Hack Tools

OWASP Juice Shop v9.3 releases: intentionally insecure webapp for security trainings

OWASP Juice Shop

OWASP Juice Shop is an intentionally insecure web app for security training written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.

For a detailed introduction, full list of features and architecture overview please visit the official project page here.


Deploy on Heroku (free ($0/month) dyno)

  1. Click the button below and follow the instructions

This is the quickest way to get a running instance of Juice Shop! If you have forked this repository, the deploy button will automatically pick up your fork for deployment! As long as you do not perform any DDoS attacks you are free to use any tools or scripts to hack your Juice Shop instance on Heroku!

From Sources

  1. Install node.js
  2. Run git clone https://github.com/bkimminich/juice-shop.git (or clone your own fork of the repository)
  3. Go into the cloned folder with cd juice-shop
  4. Run npm install (only has to be done before the first start or when you change the source code)
  5. Run npm start
  6. Browse to http://localhost:3000

Docker Container

  1. Install Docker
  2. Run docker pull bkimminich/juice-shop
  3. Run docker run -d -p 3000:3000 bkimminich/juice-shop
  4. Browse to http://localhost:3000 (on macOS and Windows browse to if you are using docker-machine instead of the native docker installation )

Even easier: Run Docker Container from Docker Toolbox (Kitematic)

  1. Install and launch Docker Toolbox
  2. Search for juice-shop and click Create to download image and run the container
  3. Click on the Open icon next to Web Preview to browse to OWASP Juice Shop

Changelog v9.3

? Challenges

  • Added Cross-Site Imaging challenge which is all about ?es and ?s

? Features

? Customization

  • Added distinct section hackingInstructor with properties
    • isEnabled to turn it on/off (true by default)
    • avatarImage to configure the avatar presenting the speech bubbles (juicyBot.png by default)
  • Deprecated application.showHackingInstructor in favor of abovementioned hackingInstructor.isEnabled
  • Removed deluxePage section as Deluxe Membership now reuses the configured application.logo
  • Fixed static “OWASP Juice Shop” showing on Deluxe Membership page regardless of application.name

? Bugfixes

  • Recycling requests are now associated to their user’s address via DB relationship properly
  • #1217: Switched to bkimminich/i18n-node to prevent regression until mashpie/i18n-node#420 is merged

? I18N

  • Completed ?? translation for frontend and backend texts
  • Extended translations for ??, ??, ?? and ??
  • Added ?? as new language

? Miscellaneous

  • Cookie for dismissing welcome banner is now stored for 1 year (instead of using session-scope)


Copyright (c) 2014-2018 Bjoern Kimminich

The post OWASP Juice Shop v9.3 releases: intentionally insecure webapp for security trainings appeared first on Penetration Testing.

Click to comment

You must be logged in to post a comment Login

Leave a Reply

To Top

Pin It on Pinterest

Share This