Did you write a guide specifically on hacking OWASP Juice Shop or record a hacking session of your own? Add it to this file and open a PR! The same goes for any scripts or automated tools you made for making Juice Shop easier to hack!
Everything mentioned on this specific page is considered to contain spoilers for entire challenge solutions so the entries themselves are not individually tagged! You might not want to view anything from this page before tackling the related challenges yourself!
🧃 is followed by the last known major release of OWASP Juice Shop that a solution/script/tool is supposedly working with or that a video guide/solution was recorded for.
- Hack OWASP Juice Shop
playlist of
Hacksplained
(🧃
v10.x
-v11.x
)- ★ Zero Stars
- ★ Confidential Document
- ★ DOM XSS
- ★ Error Handling
- ★ Missing Encoding
- ★ Outdated Allowlist
- ★ Privacy Policy
- ★ Repetitive Registration
- ★★ Login Admin
- ★★ Admin Section
- ★★ Classic Stored XSS
- ★★ Deprecated Interface
- ★★ Five Star Feedback
- ★★ Login MC SafeSearch
- ★★ Password Strength
- ★★ Security Policy
- ★★ View Basket
- ★★ Weird Crypto
- ★★★ API-Only XSS
- ★★★ Admin Registration
- ★★★ Björn's Favorite Pet
- ★★★ Captcha Bypass
- ★★★ Client-side XSS Protection
- ★★★ Database Schema
- ★★★ Forged Feedback
- ★★★ Forged Review
- ★★★ GDPR Data Erasure
- ★★★ Login Amy
- ★★★ Login Bender
- ★★★ Login Jim
- ★★★ Manipluate Basket
- ★★★ Payback Time
- ★★★ Privacy Policy Inspection
- ★★★ Product Tampering
- ★★★ Reset Jim's Password
- ★★★ Upload Size
- ★★★ Upload Type
- ★★★★ Access Log (Sensitive Data Exposure)
- ★★★★ Ephemeral Accountant (SQL-Injection)
- ★★★★ Expired Coupon (Improper Input Validation)
- ★★★★ Forgotten Developer Backup (Sensitive Data Exposure)
- ★★★★ Forgotten Sales Backup (Sensitive Data Exposure)
- ★★★★ GDPR Data Theft (Sensitive Data Exposure)
- ★★★★ Legacy Typosquatting (Vulnerable Components)
- ★★★★ Login Bjoern (Broken Authentication)
- ★★★★ Misplaced Signature File (Sensitive Data Exposure)
- Live Hacking von Online-Shop „Juice Shop” (:de:)
Twitch live stream recordings
by
Gregor Biswanger
(🧃
v11.x
) - HackerOne #h1-2004 Community Day: Intro to Web Hacking - OWASP Juice Shop
by Nahamsec including the creation of a
(fake) bugbounty report for all findings (🧃
v10.x
) - TryHackme - JuiceShop Walkthrough by
Profesor Parno
(🧃
v8.x
, 🇮🇩) - OWASP Juice Shop All Challenges Solved || ETHIKERS
full-spoiler, time-lapsed, no-commentary hacking trip (🧃
v8.x
) - Hacking JavaScript - Intro to Hacking Web Apps (Episode 3)
by Arthur Kay (🧃
v8.x
) - HackerSploit
Youtube channel (🧃
v7.x
) - 7 Minute Security Podcast (🧃
v2.x
)- Episode #234: 7MS #234: Pentesting OWASP Juice Shop - Part 5 (Youtube)
- Episode #233: 7MS #233: Pentesting OWASP Juice Shop - Part 4 (Youtube)
- Episode #232: 7MS #232: Pentesting OWASP Juice Shop - Part 3 (Youtube)
- Episode #231: 7MS #231: Pentesting OWASP Juice Shop - Part 2 (Youtube)
- Episode #230: 7MS #230: Pentesting OWASP Juice Shop - Part 1 (Youtube)
- Episode #229: 7MS #229: Intro to Docker for Pentesters (Youtube)
- Blog post (:myanmar:) on LOL Security:
Juice Shop Walkthrough
(🧃
v2.x
) - Blog post on IncognitJoe:
Hacking(and automating!) the OWASP Juice Shop
(🧃
v2.x
)
- Session management script for OWASP Juice Shop
distributed as a scripting template with
OWASP ZAP since version 2.9.0
(🧃
v10.x
) - Automated solving script for the OWASP Juice Shop
written in Python by @incognitjoe
(🧃
v2.x
)