Translating "dump" or "useless outfit" into German yields "Saftladen", which translated back word by word gives "juice shop". Hence the project name.
Full UI translation available for 17+ languages
Covering various vulnerabilities and serious design flaws
OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.
Contains low-hanging fruits & hard-to-crack nuts
Some challenges can be immediately attacked head-on
Most challenges are easier to solve after some research
The toughest challenges require multiple preparation steps
Challenge progress is tracked on the server side
Solved challenges are announced as push notifications
Auto-saves your hacking progress and restores on server restart
Flag codes can optionally be displayed for solved challenges
All participants use individual Juice Shop instances anywhere, sharing only the flag code ctfKey and a central score server.
npm i -g juice-shop-ctf-cli
Run juice-shop-ctf on the command line and let a wizard create a data-backup .zip archive to conveniently import into CTFd
Your CTFd instance will be ready-to-hack in <5min
Hide ribbon & notifications for zero distraction in security awareness trainings
Simply start the application with the NODE_ENV=quiet environment variable defined!
Noisy XSS demo with a sneaky off-site credential keylogger
You can experience & show this live only from within the Vagrant box run option!
Fully customizable business context and look & feel
Customize the application via a simple YAML configuration file
Eat your own dog food: the Juice Shop default look & feel is itself declared in such a YAML file:

```yaml
server:
  port: 3000
application:
  domain: "juice-sh.op"
  name: "OWASP Juice Shop"
  logo: "JuiceShop_Logo.png"
  favicon: "favicon_v2.ico"
  numberOfRandomFakeUsers: 0
  showChallengeSolvedNotifications: true
  showCtfFlagsInNotifications: false
  showChallengeHints: true
  theme: "slate"
  gitHubRibbon: "orange"
  twitterUrl: "https://twitter.com/owasp_juiceshop"
  facebookUrl: "https://www.facebook.com/owasp.juiceshop"
  recyclePage:
    topProductImage: "fruit_press.jpg"
    bottomProductImage: "apple_pressings.jpg"
products:
```
The YAML configuration allows you to override all products
Each product entry can carry the following keys:

```yaml
products:
  - name: "Product Name"
    price: 100
    description: "Product Description"
    image: "(https://somewhe.re/)image.png"
    useForProductTamperingChallenge: false
    useForChristmasChallenge: false
    fileForRetrieveBlueprintChallenge: ~
    reviews:
      - text: "Customer Review"
        author: "jim"
```

Too much effort? Just declare the product name and the app will generate the rest randomly!
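As an added example (not a configuration file shipped with Juice Shop), here is a minimal override file for a CTF run that combines the options described above: it changes only the keys that differ from the defaults, turns on flag display in the solved-challenge notifications so participants can submit flags to the score server, disables hints for the competition, and declares most products by name only so the rest is generated randomly. The file name `ctf.yml` and the assumption that it is selected by setting `NODE_ENV=ctf` (the same mechanism the `NODE_ENV=quiet` hint on this page relies on) are this example's, not the page's.

```yaml
# ctf.yml: hypothetical override file (added example, not part of Juice Shop).
# Assumption: placed next to the default config and selected with NODE_ENV=ctf.
# Only keys that differ from the defaults shown above are listed; everything
# else (server port, domain, logo, favicon, theme, ...) keeps its default value.
application:
  name: "ACME Juice Shop CTF"          # shown in the UI instead of "OWASP Juice Shop"
  numberOfRandomFakeUsers: 20          # pad the user table with decoy accounts
  showChallengeSolvedNotifications: true
  showCtfFlagsInNotifications: true    # participants need the flag codes for the score server
  showChallengeHints: false            # no hints during the competition

# Declaring "products" replaces the complete default product list, so every
# product you still want in the shop has to be listed here.
products:
  - name: "Apple Juice"                # price, description and image are generated randomly
  - name: "Orange Juice"
  - name: "Lemon Juice"                # partially specified: only the missing fields are generated
    price: 2.99
    description: "Sour but refreshing."
    reviews:
      - text: "Great on a hot day."
        author: "jim"
```

Start the server with the file selected by environment name (assumption, as above): `NODE_ENV=ctf npm start`. Because flags are now shown in the notifications, keep this config off any instance used for awareness trainings, where the quiet mode is the better fit.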
Maximizing Test Automation & Code Coverage
Yes, definitely! Use whatever pentesting tools you like the most!
Proxies like OWASP ZAP or BurpSuite Free Edition can definitely be useful. Automated scanners like Arachni or Nikto might find some vulnerabilities but obviously won't get the Score Board to 100% for you.
No! The code from GitHub would spoil all challenge solutions!
You can of course use everything - including sources - that the application leaked to you directly!
Yes! Feel free to look for ideas, clues & hints everywhere!
Again: except for the application's own GitHub repository & the logs of its Travis-CI build jobs!
Please carefully follow the instructions in the README
The application is cleanly reset on every startup
Your Score Board progress is saved automatically and will restore after server restart!
Find helpful hints in the free official companion guide on Leanpub
Please report untracked vulnerabilities by opening an issue
Stories or issues labelled with ready and good first issue / help wanted are the best starting point!
For your 1st merged pull request you'll get some stickers from us
Serial contributors might even get t-shirts, mugs and other glorious merchandise for free!
Timeline? When it's done!
| Title | URL |
|---|---|
| Web Application Security in a Nutshell | http://webappsec-nutshell.kimminich.de |
| Web Application Security in a Nutshell (for Managers) | http://webappsec-nutshell.kimminich.de/management-edition.html |
| Web Application Security Training Workshop | http://slideshare.net/BjrnKimminich/web-application-security-21684264 |
Licensed under the MIT license.
Created with reveal.js - The HTML Presentation Framework