Juice Shop v4.0.0 Live Release

The Juice Shop track of the OWASP Summit 2017 was not only a very enjoyable experience but also produced some really tangible output!

In the final morning session on Friday, June 16th (in room Pedley) I will trigger the production release of the v4.0.0 version. It comes with a load of new business functionality, challenges, convenience feats and technical advancents!

While the (fully automated) release is underway, I am happy to give an overview of the newly added features and maybe some participants already want to try them out right on the spot to be the first to conquer them? 🥇

You can find the full list of changes in the release notes below:

Incompatible Changes

  • removed support for Node.js 7.x
  • Docker images node7-* consequently are not built any more
  • Snapshot Docker images named *-develop are not built any more. Please use *-snapshot images instead.

Platform Support

  • added support for Node.js 8.x (#332)


  • users can ask for pomace recycling pickup or delivery of a box to send pomace back in (#243)
  • during registration users now have to pick and answer a security question (#323)
  • users can now reset their password authenticating with the answer to their security question (#323)
  • hacking progress is not automatically saved and restored after a server restart (#309)
  • add awareness training example by @wurstbrot with huge visual and data pricacy impacts (#316, only available when running as Vagrant box. Also available on Youtube: 📺)

OWASP Summit 2017 Challenge Pack

  • added 3 challenges on security questions (#323)
  • @ViktorLindstrm added 1 challenge on the used JWT secret (#336)


  • disabled an invalid way to solve the Forged Feedback challenge
  • postpone websocket event registration until after data creator is finished (#345)


  • added Hebrew translation (by @avidouglen)


  • split server-side tests into isolated unit tests (for /routes) and frisby.js-based API tests


  • several smaller translation updates
  • provided config quiet.yml (muting most notifications & hiding hints and GitHub ribbon)
  • provided config juicebox.yml (for those who have a hard time pronouncing jo͞osSHäp)
  • streamlined README.md documentation (remove duplicate content w/ official owasp.org project page)
  • added section on Lectures and Trainings to RESOURCES.md
  • added several blog posts and other coverage

I would like to thank the following awesome summit participants 🏆 for their valuable contributions during or in between the various coding sessions:

Viktor Lindström Avi Douglen Timo Pagel

Kudos also go to

Enjoy hacking the hell out of OWASP Juice Shop v4.0.0! 😈