Learning

Official Companion Guide

Pwning OWASP Juice Shop is the official companion guide for this project. It will give you a complete overview of the vulnerabilities found in the application including hints how to spot and exploit them. In the appendix you will even find complete step-by-step solutions to every challenge.

The ebook is published under CC BY-NC-ND 4.0 and is online-readable for free at https://pwning.owasp-juice.shop. The latest officially released edition is also available for free at https://leanpub.com/juice-shop in PDF, Kindle and ePub format.

Hacking Instructor Tutorials

Click on a link in the table below to launch a step-by-step tutorial for that particular challenge on our public https://demo.owasp-juice.shop instance. If you are entirely new to the Juice Shop, we recommend doing them in the listed order. With the (optional) Tutorial Mode you can even enforce that the 13 tutorial challenges have to be performed gradually in order to unlock the other 98 challenges.

Challenge	Category	Difficulty
Score Board	Miscellaneous	⭐
DOM XSS	XSS	⭐
Bonus Payload	XSS	⭐
Privacy Policy	Miscellaneous	⭐
Reflected XSS	XSS	⭐⭐
Exposed credentials	Sensitive Data Exposure	⭐⭐
Login Admin	Injection	⭐⭐
Admin Section	Broken Access Control	⭐⭐
Password Strength	Broken Authentication	⭐⭐
View Basket	Broken Access Control	⭐⭐
Forged Feedback	Broken Access Control	⭐⭐⭐
Login Jim	Injection	⭐⭐⭐
Login Bender	Injection	⭐⭐⭐
Coding Challenges	n/a	n/a

Coding Challenges

For 31 challenges an additional coding challenge is available. In their “Find It” phase they teach spotting vulnerabilities in the actual codebase of the Juice Shop. In the “Fix It” phase the user then chooses the most appropriate fix from a list. Solve any of the hacking challenges below to enable a button on the Score Board that launches the corresponding coding challenge:

Category	#	Challenges
Broken Access Control	4	Admin Section, Forged Review, Product Tampering, Web3 Sandbox
Broken Anti Automation	1	Reset Morty's Password
Broken Authentication	5	Bjoern's Favorite Pet, Password Strength, Reset Bender's Password, Reset Bjoern's Password, Reset Jim's Password
Improper Input Validation	2	Admin Registration, Mint the Honey Pot
Injection	6	Database Schema, Login Admin, Login Bender, Login Jim, NoSQL Manipulation, User Credentials
Miscellaneous	2	Score Board, Wallet Depletion
Observability Failures	2	Access Log, Exposed Metrics
Security through Obscurity	1	Blockchain Hype
Sensitive Data Exposure	3	Confidential Document, NFT Takeover, Reset Uvogin's Password
Unvalidated Redirects	2	Allowlist Bypass, Outdated Allowlist
XSS	3	API-only XSS, Bonus Payload, DOM XSS
Total Σ	31

Mitigation Links

For many solved challenges links to mitigation techniques are presented on the Score Board by offering a link to a corresponding OWASP Cheat Sheet explaining how to avoid that kind of vulnerability in the first place. The following cheat sheets are referred to by OWASP Juice Shop as mitigation links: