Introduction
OWASP Juice Shop is an intentionally insecure web application written in Node.js, Express, and Angular. It contains over 100 hacking challenges covering the entire OWASP Top 10 and beyond, making it a practical training ground for developers learning about web application security.
What OWASP Juice Shop Does
- Provides 100+ hacking challenges rated on a six-star difficulty scale, from trivial one-star tasks to six-star expert ones
- Covers all OWASP Top 10 vulnerability categories with real exploitable flaws
- Includes a built-in score board that tracks challenge completion progress
- Supports CTF (Capture the Flag) mode with flag codes for competitions
- Offers coding challenges where users first locate the vulnerable line in the application's real source and then pick the correct fix
Architecture Overview
Juice Shop is a single-page application: an Angular frontend served by a Node.js/Express backend that uses the Sequelize ORM on SQLite (an in-memory MarsDB NoSQL store backs product reviews and orders). Every vulnerability is a real, exploitable flaw in the application code rather than a simulated scenario. Challenge progress is tracked server-side in the database; in CTF mode each solved challenge additionally yields a flag code, an HMAC-SHA1 of the challenge name keyed with a server-side secret, so flags cannot be forged or validated without that secret.
Self-Hosting & Configuration
- Deploy via Docker, Node.js directly, or to cloud platforms like Heroku
- Enable CTF mode by starting the server with NODE_ENV=ctf and set the secret used to derive flag codes via the CTF_KEY environment variable; the same key must be used when importing flags into the CTF platform
- Customize branding, the product catalog and selected challenge behaviour (hints, solved notifications) via YAML configuration files under config/, selected by name through NODE_ENV
- Run behind a reverse proxy for classroom or workshop deployments
- Scales to one isolated instance per participant or team for large training events via the companion MultiJuicer project (Kubernetes-based)
Key Features
- Real-world vulnerabilities including SQL injection, XSS, CSRF, and broken authentication and access control
- Gamified experience with a score board, notifications, and progressive hints
- CTF mode reveals a flag code for each solved challenge; the companion juice-shop-ctf CLI exports challenge and flag data for CTFd, FBCTF and RootTheBox
- Companion guide (Pwning OWASP Juice Shop) provides detailed walkthroughs
- Regularly updated to include new vulnerability types and modern attack vectors
Comparison with Similar Tools
- DVWA — PHP-based vulnerable app; Juice Shop uses a modern JS stack with more challenges
- WebGoat — Java-based OWASP trainer with guided lessons; Juice Shop is more gamified
- HackTheBox — Online lab platform with machines and standalone challenges; Juice Shop is self-hosted and focused on a single web application
- bWAPP — PHP vulnerable app; fewer challenges and less actively maintained
- TryHackMe — Guided learning platform (SaaS); Juice Shop runs fully offline
FAQ
Q: Is Juice Shop safe to run on my network? A: It is intentionally vulnerable. Run it in an isolated environment and never expose it to the public internet.
Q: Can I use Juice Shop for team training events? A: Yes. CTF mode with tools like CTFd turns it into a competitive team event with scoring.
Q: How many challenges does Juice Shop have? A: Over 100 challenges covering security topics from basic to advanced, with new ones added in each release.
Q: Does Juice Shop require any database setup? A: No. It uses an embedded SQLite database that is re-created and re-seeded on every start, so no configuration is needed and any damage done during a session is wiped by a restart.