OWASP Juice Shop 7.x

An intentionally insecure JavaScript Web Application
The most trustworthy online shop out there (@dschadow) — The best juice shop on the whole internet! (@shehackspurple)
Actually the most bug-free vulnerable application in existence! (@vanderaj)


Presentation by Björn Kimminich / @bkimminich

What is "OWASP"?!?

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.

Why "Juice Shop"?!?

Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name.
That the initials "JS" match with those of "JavaScript" was purely coincidental!

Click here for a live demo!

Unsuspectingly browse the Juice Shop like Average Joe!

Simple Installation

Comes with cloud, local and containerized run options

Multi-language support

Full UI translation available for

Partial translation available for

60+ Hacking Challenges

Covering various vulnerabilities and serious design flaws

OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.

Challenge Difficulty

Contains low-hanging fruits & hard-to-crack nuts

Direct Route to Victory

Some challenges can be immediately attacked head-on

Information Gathering pays off

Most challenges are easier to solve after some research

Multi-stage Attack Challenges

The toughest challenges require multiple preparation steps

Score Board

Challenge progress is tracked on server-side

Immediate Feedback

Solved challenges are announced as push notifications

Restore your Progress

Auto-saves your hacking progress and restores on server restart

Juice Shop is CTF-ready

Flag codes can optionally be displayed for solved challenges

Frictionless CTF-Events

All participants use individual Juice Shop instances anywhere, sharing only the flag code-ctfKey and a central score server.

CTF Extension 4.x

Utility project to help you host a hacking event on CTFd

Simple Installation

Locally via npm i -g juice-shop-ctf-cli or as Docker container

Setup Wizard

Run juice-shop-ctf on the command line and let a wizard create a data-backup .zip-archive to conveniently import into CTFd

Configuration File Option

Run juice-shop-ctf --config myconfig.yml to use non-interactive mode passing in configuration via YAML file

juiceShopUrl: https://juice-shop.herokuapp.com
ctfKey: https://raw.githubusercontent.com/bkimminich/juice-shop/master/ctf.key
insertHints: none | free | paid
insertHintUrls: none | free | paid

CTFd for OWASP Juice Shop

Your CTFd instance will be ready-to-hack in <5min

Quiet Mode

Hide ribbon & notifications for zero distraction in security awareness trainings

Simply start application with NODE_ENV=quiet environment variable defined!

Awareness Scare-Tactics

Noisy XSS demo with sneaky off-site credentials keylogger

You can experience & show this live only from within the Vagrant box run option!


Fully customizable business context and look & feel

Configurative Customization

Customize the application via a simple YAML file

  domain: juice-sh.op
  name: 'OWASP Juice Shop'
  logo: JuiceShop_Logo.png
  favicon: favicon_v2.ico
  numberOfRandomFakeUsers: 0
  showChallengeSolvedNotifications: true
  showCtfFlagsInNotifications: false
  showChallengeHints: true
  theme: slate
  gitHubRibbon: orange
  twitterUrl: 'https://twitter.com/owasp_juiceshop'
  facebookUrl: 'https://www.facebook.com/owasp.juiceshop'
  planetOverlayMap: orangemap2k.jpg
  planetName: Orangeuze
    topProductImage: fruit_press.jpg
    bottomProductImage: apple_pressings.jpg
  altcoinName: Juicycoin
  cookieConsent: ...

Choose your own inventory

The YAML configuration allows you to override all products

    name: 'Product Name'
    price: 100
    description: 'Product Description'
    image: '(https://somewhe.re/)image.png'
    useForProductTamperingChallenge: false
    useForChristmasChallenge: false
    fileForRetrieveBlueprintChallenge: ~
      - { text: 'Customer review', author: jim }
    name: 'Product with Lorem Ipsum description, filler image and random price'

Modern Web-Architecture

JavaScript all the way from UI to REST API

Test Pyramid

Maximizing Test Automation & Code Coverage


Build Process

Automated Continuous Integration & Demo Deployment


If FAQ & README don't help, ask in the chat or open an issue

Can I use my Pentesting toys?

Yes, definitely! Use whatever pentesting tools you like the most!

Proxies like OWASP ZAP or BurpSuite Free Edition can definitely be useful. Automatic tools like Arachni or Nikto might find some vulnerabilities but will obviously not be able to get the Score Board to 100% for you.

Can I do a white box pentest?

No! The code from GitHub would spoiler all challenge solutions!

You can of course use everything that the application leaked to you while hacking it - even source code!

Can I use the internet?

Yes! Feel free to look for ideas, clues & hints everywhere!

Again: Except for the application's own GitHub repository & the logs of its Travis-CI build jobs!

Installation does not work!

Please carefully follow the instructions in the README

If Setup & Troubleshooting docs don't help, you can always ask the community or open an issue!

What if I crash the server?

The application is cleanly reset on every startup

Your Score Board progress is saved automatically and will restore after server restart!

I'm stuck with a challenge!

Find helpful hints in the free official companion guide on Leanpub

The eBook can also be read online on GitBook. You can always ask for hints in the community chat as well!

I found another vulnerability!

Please report untracked vulnerabilities by opening an issue

Of course you can also contribute directly by opening a pull request. Just stick to the contribution guide!

Can I contribute to the project?

Of course! Visit our backlog on Waffle.io & translations on Crowdin

Stories or issues labelled with  ready  and  good first issue  /  help wanted  are the best starting point!

Is there a contribution reward?

For your 1st merged pull request you'll get some stickers from us

Serial contributors might even get t-shirts, mugs and other glorious merchandise for free!

Project Roadmap

  • 2 GSoC projects in 2018 (Angular5, ChallengePack)
  • Have a juicy CTFd Theme for extra immersion
  • Promotion to  Flagship  Project  maturity level

Timeline? When it's done!

Additional Information

Official Site http://owasp-juice.shop
Sourcecode https://github.com/bkimminich/juice-shop

Bjoern's Material on Web Application Security

Web Application Security in a Nutshell http://webappsec-nutshell.kimminich.de
Web Application Security Training https://www.slideshare.net/BjrnKimminich/web-application-security-training-v410

Copyright (c) 2014-2018 Björn Kimminich

Licensed under the MIT license.

Created with reveal.js - The HTML Presentation Framework

Fork reveal.js on GitHub