OWASP Juice Shop v17.0 releases: intentionally insecure webapp for security trainings
OWASP Juice Shop
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs, and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
For a detailed introduction, full list of features and architecture overview please visit the official project page here.
Setup
Deploy on Heroku (free ($0/month) dyno)
- Click the button below and follow the instructions
This is the quickest way to get a running instance of Juice Shop! If you have forked this repository, the deploy button will automatically pick up your fork for deployment! As long as you do not perform any DDoS attacks you are free to use any tools or scripts to hack your Juice Shop instance on Heroku!
From Sources
- Install node.js
- Run git clone https://github.com/juice-shop/juice-shop.git (or clone your own fork of the repository)
- Go into the cloned folder with cd juice-shop
- Run npm install (only has to be done before the first start or when you change the source code)
- Run npm start
- Browse to http://localhost:3000
Docker Container
- Install Docker
- Run docker pull bkimminich/juice-shop
- Run docker run --rm -p 3000:3000 bkimminich/juice-shop
- Browse to http://localhost:3000 (on macOS and Windows browse to http://192.168.99.100:3000 if you are using docker-machine instead of the native docker installation)
Even easier: Run Docker Container from Docker Toolbox (Kitematic)
- Install and launch Docker Toolbox
- Search for juice-shop and click Create to download image and run the container
- Click on the Open icon next to Web Preview to browse to Juice Shop
Changelog v17.0
🎯 Challenges
- #2198: Added new Security Advisory ⭐⭐⭐-challenge
🎨 UI
- Removed legacy Score Board and all related settings and services (⚠️)
- Removed re-routing of legacy challenge=<name> parameter obsoleted by OWASP/OpenCRE#467 (⚠️)
🧹 Housekeeping
- Changed back to libxmljs because libxmljs2 is no longer maintained
- Installation from source on Node.js 18-20 will download pre-built binaries for the underlying C++ library as in libxmljs2
- Installation from source code on Node.js >20 currently requires C++ binaries to be built during installation (⚠️)
💾 Local Backup
- Removed scoreBoard subsection from backup format along with removal of legacy Score Board (compatible with the version: 1 backup format as the subsection from older exports would now simply be ignored during import)
🕵️ Cheat Detection
- Further pre-solve interactions after the first with the same expected URL will no longer be counted
- Cheat score is increased by half the percentage of missing expected pre-solve interactions with the server
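The two cheat-detection rules above, modelled as an added example (not the project's own implementation): repeated hits on the same expected URL count once, and the cheat score grows by half the percentage of expected pre-solve interactions that never happened. The `Interaction` shape, the sample URLs and a 0..1 score scale are assumptions made for this illustration.

```typescript
// Added illustrative model of the v17.0 cheat-detection rules; not Juice Shop's own code.
// Assumption: the cheat score is a fraction between 0 and 1.

interface Interaction {
  url: string // request path the server observed before the challenge was solved
}

// Rule 1: further interactions with the same expected URL are not counted again,
// so coverage is the set of distinct expected URLs that were hit at least once.
export function coveredExpectedUrls(expected: string[], observed: Interaction[]): Set<string> {
  const wanted = new Set(expected)
  const covered = new Set<string>()
  for (const hit of observed) {
    if (wanted.has(hit.url)) covered.add(hit.url)
  }
  return covered
}

// Percentage (0..100) of expected pre-solve interactions that are missing.
// A challenge with no expected interactions can never be "missing" any.
export function missingPercentage(expected: string[], observed: Interaction[]): number {
  const wanted = new Set(expected)
  if (wanted.size === 0) return 0
  const missing = wanted.size - coveredExpectedUrls(expected, observed).size
  return (missing / wanted.size) * 100
}

// Rule 2: the cheat score rises by half the missing percentage, capped at 1.
export function updatedCheatScore(score: number, expected: string[], observed: Interaction[]): number {
  const increase = missingPercentage(expected, observed) / 100 / 2
  return Math.min(1, score + increase)
}

// Constructed sample: four expected URLs; one hit twice, one never hit, plus an unrelated request.
export const sampleExpected = ['/sample/a', '/sample/b', '/sample/c', '/sample/d']
export const sampleObserved: Interaction[] = [
  { url: '/sample/a' },
  { url: '/sample/a' },
  { url: '/sample/b' },
  { url: '/sample/c' },
  { url: '/unrelated' },
]
```

With the sample data, three of four expected URLs are covered, 25% are missing, and a score of 0.25 becomes 0.375.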
🎭 Custom Theming
- Adjusted image URLs in 7ms theme and extended with photo wall entries and new products
🐳 Docker
- #2447: Significantly reduce Docker image size by omitting unneeded dependencies
Copyright (c) 2014-2022 Bjoern Kimminich & the OWASP Juice Shop contributors