SC 120: Finding Security Issues with Semgrep (15 pts)

What You Need

• A computer with a Web browser

GitHub Account and Vulnerable Codebase

Make a Github Account In a Web browser, go to https://github.com/ Create an account and log in. Forking the OWASP Juice Shop Core This is a deliberately vulnerable codebase from OWASP. Instead of forking the original code from OWASP, which may be changing, you'll copy my version, which is frozen in the state the code was on Mar 3, 2024. In a Web browser, go to https://github.com/sambowne/juice-shop-orig At the top right, click the drop-down arrow next to "Fork". Click "Create a new fork", as shown below. On the "Create a new fork" page, change the Repository name to juice-shop-working, and, at the bottom right, click the "Create fork" button, as shown below.

Make a Semgrep Account

On the right, click the "Sign in with GitHub" button.

Log in to Github if you are prompted to.

When you see it, click the green "Authorize semgrep-app" button.

On the "Let's start with your oganization" page, click the blue "Create new oganization" button. as shown below.

Scanning a Project on Your Machine

Install Semgrep

Log into Semgrep CLI

A command appears. Execute that command on your system. It will look something like this:

SEMGREP_APP_TOKEN=1bca664ffbcccccccccccccccccccccccccccc6aceba semgrep login 

Clone the Juice Shop Repository

Installing Git

git clone https://github.com/sambowne/juice-shop-orig.git
cd juice-shop-orig

Scanning the Code

semgrep ci

Viewing the Results

There are 19 findings in five categories, as shown below.

express-sequelize-injection

Flag SC 120.1: Generic Secret (15 pts) Semgrep finds a "Generic Secret". Examine that code. The flag is covered by a green rectangle in the image below.

References

Posted 2-26-24