OWASP Juice Shop

An intentionally insecure Javascript Web Application
The most trustworthy online shop out there (@dschadow)


Presentation by Björn Kimminich / @bkimminich

Why the name "Juice Shop"?!?

Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name.
That the initials "JS" match with those of "Javascript" was purely coincidental!

Why another broken webapp?!?

OWASP Juice Shop is the first application written entirely in Javascript listed in the OWASP VWA Directory. It also seems to be the first broken webapp that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.

Live Demo Environment

Unsuspectingly browse the Juice Shop like Average Joe!

Technology Stack

Javascript all the way from UI to REST API

Test Pyramid

Maximizing Test Automation & Code Coverage

Build Process

Automated Continuous Integration & Demo Deployment

Simple Installation

Comes with cloud, local and containerized run options

Multi-language support

Full UI translation available for 15+ languages

38+ Hacking Challenges

Covering various vulnerabilities and serious design flaws

OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.

Challenge Difficulty

Contains low-hanging fruits & hard-to-crack nuts

Direct Route to Victory

For some challenges it actually works like this

Information Gathering pays off

Most challenges are easier to solve after some research

Multi-stage Attack Challenges

The toughest challenges require multiple preparation steps

Score Board

Challenge progress is tracked on server-side

Immediate Feedback

Solved challenges are announced as push notifications

Your Hacking Session

Conveniently save your hacking progress to restore it later

CTF Extension

Use juice-shop-ctf-cli to host an event on CTFd


Fully customizable business context and look & feel

Configurative Customization

Customize the application via a simple YAML file

  port: 3000
  domain: juice-sh.op
  name: "OWASP Juice Shop"
  logoReplacementUrl: ~
  faviconReplacementUrl: ~
  numberOfRandomFakeUsers: 0
  showChallengeSolvedNotifications: true
  theme: "slate"
products: []
Eat your own dog food: The Juice Shop default look & feel is declared in default.yml

Choose your own inventory

The YAML configuration allows you to override all products

  - name: "Product Name"
    price: 100
    description: "Product Description"
    image: "image.png"
    imageUrl: "https://product/image.png"
    useForProductTamperingChallenge: false
    useForChristmasChallenge: false
Too much effort? Just declare the name and the app will generate the rest randomly!


If FAQ & README don't help, ask in the chat or open an issue

Can I use my Pentesting toys?

Yes, definitely! Use whatever tools you like the most!

Proxies like ZAP or Burp can be useful, but most automated scanners won't help much.

Can I do a white box pentest?

No! The code would spoiler all challenge solutions!

Can I look at the server log?

No! The console would reveal several challenge solutions!

Can I use the internet?

Yes! Feel free to look for ideas & hints everywhere...

...except in the GitHub repository and the logs of the Travis-CI build jobs!

Installation does not work!

Please carefully follow the instructions in the README

If Setup & Troubleshooting docs don't help, you should seek help in the community chat or open an issue.

What if I crash the server?

The application is cleanly reset on every startup

Your Score Board progress is reset as well! Save your hacking progress regularly!

I'm stuck with a challenge!

Find helpful hints in the official companion guide eBook

Alternatively feel free to ask for hints in the community chat.

I found another vulnerability!

Please report untracked vulnerabilities by opening an issue

Of course you can also contribute directly by opening a pull request. Just don't break any tests.

Are there other ways to contribute?

Glad that you're asking! You can help implementing new features or bugfixes*. You can also help translating the application into other languages!

*Especially those tagged with "help wanted"!

Is there a contribution reward?

For your first accepted pull request you will receive some official Juice Shop stickers for free!

For core project team members, there's even t-shirts, mugs and other glorious merchandise!


  • Release a Challenge Pack for even more variety
  • TechStack Update (Angular, Sequelize, Jasmine/Frisby)
  •  Lab  Project  status on OWASP (project review in progress)

Timeline? When it's done!

Additional Information

Official Site https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
Sourcecode https://github.com/bkimminich/juice-shop

Bjoern's Material on Web Application Security

Web Application Security in a Nutshell http://webappsec-nutshell.kimminich.de
Web Application Security in a Nutshell (for Managers) http://webappsec-nutshell.kimminich.de/management-edition.html
Web Application Security Training Workshop http://slideshare.net/BjrnKimminich/web-application-security-21684264

Copyright (c) 2014-2017 Björn Kimminich

Licensed under the MIT license.

Created with reveal.js - The HTML Presentation Framework

Fork reveal.js on GitHub