
OWASP Juice Shop Tutorial: Complete Guide to Free Web Security Vulnerability Practice

11 min read
#OWASP#Juice Shop#Security Training#CTF#Penetration Testing


TL;DR

  • OWASP Juice Shop is a free web security practice platform
  • Includes over 100 vulnerability challenges, from 1 to 6 stars difficulty
  • Supports Docker one-click deployment, start practicing in minutes
  • Covers all OWASP Top 10 vulnerability types
  • Suitable for security beginners, developers, and CTF enthusiasts

What is OWASP Juice Shop?

OWASP Juice Shop is the world's most popular web security practice platform. It's an intentionally vulnerable online juice store website.

Juice Shop features:

  • Completely free and open source: Anyone can use it
  • Real modern tech stack: Uses Angular + Node.js + SQLite
  • Over 100 challenges: Covers various vulnerability types
  • Gamified design: Unlock achievements, scoreboard, progress tracking
  • Continuously updated: Keeps up with latest security trends

Unlike CTF (Capture The Flag) competitions, Juice Shop focuses more on learning. Each vulnerability corresponds to real-world security issues.

To learn about the OWASP organization and other security projects, refer to the OWASP Complete Guide.

What Vulnerability Types Are Included?

Juice Shop covers vulnerability types that fully correspond to OWASP Top 10:

Vulnerability Type                         | Challenge Count | Difficulty Range
Injection                                  | 15+             | 1-6 stars
Broken Authentication                      | 10+             | 1-5 stars
Sensitive Data Exposure                    | 12+             | 1-4 stars
XSS (Cross-Site Scripting)                 | 8+              | 1-4 stars
Broken Access Control                      | 15+             | 1-5 stars
Security Misconfiguration                  | 8+              | 1-3 stars
Cryptographic Failures                     | 6+              | 2-5 stars
Others (SSRF, XXE, Deserialization, etc.)  | 20+             | 2-6 stars

Difficulty Rating Explanation

Juice Shop uses a 1-6 star rating system:

Stars        | Difficulty     | Suitable For            | Required Skills
⭐           | Very Easy      | Complete beginners      | Just know how to use a browser
⭐⭐         | Easy           | Beginners               | Basic web knowledge
⭐⭐⭐       | Medium         | Those with fundamentals | Understand HTTP, can use dev tools
⭐⭐⭐⭐     | Hard           | Advanced                | Familiar with attack techniques
⭐⭐⭐⭐⭐   | Very Hard      | Experts                 | Requires creativity and deep technical skills
⭐⭐⭐⭐⭐⭐ | Extremely Hard | Masters                 | Requires combining multiple techniques

Start from the 1 star challenges and progress gradually.


Environment Setup

There are multiple ways to run Juice Shop. Choose the method that suits you best.

Method 1: Docker Installation (Recommended)

The simplest method; all you need is Docker.

# Pull the image
docker pull bkimminich/juice-shop

# Run
docker run -d -p 3000:3000 bkimminich/juice-shop

# Open browser
# http://localhost:3000

Done! Start practicing in minutes.

Docker Compose Version (easier management):

# docker-compose.yml
version: '3'
services:
  juice-shop:
    image: bkimminich/juice-shop
    ports:
      - "3000:3000"
    restart: unless-stopped

# Start in the background
docker-compose up -d

Method 2: Node.js Installation

If you want to see source code or modify settings, use this method.

System Requirements:

  • Node.js 18 or newer
  • npm or yarn

# Download source code
git clone https://github.com/juice-shop/juice-shop.git
cd juice-shop

# Install dependencies
npm install

# Start
npm start

# Open http://localhost:3000

Method 3: Cloud Deployment

For practicing anytime, anywhere, deploy to the cloud.

Heroku Deployment:

# Requires Heroku CLI
heroku login
heroku create my-juice-shop
git push heroku main

Other Options:

  • Google Cloud Run
  • AWS Elastic Beanstalk
  • Azure App Service

Note: Don't deploy Juice Shop where it is publicly reachable without protection. It is intentionally designed to be vulnerable.


Challenge Walkthrough

Here are representative challenges and solution approaches for each difficulty level.

Important Reminder: Reading the solutions straight away defeats the purpose of the exercise. Try it yourself first, then consult the hints when stuck.

1-2 Star Challenges: Getting Started

These challenges help you get familiar with the environment and basic techniques.

Challenge: Score Board (Find the Scoreboard)

Difficulty: ⭐

Goal: Find the hidden scoreboard page

Hints:

  • The scoreboard tracks your progress
  • It's "hidden" but not really hidden

Solution Approach:

  1. Open browser developer tools (F12)
  2. Check JavaScript files
  3. Search for "score" related routes
  4. Or just guess /score-board

Challenge: DOM XSS

Difficulty: ⭐

Goal: Execute a DOM-based XSS attack

Hints:

  • Search function might have issues
  • Try entering special characters in search bar

Solution Approach:

  1. Enter in search bar: <iframe src="javascript:alert('xss')">
  2. Observe page reaction

Challenge: Confidential Document

Difficulty: ⭐

Goal: Find confidential documents

Hints:

  • Website might have files that shouldn't be public
  • Try exploring directory structure

Solution Approach:

  1. Browse website, find "About Us" and similar pages
  2. Check for links pointing to documents
  3. Try accessing /ftp directory
  4. Download confidential documents

3-4 Star Challenges: Advanced

Requires more technical knowledge and creativity.

Challenge: Login Admin

Difficulty: ⭐⭐

Goal: Login as administrator

Hints:

  • SQL Injection is an old friend
  • Login form might not handle input properly

Solution Approach:

  1. In login page email field, enter: ' OR 1=1--
  2. Enter anything for password
  3. Click login

This is classic SQL Injection. The query becomes:

SELECT * FROM Users WHERE email='' OR 1=1--' AND password='xxx'

OR 1=1 is always true, and -- turns the rest of the statement, including the password check, into a comment.
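To see both halves of that explanation run, here is an added example (not Juice Shop's own code) that builds the exact query string above against a constructed in-memory SQLite Users table, then shows the same login with bound parameters, where the input can no longer become SQL syntax.

```python
import sqlite3

# Constructed sample rows standing in for the Users table (not Juice Shop's real accounts).
SAMPLE_USERS = [(1, "admin@example.com", "adm1n-pw"), (2, "jim@example.com", "hunter2")]


def make_db():
    """In-memory SQLite database holding the sample Users rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


CONN = make_db()


def vulnerable_sql(email, password):
    """The query text produced by string concatenation, exactly as the page shows it."""
    return f"SELECT * FROM Users WHERE email='{email}' AND password='{password}'"


def login_vulnerable(email, password, conn=CONN):
    """Concatenated query: the -- in the email comments out the password check."""
    return conn.execute(vulnerable_sql(email, password)).fetchall()


def login_parameterized(email, password, conn=CONN):
    """Bound parameters: the input is passed as data and never parsed as SQL."""
    sql = "SELECT * FROM Users WHERE email=? AND password=?"
    return conn.execute(sql, (email, password)).fetchall()


if __name__ == "__main__":
    payload = "' OR 1=1--"
    print(vulnerable_sql(payload, "xxx"))
    print("vulnerable rows:", login_vulnerable(payload, "xxx"))        # every user, admin first
    print("parameterized rows:", login_parameterized(payload, "xxx"))  # []
```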

Challenge: Forged Feedback

Difficulty: ⭐⭐⭐

Goal: Submit feedback as another user

Hints:

  • Feedback form has hidden fields
  • Can modify with developer tools or Proxy

Solution Approach:

  1. Open feedback page
  2. Use developer tools to find userId hidden field
  3. Change to another user's ID
  4. Submit form

This demonstrates the importance of "don't trust the client."

Challenge: Basket Access

Difficulty: ⭐⭐⭐

Goal: View other users' shopping cart contents

Hints:

  • API might have access control issues
  • Try modifying ID in requests

Solution Approach:

  1. Login to your account, go to shopping cart
  2. Observe API requests, find /rest/basket/X
  3. Change X to other numbers (like 1, 2)
  4. Check response

This is BOLA (Broken Object Level Authorization), ranked #1 in OWASP API Top 10.
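The Forged Feedback and Basket Access challenges above fail for the same reason: the server lets the client name the user or object. This added example (not Juice Shop's code; data structures are constructed stand-ins for its tables) shows each handler beside a version that takes identity from the server-side session and checks object ownership.

```python
# Constructed in-memory stand-in for the basket table (not Juice Shop's own code).
BASKETS = {
    1: {"owner": 1, "items": ["Apple Juice"]},
    2: {"owner": 2, "items": ["Banana Juice"]},
}


def get_basket_vulnerable(session_user_id, basket_id):
    """Trusts the X in /rest/basket/X: any logged-in user can read any basket (BOLA)."""
    basket = BASKETS.get(basket_id)
    return (200, basket) if basket else (404, None)


def get_basket_fixed(session_user_id, basket_id):
    """Object-level check: the basket must belong to the user behind the session."""
    basket = BASKETS.get(basket_id)
    if basket is None or basket["owner"] != session_user_id:
        # Same status for "missing" and "not yours", so ids cannot be enumerated by response.
        return (404, None)
    return (200, basket)


def submit_feedback_vulnerable(session_user_id, form):
    """Uses the hidden UserId field from the form: the client decides who 'wrote' it."""
    return {"userId": form.get("UserId", session_user_id), "comment": form["comment"]}


def submit_feedback_fixed(session_user_id, form):
    """Identity comes from the server-side session; a client-supplied UserId is ignored."""
    return {"userId": session_user_id, "comment": form["comment"]}


if __name__ == "__main__":
    # User 1 tampers with both the basket id in the URL and the hidden form field.
    print(get_basket_vulnerable(1, 2))  # (200, user 2's basket)
    print(get_basket_fixed(1, 2))       # (404, None)
    tampered = {"UserId": "2", "comment": "great juice"}
    print(submit_feedback_vulnerable(1, tampered))  # attributed to user 2
    print(submit_feedback_fixed(1, tampered))       # attributed to user 1
```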

5-6 Star Challenges: Expert Level

Requires deep technical knowledge and creative thinking.

Challenge: NoSQL Injection

Difficulty: ⭐⭐⭐⭐

Goal: Exploit NoSQL Injection vulnerability

Hints:

  • Product review feature uses MongoDB
  • NoSQL injection differs from SQL

Solution Approach: Requires understanding MongoDB query syntax; the injection uses query operators such as $ne and $gt.
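Why a JSON object in a request body changes the meaning of a MongoDB filter, as an added example (not Juice Shop's code; the reviews list and the tiny matcher are constructed stand-ins for the real collection and driver): the unfixed handler forwards the decoded value, so {"$ne": 0} becomes an operator instead of a product id, while the fixed handler coerces the parameter to the scalar type the field expects.

```python
# Constructed stand-in for the MongoDB reviews collection (not Juice Shop's own code).
REVIEWS = [
    {"product": 1, "author": "jim@example.com", "message": "tasty"},
    {"product": 2, "author": "bender@example.com", "message": "meh"},
]


def matches(doc, query):
    """Tiny MongoDB-style matcher: a dict value is an operator object such as {"$ne": 0}."""
    for field, cond in query.items():
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$ne":
                    ok = doc[field] != arg
                elif op == "$gt":
                    ok = doc[field] > arg
                else:
                    raise ValueError(f"unsupported operator {op}")
                if not ok:
                    return False
        elif doc[field] != cond:
            return False
    return True


def find_reviews_vulnerable(product_param):
    """Drops the decoded JSON value straight into the filter: an object becomes an operator."""
    return [doc for doc in REVIEWS if matches(doc, {"product": product_param})]


def find_reviews_fixed(product_param):
    """Coerces the parameter to the scalar type the field expects; None means reject (HTTP 400)."""
    if isinstance(product_param, bool) or not isinstance(product_param, (int, str)):
        return None  # dicts, lists and other non-scalars never reach the query
    try:
        product_id = int(product_param)
    except ValueError:
        return None
    return [doc for doc in REVIEWS if matches(doc, {"product": product_id})]
```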

Challenge: Forged Signed JWT

Difficulty: ⭐⭐⭐⭐⭐

Goal: Forge a valid JWT Token

Hints:

  • JWT security relies on signatures
  • In some cases signatures can be bypassed

Solution Approach:

  1. Get existing JWT Token
  2. Decode to view structure
  3. Research common JWT attacks (like alg: none)
  4. Attempt to forge Token
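To make the "alg: none" hint concrete from the verifier's side, here is an added example (not Juice Shop's code; the key is a constructed placeholder) that issues an HS256 JWT, shows the flawed verifier that honours whatever algorithm the token's header declares, and a strict verifier that pins the algorithm and compares the MAC in constant time.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads its key from configuration, never from code.
SECRET = b"constructed-demo-secret"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload, key=SECRET):
    """Issue a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_lax(token, key=SECRET):
    """Flawed pattern: trusts the alg the token declares, so alg 'none' skips the signature."""
    header_b64, body_b64, _ = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") == "none":
        return json.loads(_b64url_decode(body_b64))
    return verify_strict(token, key)


def verify_strict(token, key=SECRET):
    """Pins the algorithm server-side and checks the MAC in constant time; None means reject."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # rejects 'none' and any algorithm substitution
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(body_b64))
```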

Challenge: RCE (Remote Code Execution)

Difficulty: ⭐⭐⭐⭐⭐⭐

Goal: Execute arbitrary code on the server

Hints:

  • This is the most severe vulnerability type
  • Need to find entry points for code execution

Solution Approach: Requires combining multiple vulnerabilities to find places where code can be injected and executed. These challenges require deep expertise.


Learning Path Recommendations

Choose an appropriate learning path based on your background.

Beginner Path (Zero Foundation)

Goal: Build basic concepts, complete 1-2 star challenges

Learning Steps:

  1. First learn basic web knowledge (HTML, HTTP, Cookie)
  2. Learn to use browser developer tools
  3. Complete all 1 star challenges
  4. Read explanations for each vulnerability
  5. Challenge 2 star problems

Estimated Time: 2-4 weeks

Recommended Resources:

  • MDN Web Docs
  • OWASP Top 10 documentation
  • YouTube tutorials

Advanced Path (Has Development Experience)

Goal: Understand common vulnerability principles, complete 3-4 star challenges

Learning Steps:

  1. Quickly complete 1-2 star warmup
  2. Learn to use Burp Suite or OWASP ZAP
  3. Systematically learn each vulnerability type
  4. Complete 3-4 star challenges
  5. Study principles behind challenges

Estimated Time: 4-8 weeks

Recommended Resources:

  • PortSwigger Web Security Academy
  • OWASP Testing Guide
  • HackTheBox

Expert Path (Security Professional)

Goal: Master various attack techniques, complete 5-6 star challenges

Learning Steps:

  1. Quickly clear 1-4 stars
  2. Deep dive into high-difficulty vulnerabilities
  3. Try solving without hints
  4. Study source code to understand vulnerability causes
  5. Challenge time-limited completion

Estimated Time: Continuous improvement

Recommended Resources:

  • Real Bug Bounty programs
  • CTF competitions
  • Security conferences

Other OWASP Practice Platforms

Besides Juice Shop, OWASP provides other practice platforms.

OWASP WebGoat

WebGoat is OWASP's earliest practice platform. More "educational" than Juice Shop.

Features:

  • Detailed teaching explanations for each vulnerability
  • Step-by-step guidance through attacks
  • Suitable for systematic learning
  • Developed in Java

Installation:

docker pull webgoat/webgoat
docker run -p 8080:8080 -p 9090:9090 webgoat/webgoat

Comparison:

Aspect       | Juice Shop                  | WebGoat
Style        | Gamified, free exploration  | Educational, step-by-step
Difficulty   | 1-6 stars, broad range      | More basic
Tech Stack   | Node.js + Angular           | Java
Suitable For | CTF enthusiasts             | Systematic learners

OWASP BWA (Broken Web Applications)

BWA is a virtual machine containing multiple vulnerable applications.

Included Applications:

  • DVWA (Damn Vulnerable Web App)
  • Mutillidae
  • WebGoat
  • And dozens more

Features:

  • Multiple practice environments at once
  • Requires more system resources
  • Some applications are outdated

Suitable For: People who want to compare different practice platforms

Platform Selection Recommendations

Your Need                            | Recommended Platform
Quick start, fun                     | Juice Shop
Systematic learning, need tutorials  | WebGoat
Multiple environments, deep practice | BWA
Realism, advanced challenges         | HackTheBox, TryHackMe

Practicing with OWASP ZAP

Juice Shop and OWASP ZAP are a perfect match. One provides the vulnerable environment, the other provides testing tools.

Setting Up ZAP Proxy

  1. Start ZAP
  2. Configure browser Proxy to point to localhost:8080
  3. Browse Juice Shop website
  4. ZAP automatically records all traffic

Using ZAP to Find Vulnerabilities

Passive Scanning: Browse Juice Shop normally, ZAP automatically analyzes responses, finding obvious issues (like missing security headers).

Active Scanning: Run active scan against Juice Shop, letting ZAP automatically test various attack vectors.

Right-click Juice Shop in Sites
→ Attack → Active Scan
→ Wait for scan completion
→ Check Alerts tab

Manual Testing: Use ZAP's "Manual Request Editor" to modify requests, testing API vulnerabilities.

For detailed ZAP usage tutorial, refer to OWASP ZAP Complete Tutorial.

Practice Recommendations

  1. Try manually first: Build intuition
  2. Then verify with tools: Learn what tools can find
  3. Compare differences: Understand automated tool limitations
  4. Study principles: Know why attacks succeed

FAQ

Q1: Can Juice Shop Be Used for Interview Preparation?

Yes, very helpful.

What Juice Shop helps you prepare for:

Technical Interviews:

  • Can describe specific vulnerability exploitation experiences
  • Demonstrate understanding of OWASP Top 10
  • Have actual practice records to share

Practical Tests: Some companies give CTF-style tests. Juice Shop practice makes you more familiar with these problems.

Preparation Recommendations:

  1. Complete at least 50% of challenges
  2. Can clearly explain principles and defenses for each vulnerability
  3. Prepare a few impressive challenges as stories
  4. Understand real-world impact of vulnerabilities

Q2: How Long to Complete All Challenges?

Depends on experience, from weeks to months.

Reference Time:

Background                 | Estimated Time
Complete beginner          | 3-6 months
Has development experience | 1-3 months
Has security basics        | 2-4 weeks
Security expert            | Few days to 1 week

Influencing Factors:

  • Daily time investment
  • Whether looking at hints/solutions
  • Previous technical background
  • Depth of learning (just solving vs understanding principles)

Recommendation: Don't chase speed, focus on truly understanding each vulnerability.

Q3: Are There Official Solutions?

Yes, but use cautiously.

Official Resources:

  • Pwning OWASP Juice Shop: Official walkthrough book
  • GitHub Wiki: Partial hints and solutions
  • YouTube: Community-made walkthrough videos

Usage Recommendations:

  1. Try yourself for at least 30 minutes
  2. When stuck, look at "hints" not "solutions"
  3. After seeing solutions, understand "why"
  4. Try different methods for same challenge
  5. After completing, study defense methods

Learning Effectiveness Comparison:

  • Solving yourself → Deepest impression, highest satisfaction
  • Solving after hints → Still good
  • Directly reading solutions → Limited effect, easily forgotten

Real learning happens in the process of being stuck and thinking.


Conclusion

OWASP Juice Shop is the best starting point for learning web security. Free, fun, content-rich.

Why Practice with Juice Shop:

  • Practical orientation, not theoretical
  • Covers real-world vulnerability types
  • Clear progress tracking
  • Active community, rich resources

Learning Recommendations:

  1. Set up environment first, start immediately
  2. Begin with 1 star challenges, build confidence
  3. Combine with ZAP for tool learning
  4. Understand vulnerability principles, not just solving
  5. Try other platforms after completion

Next Steps:

  • Deploy Juice Shop and start practicing
  • Join OWASP community for discussion
  • Challenge Bug Bounty programs
  • Pursue security certifications

If you develop Mobile Apps or IoT products, don't forget to learn OWASP Mobile and IoT Security specific risks.

Security learning is a long road. Juice Shop is a great first step. Have fun!
