An intentionally insecure webapp suitable for pentesting and security awareness trainings written in Node, Express and Angular.
Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "Javascript" was purely coincidental!
- Easy to install: Just requires node.js*
- Self contained: Additional dependencies will be resolved and downloaded automatically
- No external DB: A simple file based SQLite database is used which is wiped and regenerated on server startup
- Open source: No hidden costs or caveats
- Score Board: The application keeps track of known vulnerabilities the user has successfully exploited
Juice Shop is the first application written entirely in Javascript listed in the OWASP VWA Directory. It also seems to be the first broken webapp that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.
Feel free to have a look at the latest version of Juice Shop: https://juice-shop.herokuapp.com
This is a "sneak-peek" instance only! You are not allowed to use this instance for your own hacking endeavors! Technically Heroku could view hacking activity on this instance as an attack on their infrastructure! You have been warned!
- Install node.js*
- Run
git clone https://github.com/bkimminich/juice-shop.git
(or clone your own fork of the repository) - Run
npm install
(only has to be done before first start or when you change the source code) - Run
npm start
- Browse to http://localhost:3000
- Install Docker
- Run
docker pull bkimminich/juice-shop
- Run
docker run -d -p 3000:3000 bkimminich/juice-shop
- Browse to http://localhost:3000
- Install and launch Docker Toolbox
- Search for
juice-shop
and click Create to download image and run container - Click on the Open icon next to Web Preview to browse to Juice Shop
- Install node.js 4.x for Windows x64
- Download
juice-shop-<version>_node4_x64.zip
attached to latest release - Unpack and run
npm start
in unzipped folder - Browse to http://localhost:3000
The packaged distribution will neither work on Linux nor on other node.js versions because SQLite is compiled from source for the OS and node.js version which
npm install
is executed on.
- Setup an Amazon Linux AMI instance
- Copy the script below into User Data:
- Use a Security Group that opens port 80
- Launch instance
- Browse to your instance's public DNS
#!/bin/bash
yum update -y
yum install -y docker
service docker start
docker pull bkimminich/juice-shop:latest
docker run -d -p 80:3000 bkimminich/juice-shop:latest
Technically Amazon could view hacking activity on any EC2 instance as an attack on their AWS infrastructure! I highly disrecommend aggressive scanning or automated brute force attacks! You have been warned!
Juice Shop has been successfully tested with the following versions of node.js:
- 0.10.x
- 0.11.x
- 0.12.x
- 4.x
If you need help with the application setup please check the Troubleshooting section below or post your specific problem or question in the official Gitter Chat.
- If you are experiencing Error 128 from some GitHub repos during
bower_install.js
execution, rungit config --global url."https://".insteadOf git://
and trynpm install
again - If using Boot2Docker (Docker inside VirtualBox on Windows) make sure that you also enable port forwarding from Host
127.0.0.1:3000
to0.0.0.0:3000
for TCP - If
npm install
fails after an update of your local copy duringbower_install.js
complaining about version issues, delete/app/bower_components
and try again to remove outdated versions that cause conflicts - You may find it easier to find vulnerabilities using a pen test tool. I strongly recommend Zed Attack Proxy which is open source and very powerful, yet beginner friendly.
Found a bug? Crashed the app? Broken challenge? Found a vulnerability that is not on the Score Board?
Feel free to create an issue or post your ideas in the chat! Pull requests are also highly welcome as long as the tests still pass!
There is a full suite containing independent unit tests for the client- and server-side code. These tests verify if the normal use cases of the application should work. All server-side vulnerabilities are also tested.
npm test
The e2e test suite verifies if all client- and server-side vulnerabilities are exploitable. It passes only when all challenges are solvable on the score board.
npm run protractor
The e2e tests require a working internet connection in order to verify the redirect challenges!
- Guest post on The official Sauce Labs Blog: Proving that an application is as broken as intended
- Teaser post on Björn Kimminich's Blog': Juice Shop
- Hacking the Juice Shop ("So ein Saftladen!"), JavaLand 2016, 08.03.2016
- Hacking the JuiceShop! ("Hackt den Saftladen!"), node.HH Meetup: Security!, 03.02.2016
- Lightning Talk: Hacking the Juice Shop ("So ein Saftladen!"), German OWASP Day 2015, 01.12.2015
- Juice Shop - Hacking an intentionally insecure Javascript Web Application, JS Unconf 2015, 25.04.2015
- So ein Saftladen! - Hacking Session für Developer (und Pentester), 17. OWASP Stammtisch Hamburg, 27.01.2015
Inspired by the "classic" BodgeIt Store by @psiinon.
Copyright (c) 2014-2016 Bjoern Kimminich Licensed under the MIT license.