
OWASP Juice Shop

Intentionally insecure web application for security training, awareness demos, and CTF challenges. Built with Node.js and embedded SQLite, covering the OWASP Top 10 and beyond.

Deployed: 0 times
Publisher: futurize.rush
Created: 2026-03-28
Tags: Tool, Security

OWASP Juice Shop

The most modern and sophisticated insecure web application for security training. It covers vulnerabilities from the entire OWASP Top 10, along with many other real-world security flaws.

Use Cases

  • Security Training - Practice identifying and exploiting web vulnerabilities in a safe, legal environment
  • CTF Challenges - Over 100 hacking challenges of varying difficulty, tracked on a built-in scoreboard
  • Awareness Demos - Show stakeholders how common vulnerabilities work in a realistic e-commerce app
  • DevSecOps Pipelines - Integrate as a target app for automated security scanning tools (DAST/SAST)

Getting Started

  1. Open your assigned domain in a browser
  2. Browse the shop like a regular user first
  3. Open the built-in score board at /#/score-board to see all challenges
  4. Use browser DevTools, Burp Suite, or OWASP ZAP to start hacking

Default Configuration

  • Port: 3000 (HTTP)
  • Database: Embedded SQLite (resets on container restart)
  • Admin credentials: Discoverable as part of the challenges

Resources