search

chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0
2.83k stars 191 forks source link

BadSSL as ReverseProxy to JuiceShop #463

Open deknos opened 3 years ago

deknos commented 3 years ago

Hello, is it possible/how hard would it be to use badssl as kind of an reverse proxy with juiceshop? so we can like practically show the SSL problems on real shops? So Users can send data and perhaps even show that on a separate instance, because the SSL encryption/certificate verification is broken?

lgarron commented 3 years ago

Most of badssl.com is just a tree of nested nginx configs that happen to be serving static files. You're welcome to fork and replace the static content in places like this:

https://github.com/chromium/badssl.com/blob/0afed648f6430264473b9ac238864e1b4fb739da/common/common.conf#L10

(I don't think it would make a lot of sense to add to the root project itself, though.)

so we can like practically show the SSL problems on real shops? So Users can send data and perhaps even show that on a separate instance

I'm not quite sure what you mean, but I'd like to encourage you to make sure not to put any real users at risk. That would be bad for the users, and might get you in trouble for bad data privacy practices.

deknos commented 3 years ago

I'm not quite sure what you mean, but I'd like to encourage you to make sure not to put any real users at risk. That would be bad for the users, and might get you in trouble for bad data privacy practices.

Hi, i'm not sure, you understood me. juiceshop is a software which anyone can setup/use for learning about security vulnerabilities. like DWVA or DVL back in the day. The idea would be, not only hacking juiceshop with their XSS-Problems, but also combining that with the SSL problems. that makes it even more.. realistic and people understand, why you want good working SSL on your site.