OWASP Juice Shop

An intentionally insecure Javascript Web Application
The most trustworthy online shop out there (@dschadow)


Presentation by Björn Kimminich / @bkimminich

Why the name "Juice Shop"?!?

Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name.
That the initials "JS" match with those of "Javascript" was purely coincidental!

Why another broken webapp?!?

OWASP Juice Shop is the first application written entirely in Javascript listed in the OWASP VWA Directory. It also seems to be the first broken webapp that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.

Technology Stack

Javascript all the way from UI to REST API

Simple Installation

Comes with cloud, local and containerized run options

Live Demo Environment

Unsuspectingly browse the Juice Shop like Average Joe!

Over 30 Challenges

Covering various vulnerabilities and serious design flaws

OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.

Challenge Difficulty

Contains low-hanging fruits & hard-to-crack nuts

Score Board

Challenge progress is tracked on server-side

Immediate Feedback

Solved challenges are announced as push notifications

Sorry, this is a Lightning Talk

I will  not live-hack  even a single challenge  for you!

E2E Hacking Testsuite Video

I will instead show you a prerecorded execution of the testsuite  automatically hacking  all 27 challenges !

For details on the testsuite implementation and CI-integration check out my Guest Post: Proving that an application is as broken as intended on The SauceLabs Blog.

Do you accept the challenge?

 Breakers  Try to hack all the challenges! 

 Defenders  Let loose all your fancy tools! 

 Builders  Learn from my silly mistakes! 

Bonus challenge: Contribute to OWASP Juice Shop with a chance for free stickers and other swag!

Copyright (c) 2014-2016 Björn Kimminich

Licensed under the MIT license.

Created with reveal.js - The HTML Presentation Framework

Fork reveal.js on GitHub