OWASP Juice Shop: The Most Broken Secure App You’ll Ever Love

Welcome to OWASP Juice Shop: The Buggiest Secure App Around

Meet OWASP Juice Shop – the most modern and sophisticated intentionally insecure web application ever made. Designed for training, awareness, CTFs, and tool testing, Juice Shop is a security testing playground disguised as an online store. With vulnerabilities from the entire OWASP Top Ten and more, this app is your one-stop-shop for learning about web application security by doing.

Why Juice Shop Is a Must-Have for Security Learners

Whether you’re a student, ethical hacker, developer, or trainer, Juice Shop offers realistic hacking scenarios that mirror issues in real-world applications. You can:

  • Practice exploiting XSS, SQLi, CSRF, and many more vulnerabilities
  • Host Capture the Flag events with built-in scoring and challenges
  • Use it to test security scanners and automation tools
  • Teach secure coding through interactive, hands-on examples

Installation & Setup

Juice Shop runs virtually anywhere! Choose the method that fits your workflow best:

1. From Source

  • Install Node.js (v18.x to v22.x recommended)
  • Clone the repo: git clone https://github.com/juice-shop/juice-shop.git --depth 1
  • cd juice-shop
  • npm install
  • npm start

2. Packaged Distributions

  • Download the latest release for your platform
  • Unzip and run npm start

3. Docker

  • Install Docker
  • docker pull bkimminich/juice-shop
  • docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop

4. Vagrant

  • Install Vagrant and VirtualBox
  • git clone https://github.com/juice-shop/juice-shop.git
  • cd vagrant && vagrant up

Core Features

  • OWASP Top 10 Coverage: Every major web vulnerability is here
  • Gamified Learning: Complete challenges and track your score
  • CTF-Ready: Easily host security competitions with built-in support
  • Multiple Deployments: Supports Docker, Node.js, Vagrant, and cloud platforms
  • Custom Branding: Make it your own with rebranding support

Security Concepts in Action

OWASP Juice Shop isn’t just about theory. You’ll get to practice:

  • Injection attacks (SQL, NoSQL)
  • Cross-Site Scripting (XSS)
  • Broken authentication and access control
  • Security misconfigurations and more

Each vulnerability is paired with a challenge – many with hints and full walkthroughs in the official companion guide.

Support & Community

Stuck? Check out the troubleshooting guide or hop on the Gitter Chat. Contributions, translations, and improvements are always welcome.

Security Considerations

Juice Shop is intentionally vulnerable. Do not deploy it on the public internet without proper containment (e.g., firewalls or VMs). Use it responsibly for ethical hacking and educational purposes only.
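Added example, not code from the Juice Shop project: the Docker step above binds the app to loopback with `-p 127.0.0.1:3000:3000`, and this POSIX shell function audits `docker ps --format '{{.Names}}\t{{.Ports}}'` output to flag any container whose published port is bound to anything other than a loopback address. The sample lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the OWASP Juice Shop project.
# Audits Docker port mappings so an intentionally vulnerable container is only
# reachable from the local host, as with the documented
#   docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop
#
# Input: lines in the shape produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: one "EXPOSED <name> <mapping>" line per published port that is not
# bound to a loopback address. Exit status 0 if everything is contained, else 1.
check_bindings() {
  printf '%s\n' "$1" | awk '
    BEGIN { FS = "\t"; exposed = 0 }
    {
      name = $1
      n = split($2, maps, ", ")
      for (i = 1; i <= n; i++) {
        m = maps[i]
        # unpublished ports ("5432/tcp") carry no "->" and are not reachable
        if (index(m, "->") == 0) continue
        split(m, parts, "->")
        host = parts[1]
        sub(/:[0-9]+$/, "", host)   # drop the host port, keep the bind address
        if (host != "127.0.0.1" && host != "::1" && host != "[::1]") {
          printf "EXPOSED %s %s\n", name, m
          exposed = 1
        }
      }
    }
    END { exit exposed }'
}

# Constructed sample of "docker ps" output: the second container is published
# on all interfaces (IPv4 0.0.0.0 and IPv6 ::), the third publishes nothing.
SAMPLE=$(printf 'juice-shop\t127.0.0.1:3000->3000/tcp\njuice-shop-ctf\t0.0.0.0:3001->3000/tcp, :::3001->3000/tcp\ndb\t5432/tcp\n')

if check_bindings "$SAMPLE"; then
  echo "all published ports are bound to loopback"
else
  echo "some containers are reachable from other hosts; rebind with -p 127.0.0.1:PORT:PORT" >&2
fi
```

Run it against live output with `check_bindings "$(docker ps --format '{{.Names}}\t{{.Ports}}')"`.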

Final Thoughts

OWASP Juice Shop transforms the process of learning application security from boring lectures into an exciting, hands-on experience. With broad vulnerability coverage, multiple deployment options, and strong community support, it’s the ideal sandbox for anyone serious about web security.

Ready to challenge yourself? Then Juice Shop is waiting.
