OWASP Juice Shop Tutorial: Complete Guide to Free Web Security Vulnerability Practice
- TL;DR
- What is OWASP Juice Shop?
- What Vulnerability Types Are Included?
- Difficulty Rating Explanation
- Environment Setup
- Method 1: Docker Installation (Recommended)
- Method 2: Node.js Installation
- Method 3: Cloud Deployment
- Challenge Walkthrough
- 1-2 Star Challenges: Getting Started
- 3-4 Star Challenges: Advanced
- 5-6 Star Challenges: Expert Level
- Learning Path Recommendations
- Beginner Path (Zero Foundation)
- Advanced Path (Has Development Experience)
- Expert Path (Security Professional)
- Other OWASP Practice Platforms
- OWASP WebGoat
- OWASP BWA (Broken Web Applications)
- Platform Selection Recommendations
- Practicing with OWASP ZAP
- Setting Up ZAP Proxy
- Using ZAP to Find Vulnerabilities
- Practice Recommendations
- FAQ
- Q1: Can Juice Shop Be Used for Interview Preparation?
- Q2: How Long to Complete All Challenges?
- Q3: Are There Official Solutions?
- Conclusion
- Need Professional Cloud Advice?
OWASP Juice Shop Tutorial: Complete Guide to Free Web Security Vulnerability Practice
TL;DR
π‘ Key Takeaway: - OWASP Juice Shop is a free web security practice platform
- Includes over 100 vulnerability challenges, from 1 to 6 stars difficulty
- Supports Docker one-click deployment, start practicing in minutes
- Covers all OWASP Top 10 vulnerability types
- Suitable for security beginners, developers, and CTF enthusiasts
What is OWASP Juice Shop?
OWASP Juice Shop is the world's most popular web security practice platform. It's an intentionally vulnerable online juice store website.
Juice Shop features:
- Completely free and open source: Anyone can use it
- Real modern tech stack: Uses Angular + Node.js + SQLite
- Over 100 challenges: Covers various vulnerability types
- Gamified design: Unlock achievements, scoreboard, progress tracking
- Continuously updated: Keeps up with latest security trends
Unlike CTF (Capture The Flag) competitions, Juice Shop focuses more on learning. Each vulnerability corresponds to real-world security issues.
To learn about the OWASP organization and other security projects, refer to the OWASP Complete Guide.
What Vulnerability Types Are Included?
Juice Shop covers vulnerability types that fully correspond to OWASP Top 10:
| Vulnerability Type | Challenge Count | Difficulty Range |
|---|---|---|
| Injection | 15+ | 1-6 stars |
| Broken Authentication | 10+ | 1-5 stars |
| Sensitive Data Exposure | 12+ | 1-4 stars |
| XSS (Cross-Site Scripting) | 8+ | 1-4 stars |
| Broken Access Control | 15+ | 1-5 stars |
| Security Misconfiguration | 8+ | 1-3 stars |
| Cryptographic Failures | 6+ | 2-5 stars |
| Others (SSRF, XXE, Deserialization, etc.) | 20+ | 2-6 stars |
Difficulty Rating Explanation
Juice Shop uses a 1-6 star rating system:
| Stars | Difficulty | Suitable For | Required Skills |
|---|---|---|---|
| β | Very Easy | Complete beginners | Just know how to use a browser |
| ββ | Easy | Beginners | Basic web knowledge |
| βββ | Medium | Those with basics | Understand HTTP, can use dev tools |
| ββββ | Hard | Advanced | Familiar with attack techniques |
| βββββ | Very Hard | Experts | Requires creativity and deep technical skills |
| ββββββ | Extremely Hard | Masters | Requires combining multiple techniques |
Recommended to start from 1 star and progress gradually.
Environment Setup
There are multiple ways to run Juice Shop. Choose the method that suits you best.
Method 1: Docker Installation (Recommended)
The simplest method. Just need Docker.
# Pull the image
docker pull bkimminich/juice-shop
# Run
docker run -d -p 3000:3000 bkimminich/juice-shop
# Open browser
# http://localhost:3000
Done! Start practicing in minutes.
Docker Compose Version (easier management):
# docker-compose.yml
version: '3'
services:
juice-shop:
image: bkimminich/juice-shop
ports:
- "3000:3000"
restart: unless-stopped
docker-compose up -d
Method 2: Node.js Installation
If you want to see source code or modify settings, use this method.
System Requirements:
- Node.js 18 or newer
- npm or yarn
# Download source code
git clone https://github.com/juice-shop/juice-shop.git
cd juice-shop
# Install dependencies
npm install
# Start
npm start
# Open http://localhost:3000
Method 3: Cloud Deployment
For practicing anytime, anywhere, deploy to the cloud.
Heroku Deployment:
# Requires Heroku CLI
heroku login
heroku create my-juice-shop
git push heroku main
Other Options:
- Google Cloud Run
- AWS Elastic Beanstalk
- Azure App Service
Note: Don't deploy Juice Shop publicly accessible without protection. It's intentionally designed to be vulnerable.
Challenge Walkthrough
Here are representative challenges and solution approaches for each difficulty level.
Important Reminder: Looking at solutions directly loses the learning effect. Try yourself first, then refer to hints when stuck.
1-2 Star Challenges: Getting Started
These challenges help you familiarize with the environment and basic techniques.
Challenge: Score Board (Find the Scoreboard)
Difficulty: β
Goal: Find the hidden scoreboard page
Hints:
- The scoreboard tracks your progress
- It's "hidden" but not really hidden
Solution Approach:
- Open browser developer tools (F12)
- Check JavaScript files
- Search for "score" related routes
- Or just guess
/score-board
Challenge: DOM XSS
Difficulty: β
Goal: Execute a DOM-based XSS attack
Hints:
- Search function might have issues
- Try entering special characters in search bar
Solution Approach:
- Enter in search bar:
<iframe src="javascript:alert('xss')"> - Observe page reaction
Challenge: Confidential Document
Difficulty: β
Goal: Find confidential documents
Hints:
- Website might have files that shouldn't be public
- Try exploring directory structure
Solution Approach:
- Browse website, find "About Us" and similar pages
- Check for links pointing to documents
- Try accessing
/ftpdirectory - Download confidential documents
3-4 Star Challenges: Advanced
Requires more technical knowledge and creativity.
Challenge: Login Admin
Difficulty: ββ
Goal: Login as administrator
Hints:
- SQL Injection is an old friend
- Login form might not handle input properly
Solution Approach:
- In login page email field, enter:
' OR 1=1-- - Enter anything for password
- Click login
This is classic SQL Injection. The query becomes:
SELECT * FROM Users WHERE email='' OR 1=1--' AND password='xxx'
OR 1=1 is always true, -- comments out the password check.
Challenge: Forged Feedback
Difficulty: βββ
Goal: Submit feedback as another user
Hints:
- Feedback form has hidden fields
- Can modify with developer tools or Proxy
Solution Approach:
- Open feedback page
- Use developer tools to find
userIdhidden field - Change to another user's ID
- Submit form
This demonstrates the importance of "don't trust the client."
Challenge: Basket Access
Difficulty: βββ
Goal: View other users' shopping cart contents
Hints:
- API might have access control issues
- Try modifying ID in requests
Solution Approach:
- Login to your account, go to shopping cart
- Observe API requests, find
/rest/basket/X - Change X to other numbers (like 1, 2)
- Check response
This is BOLA (Broken Object Level Authorization), ranked #1 in OWASP API Top 10.
5-6 Star Challenges: Expert Level
Requires deep technical knowledge and creative thinking.
Challenge: NoSQL Injection
Difficulty: ββββ
Goal: Exploit NoSQL Injection vulnerability
Hints:
- Product review feature uses MongoDB
- NoSQL injection differs from SQL
Solution Approach: Requires understanding MongoDB query syntax, using operators like $ne, $gt for injection.
Challenge: Forged Signed JWT
Difficulty: βββββ
Goal: Forge a valid JWT Token
Hints:
- JWT security relies on signatures
- In some cases signatures can be bypassed
Solution Approach:
- Get existing JWT Token
- Decode to view structure
- Research common JWT attacks (like
alg: none) - Attempt to forge Token
Challenge: RCE (Remote Code Execution)
Difficulty: ββββββ
Goal: Execute arbitrary code on the server
Hints:
- This is the most severe vulnerability type
- Need to find entry points for code execution
Solution Approach: Requires combining multiple vulnerabilities to find places where code can be injected and executed. These challenges require deep expertise.
Learning Path Recommendations
Choose an appropriate learning path based on your background.
Beginner Path (Zero Foundation)
Goal: Build basic concepts, complete 1-2 star challenges
Learning Steps:
- First learn basic web knowledge (HTML, HTTP, Cookie)
- Learn to use browser developer tools
- Complete all 1 star challenges
- Read explanations for each vulnerability
- Challenge 2 star problems
Estimated Time: 2-4 weeks
Recommended Resources:
- MDN Web Docs
- OWASP Top 10 documentation
- YouTube tutorials
Advanced Path (Has Development Experience)
Goal: Understand common vulnerability principles, complete 3-4 star challenges
Learning Steps:
- Quickly complete 1-2 star warmup
- Learn to use Burp Suite or OWASP ZAP
- Systematically learn each vulnerability type
- Complete 3-4 star challenges
- Study principles behind challenges
Estimated Time: 4-8 weeks
Recommended Resources:
- PortSwigger Web Security Academy
- OWASP Testing Guide
- HackTheBox
Expert Path (Security Professional)
Goal: Master various attack techniques, complete 5-6 star challenges
Learning Steps:
- Quickly clear 1-4 stars
- Deep dive into high-difficulty vulnerabilities
- Try solving without hints
- Study source code to understand vulnerability causes
- Challenge time-limited completion
Estimated Time: Continuous improvement
Recommended Resources:
- Real Bug Bounty programs
- CTF competitions
- Security conferences
Other OWASP Practice Platforms
Besides Juice Shop, OWASP provides other practice platforms.
OWASP WebGoat
WebGoat is OWASP's earliest practice platform. More "educational" than Juice Shop.
Features:
- Detailed teaching explanations for each vulnerability
- Step-by-step guidance through attacks
- Suitable for systematic learning
- Developed in Java
Installation:
docker pull webgoat/webgoat
docker run -p 8080:8080 -p 9090:9090 webgoat/webgoat
Comparison:
| Aspect | Juice Shop | WebGoat |
|---|---|---|
| Style | Gamified, free exploration | Educational, step-by-step |
| Difficulty | 1-6 stars broad range | More basic |
| Tech Stack | Node.js + Angular | Java |
| Suitable For | CTF enthusiasts | Systematic learners |
OWASP BWA (Broken Web Applications)
BWA is a virtual machine containing multiple vulnerable applications.
Included Applications:
- DVWA (Damn Vulnerable Web App)
- Mutillidae
- WebGoat
- And dozens more
Features:
- Multiple practice environments at once
- Requires more system resources
- Some applications are outdated
Suitable For: People who want to compare different practice platforms
Platform Selection Recommendations
| Your Need | Recommended Platform |
|---|---|
| Quick start, fun | Juice Shop |
| Systematic learning, need tutorials | WebGoat |
| Multiple environments, deep practice | BWA |
| Realism, advanced challenges | HackTheBox, TryHackMe |
Practicing with OWASP ZAP
Juice Shop and OWASP ZAP are a perfect match. One provides the vulnerable environment, the other provides testing tools.
Setting Up ZAP Proxy
- Start ZAP
- Configure browser Proxy to point to localhost:8080
- Browse Juice Shop website
- ZAP automatically records all traffic
Using ZAP to Find Vulnerabilities
Passive Scanning: Browse Juice Shop normally, ZAP automatically analyzes responses, finding obvious issues (like missing security headers).
Active Scanning: Run active scan against Juice Shop, letting ZAP automatically test various attack vectors.
Right-click Juice Shop in Sites
β Attack β Active Scan
β Wait for scan completion
β Check Alerts tab
Manual Testing: Use ZAP's "Manual Request Editor" to modify requests, testing API vulnerabilities.
For detailed ZAP usage tutorial, refer to OWASP ZAP Complete Tutorial.
Practice Recommendations
- Try manually first: Build intuition
- Then verify with tools: Learn what tools can find
- Compare differences: Understand automated tool limitations
- Study principles: Know why attacks succeed
FAQ
Q1: Can Juice Shop Be Used for Interview Preparation?
Yes, very helpful.
What Juice Shop helps you prepare for:
Technical Interviews:
- Can describe specific vulnerability exploitation experiences
- Demonstrate understanding of OWASP Top 10
- Have actual practice records to share
Practical Tests: Some companies give CTF-style tests. Juice Shop practice makes you more familiar with these problems.
Preparation Recommendations:
- Complete at least 50% of challenges
- Can clearly explain principles and defenses for each vulnerability
- Prepare a few impressive challenges as stories
- Understand real-world impact of vulnerabilities
Q2: How Long to Complete All Challenges?
Depends on experience, from weeks to months.
Reference Time:
| Background | Estimated Time |
|---|---|
| Complete beginner | 3-6 months |
| Has development experience | 1-3 months |
| Has security basics | 2-4 weeks |
| Security expert | Few days to 1 week |
Influencing Factors:
- Daily time investment
- Whether looking at hints/solutions
- Previous technical background
- Depth of learning (just solving vs understanding principles)
Recommendation: Don't chase speed, focus on truly understanding each vulnerability.
Q3: Are There Official Solutions?
Yes, but use cautiously.
Official Resources:
- Pwning OWASP Juice Shop: Official walkthrough book
- GitHub Wiki: Partial hints and solutions
- YouTube: Community-made walkthrough videos
Usage Recommendations:
- Try yourself for at least 30 minutes
- When stuck, look at "hints" not "solutions"
- After seeing solutions, understand "why"
- Try different methods for same challenge
- After completing, study defense methods
Learning Effectiveness Comparison:
- Solving yourself β Deepest impression, highest satisfaction
- Solving after hints β Still good
- Directly reading solutions β Limited effect, easily forgotten
Real learning happens in the process of being stuck and thinking.
Conclusion
OWASP Juice Shop is the best starting point for learning web security. Free, fun, content-rich.
Why Practice with Juice Shop:
- Practical orientation, not theoretical
- Covers real-world vulnerability types
- Clear progress tracking
- Active community, rich resources
Learning Recommendations:
- Set up environment first, start immediately
- Begin with 1 star challenges, build confidence
- Combine with ZAP for tool learning
- Understand vulnerability principles, not just solving
- Try other platforms after completion
Next Steps:
- Deploy Juice Shop and start practicing
- Join OWASP community for discussion
- Challenge Bug Bounty programs
- Pursue security certifications
If you develop Mobile Apps or IoT products, don't forget to learn OWASP Mobile and IoT Security specific risks.
Security learning is a long road. Juice Shop is a great first step. Have fun!
Need Professional Cloud Advice?
Whether you're evaluating cloud platforms, optimizing existing architecture, or looking for cost-saving solutions, we can help