Challenge Categories
The vulnerabilities found in the OWASP Juice Shop are grouped into several classes. Most of them correspond to risk or weakness types from well-known lists and documents, such as the OWASP Top 10, OWASP ASVS, OWASP Automated Threat Handbook, OWASP API Security Top 10, or MITRE's Common Weakness Enumeration.
| Category | # | Challenges |
|---|---|---|
| Broken Access Control | 11 | Admin Section, CSRF, Easter Egg, Five-Star Feedback, Forged Feedback, Forged Review, Manipulate Basket, Product Tampering, SSRF, View Basket, Web3 Sandbox |
| Broken Anti Automation | 4 | CAPTCHA Bypass, Extra Language, Multiple Likes, Reset Morty's Password |
| Broken Authentication | 9 | Bjoern's Favorite Pet, Change Bender's Password, GDPR Data Erasure, Login Bjoern, Password Strength, Reset Bender's Password, Reset Bjoern's Password, Reset Jim's Password, Two Factor Authentication |
| Cryptographic Issues | 5 | Forged Coupon, Imaginary Challenge, Nested Easter Egg, Premium Paywall, Weird Crypto |
| Improper Input Validation | 12 | Admin Registration, Deluxe Fraud, Empty User Registration, Expired Coupon, Mint the Honey Pot, Missing Encoding, Payback Time, Poison Null Byte, Repetitive Registration, Upload Size, Upload Type, Zero Stars |
| Injection | 11 | Christmas Special, Database Schema, Ephemeral Accountant, Login Admin, Login Bender, Login Jim, NoSQL DoS, NoSQL Exfiltration, NoSQL Manipulation, SSTi, User Credentials |
| Insecure Deserialization | 3 | Blocked RCE DoS, Memory Bomb, Successful RCE DoS |
| Miscellaneous | 7 | Bully Chatbot, Mass Dispel, Privacy Policy, Score Board, Security Advisory, Security Policy, Wallet Depletion |
| Observability Failures | 4 | Access Log, Exposed Metrics, Leaked Access Logs, Misplaced Signature File |
| Security Misconfiguration | 4 | Cross-Site Imaging, Deprecated Interface, Error Handling, Login Support Team |
| Security through Obscurity | 3 | Blockchain Hype, Privacy Policy Inspection, Steganography |
| Sensitive Data Exposure | 16 | Confidential Document, Email Leak, Exposed credentials, Forgotten Developer Backup, Forgotten Sales Backup, GDPR Data Theft, Leaked API Key, Leaked Unsafe Product, Login Amy, Login MC SafeSearch, Meta Geo Stalking, NFT Takeover, Password Hash Leak, Reset Uvogin's Password, Retrieve Blueprint, Visual Geo Stalking |
| Unvalidated Redirects | 2 | Allowlist Bypass, Outdated Allowlist |
| Vulnerable Components | 9 | Arbitrary File Write, Forged Signed JWT, Frontend Typosquatting, Kill Chatbot, Legacy Typosquatting, Local File Read, Supply Chain Attack, Unsigned JWT, Vulnerable Library |
| XSS | 9 | API-only XSS, Bonus Payload, CSP Bypass, Client-side XSS Protection, DOM XSS, HTTP-Header XSS, Reflected XSS, Server-side XSS Protection, Video XSS |
| XXE | 2 | XXE Data Access, XXE DoS |
| Total Σ | 111 | |
Challenge Tags
Tags do not represent vulnerability categories; they serve as additional metadata for challenges. They mark commonalities or special types of challenges, such as those lacking seriousness or ones that will likely require some scripting or automation.
| Tag | # | Challenges |
|---|---|---|
| Brute Force | 6 | Bully Chatbot, CAPTCHA Bypass, Extra Language, Login Support Team, Password Strength, Reset Morty's Password |
| Code Analysis | 10 | Blockchain Hype, Forged Coupon, Imaginary Challenge, Kill Chatbot, Login Bjoern, Login Support Team, Outdated Allowlist, SSRF, SSTi, Score Board |
| Contraption | 9 | Blockchain Hype, Cross-Site Imaging, Deprecated Interface, Easter Egg, Forgotten Developer Backup, Forgotten Sales Backup, Misplaced Signature File, NFT Takeover, SSTi |
| Danger Zone | 17 | API-only XSS, Arbitrary File Write, Blocked RCE DoS, CSP Bypass, Client-side XSS Protection, HTTP-Header XSS, Local File Read, Memory Bomb, NoSQL DoS, NoSQL Exfiltration, Reflected XSS, SSTi, Server-side XSS Protection, Successful RCE DoS, Video XSS, XXE Data Access, XXE DoS |
| Good Practice | 4 | Exposed Metrics, Misplaced Signature File, Privacy Policy, Security Policy |
| Good for Demos | 13 | Admin Section, Confidential Document, DOM XSS, Easter Egg, Forged Coupon, Forgotten Developer Backup, Login Admin, NFT Takeover, Nested Easter Egg, Privacy Policy, Privacy Policy Inspection, Reflected XSS, View Basket |
| Internet Traffic | 2 | Mint the Honey Pot, Wallet Depletion |
| OSINT | 15 | Bjoern's Favorite Pet, Leaked Access Logs, Leaked Unsafe Product, Local File Read, Login Amy, Login MC SafeSearch, Meta Geo Stalking, Reset Bender's Password, Reset Bjoern's Password, Reset Jim's Password, Reset Morty's Password, Reset Uvogin's Password, Supply Chain Attack, Visual Geo Stalking, Vulnerable Library |
| Prerequisite | 6 | Allowlist Bypass, Arbitrary File Write, Deprecated Interface, Error Handling, Forgotten Developer Backup, Poison Null Byte |
| Shenanigans | 11 | Bonus Payload, Bully Chatbot, Easter Egg, Imaginary Challenge, Leaked Unsafe Product, Login MC SafeSearch, Missing Encoding, Nested Easter Egg, Premium Paywall, Privacy Policy Inspection, Steganography |
| Tutorial | 11 | Bonus Payload, DOM XSS, Forged Feedback, Login Admin, Login Bender, Login Jim, Password Strength, Privacy Policy, Reflected XSS, Score Board, View Basket |
| Web3 | 5 | Blockchain Hype, Mint the Honey Pot, NFT Takeover, Wallet Depletion, Web3 Sandbox |