This project is a professional-style API security assessment of the OWASP Juice Shop application.
The focus was on identifying vulnerabilities in REST API endpoints and providing remediation guidance.
- Perform security testing against API endpoints used by the Juice Shop web and mobile apps.
- Identify vulnerabilities using the OWASP API Security Top 10 methodology.
- Produce a client-ready report and proof-of-concept exploit demonstrations.
- Postman - API testing
- OWASP ZAP - Automated scanning
- Burp Suite (Community Edition) - Intercepting proxy
- jq - JSON response parsing
- API Reconnaissance
- Automated Vulnerability Scanning
- Manual Exploitation
- Documentation of Proof-of-Concept Exploits
- Remediation Recommendations
- Broken Authentication (Critical) - Session fixation via stolen cookies.
- Excessive Data Exposure (High) - Leakage of sensitive fields in API responses.
- BOLA / IDOR (High) - Unauthorized access to other users' resources.
- Missing Rate Limiting (Medium) - Brute-force protection absent.
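To illustrate the remediation side of the BOLA/IDOR and Excessive Data Exposure findings, here is an added example (not Juice Shop's code and not part of the original report) of a hypothetical basket-lookup handler in its vulnerable and hardened forms, plus an allow-listed user view. It is written as plain functions with constructed in-memory data so it runs without Express.

```javascript
// Constructed sample data for the example (not real Juice Shop records).
const baskets = {
  1: { id: 1, userId: 1, items: ["Apple Juice"] },
  2: { id: 2, userId: 2, items: ["Banana Juice"] },
};
const users = {
  1: { id: 1, email: "alice@example.test", role: "customer",
       passwordHash: "$2b$10$CONSTRUCTED_HASH", totpSecret: "CONSTRUCTED" },
};

// Vulnerable form (BOLA/IDOR): the handler trusts the client-supplied
// basket id and never checks that the authenticated user owns the basket.
function getBasketVulnerable(authUserId, basketId) {
  const basket = baskets[basketId];
  if (!basket) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: basket };
}

// Hardened form: the lookup is bound to the authenticated user's id taken
// from the session, not from the request. A basket owned by someone else
// is reported exactly like a missing one (404), so the response does not
// confirm that the id exists.
function getBasketHardened(authUserId, basketId) {
  const basket = baskets[basketId];
  if (!basket || basket.userId !== authUserId) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: basket };
}

// Excessive data exposure: build responses from an explicit allow-list of
// fields instead of serialising the whole user record. Anything not listed
// (password hash, TOTP secret, future columns) can never leak by default.
const PUBLIC_USER_FIELDS = ["id", "email", "role"];
function publicUserView(user) {
  const view = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (field in user) view[field] = user[field];
  }
  return view;
}
```
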
- JuiceShop_API_Security_Audit.pdf - Full consulting-style report.
- /screenshots/ - API exploitation proof.
- /tools_used.md - List of tools & commands.
Disclaimer: This project was conducted in a local lab environment on an intentionally vulnerable application.
Do not attempt these techniques on systems without explicit authorization.