Björn Kimminich | @bkimminich | infosec.exchange/@bkimminich
Covering various vulnerabilities and serious design flaws
OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.
There's something to do for beginners and veterans alike
Challenge progress is tracked server-side
Gradually unlocking tutorials and the entire Score Board
Solved challenges are rated based on cheating probability
Find the code flaw and select the appropriate fix for several challenges
Flag codes can optionally be displayed for solved challenges
All participants use individual Juice Shop instances anywhere, sharing only the flag code key ctfKey and a central score server.
Utility project to help you host a hacking event on CTFd, FBCTF or RootTheBox
Run juice-shop-ctf on the command line and let a wizard create a data dump to conveniently import into CTFd, FBCTF or RootTheBox
Your CTF score server instance will be ready-to-play in <5min
3rd party project to run separate Juice Shop instances for training or CTF participants on a central Kubernetes cluster
Restricts each instance's users to its team members and protects against illicit cross-team instance access
Trivial registration, transparent instance stickiness, CTF-friendly score board out-of-the-box, automatic light/dark mode
Fully customizable business context and look & feel
Customize the application via a simple YAML file
application:
  domain: juice-sh.op
  name: 'OWASP Juice Shop'
  logo: JuiceShop_Logo.png
  favicon: favicon_js.ico
  theme: bluegrey-lightgreen
  showVersionNumber: true
  showGitHubLinks: true
  numberOfRandomFakeUsers: 0
  altcoinName: Juicycoin
  privacyContactEmail: donotreply@owasp-juice.shop
  customMetricsPrefix: juiceshop
  social:
    twitterUrl: 'https://twitter.com/owasp_juiceshop'
    facebookUrl: 'https://www.facebook.com/owasp.juiceshop'
    [...]
[...]
The YAML configuration allows you to override all products
products:
  -
    name: 'Product Name'
    price: 100
    description: 'Product Description'
    image: '(https://somewhe.re/)image.png'
    useForProductTamperingChallenge: false
    useForChristmasChallenge: false
    fileForRetrieveBlueprintChallenge: ~
    reviews:
      - { text: 'Customer review', author: jim }
  -
    name: 'Product with Lorem Ipsum description, filler image and random price'
Your config is validated on server startup to prevent broken or unsolvable challenges!
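What a startup validation of the products section can catch, as an added example in plain JavaScript rather than the project's own validator code: the product list is given as a JavaScript array equivalent to the YAML above (a constructed sample), and the rules enforced (exactly one product per special challenge, no product serving two special challenges at once, a sane name, price and reviews shape) are assumptions about what "broken or unsolvable" means here, not a transcript of the real checks.

```javascript
// Added example, not the Juice Shop project's own validator: checks the
// products section of a config (as a plain array, equivalent to the YAML)
// for settings that would leave a challenge broken or unsolvable.
// ASSUMPTION: the rules below are what such a validation should enforce;
// the project's real startup checks may differ in detail.

// A product carrying a non-empty file name is the one used for the
// "retrieve blueprint" challenge; null/undefined ('~' in YAML) means not used.
function hasBlueprintFile(product) {
  return typeof product.fileForRetrieveBlueprintChallenge === 'string'
    && product.fileForRetrieveBlueprintChallenge.length > 0;
}

// Returns a list of human-readable errors; an empty list means the config is usable.
function validateProducts(products) {
  const errors = [];
  if (!Array.isArray(products) || products.length === 0) {
    return ['products: must be a non-empty list'];
  }

  products.forEach((p, i) => {
    const where = `products[${i}]`;
    if (typeof p.name !== 'string' || p.name.trim() === '') {
      errors.push(`${where}: name is required`);
    }
    // price may be omitted (a random one is filled in), but if present it must be a number >= 0
    if (p.price !== undefined && (typeof p.price !== 'number' || !(p.price >= 0))) {
      errors.push(`${where}: price must be a non-negative number`);
    }
    if (p.fileForRetrieveBlueprintChallenge != null
        && typeof p.fileForRetrieveBlueprintChallenge !== 'string') {
      errors.push(`${where}: fileForRetrieveBlueprintChallenge must be a file name or ~`);
    }
    if (p.reviews !== undefined && (!Array.isArray(p.reviews)
        || p.reviews.some((r) => typeof r.text !== 'string' || typeof r.author !== 'string'))) {
      errors.push(`${where}: reviews must be a list of { text, author }`);
    }
    // One product cannot be the target of two special challenges at the same time.
    const specialRoles = [
      p.useForProductTamperingChallenge === true,
      p.useForChristmasChallenge === true,
      hasBlueprintFile(p),
    ].filter(Boolean).length;
    if (specialRoles > 1) {
      errors.push(`${where}: a product may serve at most one special challenge, found ${specialRoles}`);
    }
  });

  // Each special challenge needs exactly one product: none makes it unsolvable,
  // several make it ambiguous.
  const requireExactlyOne = (label, predicate) => {
    const n = products.filter(predicate).length;
    if (n !== 1) errors.push(`${label}: expected exactly one product, found ${n}`);
  };
  requireExactlyOne('useForProductTamperingChallenge', (p) => p.useForProductTamperingChallenge === true);
  requireExactlyOne('useForChristmasChallenge', (p) => p.useForChristmasChallenge === true);
  requireExactlyOne('fileForRetrieveBlueprintChallenge', hasBlueprintFile);

  return errors;
}

// Constructed sample config, shaped like the YAML above with every special
// challenge assigned to exactly one product.
const SAMPLE_PRODUCTS = [
  { name: 'Apple Juice', price: 1.99, description: 'Fresh apple juice',
    useForProductTamperingChallenge: true,
    reviews: [{ text: 'Customer review', author: 'jim' }] },
  { name: 'Orange Juice', price: 2.99, description: 'Fresh orange juice',
    useForChristmasChallenge: true },
  { name: 'Juice Shop Artwork', price: 49.99, description: '3D-printable model',
    fileForRetrieveBlueprintChallenge: 'JuiceShop.stl' },
  { name: 'Product with Lorem Ipsum description, filler image and random price' },
];

// Constructed broken config: the first product is now flagged for two
// challenges and the Christmas challenge has two candidate products.
const BROKEN_PRODUCTS = SAMPLE_PRODUCTS.map((p, i) =>
  (i === 0 ? { ...p, useForChristmasChallenge: true } : { ...p }));

console.log('sample:', validateProducts(SAMPLE_PRODUCTS)); // []
console.log('broken:', validateProducts(BROKEN_PRODUCTS)); // two errors
```

In a real deployment the array would come from parsing the YAML file (for example with js-yaml); keeping the checks as a pure function over plain objects is what makes them trivial to run at startup and to unit-test, and failing fast on the first bad config is far cheaper than discovering an unsolvable challenge in the middle of a CTF.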
JavaScript/TypeScript all the way from UI to REST API
Comes with cloud, local and containerized run options
Crowd-sourced UI translations for 40+ languages
Some amazing facts & stats about the project
Of course! Visit our backlog on GitHub & translations on Crowdin
Issues labelled with good first issue and/or help wanted are the best starting point!
Check the Codebase 101 and Contribute to development chapters in the free official companion guide on Leanpub
The eBook can also be read online. You can always ask for help in the community chat or on Slack as well!
For your 1st merged pull request you'll get some stickers from us
Serial contributors might even get t-shirts, mugs and other glorious merchandise for free!
You can bet your wallet's passphrase that we do!
Copyright (c) 2014-2023 Björn Kimminich / @bkimminich
Licensed under the MIT license.
Created with (an ancient and insecure version of) reveal.js - The HTML Presentation Framework