BulatGazizov-dev · BulatGazizov-dev · Sep 18, 2025 · Sep 19, 2025 · Sep 21, 2025 · Sep 25, 2025
diff --git a/README.md b/README.md
diff --git a/labs/lab1.md b/labs/lab1.md
@@ -4,174 +4,200 @@
 ![topic](https://img.shields.io/badge/topic-AppSec%20Basics-blue)
 ![points](https://img.shields.io/badge/points-10-orange)
 
-> **Goal:** Run an OWASP Juice Shop locally, complete a triage report, and standardize PR submissions.
-> **Deliverable:** A PR from `feature/lab1` containing `labs/submission1.md`, issues created, and the PR template in place.
+> **Goal:** Run OWASP Juice Shop locally, complete a triage report, and standardize PR submissions.  
+> **Deliverable:** A PR from `feature/lab1` to the course repo with `labs/submission1.md` containing triage report and PR template setup. Submit the PR link via Moodle.
 
 ---
 
 ## Overview
 
 In this lab you will practice:
+- Launching **OWASP Juice Shop** for security testing
+- Capturing a **triage report** covering version, URL, health check, exposure, risks, and next actions
+- Bootstrapping a **repeatable PR workflow** with a template
 
-* Launching a **Juice Shop App**.
-* Capturing a **triage report** — version, URL, health check, exposure, risks, and next actions.
-* Bootstrapping a **repeatable PR workflow** with a template.
-
-> We **do not** copy Juice Shop code into the repo. You’ll run the official Docker image and keep **only lab artifacts** in your fork. Run instructions come from Juice Shop’s docs; we’ll pin a known release tag. ([pwning.owasp-juice.shop][1], [GitHub][2], [Docker Hub][3])
+> We **do not** copy Juice Shop code into the repo. You'll run the official Docker image and keep **only lab artifacts** in your fork.
 
 ---
 
 ## Tasks
 
-### Task 1 — Triage (Juice Shop) (6 pts)
+### Task 1 — OWASP Juice Shop Deployment (6 pts)
 
-**Objective:** Run a Juice Shop locally and complete a Triage report to capture the deployment, quick health, exposure, and top risks.
+**Objective:** Run Juice Shop locally and complete a Triage report capturing deployment, health check, exposure, and top risks.
 
-1. **Create the submission file**
+#### 1.1: Deploy Juice Shop Container
 
-   * Create `labs/submission1.md` with these fields:
+```bash
+docker run -d --name juice-shop \
+  -p 127.0.0.1:3000:3000 \
+  bkimminich/juice-shop:v19.0.0
+```
 
-     * `image: bkimminich/juice-shop:19.0.0`
-     * release date (from GitHub Releases) and a link to the release notes.
+#### 1.2: Initial Verification
 
-2. **Run the container (detached)**
+- Browse to `http://localhost:3000` and confirm the app loads
+- Verify API responds: `curl -s http://127.0.0.1:3000/rest/products | head`
 
-   ```bash
-   docker run -d --name juice-shop \
-     -p 127.0.0.1:3000:3000 \
-     bkimminich/juice-shop:19.0.0
-   ```
+#### 1.3: Complete Triage Report
 
-   * Browse to `http://localhost:3000` and confirm the app loads.
+Create `labs/submission1.md` using this template:
 
-3. **Quick health check**
+```markdown
+# Triage Report — OWASP Juice Shop
 
-   * Verify the API responds:
+## Scope & Asset
+- Asset: OWASP Juice Shop (local lab instance)
+- Image: bkimminich/juice-shop:v19.0.0
+- Release link/date: <link> — <date>
+- Image digest (optional): <sha256:...>
 
-     ```bash
-     curl -s http://127.0.0.1:3000/rest/products | head
-     ```
-   * Take a screenshot of the home page or paste the first 5–10 JSON lines from the API.
+## Environment
+- Host OS: <e.g., macOS 14.5 / Ubuntu 22.04>
+- Docker: <e.g., 24.0.x>
 
-4. **Fill the Triage report**
+## Deployment Details
+- Run command used: `docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:v19.0.0`
+- Access URL: http://127.0.0.1:3000
+- Network exposure: 127.0.0.1 only [ ] Yes  [ ] No  (explain if No)
 
-   * In `labs/submission1.md`, copy/paste this template and fill it out:
+## Health Check
+- Page load: attach screenshot of home page (path or embed)
+- API check: first 5–10 lines from `curl -s http://127.0.0.1:3000/rest/products | head`
 
-   ```markdown
-   # Triage Report — OWASP Juice Shop
+## Surface Snapshot (Triage)
+- Login/Registration visible: [ ] Yes  [ ] No — notes: <...>
+- Product listing/search present: [ ] Yes  [ ] No — notes: <...>
+- Admin or account area discoverable: [ ] Yes  [ ] No — notes: <...>
+- Client-side errors in console: [ ] Yes  [ ] No — notes: <...>
+- Security headers (quick look — optional): `curl -I http://127.0.0.1:3000` → CSP/HSTS present? notes: <...>
 
-   ## Scope & Asset
-   - Asset: OWASP Juice Shop (local lab instance)
-   - Image: bkimminich/juice-shop:19.0.0
-   - Release link/date: <link> — <date>
-   - Image digest (optional): <sha256:...>
+## Risks Observed (Top 3)
+1) <risk + 1‑line rationale>
+2) <risk + 1‑line rationale>
+3) <risk + 1‑line rationale>
+```
 
-   ## Environment
-   - Host OS: <e.g., macOS 14.5 / Ubuntu 22.04>
-   - Docker: <e.g., 24.0.x>
+In `labs/submission1.md`, document:
+- Complete triage report using provided template
+- Screenshots or API output demonstrating working deployment
+- Environment details and security observations
+- Analysis of top 3 security risks identified during assessment
 
-   ## Deployment Details
-   - Run command used: `docker run -d --name juice-shop -p 127.0.0.1:3000:3000 bkimminich/juice-shop:19.0.0`
-   - Access URL: http://127.0.0.1:3000
-   - Network exposure: 127.0.0.1 only [ ] Yes  [ ] No  (explain if No)
+---
 
-   ## Health Check
-   - Page load: attach screenshot of home page (path or embed)
-   - API check: first 5–10 lines from `curl -s http://127.0.0.1:3000/rest/products | head`
+### Task 2 — PR Template Setup (4 pts)
 
-   ## Surface Snapshot (Triage)
-   - Login/Registration visible: [ ] Yes  [ ] No — notes: <...>
-   - Product listing/search present: [ ] Yes  [ ] No — notes: <...>
-   - Admin or account area discoverable: [ ] Yes  [ ] No — notes: <...>
-   - Client-side errors in console: [ ] Yes  [ ] No — notes: <...>
-   - Security headers (quick look — optional): `curl -I http://127.0.0.1:3000` → CSP/HSTS present? notes: <...>
+**Objective:** Standardize submissions so every lab PR has the same sections and checks.
 
-   ## Risks Observed (Top 3)
-   1) <risk + 1‑line rationale>
-   2) <risk + 1‑line rationale>
-   3) <risk + 1‑line rationale>
+#### 2.1: Create PR Template
 
-   ```
+Create `.github/pull_request_template.md` with:
+- Sections: **Goal**, **Changes**, **Testing**, **Artifacts & Screenshots**
+- Checklist (3 items): clear title, docs updated if needed, no secrets/large temp files
 
-> Resources: Juice Shop Docker image on Docker Hub; official run docs. ([Docker Hub][3], [pwning.owasp-juice.shop][1])
+```bash
+# Commit message example:
+git commit -m "docs: add PR template"
+```
 
----
+#### 2.2: Verify Template Application
 
-### Task 2 — PR Template (4 pts)
+```bash
+git checkout -b feature/lab1
+git add labs/submission1.md
+git commit -m "docs(lab1): add submission1 triage report"
+git push -u origin feature/lab1
+```
 
-**Objective:** Standardize submissions so every lab PR has the same sections and checks.
+Verify that:
+- PR description auto-fills with sections & checklist
+- Fill in **Goal / Changes / Testing / Artifacts & Screenshots** and tick checkboxes
+- Screenshots and API snippet are embedded in `labs/submission1.md`
+
+In `labs/submission1.md`, document:
+- PR template creation process and verification
+- Evidence that template auto-fills correctly
+- Analysis of how templates improve collaboration workflow
+
+<details>
+<summary>One-time Bootstrap Note</summary>
 
-> ⚠️ **One-time bootstrap:** GitHub loads PR templates from the **default branch of your fork (`main`)**. Add the template to `main` first, then open your lab PR from `feature/lab1`.
+GitHub loads PR templates from the **default branch of your fork (`main`)**. Add the template to `main` first, then open your lab PR from `feature/lab1`.
 
-1. **Create the PR template on `main`**
-   Path: `.github/pull_request_template.md`
-   Commit message: `docs: add PR template`
-   Include exactly these sections and checklist:
+</details>
 
-   * Sections: **Goal**, **Changes**, **Testing**, **Artifacts & Screenshots**
-   * Checklist (3 items): clear title, docs updated if needed, no secrets/large temp files
+---
+
+## How to Submit
 
-2. **Create your lab branch, add your submission file, open PR**
+1. Create a branch for this lab and push it to your fork:
 
    ```bash
-   git checkout -b feature/lab1
-   # add labs/submission1.md
+   git switch -c feature/lab1
+   # create labs/submission1.md with your findings
    git add labs/submission1.md
-   git commit -m "docs(lab1): add submission1 triage report"
+   git commit -m "docs: add lab1 submission"
    git push -u origin feature/lab1
    ```
 
-   * Open a PR from `feature/lab1` → `main` **in your fork**.
+2. Open a PR from your fork's `feature/lab1` branch → **course repository's main branch**.
 
-3. **Verify the template is applied**
+3. In the PR description, include:
 
-   * The PR description should auto-fill with your sections & checklist.
-   * Fill in **Goal / Changes / Testing / Artifacts & Screenshots** and tick the checkboxes.
-   * Ensure your screenshots and API snippet are embedded or referenced in `labs/submission1.md`.
-
-### Acceptance Criteria
+   ```text
+   - [x] Task 1 done — OWASP Juice Shop deployment + triage report
+   - [x] Task 2 done — PR template setup + verification
+   ```
 
-* ✅ `labs/submission1.md` exists and includes: image `bkimminich/juice-shop:19.0.0` with release link/date; environment; deployment details; access URL; working health check evidence (screenshot or API snippet); surface snapshot; top 3 risks.
-* ✅ 3–5 **Issues** exist in the repo labeled `backlog` (derived from your triage next actions) and linked from `labs/submission1.md`.
-* ✅ `.github/pull_request_template.md` exists on **`main`**.
-* ✅ A PR from `feature/lab1` → `main` is open and **auto-filled** with the template, including **Goal / Changes / Testing / Artifacts & Screenshots** (boxes ticked).
-* ✅ **No Juice Shop source code** is copied into the repo—only lab artifacts.
+4. **Copy the PR URL** and submit it via **Moodle before the deadline**.
 
 ---
 
-## How to Submit
-
-1. Complete all tasks.
-2. Push `feature/lab1` to your fork.
-3. Open a PR from `feature/lab1` → `main` in **your fork**.
-4. In the PR description, include:
+## Acceptance Criteria
 
-   ```text
-   - [x] Task 1 done
-   - [x] Task 2 done
-   - [x] Screenshots attached
-   ```
+- ✅ Branch `feature/lab1` exists with commits for each task
+- ✅ File `labs/submission1.md` contains required triage report for Tasks 1-2
+- ✅ OWASP Juice Shop successfully deployed and documented
+- ✅ File `.github/pull_request_template.md` exists on **main** branch
+- ✅ PR from `feature/lab1` → **course repo main branch** is open
+- ✅ PR link submitted via Moodle before the deadline
+- ✅ **No Juice Shop source code** copied into repo—only lab artifacts
 
 ---
 
 ## Rubric (10 pts)
 
-| Criterion                                                 | Points |
-| --------------------------------------------------------- | -----: |
-| Task 1 — Triage in `labs/submission1.md` + image running |  **6** |
-| Task 2 — PR template in effect + PR opened                |  **4** |
-| **Total**                                                 | **10** |
+| Criterion                                                | Points |
+| -------------------------------------------------------- | -----: |
+| Task 1 — OWASP Juice Shop deployment + triage report    |  **6** |
+| Task 2 — PR template setup + verification               |  **4** |
+| **Total**                                                | **10** |
 
 ---
 
-## Hints
+## Guidelines
 
-> 📌 **Why pin the version?** Juice Shop changes challenges between releases; pinning (e.g., `:19.0.0`) keeps labs reproducible for everyone. Check the **GitHub Releases** page for the date and notes. ([GitHub][2])\
-> 🧪 **Health check tip:** The official guide uses `-p 127.0.0.1:3000:3000`; always include `127.0.0.1` to avoid exposing the app beyond localhost by accident. ([pwning.owasp-juice.shop][1])\
-> 🚫 **Don’t add app code:** All labs use the official Docker image from Docker Hub—your repo holds configs, reports, and CI only. ([Docker Hub][3])
+- Use clear Markdown headers to organize sections in `submission1.md`
+- Include both command outputs and written analysis for each task
+- Document deployment process and security observations
+- Ensure screenshots and evidence demonstrate working setup
 
----
+<details>
+<summary>Security Notes</summary>
+
+- Always bind to `127.0.0.1` to avoid exposing the app beyond localhost
+- Pin specific Docker image versions for reproducibility
+- Never commit application source code—only lab artifacts and reports
+
+</details>
+
+<details>
+<summary>Deployment Tips</summary>
+
+- Check GitHub Releases page for specific version dates and notes
+- Verify API endpoints respond before completing triage report
+- Document all observed security issues in the triage template
+- Keep deployment commands simple and well-documented
 
-[1]: https://pwning.owasp-juice.shop/companion-guide/latest/part1/running.html?utm_source=chatgpt.com "Running OWASP Juice Shop"
-[2]: https://github.com/juice-shop/juice-shop/releases/?utm_source=chatgpt.com "Releases · juice-shop/juice-shop - GitHub"
-[3]: https://hub.docker.com/r/bkimminich/juice-shop/?utm_source=chatgpt.com "bkimminich/juice-shop - Docker Image | Docker Hub"
+</details>