How To Hunt for Web App Vulnerabilities Hands-on!

I’ve said it again and again, and I think most members of the technical community would agree that the fastest, most effective, most fun way to build any new IT skill is to dive in and “do IT yourself”!

As mentioned in our Introduction to Application Security course, for those beginning in their development or AppSec careers, understanding the OWASP Top 10 is an important building block in your foundation of skills. Not only does this list of Top 10 Web Application Vulnerabilities serve as the inspiration for much of our current and upcoming content and courses, OWASP Top 10 resources provide basic techniques to protect against these high-risk attacks and give guidance about what to do next. In addition, OWASP provides you with a safe place to do some hands-on hunting for these high-risk web application vulnerabilities in a legal manner by using the OWASP Juice Shop!

We want you to be aware of these resources, the value they provide, and where and how to access them to start building your web application security skills. Here’s a quick run-down!

What is OWASP?

OWASP is an organization, a foundation that works to improve the security of software through its community-led open source software projects, chapters and members.  OWASP exists to raise awareness and understanding of software security. They are a global non-profit with chapters all over the world and a plethora of projects and documents to help developers, DevOps, and security people up their web application security game.

What is the OWASP Top 10?

Owasp Top 10 is an Open Web Application Security Project. The primary goal of this project [and its associated resources] is to educate developers, architects, managers, organizations, and designers about the consequences of the most common and most important web application security weakness.  It is important because it helps organisations prioritize risks, which risks to focus on first and helps them understand, identify, mitigate, and fix vulnerabilities in their web application environments. Each identified risk is prioritised according to prevalence, detectability, impact and exploitability.

What is the OWASP Juice Shop?

The OWASP Juice Shop is an open-sourced, intentionally insecure javascript web application that can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! 

Juice Shop has built a wide range of security vulnerabilities into the application from the OWASP Top Ten and many other security flaws found in real-world applications. Your goal is to hunt for [and find] those security vulnerabilities and mark complete on the scoreboard. Being a web application with a vast number of intended security vulnerabilities, the OWASP Juice Shop is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. The OWASP Juice Shop is an open-source project hosted by the non-profit Open Web Application Security Project® (OWASP) and is developed and maintained by volunteers.

The application environment includes numerous hacking challenges [at varying levels of difficulty] where the user is challenged to identify and exploit a set of underlying vulnerabilities. The vulnerabilities found in the OWASP Juice Shop are categorized into several different classes. Right now, the application includes 95 individual vulnerabilities for you to find. Your success / progress is tracked on a scoreboard, and finding the score board is actually one of your first [and easiest] challenges!

Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a “guinea pig” application to check how well their tools cope with JavaScript-heavy application front ends and REST APIs. Equally as awesome as the skills it allows you to build through experience, it is FREE! So, you can redistribute it and/or modify it under the terms of the MIT License to build your own custom interactive learning activities and capture the flag challenges.

Check out this awesome OWASP Juice Shop Demo by the CREATOR of the Juice Shop…BJorn Kimminich. [25 Minutes]

Why is it called “Juice Shop”?

Per Bjorn’s explanation in his online guide, in German there is a dedicated word for dump, i.e. a store that sells lousy wares and does not exactly have customer satisfaction as a priority: Saftladen. Reverse-translating this separately as Saft and Laden yields juice and shop in English. That is where the project name comes from. The fact that the initials JS match with those commonly used for JavaScript was purely coincidental and not related to the choice of implementation technology.

What do learners like best about the OWASP Juice Shop?

Apparently it’s main selling poitns are as follows:

  • Free and Open source: Licensed under the MIT license with no hidden costs or caveats
  • Easy-to-install: Choose between node.jsDocker and Vagrant to run on Windows/Mac/Linux
  • Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically
  • Beginner-friendly: Hacking Instructor tutorial scripts guide users through several of the easier challenges while explaining the underlying vulnerabilities
  • Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board
  • Self-healing: The simple SQLite and MarsDB databases are wiped and repopulated from scratch on every server startup
  • Re-branding: Fully customizable in business context and look & feel to your own corporate or customer requirements
  • CTF-support: Challenge notifications optionally contain a flag code for your own Capture-The-Flag events
Architecture diagram
OWASP Juice Shop Web Architecture

What sort of hands-on learning challenges are available right now in the OWASP Juice Shop?

The vulnerabilities found in the OWASP Juice Shop are categorized into several different classes. There are currently 95 individual vulnerabilities available for you to identify, exploit and address in a hand-on fashion – across 15 different vulnerability categories – all available to you for FREE within the Juice Shop environment. How cool is that? Pretty awesome, right!

Most of them cover different risk or vulnerability types from well-known lists or documents, such as OWASP Top 10OWASP ASVSOWASP Automated Threat Handbook and OWASP API Security Top 10 or MITRE’s Common Weakness Enumeration.

Broken Access Control10Admin Section, CSRF, Easter Egg, Five-Star Feedback, Forged Feedback, Forged Review, Manipulate Basket, Product Tampering, SSRF, View Basket
Broken Anti Automation4CAPTCHA Bypass, Extra Language, Multiple Likes, Reset Morty’s Password
Broken Authentication10Bjoern’s Favorite Pet, Change Bender’s Password, GDPR Data Erasure, Login Bjoern, Login CISO, Password Strength, Reset Bender’s Password, Reset Bjoern’s Password, Reset Jim’s Password, Two Factor Authentication
Cryptographic Issues5Forged Coupon, Imaginary Challenge, Nested Easter Egg, Premium Paywall, Weird Crypto
Improper Input Validation9Admin Registration, Deluxe Fraud, Expired Coupon, Missing Encoding, Payback Time, Repetitive Registration, Upload Size, Upload Type, Zero Stars
Injection11Christmas Special, Database Schema, Ephemeral Accountant, Login Admin, Login Bender, Login Jim, NoSQL DoS, NoSQL Exfiltration, NoSQL Manipulation, SSTi, User Credentials
Insecure Deserialization2Blocked RCE DoS, Successful RCE DoS
Miscellaneous3Privacy Policy, Score Board, Security Policy
Security Misconfiguration4Cross-Site Imaging, Deprecated Interface, Error Handling, Login Support Team
Security through Obscurity3Blockchain Hype, Privacy Policy Inspection, Steganography
Sensitive Data Exposure14Access Log, Confidential Document, Email Leak, Exposed Metrics, Forgotten Developer Backup, Forgotten Sales Backup, GDPR Data Theft, Leaked Access Logs, Leaked Unsafe Product, Login Amy, Login MC SafeSearch, Misplaced Signature File, Reset Uvogin’s Password, Retrieve Blueprint
Unvalidated Redirects2Outdated Whitelist, Whitelist Bypass
Vulnerable Components7Arbitrary File Write, Forged Signed JWT, Frontend Typosquatting, Legacy Typosquatting, Supply Chain Attack, Unsigned JWT, Vulnerable Library
XSS9API-only XSS, Bonus Payload, CSP Bypass, Client-side XSS Protection, DOM XSS, HTTP-Header XSS, Reflected XSS, Server-side XSS Protection, Video XSS
XXE2XXE Data Access, XXE DoS
Total 95

And that’s not all…

A lot of people who want to practice hacking are beginners. So, OWASP’s Juice Shop offers a resource called the Hacking Instructor. This is an interactive tutor that’ll help you figure out what to do by walking you through what to do in each challenge using step-by-step tutorials. If you are entirely new to the Juice Shop, we recommend doing them in the order they are listed! 

To get started, just click on a link in the table below to launch a step-by-step tutorial for that particular challenge in the public instance of the Juice Shop.  With their (optional) Tutorial Mode you can even enforce that the 10 tutorial challenges have to be performed gradually in order to unlock the other 85 challenges. This is a pretty cool teaching feature for instructors looking to structure the concepts they are teaching to their students and want to issue associated challenges!

Score BoardMiscellaneous
Bonus PayloadXSS
Privacy PolicyMiscellaneous
Login AdminInjection⭐⭐
Password StrengthBroken Authentication⭐⭐
View BasketBroken Access Control⭐⭐
Forged FeedbackBroken Access Control⭐⭐⭐
Login JimInjection⭐⭐⭐
Login BenderInjection⭐⭐⭐

OWASP Juice Shop Hacking Handbook

The OWASP Juice Shop creator also created what appears to be one of the best guides I have ever seen to help you get maximum value from his creation! It’s called Pwning OWASP Juice Shop [written by Bjorn Kimminish].

Front Cover

It is the official companion guide to the OWASP Juice Shop application. Being a web application with a vast number of intended security vulnerabilities, the OWASP Juice Shop is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. The OWASP Juice Shop is an open-source project hosted by the non-profit Open Web Application Security Project® (OWASP) and is developed and maintained by volunteers. The content of this book was written for v11.1.1 of OWASP Juice Shop.

The book is divided into three parts:

  • Part I – Hacking preparations – Part one helps you to get the application running and to set up optional hacking tools.
  • Part II – Challenge hunting – Part two gives an overview of the vulnerabilities found in the OWASP Juice Shop including hints how to find and exploit them in the application.
  • Part III – Getting involved

Capture The Flag Resources

In the cybersecurity arena, a CTF consists of gamified challenges where you uncover “flags” that represent different vulnerabilities. You get points for finding them and teams compete against each other by earning more points / finding flags first / etc. 

The Node package juice-shop-ctf-cli helps you to prepare Capture the Flag events with the OWASP Juice Shop challenges for different popular CTF frameworks. This interactive utility allows you to populate a CTF game server in a matter of minutes.

The following open source CTF frameworks are supported by juice-shop-ctf-cli:

    The Facebook CTF is a platform to host Jeopardy and “King of the Hill” style Capture the Flag competitions.
  • RootTheBox
    Root the Box is a real-time capture the flag (CTF) scoring engine for computer wargames where hackers can practice and learn. The application can be easily configured and modified for any CTF style game. The platform allows you to engage novice and experienced players alike by combining a fun game-like environment with realistic challenges that convey knowledge applicable to the real-world, such as penetration testing, incident response, digital forensics and threat hunting.

    Like traditional CTF games, each team or player can target challenges of varying difficulty and sophistication, attempting to collect flags. But Root the Box brings additional options to the game. It has built-in support for “botnets”, allowing players to upload a small bot program to target machines that grant periodic rewards for each bot in the botnet. You have the option to use a banking system, where (in-game) money can be used instead of points to unlock new levels, buy hints to flags, download a target’s source code, or even “SWAT” other players. Password hashes for player bank accounts can also be publicly displayed, allowing competitors to crack them and steal each other’s money.
  • TryHackMe also has some OWASP Juice Shop “hacktivities” designed for beginners that can be found here.

Other Resources



Social Media

Tell us about your Juice Shop experience and what you found most useful!

Related Articles


Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.