Configs · Jul 1, 2026 · 3 min read

OWASP Juice Shop — Intentionally Vulnerable Web Application for Security Training

Modern insecure web application for security awareness training, CTF challenges, and penetration testing practice.

Agent ready: ready-to-run agent install. This asset can be installed after the agent chooses its runtime, checks the plan, and runs the matching command.

Native · 98/100 · Policy: allow
Agent surface: Any MCP/CLI agent
Kind: Skill
Install: Single
Trust: Established
Entrypoint: OWASP Juice Shop
Direct install command:
npx -y tokrepo@latest install c5510ae7-754b-11f1-9bc6-00163e2b0d79 --target codex
Run after a dry-run confirms the install plan.

Introduction

OWASP Juice Shop is an intentionally insecure web application written in Node.js, Express, and Angular. It contains over 100 hacking challenges covering the entire OWASP Top 10 and beyond, making it a practical training ground for developers learning about web application security.

What OWASP Juice Shop Does

  • Provides 100+ hacking challenges across difficulty levels from trivial to expert
  • Covers all OWASP Top 10 vulnerability categories with real exploitable flaws
  • Includes a built-in score board that tracks challenge completion progress
  • Supports CTF (Capture the Flag) mode with flag codes for competitions
  • Offers coding challenges where users fix vulnerable code snippets

Architecture Overview

Juice Shop is a single-page application: an Angular frontend served by a Node.js/Express backend that uses the Sequelize ORM on SQLite, plus a small in-memory NoSQL store (MarsDB) for orders and product reviews. Every vulnerability is a real, exploitable flaw in the application code rather than a simulated scenario. Challenge completion state is tracked in the database. Flags are not stored at all: in CTF mode, the flag code shown for a solved challenge is derived on the fly as an HMAC-SHA1 of the challenge name keyed with the server-side CTF key (the CTF_KEY environment variable). Anyone holding that key can regenerate every flag, so the key must stay secret from players and must be the same key used when the challenge list is exported to the CTF platform.

Self-Hosting & Configuration

  • Deploy via Docker (image bkimminich/juice-shop), Node.js directly, or to cloud platforms like Heroku
  • Enable CTF mode by starting with NODE_ENV=ctf (loads config/ctf.yml, which shows flag codes in solve notifications) and set CTF_KEY to a per-event secret that keys the flag derivation
  • Customize branding, the product catalog, and challenge behaviour (for example whether hints are shown) via YAML configuration files
  • Run behind a reverse proxy for classroom or workshop deployments, and bind the container to loopback so only the proxy can reach it
  • Supports multi-instance deployments for large training events (the OWASP MultiJuicer project runs one instance per team on Kubernetes)
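The deployment settings above combined into one Compose file, as an added example (editor-written, not a file shipped by the Juice Shop project). The image name, port 3000, NODE_ENV=ctf and CTF_KEY are the project's own; the key value is a placeholder to be replaced per event:

```yaml
# Added example: a single Juice Shop instance in CTF mode, reachable only
# from the host's loopback interface. Put your reverse proxy in front of
# 127.0.0.1:3000 for a classroom; never publish the port on 0.0.0.0.
services:
  juice-shop:
    image: bkimminich/juice-shop
    environment:
      NODE_ENV: ctf                 # loads config/ctf.yml: flag codes shown on solve
      CTF_KEY: change-me-per-event  # placeholder; use a fresh secret for each event
    ports:
      - "127.0.0.1:3000:3000"       # loopback only, not the LAN or the internet
    restart: unless-stopped
```

Keep CTF_KEY out of the Compose file in practice (use an env file or secret store with restricted permissions): whoever reads it can regenerate every flag without solving a single challenge.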

Key Features

  • Real-world vulnerabilities including SQL injection, XSS, CSRF, and broken auth
  • Gamified experience with a score board, notifications, and progressive hints
  • CTF mode reveals a per-challenge flag code on solve; the companion juice-shop-ctf CLI exports the challenge and flag set for import into CTFd, FBCTF, or RootTheBox (run it with the same CTF_KEY as the server, or the generated flags will not match)
  • Companion guide (Pwning OWASP Juice Shop) provides detailed walkthroughs
  • Regularly updated to include new vulnerability types and modern attack vectors

Comparison with Similar Tools

  • DVWA — PHP-based vulnerable app; Juice Shop uses a modern JS stack with more challenges
  • WebGoat — Java-based OWASP trainer with guided lessons; Juice Shop is more gamified
  • HackTheBox — Online platform with various VMs; Juice Shop is self-hosted and web-focused
  • bWAPP — PHP vulnerable app; fewer challenges and less actively maintained
  • TryHackMe — Guided learning platform (SaaS); Juice Shop runs fully offline

FAQ

Q: Is Juice Shop safe to run on my network? A: It is intentionally vulnerable. Run it in an isolated environment and never expose it to the public internet.

Q: Can I use Juice Shop for team training events? A: Yes. Run it in CTF mode, export the challenges with the juice-shop-ctf CLI, and import them into a scoring platform such as CTFd to turn it into a competitive team event with scoring.

Q: How many challenges does Juice Shop have? A: Over 100 challenges covering security topics from basic to advanced, with new ones added in each release.

Q: Does Juice Shop require any database setup? A: No. It uses an embedded SQLite database that resets on restart, requiring zero configuration.
