.

Next

Now that I’ve introduced the products, I will provide the walkthroughs of the two different options. Next is Web App for Containers.