OWASP Juice Shop

Björn Kimminich | @bkimminich | infosec.exchange/@bkimminich


$ zip -r -q -9 postcard intro


Happy path shopping tour!

Hacking Challenges

Covering various vulnerabilities and serious design flaws

OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.

Challenge Difficulty

There's something to do for beginners and veterans alike

Score Board

Challenge progress is tracked on server-side


Find the Score Board!

Tutorial Mode

Gradually unlocking tutorials and the entire Score Board

Cheat Detection

Solved challenges are rated based on cheating probability

Coding Challenges

Find code flaw and select appropriate fix for several challenges


Doing a Coding Challenge!

Juice Shop is CTF-ready

Flag codes can optionally be displayed for solved challenges

Frictionless CTF-Events

All participants use individual Juice Shop instances anywhere, sharing only the flag code-ctfKey and a central score server.

CTF Extension

Utility project to help you host a hacking event on CTFd, FBCTF or RootTheBox

Setup Wizard

Run juice-shop-ctf on the command line and let a wizard create a data-dump to conveniently import into CTFd, FBCTF or RootTheBox

Screenshots from CTF games

Your CTF score server instance will be ready-to-play in <5min

MultiJuicer Platform

3rd party project to run separate Juice Shop instances for training or CTF participants on a central Kubernetes cluster

Custom JuiceBalancer

Restricts number of users to team members and protects against illicit cross-team instance access

Simplicity & convenience

Trivial registration, transparent instance stickiness, CTF-friendly score board out-of-the-box, automatic light/dark mode


Fully customizable business context and look & feel

Configurative Customization

Customize the application via a simple YAML file

  domain: juice-sh.op
  name: 'OWASP Juice Shop'
  logo: JuiceShop_Logo.png
  favicon: favicon_js.ico
  theme: bluegrey-lightgreen
  showVersionNumber: true
  showGitHubLinks: true
  numberOfRandomFakeUsers: 0
  altcoinName: Juicycoin
  privacyContactEmail: donotreply@owasp-juice.shop
  customMetricsPrefix: juiceshop
    twitterUrl: 'https://twitter.com/owasp_juiceshop'
    facebookUrl: 'https://www.facebook.com/owasp.juiceshop'

Choose your own inventory

The YAML configuration allows you to override all products

    name: 'Product Name'
    price: 100
    description: 'Product Description'
    image: '(https://somewhe.re/)image.png'
    useForProductTamperingChallenge: false
    useForChristmasChallenge: false
    fileForRetrieveBlueprintChallenge: ~
      - { text: 'Customer review', author: jim }
    name: 'Product with Lorem Ipsum description, filler image and random price'

Your config is validated on server startup to prevent broken or unsolvable challenges!

Modern Web-Architecture

JavaScript/TypeScript all the way from UI to REST API

Simple Installation

Comes with cloud, local and containerized run options

Multi-language support

Crowd-sourced UI translations for 40+ languages

Juice Shop Success Pyramid™

Some amazing facts & stats about the project

Can I contribute to the project?

Of course! Visit our backlog on GitHub & translations on Crowdin

Issues labelled with  good first issue  and/or  help wanted  are the best starting point!

How do I get started?

Check the Codebase 101 and Contribute to development chapters in the free official companion guide on Leanpub

The eBook can also be read online. You can always ask for help in the community chat or on Slack as well!

Is there a contribution reward?

For your 1st merged pull request you'll get some stickers from us

Serial contributors might even get t-shirts, mugs and other glorious merchandise for free!

Project Roadmap

Juice Shop has an NFT collection...?

You can bet your wallet's passphrase that we do!

50x 50x
25x 25x

Additional Information

Official Site


Sourcecode https://github.com/juice-shop/juice-shop (MIT)
https://github.com/juice-shop/juice-shop-ctf (MIT)
https://github.com/juice-shop/pwning-juice-shop (CC-BY-NC-ND)
Artwork https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop (CC-BY)

Copyright (c) 2014-2023 Björn Kimminich / @bkimminich

Licensed under the MIT license.

Created with (an ancient and insecure version of) reveal.js - The HTML Presentation Framework

Fork reveal.js on GitHub