Merge pull request #9 from aws-samples/add-juice-book

Add extension activities

docs/step-1.md

@@ -22,6 +22,9 @@ Access the `site-url` endpoint and include bad signatures to the requests. You c
 * SQL Injection: `<your-endpoint>/?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1'`
 * XSS: `<your-endpoint>/?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>`
 
+Optional Extension - Try and find an input form on the juice site to perform a XSS attack. See if your WAF blocks the malicious request.
+If you bypass the WAF by accessing the EC2 instance directly, you will see the a successfull attack.
+
 ## 1.3 HTTP Flood (AWS Lambda log parser)
 
 To test HTTP Flood, you can simulate an WAF log file deliver event. For that:

docs/step-3.md

@@ -1,4 +1,11 @@
-# Step 3 - Optional Challenge - Integrate AWS WAF datapoints to AWS Security Hub
+# Step 3 - Optional Extensions
+
+## 3.1 Challenge - Integrate AWS WAF datapoints to AWS Security Hub
 
 * [Enable AWS Security hub](https://console.aws.amazon.com/securityhub/home?region=us-east-1#/onboard)
 * Create an automation ([like this one](https://www.imperva.com/blog/imperva-integration-with-aws-security-hub-expanding-customer-security-visibility/)) to ingest AWS WAF Alert to AWS Security Hub. More info about AWS Security Hub custom providers [here](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-custom-providers.html)
+
+
+## 3.2 Play with the OWASP Juice Shop. 
+
+* The sample application you deployed is the OWASP Juice Shop. It intentionally contains common web vulnerabilities. WAF automatically protects against some of these vulnerabilities, such as SQL Injection and Cross Site Scriptting. There is an [accompanying book by Ben Kimminitch](https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/) that explains further. Try exploring the site to test out some other vulnerabilities. Access your EC2 resource directly (bypassing the ALB) to test your attacks without the WAF protection.