OWASP Juice Shop v16.0 releases: intentionally insecure webapp for security trainings

OWASP Juice Shop

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security training, awareness demos, CTFs, and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

For a detailed introduction, full list of features and architecture overview please visit the official project page here.

Setup

Deploy on Heroku (free ($0/month) dyno)

1. Click the button below and follow the instructions

This is the quickest way to get a running instance of Juice Shop! If you have forked this repository, the deploy button will automatically pick up your fork for deployment! As long as you do not perform any DDoS attacks you are free to use any tools or scripts to hack your Juice Shop instance on Heroku!

From Sources

1. Install node.js
2. Run git clone https://github.com/juice-shop/juice-shop.git (or clone your own fork of the repository)
3. Go into the cloned folder with cd juice-shop
4. Run npm install (only has to be done before the first start or when you change the source code)
5. Run npm start
6. Browse to http://localhost:3000

Docker Container

1. Install Docker
2. Run docker pull bkimminich/juice-shop
3. Run docker run –rm -p 3000:3000 bkimminich/juice-shop
4. Browse to http://localhost:3000 (on macOS and Windows browse to http://192.168.99.100:3000 if you are using docker-machine instead of the native docker installation )

Even easier: Run Docker Container from Docker Toolbox (Kitematic)

1. Install and launch Docker Toolbox
2. Search for juice-shop and click Create to download image and run the container
3. Click on the Open icon next to Web Preview to browse to Juice Shop

Changelog v16.0

👟 Runtime

• Added support for Node.js 21.x
• Removed support for Node.js 16.x and no longer provide packaged distributions for this version (⚠️)
• Removed inofficial support for Node.js 17.x

🎨 UI

• 1946f2e: The new Score Board introduced with v15.1.0 is now the default
• Inverted banners and option to switch layouts to allow setting the legacy Score Board as default
• #2152: Enchanced scrolling behavior in Coding Challenge modal to keep buttons always visible (kudos to @bogminic)

🕵️ Cheat Detection

• #2150: Switched to median instead of average to calculate total cheat score
• Monitor and report on expected URL interactions to happen before related challenges are solved (no score impact yet)

🔙 Backward compatibility

• #2149: Links to /#/score-board?challenge=<name> will now be rewritten into /#/score-board?searchQuery= to keep existing OpenCRE links working

⚙️ DevOps Automation

• Update default Node.js version for non-matrix build jobs to 20.x
• Update Node.js version in base Docker images to 20.x

Download

Copyright (c) 2014-2022 Bjoern Kimminich & the OWASP Juice Shop contributors