SC 120: Finding Security Issues with Semgrep (15 pts)

What You Need

GitHub Account and Vulnerable Codebase

You should already have prepared a GitHub account with the OWASP Juice Shop code in it in a previous project. If you did not do that, do the steps in the blue box below.

Make a Github Account

In a Web browser, go to

Create an account and log in.

Forking the OWASP Juice Shop Core

This is a deliberately vulnerable codebase from OWASP. Instead of forking the original code from OWASP, which may be changing, you'll copy my version, which is frozen in the state the code was on Mar 3, 2024.

In a Web browser, go to

At the top right, click the drop-down arrow next to "Fork". Click "Create a new fork", as shown below.

On the "Create a new fork" page, change the Repository name to juice-shop-working, and, at the bottom right, click the "Create fork" button, as shown below.

Make a Semgrep Account

In a Web browser, go to

On the right, click the "Sign in with GitHub" button.

Log in to Github if you are prompted to.

When you see it, click the green "Authorize semgrep-app" button.

On the "Let's start with your oganization" page, click the blue "Create new oganization" button. as shown below.

Scanning a Project on Your Machine

You see instructions for your OS, as shown below.

Install Semgrep

Follow the instructions to install Semgrep on your system.

Log into Semgrep CLI

Click the blue "Create CLI token" button.

A command appears. Execute that command on your system. It will look something like this:

SEMGREP_APP_TOKEN=1bca664ffbcccccccccccccccccccccccccccc6aceba semgrep login 

Clone the Juice Shop Repository

First, install git as explained here:
Installing Git
Execute these commands on your system:
git clone
cd juice-shop-orig

Scanning the Code

Execute these commands on your system:
semgrep ci

Viewing the Results

Go to the URL the output shows, as shown below.

You see a list of findings. At the top, click the Filter button and click High severity, as shown below.

Close the pop-up window.

There are 19 findings in five categories, as shown below.


In the "express-sequelize-injection" section, click the first link to code, outlined in blue in the image below.

The vulnerable line of code appears in GitHub, as shown below.

Flag SC 120.1: Generic Secret (15 pts)

Semgrep finds a "Generic Secret". Examine that code.

The flag is covered by a green rectangle in the image below.


OWASP Juice Shop Github

Posted 2-26-24