Hands on Threat Modeling Juice Shop (Attacking 2)

Get together to continue to use the models of Juice Shop to find problems with it, learn threat modelling, and deliver examples.


Dinis proposed a set of evening sessions to create threat model artefacts & examples for the Juice Shop vulnerable app.


Using the diagrams that show various aspects of Juice Shop (model 1: What’s the app? model 2: How does it get deployed? Model 3: How is it “developed and maintained”? etc.), apply various techniques to answer the question “what can go wrong?”
Techniques might include brainstorming, STRIDE, top-10, PASTA, CAPEC, attack trees, or your favourite.


  • Lists of attacks checked in
  • Possibly sets of requirements or assumptions


The target audience for this Working Session is:

  • Participants in the threat modeling track
  • Participants interested in Juice Shop
  • Those who want to learn to threat model

Working materials



Much of the output is in https://owaspsummit.org/Working-Sessions/Threat-Model/Threat-Modeling-by-Feature-and-Layer.html

Related Working Session(s)

Back to list of all Working Sessions and Tracks

Edit this page here