Configs · Jul 1, 2026 · 3 min read

OWASP Juice Shop — Intentionally Vulnerable Web Application for Security Training

Modern insecure web application for security awareness training, CTF challenges, and penetration testing practice.

Ready for agents

Agent installation ready

This asset can be installed after choosing the runtime, reviewing the plan, and running the appropriate command.

Native · 98/100
Policy: allow
Agent surface: Any MCP/CLI agent
Type: Skill
Installation: Single
Trust: Established
Entry point: OWASP Juice Shop
Direct install command:
npx -y tokrepo@latest install c5510ae7-754b-11f1-9bc6-00163e2b0d79 --target codex

Run only after confirming the plan with a dry run.

Introduction

OWASP Juice Shop is an intentionally insecure web application written in Node.js, Express, and Angular. It contains over 100 hacking challenges covering the entire OWASP Top 10 and beyond, making it a practical training ground for developers learning about web application security.

What OWASP Juice Shop Does

  • Provides 100+ hacking challenges across difficulty levels from trivial to expert
  • Covers all OWASP Top 10 vulnerability categories with real exploitable flaws
  • Includes a built-in score board that tracks challenge completion progress
  • Supports CTF (Capture the Flag) mode with flag codes for competitions
  • Offers coding challenges where users fix vulnerable code snippets

Architecture Overview

Juice Shop is a single-page application with an Angular frontend and a Node.js/Express backend using Sequelize ORM with SQLite. Every vulnerability is a real, exploitable flaw in the application code rather than a simulated scenario. The challenge tracking system uses encrypted flags stored server-side.

Self-Hosting & Configuration

  • Deploy via Docker, Node.js directly, or to cloud platforms like Heroku
  • Configure CTF mode by setting environment variables for flag keys
  • Customize the product catalog and challenge set via YAML configuration files
  • Run behind a reverse proxy for classroom or workshop deployments
  • Supports multi-instance deployments for large training events

Key Features

  • Real-world vulnerabilities including SQL injection, XSS, CSRF, and broken auth
  • Gamified experience with a score board, notifications, and progressive hints
  • CTF mode generates unique flag codes compatible with CTFd and FBCTF
  • Companion guide (Pwning OWASP Juice Shop) provides detailed walkthroughs
  • Regularly updated to include new vulnerability types and modern attack vectors

Comparison with Similar Tools

  • DVWA — PHP-based vulnerable app; Juice Shop uses a modern JS stack with more challenges
  • WebGoat — Java-based OWASP trainer with guided lessons; Juice Shop is more gamified
  • HackTheBox — Online platform with various VMs; Juice Shop is self-hosted and web-focused
  • bWAPP — PHP vulnerable app; fewer challenges and less actively maintained
  • TryHackMe — Guided learning platform (SaaS); Juice Shop runs fully offline

FAQ

Q: Is Juice Shop safe to run on my network? A: It is intentionally vulnerable. Run it in an isolated environment and never expose it to the public internet.

Q: Can I use Juice Shop for team training events? A: Yes. CTF mode with tools like CTFd turns it into a competitive team event with scoring.

Q: How many challenges does Juice Shop have? A: Over 100 challenges covering security topics from basic to advanced, with new ones added in each release.

Q: Does Juice Shop require any database setup? A: No. It uses an embedded SQLite database that resets on restart, requiring zero configuration.
