Juice Shop


OWASP Juice Shop Project is an intentionally insecure webapp for security training written entirely in JavaScript and which encompasses the entire OWASP Top Ten and other severe security flaws. Juice Shop is written in Node.js, Express, and AngularJS. The application contains more than 30 challenges of varying difficulty where the user should exploit the underlying vulnerabilities. Apart from being useful for hacker and awareness training, pentesting proxies or security scanners can also use Juice Shop as a “guinea pig” application to check how well their tools cope with JavaScript-heavy application frontends and REST APIs.


Ideas for potential new hacking challenges are currently collected in the Challenge Pack 2017 milestone on GitHub. In this working session we will gather, design and implement many of the existing, and hopefully several entirely new, challenges that we will bundle in the OWASP Summit Challenge Pack 2017 for production release on the final day of the summit.

Juice Shop logo

We will also consider planned functional enhancements of the Juice Shop CTF-extension and its improved integration with CTFd. Ideas for the CTF-extension are currently gathered as enhancement-issues on GitHub.

Juice Shop CTF logo

Potential outcomes

  • Several new challenges for OWASP Juice Shop
  • Functional enhancements to place the challenges in, e.g. the Order Dashboard and Pomace Recycling user stories
  • Hint and solution sections for each new challenge are added to the “Pwning OWASP Juice Shop” e-book
  • Functional and convenience improvements to the Juice Shop CTF-extension
  • Updated project roadmap for OWASP Juice Shop and its CTF-extension

To keep the high release stability and overall quality of OWASP Juice Shop the contribution rules of the project apply for the summit results as well:

  • Code follows existing style guides and passes all existing quality gates regarding code smells, test coverage etc.
  • Each challenge comes with fully functional unit and integration tests
  • Each challenge is verified to be exploitable by corresponding end-to-end tests


The target audience for this Working Session is:

  • Javascript developers (Knowledge of Node.js would be great but is not mandatory)
  • Web developers (Knowledge of Angular 1.x would be great but is not mandatory)
  • Web designers (the vulnerable features will at least look good)
  • CTFd project team and contributors
  • Security professionals

Related Working Session(s)

Back to list of all Working Sessions and Tracks

Edit this page here