SOLUTIONS.md

Solutions

Did you write a guide specifically on hacking OWASP Juice Shop or record a hacking session of your own? Add it to this file and open a PR! The same goes for any scripts or automated tools you made for making Juice Shop easier to hack!

Everything mentioned on this specific page is considered to contain spoilers for entire challenge solutions so the entries themselves are not individually tagged! You might not want to view anything from this page before tackling the related challenges yourself!

🧃 is followed by the last known major release of OWASP Juice Shop that a solution/script/tool is supposedly working with or that a video guide/solution was recorded for.

Hacking Videos

• Hack OWASP Juice Shop playlist of Hacksplained (🧃v10.x - v11.x)
  • ★ Zero Stars
  • ★ Confidential Document
  • ★ DOM XSS
  • ★ Error Handling
  • ★ Missing Encoding
  • ★ Outdated Allowlist
  • ★ Privacy Policy
  • ★ Repetitive Registration
  • ★★ Login Admin
  • ★★ Admin Section
  • ★★ Classic Stored XSS
  • ★★ Deprecated Interface
  • ★★ Five Star Feedback
  • ★★ Login MC SafeSearch
  • ★★ Password Strength
  • ★★ Security Policy
  • ★★ View Basket
  • ★★ Weird Crypto
  • ★★★ API-Only XSS
  • ★★★ Admin Registration
  • ★★★ Björn's Favorite Pet
  • ★★★ Captcha Bypass
  • ★★★ Client-side XSS Protection
  • ★★★ Database Schema
  • ★★★ Forged Feedback
  • ★★★ Forged Review
  • ★★★ GDPR Data Erasure
  • ★★★ Login Amy
  • ★★★ Login Bender
  • ★★★ Login Jim
  • ★★★ Manipluate Basket
  • ★★★ Payback Time
  • ★★★ Privacy Policy Inspection
  • ★★★ Product Tampering
  • ★★★ Reset Jim's Password
  • ★★★ Upload Size
  • ★★★ Upload Type
  • ★★★★ Access Log (Sensitive Data Exposure)
  • ★★★★ Ephemeral Accountant (SQL-Injection)
  • ★★★★ Expired Coupon (Improper Input Validation)
  • ★★★★ Forgotten Developer Backup (Sensitive Data Exposure)
  • ★★★★ Forgotten Sales Backup (Sensitive Data Exposure)
  • ★★★★ GDPR Data Theft (Sensitive Data Exposure)
  • ★★★★ Legacy Typosquatting (Vulnerable Components)
  • ★★★★ Login Bjoern (Broken Authentication)
  • ★★★★ Misplaced Signature File (Sensitive Data Exposure)
• Broken Authentication and SQL Injection - OWASP Juice Shop TryHackMe by Motasem Hamdan - CyberSecurity Trainer
• Live Hacking von Online-Shop „Juice Shop” (:de:) Twitch live stream recordings by Gregor Biswanger (🧃v11.x)
  • Level 1
  • Level 2
  • Level 3
• HackerOne #h1-2004 Community Day: Intro to Web Hacking - OWASP Juice Shop by Nahamsec including the creation of a (fake) bugbounty report for all findings (🧃v10.x)
• TryHackme - JuiceShop Walkthrough by Profesor Parno (🧃v8.x, 🇮🇩)
• OWASP Juice Shop All Challenges Solved || ETHIKERS full-spoiler, time-lapsed, no-commentary hacking trip (🧃v8.x)
• Hacking JavaScript - Intro to Hacking Web Apps (Episode 3) by Arthur Kay (🧃v8.x)
• HackerSploit Youtube channel (🧃v7.x)
  • OWASP Juice Shop - SQL Injection
  • Web App Penetration Testing - #15 - HTTP Attributes (Cookie Stealing)
  • Web App Penetration Testing - #14 - Cookie Collection & Reverse Engineering
  • Web App Penetration Testing - #13 - CSRF (Cross Site Request Forgery)
  • How To Install OWASP Juice Shop
• 7 Minute Security Podcast (🧃v2.x)
  • Episode #234: 7MS #234: Pentesting OWASP Juice Shop - Part 5 (Youtube)
  • Episode #233: 7MS #233: Pentesting OWASP Juice Shop - Part 4 (Youtube)
  • Episode #232: 7MS #232: Pentesting OWASP Juice Shop - Part 3 (Youtube)
  • Episode #231: 7MS #231: Pentesting OWASP Juice Shop - Part 2 (Youtube)
  • Episode #230: 7MS #230: Pentesting OWASP Juice Shop - Part 1 (Youtube)
  • Episode #229: 7MS #229: Intro to Docker for Pentesters (Youtube)

Walkthroughs

• Blog post (:myanmar:) on LOL Security: Juice Shop Walkthrough (🧃v2.x)
• Blog post on IncognitJoe: Hacking(and automating!) the OWASP Juice Shop (🧃v2.x)

Scripts & Tools

• Session management script for OWASP Juice Shop distributed as a scripting template with OWASP ZAP since version 2.9.0 (🧃v10.x)
• Automated solving script for the OWASP Juice Shop written in Python by @incognitjoe (🧃v2.x)