Lab Juice Shop
CommonHuman-Lab edited this page Apr 29, 2026
| Field | Value |
|---|---|
| ID | 1 |
| Image | bkimminich/juice-shop:latest |
| URL | http://127.0.0.1:3000 |
| Admin credentials | admin@juice-sh.op / admin123 |
| Container name | octorig-juiceshop |
```
./octorig.sh start 1
./octorig.sh stop 1
```

Juice Shop is a modern Node.js web application covering all OWASP Top 10 categories, with an integrated challenge tracker (82 challenges total).
| Category | Examples |
|---|---|
| Injection | SQL injection, NoSQL injection, log injection |
| Broken Authentication | Password reset flaws, JWT forgery |
| XSS | Reflected, stored, DOM-based |
| IDOR | Access other users' data via predictable IDs |
| Security Misconfiguration | Exposed admin interface, debug endpoints |
| Insecure Deserialization | Tamper with serialized objects |
| Sensitive Data Exposure | Exposed API keys, unmasked PII |
| CSRF | State-changing requests without token validation |
The built-in scoreboard is at:
http://127.0.0.1:3000/#/score-board
Challenges are rated 1–6 stars. Filter by category from the scoreboard.
- The admin panel is at `/administration`; finding it is itself a challenge
- Many challenges require reading the JS source in browser devtools
- The REST API (`/api/`) is worth exploring; most challenges have an API surface
- Use Burp Suite to intercept and replay requests
- Start with 1-star challenges to understand the app structure
- Work through SQL injection challenges (`/rest/user/login`)
- Attempt JWT forgery (alg:none attack)
- Explore the file upload endpoint for stored XSS