Walking the "happy path"

When investigating an application for security vulnerabilities, you should never blindly start throwing attack payloads at it. Instead, make sure that you understand how it works before attempting any exploits.

Before commencing security testing, understanding the structure of the application is paramount. Without a thorough understanding of the layout of the application, it is unlikely that it will be tested thoroughly. Map the target application and understand the principal workflows.¹

A good way to gain an understanding for the application, is to actually use it in the way it was meant to be used by a normal user. In regular software testing this is often called "happy path" testing.

Also known as the "sunny day" scenario, the happy path is the "normal" path of execution through a use case or through the software that implements it. Nothing goes wrong, nothing out of the normal happens, and we swiftly and directly achieve the user's or caller's goal.²

The OWASP Juice Shop is a rather simple e-commerce application that covers the typical workflows of a web shop. The following sections briefly walk you through these "happy path" use cases.

Browse products

When visiting the OWASP Juice Shop you will begin on the landing page #/ which initially displays all products offered in the shop. Clicking on the logo in the top left corner of the screen will always bring you back to this screen (or more precisely, to its alias #/search).

This is of course the "bread & butter" screen for any e-commerce site. When you click on the small "eye"-button next to the price of a product, an overlay screen will open showing you that product details including a list of customer reviews for that product (if available). You can also enter a new (or edit an existing) product review in this dialog. Authenticated users can upvote reviews they like.

You can use the Search... box in the navigation bar on the top of the screen to filter the table for specific products by their name and description. Using the controls at the bottom of the table, you can navigate through a the result list that exceeds the Items per page limit.

User login

You might notice that there seems to be no way to actually purchase any of the products. This functionality exists, but is not available to anonymous users. You first have to log in to the shop with your user credentials on the #/login page. There you can either log in with your existing credentials (if you are a returning customer) or with your Google account.

User registration

In case you are a new customer, you must first register by following the corresponding link on the login screen to #/register. There you must enter your email address and a password to create a new user account. With these credentials you can then log in... and finally start shopping! During registration you also choose and answer a security question that will let you recover the account if you ever forget your password.

Forgot Password

By providing your email address, the answer to your security question and a new password, you can recover an otherwise inaccessible account.

Choosing products to purchase

After logging in to the application you will notice a "shopping cart"-icon in every row of the products table. Unsurprisingly this will let you add one or more products into your shopping basket. The Your Basket button in the navigation bar will bring you to the #/basket page, where you can do several things before actually confirming your purchase:

• increase ("+") or decrease ("-") the quantity of individual products in the shopping basket
• remove products from the shopping basket with the "trashcan"-button

Checkout

Still on the #/basket page you also find some purchase related buttons that are worth to be explored:

• unfold the Coupon section with the "gift"-button where you can redeem a code for a discount
• unfold the Payment section with the "credit card"-button where you find donation and merchandise links

Finally you can click the Checkout button to issue an order. You will be forwarded to a PDF with the confirmation of your order right away.

You will not find any "real" payment or delivery address options anywhere in the Juice Shop as it is not a "real" shop, after all.

User Menu

Clicking the user icon right next to the application logo & title, you will give you access to several secondary use cases of the Juice Shop. This menu is obviously only available when you are logged in with your user account.

User Profile

Clicking you your email address in the user menu, you will get to the User Profile screen on /profile. Visiting it might break your user experience a bit, as it looks slightly less sophisticated than the rest of the shop's UI. It is fully functional nonetheless, as it allows you to upload a JPG-format picture of yourself (or link an existing Gravatar) and choose a username for your account.

Request Recycling Box

When logged in you will furthermore see a Recycle button that brings you to the #/recycle page. This is a very innovative feature that allows eco-friendly customers to order pre-stamped boxes for returning fruit pressing leftovers to the Juice Shop.

For greater amounts of pomace the customer can alternatively order a truck to come by and pick it up at a chosen future date.

Order Tracking

Equipped with an order number from your confirmation PDF, you can invoke the #/track-order functionality by clicking Track Orders.

After entering a valid order number, you will be shown the products from your order along with a delivery status and expected delivery date.

Just as there was no "real" payment was happening, you will hopefully understand that there is no "real" order delivery happening - no matter what the order tracking dialog suggested.

Change user password

If you are currently logged in you will find the obligatory Change Password button in the navigation bar. On the #/change-password page you can then choose a new password. To prevent abuse you have of course to supply your current password to legitimate this change.

Contact Us Menu

The Contact Us button in the navigation bar reveals another drop-down menu with up to two options to choose from.

Customer Feedback

Customers are invited to leave feedback about their shopping experience with the Juice Shop. Simply visit the #/contact page by clicking the Customer Feedback menu item. You might recognize that it is also possible to leave feedback as an anonymous user. The contact form is very straightforward with a free text Comment field and a Rating on a 1-5 stars scale. To prevent abuse, you have to solve a simple mathematical problem before being allowed to submit your feeback.

Complain

The Complain? menu item is shown only to logged in users. It brings you to the #/complain page where you can leave a free text Message and also attach an Invoice file in case you had some issues with a recent order at the Juice Shop.

About Us

Like every proper enterprise, the OWASP Juice Shop has of course an #/about page titled About Us. There you find a summary of the interesting history of the shop along with a link to its official Terms of Use document. Additionally the page displays a fancy illustrated slideshow of all customer feedback. Beneath that you can find all important social media contact information of the shop.

Language selection

From a dropdown menu in the navigation bar you can select a multitude of languages you want the user interface to be displayed in. Languages marked with a "flask"-icon next to them offer only rudimentary or partial translation.

If you want to know more about (or even help with) the localization of OWASP Juice Shop, please refer to the Help with translation chapter in part III of this book.

¹. https://www.owasp.org/index.php/Map_execution_paths_through_application_(OTG-INFO-007) ↩

². http://xunitpatterns.com/happy%20path.html ↩