SOLUTIONS.md

Solutions

Did you write a guide specifically on hacking OWASP Juice Shop or record a hacking session of your own? Add it to this file and open a PR! The same goes for any scripts or automated tools you made for making Juice Shop easier to hack!

Everything mentioned on this specific page is considered to contain spoilers for entire challenge solutions so the entries themselves are not individually tagged! You might not want to view anything from this page before tackling the related challenges yourself! 💔 marks resources which rely on some form of cheating to solve a challenge.

🧃 is followed by the last known major release of OWASP Juice Shop that a solution/script/tool is supposedly working with or that a video guide/solution was recorded for.

Table of contents

• Hacking Videos
• Walkthroughs
• Scripts & Tools

Hacking Videos

• 7 Minute Security Podcast (🧃v16.x)
  • Episode #606: 7MS #606: Hacking OWASP Juice Shop (2024 edition) (YouTube)
  • Legacy Episodes (🧃v2.x)
    • Episode #234: 7MS #234: Pentesting OWASP Juice Shop - Part 5 (YouTube)
    • Episode #233: 7MS #233: Pentesting OWASP Juice Shop - Part 4 (YouTube)
    • Episode #232: 7MS #232: Pentesting OWASP Juice Shop - Part 3 (YouTube)
    • Episode #231: 7MS #231: Pentesting OWASP Juice Shop - Part 2 (YouTube)
    • Episode #230: 7MS #230: Pentesting OWASP Juice Shop - Part 1 (YouTube)
    • Episode #229: 7MS #229: Intro to Docker for Pentesters (YouTube)
• How to Solve Juiceshop Challenges - Intern Talks by Indian Servers University (🧃v11.x)
• Hacking the OWASP Juice Shop Series playlist of Compass IT Compliance (🧃v12.x)
  • Hacking the OWASP Juice Shop Series - Deploying the Juice Shop
  • Hacking the OWASP Juice Shop Series - Challenge #1 (Score Board)
  • Hacking the OWASP Juice Shop Series - Challenge #2 (DOM XSS)
  • Hacking the OWASP Juice Shop Series - Challenge #3 (Bonus Payload)
  • Hacking the OWASP Juice Shop Series - Challenge #4 (Repetitive Registration)
  • Hacking the OWASP Juice Shop Series - Challenge #5 (Bully Chatbot)
  • Hacking the OWASP Juice Shop Series - Challenge #6 (Confidential Document)
  • Hacking the OWASP Juice Shop Series - Challenge #7 (Error Handling)
  • Hacking the OWASP Juice Shop Series - Challenge #8 (Exposed Metrics)
  • Hacking the OWASP Juice Shop Series - Challenge #9 (Missing Encoding)
  • Hacking the OWASP Juice Shop Series - Challenge #10 (Outdated Allowlist)
  • Hacking the OWASP Juice Shop Series - Challenge #11 (Privacy Policy)
  • Hacking the OWASP Juice Shop Series - Challenge #12 (Zero Stars)
  • Hacking the OWASP Juice Shop Series - Manage Heroku and Juice Shop
• OWASP Juice Shop | TryHackMe Burp Suite Fundamentals by CyberInsight
• Wie werden APIs "gehackt" - API Sicherheit am Beispiel (:de:) by predic8 (🧃v12.x)
• Hack OWASP Juice Shop playlist of Hacksplained (🧃v10.x - v11.x)
  • ★ Zero Stars
  • ★ Confidential Document
  • ★ DOM XSS
  • ★ Error Handling
  • ★ Missing Encoding
  • ★ Outdated Allowlist
  • ★ Privacy Policy
  • ★ Repetitive Registration
  • ★★ Login Admin
  • ★★ Admin Section
  • ★★ Classic Stored XSS
  • ★★ Deprecated Interface
  • ★★ Five Star Feedback
  • ★★ Login MC SafeSearch
  • ★★ Password Strength
  • ★★ Security Policy
  • ★★ View Basket
  • ★★ Weird Crypto
  • ★★★ API-Only XSS
  • ★★★ Admin Registration
  • ★★★ Björn's Favorite Pet
  • ★★★ Captcha Bypass
  • ★★★ Client-side XSS Protection
  • ★★★ Database Schema
  • ★★★ Forged Feedback
  • ★★★ Forged Review
  • ★★★ GDPR Data Erasure
  • ★★★ Login Amy
  • ★★★ Login Bender
  • ★★★ Login Jim
  • ★★★ Manipluate Basket
  • ★★★ Payback Time
  • ★★★ Privacy Policy Inspection
  • ★★★ Product Tampering
  • ★★★ Reset Jim's Password
  • ★★★ Upload Size
  • ★★★ Upload Type
  • ★★★★ Access Log (Sensitive Data Exposure)
  • ★★★★ Ephemeral Accountant (SQL-Injection)
  • ★★★★ Expired Coupon (Improper Input Validation)
  • ★★★★ Forgotten Developer Backup (Sensitive Data Exposure)
  • ★★★★ Forgotten Sales Backup (Sensitive Data Exposure)
  • ★★★★ GDPR Data Theft (Sensitive Data Exposure)
  • ★★★★ Legacy Typosquatting (Vulnerable Components)
  • ★★★★ Login Bjoern (Broken Authentication)
  • ★★★★ Misplaced Signature File (Sensitive Data Exposure)
  • ★★★★ Nested Easter Egg (Cryptographic Issues)
  • ★★★★ NoSql Manipulation (Injection) 💔
  • ★★★★★ Change Benders Password (Broken Authentication)
  • ★★★★★ Extra Language (Broken Anti Automation)
• Broken Authentication and SQL Injection - OWASP Juice Shop TryHackMe by Motasem Hamdan - CyberSecurity Trainer
• Live Hacking von Online-Shop „Juice Shop” (:de:) Twitch live stream recordings by Gregor Biswanger (🧃v11.x)
  • Level 1
  • Level 2
  • Level 3
  • Level 4
• HackerOne #h1-2004 Community Day: Intro to Web Hacking - OWASP Juice Shop by Nahamsec including the creation of a (fake) bugbounty report for all findings (🧃v10.x)
• TryHackme - JuiceShop Walkthrough by Profesor Parno (🧃v8.x, 🇮🇩)
• OWASP Juice Shop All Challenges Solved || ETHIKERS full-spoiler, time-lapsed, no-commentary hacking trip (🧃v8.x)
• Hacking JavaScript - Intro to Hacking Web Apps (Episode 3) by Arthur Kay (🧃v8.x)
• HackerSploit YouTube channel (🧃v7.x)
  • OWASP Juice Shop - SQL Injection
  • Web App Penetration Testing - #15 - HTTP Attributes (Cookie Stealing)
  • Web App Penetration Testing - #14 - Cookie Collection & Reverse Engineering
  • Web App Penetration Testing - #13 - CSRF (Cross Site Request Forgery)
  • How To Install OWASP Juice Shop

Walkthroughs

• Blog post (:myanmar:) on LOL Security: Juice Shop Walkthrough (🧃v2.x)
• Blog post on IncognitJoe: Hacking(and automating!) the OWASP Juice Shop (🧃v2.x)

Scripts & Tools

• Session management script for OWASP Juice Shop distributed as a scripting template with OWASP ZAP since version 2.9.0 (🧃v10.x)
• Automated solving script for the OWASP Juice Shop written in Python by @incognitjoe (🧃v2.x)