OWASP Juice Shop
Björn Kimminich | @bkimminich | infosec.exchange/@bkimminich
https://owasp-juice.shop
$ zip -r -q -9 postcard intro
Demo
Happy path shopping tour!
Hacking Challenges
Covering various vulnerabilities and serious design flaws
OWASP Juice Shop covers all vulnerabilities from the latest OWASP Top 10 and more.
Challenge Difficulty
There's something to do for beginners and veterans alike
Score Board
Challenge progress is tracked on server-side
Demo
Find the Score Board!
Tutorial Mode
Gradually unlocking tutorials and the entire Score Board
Cheat Detection
Solved challenges are rated based on cheating probability
Coding Challenges
Find code flaw and select appropriate fix for several challenges
Demo
Doing a Coding Challenge!
Juice Shop is CTF-ready
Flag codes can optionally be displayed for solved challenges
Frictionless CTF-Events
All participants use individual Juice Shop instances anywhere, sharing only the flag code-ctfKey and a central score server.
CTF Extension
Utility project to help you host a hacking event on CTFd, FBCTF or RootTheBox
Setup Wizard
Run juice-shop-ctf on the command line and let a wizard create a data-dump to conveniently import into CTFd, FBCTF or RootTheBox
Screenshots from CTF games
Your CTF score server instance will be ready-to-play in <5min
MultiJuicer Platform
3rd party project to run separate Juice Shop instances for training or CTF participants on a central Kubernetes cluster
Custom JuiceBalancer
Restricts number of users to team members and protects against illicit cross-team instance access
Simplicity & convenience
Trivial registration, transparent instance stickiness, CTF-friendly score board out-of-the-box, automatic light/dark mode
Re-branding
Fully customizable business context and look & feel
Configurative Customization
Customize the application via a simple YAML file
application:
domain: juice-sh.op
name: 'OWASP Juice Shop'
logo: JuiceShop_Logo.png
favicon: favicon_js.ico
theme: bluegrey-lightgreen
showVersionNumber: true
showGitHubLinks: true
numberOfRandomFakeUsers: 0
altcoinName: Juicycoin
privacyContactEmail: donotreply@owasp-juice.shop
customMetricsPrefix: juiceshop
social:
twitterUrl: 'https://twitter.com/owasp_juiceshop'
facebookUrl: 'https://www.facebook.com/owasp.juiceshop'
[...]
[...]
Choose your own inventory
The YAML configuration allows you to override all products
products:
-
name: 'Product Name'
price: 100
description: 'Product Description'
image: '(https://somewhe.re/)image.png'
useForProductTamperingChallenge: false
useForChristmasChallenge: false
fileForRetrieveBlueprintChallenge: ~
reviews:
- { text: 'Customer review', author: jim }
-
name: 'Product with Lorem Ipsum description, filler image and random price'
Your config is validated on server startup to prevent broken or unsolvable challenges!
Modern Web-Architecture
JavaScript/TypeScript all the way from UI to REST API
Simple Installation
Comes with cloud, local and containerized run options
Multi-language support
Crowd-sourced UI translations for 40+ languages
Juice Shop Success Pyramid™
Some amazing facts & stats about the project
Can I contribute to the project?
Of course! Visit our backlog on GitHub & translations on Crowdin
Issues labelled with good first issue and/or help wanted are the best starting point!
How do I get started?
Check the Codebase 101 and Contribute to development chapters in the free official companion guide on Leanpub
The eBook can also be read online. You can always ask for help in the community chat or on Slack as well!
Is there a contribution reward?
For your 1st merged pull request you'll get some stickers from us
Serial contributors might even get t-shirts, mugs and other glorious merchandise for free!
Project Roadmap
Juice Shop has an NFT collection...?
You can bet your wallet's passphrase that we do!
| 50x
|
50x
|
| 25x
|
25x
|
Additional Information
Copyright (c) 2014-2023 Björn Kimminich / @bkimminich
Licensed under the MIT license.
Created with (an ancient and insecure version of) reveal.js - The HTML Presentation Framework
