OWASP Juice Shop | OWASP Foundation
OWASP Juice Shop is probably the most modern and sophisticated insecure
web application! It can be used in security trainings, awareness demos,
CTFs and as a guinea pig for security tools! Juice Shop encompasses
vulnerabilities from the entire
OWASP Top Ten along with many other security
flaws found in real-world applications!
Description
Juice Shop is written in Node.js, Express and Angular. It was the first
application written entirely in JavaScript listed in the
OWASP VWA Directory.
The application contains a vast number of hacking challenges of varying
difficulty where the user is supposed to exploit the underlying
vulnerabilities. The hacking progress is tracked on a score board.
Finding this score board is actually one of the (easy) challenges!
Apart from the hacker and awareness training use case, pentesting
proxies or security scanners can use Juice Shop as a "guinea
pig"-application to check how well their tools cope with
JavaScript-heavy application frontends and REST APIs.
Translating "dump" or "useless outfit" into German yields "Saftladen"
which can be reverse-translated word by word into "juice shop". Hence
the project name. That the initials "JS" match with those of
"JavaScript" was purely coincidental!
Testimonials
The most trustworthy online shop out there. (@dschadow)
The best juice shop on the whole internet! (@shehackspurple)
Actually the most bug-free vulnerable application in existence! (@vanderaj)
First you ????????then you ???? (@kramse)
But this doesn't have anything to do with juice. (@coderPatros' wife)
Contributors
The OWASP Juice Shop has been created by
Björn Kimminich and is developed,
maintained and translated by a
team of volunteers.
A
live update of the project contributors
is found here.
Licensing
This program is free software: You can redistribute it and/or modify it
under the terms of the
MIT License.
OWASP Juice Shop and any contributions are Copyright © by Bjoern
Kimminich & the OWASP Juice Shop contributors 2014-2023.
Main Selling Points
Screenshots
Application Architecture
Latest Releases
- 2023-01-04T05:43:07Z: juice-shop v14.4.0
- 2022-11-12T10:07:13Z: juice-shop v14.3.1
- 2022-09-24T13:49:03Z: juice-shop v14.3.0
- 2022-09-07T18:25:04Z: juice-shop v14.2.1
- 2022-08-24T08:42:14Z: juice-shop v14.2.0
- 2022-07-04T16:02:07Z: juice-shop v14.1.1
- 2022-07-03T20:56:12Z: juice-shop v14.1.0
- 2022-05-22T12:59:21Z: juice-shop v14.0.1
- 2022-05-07T15:50:38Z: juice-shop v14.0.0
- 2022-03-29T17:02:44Z: juice-shop v13.3.0
- 2022-02-08T22:42:32Z: juice-shop v13.2.2
- 2022-01-31T21:39:31Z: juice-shop v13.2.1
CTF Extension
- 2022-08-23T16:13:55Z: juice-shop-ctf v9.1.2
- 2022-08-03T04:31:18Z: juice-shop-ctf v9.1.1
- 2022-07-31T20:52:39Z: juice-shop-ctf v9.1.0
- 2022-01-16T20:18:28Z: juice-shop-ctf v9.0.0
- 2021-09-26T18:28:42Z: juice-shop-ctf v8.2.3
- 2021-06-08T14:05:51Z: juice-shop-ctf v8.2.2
- 2021-05-03T15:24:19Z: juice-shop-ctf v8.2.1
- 2021-04-12T21:28:53Z: juice-shop-ctf v8.2.0
- 2020-12-14T19:43:09Z: juice-shop-ctf v8.1.3
Roadmap
Challenge Categories
The vulnerabilities found in the OWASP Juice Shop are categorized into
several different classes. Most of them cover different risk or
vulnerability types from well-known lists or documents, such as
OWASP Top 10,
OWASP ASVS,
OWASP Automated Threat Handbook
and
OWASP API Security Top 10
or MITRE's
Common Weakness Enumeration.
Category | # | Challenges |
---|---|---|
Broken Access Control | 10 | Admin Section, CSRF, Easter Egg, Five-Star Feedback, Forged Feedback, Forged Review, Manipulate Basket, Product Tampering, SSRF, View Basket |
Broken Anti Automation | 4 | CAPTCHA Bypass, Extra Language, Multiple Likes, Reset Morty's Password |
Broken Authentication | 9 | Bjoern's Favorite Pet, Change Bender's Password, GDPR Data Erasure, Login Bjoern, Password Strength, Reset Bender's Password, Reset Bjoern's Password, Reset Jim's Password, Two Factor Authentication |
Cryptographic Issues | 5 | Forged Coupon, Imaginary Challenge, Nested Easter Egg, Premium Paywall, Weird Crypto |
Improper Input Validation | 10 | Admin Registration, Deluxe Fraud, Expired Coupon, Missing Encoding, Payback Time, Poison Null Byte, Repetitive Registration, Upload Size, Upload Type, Zero Stars |
Injection | 11 | Christmas Special, Database Schema, Ephemeral Accountant, Login Admin, Login Bender, Login Jim, NoSQL DoS, NoSQL Exfiltration, NoSQL Manipulation, SSTi, User Credentials |
Insecure Deserialization | 2 | Blocked RCE DoS, Successful RCE DoS |
Miscellaneous | 5 | Bully Chatbot, Mass Dispel, Privacy Policy, Score Board, Security Policy |
Security Misconfiguration | 4 | Cross-Site Imaging, Deprecated Interface, Error Handling, Login Support Team |
Security through Obscurity | 3 | Blockchain Hype, Privacy Policy Inspection, Steganography |
Sensitive Data Exposure | 16 | Access Log, Confidential Document, Email Leak, Exposed Metrics, Forgotten Developer Backup, Forgotten Sales Backup, GDPR Data Theft, Leaked Access Logs, Leaked Unsafe Product, Login Amy, Login MC SafeSearch, Meta Geo Stalking, Misplaced Signature File, Reset Uvogin's Password, Retrieve Blueprint, Visual Geo Stalking |
Unvalidated Redirects | 2 | Allowlist Bypass, Outdated Allowlist |
Vulnerable Components | 9 | Arbitrary File Write, Forged Signed JWT, Frontend Typosquatting, Kill Chatbot, Legacy Typosquatting, Local File Read, Supply Chain Attack, Unsigned JWT, Vulnerable Library |
XSS | 9 | API-only XSS, Bonus Payload, CSP Bypass, Client-side XSS Protection, DOM XSS, HTTP-Header XSS, Reflected XSS, Server-side XSS Protection, Video XSS |
XXE | 2 | XXE Data Access, XXE DoS |
Total Σ | 101 | |
Tags do not represent vulnerability categories but serve as additional
meta information for challenges. They mark certain commonalities or
special kinds of challenges, such as those lacking seriousness or ones
that probably need some scripting/automation etc.
Tag | # | Challenges |
---|---|---|
Brute Force | 6 | Bully Chatbot, CAPTCHA Bypass, Extra Language, Login Support Team, Password Strength, Reset Morty's Password |
Code Analysis | 10 | Blockchain Hype, Forged Coupon, Imaginary Challenge, Kill Chatbot, Login Bjoern, Login Support Team, Outdated Allowlist, SSRF, SSTi, Score Board |
Contraption | 8 | Blockchain Hype, Cross-Site Imaging, Deprecated Interface, Easter Egg, Forgotten Developer Backup, Forgotten Sales Backup, Misplaced Signature File, SSTi |
Danger Zone | 16 | API-only XSS, Arbitrary File Write, Blocked RCE DoS, CSP Bypass, Client-side XSS Protection, HTTP-Header XSS, Local File Read, NoSQL DoS, NoSQL Exfiltration, Reflected XSS, SSTi, Server-side XSS Protection, Successful RCE DoS, Video XSS, XXE Data Access, XXE DoS |
Good Practice | 4 | Exposed Metrics, Misplaced Signature File, Privacy Policy, Security Policy |
Good for Demos | 12 | Admin Section, Confidential Document, DOM XSS, Easter Egg, Forged Coupon, Forgotten Developer Backup, Login Admin, Nested Easter Egg, Privacy Policy, Privacy Policy Inspection, Reflected XSS, View Basket |
OSINT | 15 | Bjoern's Favorite Pet, Leaked Access Logs, Leaked Unsafe Product, Local File Read, Login Amy, Login MC SafeSearch, Meta Geo Stalking, Reset Bender's Password, Reset Bjoern's Password, Reset Jim's Password, Reset Morty's Password, Reset Uvogin's Password, Supply Chain Attack, Visual Geo Stalking, Vulnerable Library |
Prerequisite | 6 | Allowlist Bypass, Arbitrary File Write, Deprecated Interface, Error Handling, Forgotten Developer Backup, Poison Null Byte |
Shenanigans | 11 | Bonus Payload, Bully Chatbot, Easter Egg, Imaginary Challenge, Leaked Unsafe Product, Login MC SafeSearch, Missing Encoding, Nested Easter Egg, Premium Paywall, Privacy Policy Inspection, Steganography |
Tutorial | 10 | Bonus Payload, DOM XSS, Forged Feedback, Login Admin, Login Bender, Login Jim, Password Strength, Privacy Policy, Score Board, View Basket |
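The category and tag tables above describe one release (v14.4.0); the instance you actually run for a training or CTF may be older or newer and carry a different challenge inventory. The following script is an added example for this page, not code from the Juice Shop project: it pulls the challenge list from a running instance and tallies it per category, tag and difficulty, then reports where the live counts diverge from the table above. It assumes the instance exposes GET /api/Challenges/ (the endpoint the Score Board reads) returning {"status": "success", "data": [...]}, that each challenge object carries "name", "category", "difficulty", "solved" and "tags" (tags as a comma-separated string or a list), and that the instance listens on http://localhost:3000; the embedded sample payload is constructed so the script also runs offline.

```python
"""Inventory the challenges exposed by a running OWASP Juice Shop instance.

Added example for this page, not code from the Juice Shop project.
Assumptions: the instance serves GET /api/Challenges/ (the endpoint the
Score Board reads) with a body {"status": "success", "data": [...]}, and each
challenge object carries "name", "category", "difficulty", "solved" and
"tags" (tags either as a comma-separated string or a list).
"""
import json
import urllib.error
import urllib.request
from collections import Counter

# Assumption: a local instance, e.g. started with
#   docker run --rm -p 3000:3000 bkimminich/juice-shop
BASE_URL = "http://localhost:3000"

# Counts from the v14.4.0 category table on this page (they sum to 101).
EXPECTED_V14_4_0 = {
    "Broken Access Control": 10, "Broken Anti Automation": 4,
    "Broken Authentication": 9, "Cryptographic Issues": 5,
    "Improper Input Validation": 10, "Injection": 11,
    "Insecure Deserialization": 2, "Miscellaneous": 5,
    "Security Misconfiguration": 4, "Security through Obscurity": 3,
    "Sensitive Data Exposure": 16, "Unvalidated Redirects": 2,
    "Vulnerable Components": 9, "XSS": 9, "XXE": 2,
}

# Constructed sample in the assumed payload shape, so the script runs offline.
SAMPLE_CHALLENGES = [
    {"name": "Score Board", "category": "Miscellaneous", "difficulty": 1,
     "solved": True, "tags": "Code Analysis,Tutorial"},
    {"name": "Login Admin", "category": "Injection", "difficulty": 2,
     "solved": False, "tags": "Good for Demos,Tutorial"},
    {"name": "DOM XSS", "category": "XSS", "difficulty": 1,
     "solved": True, "tags": ["Good for Demos", "Tutorial"]},
    {"name": "Unsigned JWT", "category": "Vulnerable Components", "difficulty": 5,
     "solved": False, "tags": None},
]


def fetch_challenges(base_url=BASE_URL):
    """Pull the challenge list from a live instance (network access required)."""
    with urllib.request.urlopen(f"{base_url}/api/Challenges/", timeout=10) as resp:
        return json.load(resp)["data"]


def split_tags(tags):
    """Normalise the tags field: None, 'A,B' or ['A', 'B'] all become a list."""
    if not tags:
        return []
    if isinstance(tags, str):
        return [t.strip() for t in tags.split(",") if t.strip()]
    return list(tags)


def inventory(challenges):
    """Count challenges per category, tag and difficulty, plus solved progress."""
    return {
        "total": len(challenges),
        "solved": sum(1 for c in challenges if c.get("solved")),
        "by_category": dict(Counter(c["category"] for c in challenges)),
        "by_tag": dict(Counter(t for c in challenges for t in split_tags(c.get("tags")))),
        "by_difficulty": dict(Counter(c["difficulty"] for c in challenges)),
    }


def diff_against_expected(by_category, expected):
    """Return {category: (expected, actual)} for every category whose count differs.

    Categories added or removed between releases show up here instead of
    silently skewing the flag set of a CTF built from the instance."""
    mismatches = {}
    for cat in sorted(set(expected) | set(by_category)):
        exp, act = expected.get(cat, 0), by_category.get(cat, 0)
        if exp != act:
            mismatches[cat] = (exp, act)
    return mismatches


if __name__ == "__main__":
    try:
        challenges = fetch_challenges()
    except (urllib.error.URLError, OSError):
        print("no instance reachable, using the constructed sample")
        challenges = SAMPLE_CHALLENGES
    inv = inventory(challenges)
    print(f"{inv['solved']}/{inv['total']} solved")
    for cat, n in sorted(inv["by_category"].items()):
        print(f"  {cat}: {n}")
    for cat, (exp, act) in diff_against_expected(inv["by_category"], EXPECTED_V14_4_0).items():
        print(f"  mismatch vs v14.4.0 table: {cat} expected {exp}, got {act}")
```

Run it against a fresh instance before a training or CTF: a non-empty mismatch list means the version you deployed does not match the inventory you planned the event around. Note that the solved flags are per instance, so on a shared instance the progress you see is that of everyone who has used it.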
Hacking Instructor Tutorials
Click on a link in the table below to launch a
step-by-step tutorial
for that particular challenge on our public
https://demo.owasp-juice.shop instance. If you are completely new to the
Juice Shop, we recommend doing them in the listed order. With the
(optional)
Tutorial Mode
you can even enforce that the ten tutorial challenges
must be done progressively in order to unlock the other 91 challenges.
Coding Challenges
For 26 challenges an additional coding challenge is available. In their "Find It" part they teach
spotting vulnerabilities in the actual codebase of the Juice Shop. In the "Fix It" part the user then chooses the most appropriate
fix from a list. Solve any of the hacking challenges below to enable a button on the Score Board that launches the corresponding
coding challenge:
Category | # | Challenges |
---|---|---|
Broken Access Control | 3 | Admin Section, Forged Review, Product Tampering |
Broken Anti Automation | 1 | Reset Morty's Password |
Broken Authentication | 4 | Bjoern's Favorite Pet, Reset Bender's Password, Reset Bjoern's Password, Reset Jim's Password |
Improper Input Validation | 1 | Admin Registration |
Injection | 6 | Database Schema, Login Admin, Login Bender, Login Jim, NoSQL Manipulation, User Credentials |
Miscellaneous | 1 | Score Board |
Security through Obscurity | 1 | Blockchain Hype |
Sensitive Data Exposure | 4 | Access Log, Confidential Document, Exposed Metrics, Reset Uvogin's Password |
Unvalidated Redirects | 2 | Allowlist Bypass, Outdated Allowlist |
XSS | 3 | API-only XSS, Bonus Payload, DOM XSS |
Total Σ | 26 | |
Mitigation Links
For many solved challenges links to mitigation strategies are provided on the Score Board by offering a link
to a corresponding OWASP Cheat Sheet explaining how to avoid that kind of vulnerability in the first place. The
following cheat sheets are referred to by OWASP Juice Shop as mitigation links:
CTF Extension
The Node package
juice-shop-ctf-cli
allows you to prepare
Capture the Flag
events with the OWASP Juice Shop challenges for different popular CTF
frameworks. This interactive utility allows you to populate a CTF game
server in a matter of minutes.
Supported CTF Frameworks
The following open source CTF frameworks are supported by
juice-shop-ctf-cli
:
Official Companion Guide
Pwning OWASP Juice Shop is the
official companion guide for this project. It will give you a complete
overview of the vulnerabilities found in the application including hints
how to spot and exploit them. In the appendix you will even find
complete step-by-step solutions to every challenge.
The book is published under
CC BY-NC-ND 4.0
and is online-readable for free at
https://pwning.owasp-juice.shop. The latest officially released
edition is also available for free at
https://leanpub.com/juice-shop in PDF, Kindle and ePub format.
Official Jingle
Official
OWASP Juice Shop Jingle
written and performed by
Brian Johnson
Endorsed Open Source Projects
Project | Description |
---|---|
Multi User Juice Shop Platform to run separate Juice Shop instances for training or CTF participants on a central Kubernetes cluster | |
https://github.com/wurstbrot/shake-logger | Demo to show the dangers of XSS holes combined with bad Content Security Policy using Harlem Shake and a Keylogger against the Juice Shop (YouTube) |
The tools listed above are provided by third parties outside of the
OWASP Juice Shop project scope. For support or feature requests please
use the support channels or issue trackers mentioned by those projects.
Project Supporters
You can attribute your donation to the OWASP Juice Shop project by
using
this link
or the green "Donate"-button while on any tab of the Juice Shop
project page!
Top Supporters
In order to be recognized as a "Top Supporter" a company
must have donated $1000 or more a) to OWASP while attributing it to
Juice Shop or b) as a restricted gift to OWASP Juice Shop in the last 12
months.
All Corporate Supporters
All Individual Supporters
In order to be recognized as a "Corporate-sponsored Code
Contribution" an official written confirmation of waiving all IP to the
contributed code must be formally submitted to the OWASP
Foundation.
LeanPub Royalties
$1,251.68 of royalties from
Björn Kimminich's eBook have been donated to the
project between 09/2017 and 07/2019.
The OWASP Foundation is very grateful for the support by the
individuals and organizations listed. However please note, the OWASP
Foundation is strictly vendor neutral and does not endorse any of its
supporters.