- name: 'API-only XSS' category: 'XSS' tags: - Danger Zone description: 'Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> without using the frontend application at all.' difficulty: 3 hint: 'You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_without_using_the_frontend_application_at_all' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html' key: restfulXssChallenge disabledEnv: - Docker - Heroku - Gitpod - name: 'Access Log' category: 'Sensitive Data Exposure' description: 'Gain access to any access log file of the server.' difficulty: 4 hint: 'Who would want a server access log to be accessible through a web application?' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_gain_access_to_any_access_log_file_of_the_server' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html' key: accessLogDisclosureChallenge - name: 'Admin Registration' category: 'Improper Input Validation' description: 'Register as a user with administrator privileges.' difficulty: 3 hint: 'You have to assign the unassignable.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_register_as_a_user_with_administrator_privileges' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html' key: registerAdminChallenge - name: 'Admin Section' category: 'Broken Access Control' tags: - Good for Demos description: 'Access the administration section of the store.' difficulty: 2 hint: 'It is just slightly harder to find than the score board link.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_access_the_administration_section_of_the_store' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html' key: adminSectionChallenge tutorial: order: 7 - name: 'Arbitrary File Write' category: 'Vulnerable Components' tags: - Danger Zone - Prerequisite description: 'Overwrite the Legal Information file.' difficulty: 6 hint: 'Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_overwrite_the_legal_information_file' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html' key: fileWriteChallenge disabledEnv: - Docker - Heroku - Gitpod - name: 'Bjoern''s Favorite Pet' category: 'Broken Authentication' tags: - OSINT description: 'Reset the password of Bjoern''s OWASP account via the Forgot Password mechanism with the original answer to his security question.' difficulty: 3 hint: 'He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_the_password_of_bjoerns_owasp_account_via_the_forgot_password_mechanism' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html' key: resetPasswordBjoernOwaspChallenge - name: 'Blockchain Hype' category: 'Security through Obscurity' tags: - Contraption - Code Analysis - Web3 description: 'Learn about the Token Sale before its official announcement.' difficulty: 5 hint: 'The developers truly believe in "Security through Obscurity" over actual access restrictions.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_learn_about_the_token_sale_before_its_official_announcement' mitigationUrl: ~ key: tokenSaleChallenge - name: 'NFT Takeover' category: 'Sensitive Data Exposure' tags: - Contraption - Good for Demos - Web3 description: 'Take over the wallet containing our official Soul Bound Token (NFT).' difficulty: 2 hint: 'Find the seed phrase posted accidentally.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_take_over_the_wallet_containing_our_official_soul_bound_token' mitigationUrl: ~ key: nftUnlockChallenge - name: 'Mint the Honey Pot' category: 'Improper Input Validation' tags: - Web3 - Internet Traffic description: 'Mint the Honey Pot NFT by gathering BEEs from the bee haven.' difficulty: 3 hint: 'Discover NFT wonders among the captivating visual memories.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_mint_the_honey_pot_nft_by_gathering_bees_from_the_bee_haven' mitigationUrl: ~ key: nftMintChallenge - name: 'Wallet Depletion' category: 'Miscellaneous' tags: - Web3 - Internet Traffic description: 'Withdraw more ETH from the new wallet than you deposited.' difficulty: 6 hint: 'Try to exploit the contract of the wallet.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_withdraw_more_eth_from_the_new_wallet_than_you_deposited' mitigationUrl: ~ key: web3WalletChallenge - name: 'Web3 Sandbox' category: 'Broken Access Control' tags: - Web3 description: 'Find an accidentally deployed code sandbox for writing smart contracts on the fly.' difficulty: 1 hint: 'It is just as easy as finding the Score Board.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_find_an_accidentally_deployed_code_sandbox' mitigationUrl: ~ key: web3SandboxChallenge - name: 'Blocked RCE DoS' category: 'Insecure Deserialization' tags: - Danger Zone description: 'Perform a Remote Code Execution that would keep a less hardened application busy forever.' difficulty: 5 hint: 'The feature you need to exploit for this challenge is not directly advertised anywhere.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/insecure-deserialization.html#_perform_a_remote_code_execution_that_would_keep_a_less_hardened_application_busy_forever' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html' key: rceChallenge disabledEnv: - Docker - Heroku - Gitpod - name: 'CAPTCHA Bypass' category: 'Broken Anti Automation' tags: - Brute Force description: 'Submit 10 or more customer feedbacks within 20 seconds.' difficulty: 3 hint: 'After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_submit_10_or_more_customer_feedbacks_within_20_seconds' mitigationUrl: ~ key: captchaBypassChallenge - name: 'Change Bender''s Password' category: 'Broken Authentication' description: 'Change Bender''s password into slurmCl4ssic without using SQL Injection or Forgot Password.' difficulty: 5 hint: 'In previous releases this challenge was wrongly accused of being based on CSRF.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_change_benders_password_into_slurmcl4ssic_without_using_sql_injection_or_forgot_password' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html' key: changePasswordBenderChallenge - name: 'Christmas Special' category: 'Injection' description: 'Order the Christmas special offer of 2014.' difficulty: 4 hint: 'Find out how the application handles unavailable products and try to find a loophole.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_order_the_christmas_special_offer_of_2014' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html' key: christmasSpecialChallenge - name: 'CSP Bypass' category: 'XSS' tags: - Danger Zone description: 'Bypass the Content Security Policy and perform an XSS attack with <script>alert(`xss`)</script> on a legacy page within the application.' difficulty: 4 hint: 'What is even "better" than a legacy page with a homegrown RegEx sanitizer? Having CSP injection issues on the exact same page as well!' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_bypass_the_content_security_policy_and_perform_an_xss_attack_on_a_legacy_page' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html' key: usernameXssChallenge disabledEnv: - Docker - Heroku - Gitpod - name: 'Client-side XSS Protection' category: 'XSS' tags: - Danger Zone description: 'Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> bypassing a client-side security mechanism.' difficulty: 3 hint: 'Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_bypassing_a_client_side_security_mechanism' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html' key: persistedXssUserChallenge disabledEnv: - Docker - Heroku - Gitpod - name: 'Confidential Document' category: 'Sensitive Data Exposure' tags: - Good for Demos description: 'Access a confidential document.' difficulty: 1 hint: 'Analyze and tamper with links in the application that deliver a file directly.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_confidential_document' mitigationUrl: ~ key: directoryListingChallenge - name: 'DOM XSS' category: 'XSS' tags: - Tutorial - Good for Demos description: 'Perform a DOM XSS attack with <iframe src="javascript:alert(`xss`)">.' difficulty: 1 hint: 'Look for an input field where its content appears in the HTML when its form is submitted.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_dom_xss_attack' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html' key: localXssChallenge tutorial: order: 2 - name: 'Database Schema' category: 'Injection' description: 'Exfiltrate the entire DB schema definition via SQL Injection.' difficulty: 3 hint: 'Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_exfiltrate_the_entire_db_schema_definition_via_sql_injection' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html' key: dbSchemaChallenge - name: 'Deprecated Interface' category: 'Security Misconfiguration' tags: - Contraption - Prerequisite description: 'Use a deprecated B2B interface that was not properly shut down.' difficulty: 2 hint: 'The developers who disabled the interface think they could go invisible by just closing their eyes.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_use_a_deprecated_b2b_interface_that_was_not_properly_shut_down' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html' key: deprecatedInterfaceChallenge - name: 'Easter Egg' category: 'Broken Access Control' tags: - Shenanigans - Contraption - Good for Demos description: 'Find the hidden easter egg.' difficulty: 4 hint: 'If you solved one of the three file access challenges, you already know where to find the easter egg.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_find_the_hidden_easter_egg' mitigationUrl: ~ key: easterEggLevelOneChallenge - name: 'Email Leak' category: 'Sensitive Data Exposure' description: 'Perform an unwanted information disclosure by accessing data cross-domain.' difficulty: 5 hint: 'Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_perform_an_unwanted_information_disclosure_by_accessing_data_cross_domain' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet.html' key: emailLeakChallenge - name: 'Empty User Registration' category: 'Improper Input Validation' description: 'Register a user with an empty email and password.' difficulty: 2 hint: 'Consider intercepting and playing with the request payload.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_register_a_user_account_with_an_empty_email_and_password' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html' key: emptyUserRegistration - name: 'Ephemeral Accountant' category: 'Injection' description: 'Log in with the (non-existing) accountant acc0unt4nt@juice-sh.op without ever registering that user.' difficulty: 4 hint: 'Try to create the needed user "out of thin air".' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_the_non_existing_accountant_without_ever_registering_that_user' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html' key: ephemeralAccountantChallenge - name: 'Error Handling' category: 'Security Misconfiguration' tags: - Prerequisite description: 'Provoke an error that is neither very gracefully nor consistently handled.' difficulty: 1 hint: 'Try to submit bad input to forms. Alternatively tamper with URL paths or parameters.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_provoke_an_error_that_is_neither_very_gracefully_nor_consistently_handled' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html' key: errorHandlingChallenge - name: 'Expired Coupon' category: 'Improper Input Validation' description: 'Successfully redeem an expired campaign coupon code.' difficulty: 4 hint: 'Try to identify past special event or holiday campaigns of the shop first.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_successfully_redeem_an_expired_campaign_coupon_code' mitigationUrl: ~ key: manipulateClockChallenge - name: 'Extra Language' category: 'Broken Anti Automation' tags: - Brute Force description: 'Retrieve the language file that never made it into production.' difficulty: 5 hint: 'Brute force is not the only option for this challenge, but a perfectly viable one.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_retrieve_the_language_file_that_never_made_it_into_production' mitigationUrl: ~ key: extraLanguageChallenge - name: 'Five-Star Feedback' category: 'Broken Access Control' description: 'Get rid of all 5-star customer feedback.' difficulty: 2 hint: 'Once you found admin section of the application, this challenge is almost trivial.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_get_rid_of_all_5_star_customer_feedback' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html' key: feedbackChallenge - name: 'Forged Coupon' category: 'Cryptographic Issues' tags: - Good for Demos - Code Analysis description: 'Forge a coupon code that gives you a discount of at least 80%.' difficulty: 6 hint: 'Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_forge_a_coupon_code_that_gives_you_a_discount_of_at_least_80' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html' key: forgedCouponChallenge - name: 'Forged Feedback' category: 'Broken Access Control' tags: - Tutorial description: "Post some feedback in another user's name." difficulty: 3 hint: 'You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_post_some_feedback_in_another_users_name' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html' key: forgedFeedbackChallenge tutorial: order: 10 - name: 'Forged Review' category: 'Broken Access Control' description: 'Post a product review as another user or edit any user''s existing review.' difficulty: 3 hint: 'Observe the flow of product review posting and editing and see if you can exploit it.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_post_a_product_review_as_another_user_or_edit_any_users_existing_review' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html' key: forgedReviewChallenge - name: 'Forged Signed JWT' category: 'Vulnerable Components' description: 'Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op.' difficulty: 6 hint: 'This challenge is explicitly not about acquiring the RSA private key used for JWT signing.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_forge_an_almost_properly_rsa_signed_jwt_token' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html' key: jwtForgedChallenge disabledEnv: - Windows - name: 'Forgotten Developer Backup' category: 'Sensitive Data Exposure' tags: - Contraption - Good for Demos - Prerequisite description: 'Access a developer''s forgotten backup file.' difficulty: 4 hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_developers_forgotten_backup_file' mitigationUrl: ~ key: forgottenDevBackupChallenge - name: 'Forgotten Sales Backup' category: 'Sensitive Data Exposure' tags: - Contraption description: 'Access a salesman''s forgotten backup file.' difficulty: 4 hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_salesmans_forgotten_backup_file' mitigationUrl: ~ key: forgottenBackupChallenge - name: 'Frontend Typosquatting' category: 'Vulnerable Components' description: 'Inform the shop about a typosquatting imposter that dug itself deep into the frontend. (Mention the exact name of the culprit)' difficulty: 5 hint: 'This challenge has nothing to do with mistyping web domains. There is no conveniently misplaced file helping you with this one either. Or is there?' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_typosquatting_imposter_that_dug_itself_deep_into_the_frontend' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html' key: typosquattingAngularChallenge - name: 'GDPR Data Erasure' category: 'Broken Authentication' description: 'Log in with Chris'' erased user account.' difficulty: 3 hint: 'Turns out that something is technically and legally wrong with the implementation of the "right to be forgotten" for users.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_chris_erased_user_account' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html' key: ghostLoginChallenge - name: 'GDPR Data Theft' category: 'Sensitive Data Exposure' description: 'Steal someone else''s personal data without using Injection.' difficulty: 4 hint: 'Trick the regular Data Export to give you more than actually belongs to you.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_steal_someone_elses_personal_data_without_using_injection' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html' key: dataExportChallenge - name: 'HTTP-Header XSS' category: 'XSS' tags: - Danger Zone description: 'Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> through an HTTP header.' difficulty: 4 hint: 'Finding a piece of displayed information that could originate from an HTTP header is part of this challenge.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_through_an_http_header' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html' key: httpHeaderXssChallenge disabledEnv: - Docker - Heroku - Gitpod - name: 'Imaginary Challenge' category: 'Cryptographic Issues' tags: - Shenanigans - Code Analysis description: 'Solve challenge #999. Unfortunately, this challenge does not exist.' difficulty: 6 hint: 'You need to trick the hacking progress persistence feature into thinking you solved challenge #999.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_solve_challenge_999' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html' key: continueCodeChallenge - name: 'Leaked Access Logs' category: 'Sensitive Data Exposure' tags: - OSINT description: 'Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)' difficulty: 5 hint: 'Once you have it, a technique called "Password Spraying" might prove useful.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_dumpster_dive_the_internet_for_a_leaked_password_and_log_in_to_the_original_user_account_it_belongs_to' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html' key: dlpPasswordSprayingChallenge - name: 'Leaked Unsafe Product' category: 'Sensitive Data Exposure' tags: - Shenanigans - OSINT description: 'Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous.' difficulty: 4 hint: 'Your own SQLi and someone else''s Ctrl-V will be your accomplices in this challenge!' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_identify_an_unsafe_product_that_was_removed_from_the_shop_and_inform_the_shop_which_ingredients_are_dangerous' mitigationUrl: ~ key: dlpPastebinDataLeakChallenge - name: 'Legacy Typosquatting' category: 'Vulnerable Components' description: 'Inform the shop about a typosquatting trick it has been a victim of at least in v6.2.0-SNAPSHOT. (Mention the exact name of the culprit)' difficulty: 4 hint: 'This challenge has nothing to do with mistyping web domains. Investigate the forgotten developer''s backup file instead.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_typosquatting_trick_it_has_been_a_victim_of' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html' key: typosquattingNpmChallenge - name: 'Login Admin' category: 'Injection' tags: - Tutorial - Good for Demos description: 'Log in with the administrator''s user account.' difficulty: 2 hint: 'Try different SQL Injection attack patterns depending whether you know the admin''s email address or not.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_the_administrators_user_account' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html' key: loginAdminChallenge tutorial: order: 6 - name: 'Login Amy' category: 'Sensitive Data Exposure' tags: - OSINT description: 'Log in with Amy''s original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the "One Important Final Note")' difficulty: 3 hint: 'This challenge will make you go after a needle in a haystack.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_log_in_with_amys_original_user_credentials' mitigationUrl: ~ key: loginAmyChallenge - name: 'Login Bender' category: 'Injection' tags: - Tutorial description: 'Log in with Bender''s user account.' difficulty: 3 hint: 'If you know Bender''s email address, try SQL Injection. Bender''s password hash might not help you very much.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_benders_user_account' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html' key: loginBenderChallenge tutorial: order: 12 - name: 'Login Bjoern' category: 'Broken Authentication' tags: - Code Analysis description: 'Log in with Bjoern''s Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account.' difficulty: 4 hint: 'The security flaw behind this challenge is 100% OWASP Juice Shop''s fault and 0% Google''s.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_bjoerns_gmail_account' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html' key: oauthUserPasswordChallenge - name: 'Login Jim' category: 'Injection' tags: - Tutorial description: 'Log in with Jim''s user account.' difficulty: 3 hint: 'Try cracking Jim''s password hash if you harvested it already. Alternatively, if you know Jim''s email address, try SQL Injection.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_jims_user_account' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html' key: loginJimChallenge tutorial: order: 11 - name: 'Login MC SafeSearch' category: 'Sensitive Data Exposure' tags: - Shenanigans - OSINT description: 'Log in with MC SafeSearch''s original user credentials without applying SQL Injection or any other bypass.' difficulty: 2 hint: 'You should listen to MC''s hit song "Protect Ya Passwordz".' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_log_in_with_mc_safesearchs_original_user_credentials' mitigationUrl: ~ key: loginRapperChallenge - name: 'Login Support Team' category: 'Security Misconfiguration' tags: - Brute Force - Code Analysis description: 'Log in with the support team''s original user credentials without applying SQL Injection or any other bypass.' difficulty: 6 hint: 'The underlying flaw of this challenge is a lot more human error than technical weakness.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_log_in_with_the_support_teams_original_user_credentials' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html' key: loginSupportChallenge - name: 'Manipulate Basket' category: 'Broken Access Control' description: 'Put an additional product into another user''s shopping basket.' difficulty: 3 hint: 'Have an eye on the HTTP traffic while placing products in the shopping basket. Changing the quantity of products already in the basket doesn''t count.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_put_an_additional_product_into_another_users_shopping_basket' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html' key: basketManipulateChallenge - name: 'Misplaced Signature File' category: 'Sensitive Data Exposure' tags: - Good Practice - Contraption description: 'Access a misplaced SIEM signature file.' difficulty: 4 hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_misplaced_siem_signature_file' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html' key: misplacedSignatureFileChallenge - name: 'Multiple Likes' category: 'Broken Anti Automation' description: 'Like any review at least three times as the same user.' difficulty: 6 hint: 'Punctuality is the politeness of kings.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_like_any_review_at_least_three_times_as_the_same_user' mitigationUrl: ~ key: timingAttackChallenge - name: 'Nested Easter Egg' category: 'Cryptographic Issues' tags: - Shenanigans - Good for Demos description: 'Apply some advanced cryptanalysis to find the real easter egg.' difficulty: 4 hint: 'You might have to peel through several layers of tough-as-nails encryption for this challenge.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_apply_some_advanced_cryptanalysis_to_find_the_real_easter_egg' mitigationUrl: ~ key: easterEggLevelTwoChallenge - name: 'NoSQL DoS' category: 'Injection' tags: - Danger Zone description: 'Let the server sleep for some time. (It has done more than enough hard work for you)' difficulty: 4 hint: 'This challenge is essentially a stripped-down Denial of Service (DoS) attack.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_let_the_server_sleep_for_some_time' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html' key: noSqlCommandChallenge disabledEnv: - Docker - Heroku - Gitpod - name: 'NoSQL Exfiltration' category: 'Injection' tags: - Danger Zone description: 'All your orders are belong to us! Even the ones which don''t.' difficulty: 5 hint: 'Take a close look on how the $where query operator works in MongoDB.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_all_your_orders_are_belong_to_us' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html' key: noSqlOrdersChallenge disabledEnv: - Docker - Heroku - Gitpod - name: 'NoSQL Manipulation' category: 'Injection' description: 'Update multiple product reviews at the same time.' difficulty: 4 hint: 'Take a close look on how the equivalent of UPDATE-statements in MongoDB work.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_update_multiple_product_reviews_at_the_same_time' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html' key: noSqlReviewsChallenge - name: 'Outdated Allowlist' category: 'Unvalidated Redirects' tags: - Code Analysis description: 'Let us redirect you to one of our crypto currency addresses which are not promoted any longer.' difficulty: 1 hint: 'We might have failed to take this out of our code properly.' 
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/unvalidated-redirects.html#_let_us_redirect_you_to_one_of_our_crypto_currency_addresses' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html' key: redirectCryptoCurrencyChallenge - name: 'Password Strength' category: 'Broken Authentication' tags: - Brute Force - Tutorial description: 'Log in with the administrator''s user credentials without previously changing them or applying SQL Injection.' difficulty: 2 hint: 'This one should be equally easy to a) brute force, b) crack the password hash or c) simply guess.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_the_administrators_user_credentials_without_previously_changing_them_or_applying_sql_injection' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html' key: weakPasswordChallenge tutorial: order: 8 - name: 'Payback Time' category: 'Improper Input Validation' description: 'Place an order that makes you rich.' difficulty: 3 hint: 'You literally need to make the shop owe you any amount of money.' hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_place_an_order_that_makes_you_rich' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html' key: negativeOrderChallenge - name: 'Premium Paywall' category: 'Cryptographic Issues' tags: - Shenanigans description: ' Unlock Premium Challenge to access exclusive content.' difficulty: 6 hint: 'You do not have to pay anything to unlock this challenge! Nonetheless, donations are very much appreciated.' 
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_unlock_premium_challenge_to_access_exclusive_content'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html'
  key: premiumPaywallChallenge
- name: 'Privacy Policy'
  category: 'Miscellaneous'
  tags:
    - Good Practice
    - Tutorial
    - Good for Demos
  description: 'Read our privacy policy.'
  difficulty: 1
  hint: 'We won''t even ask you to confirm that you did. Just read it. Please. Pretty please.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_read_our_privacy_policy'
  mitigationUrl: ~
  key: privacyPolicyChallenge
  tutorial:
    order: 4
- name: 'Privacy Policy Inspection'
  category: 'Security through Obscurity'
  tags:
    - Shenanigans
    - Good for Demos
  description: 'Prove that you actually read our privacy policy.'
  difficulty: 3
  hint: 'Only by visiting a special URL you can confirm that you read it carefully.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_prove_that_you_actually_read_our_privacy_policy'
  mitigationUrl: ~
  key: privacyPolicyProofChallenge
- name: 'Product Tampering'
  category: 'Broken Access Control'
  description: 'Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com.'
  difficulty: 3
  hint: 'Look for one of the following: a) broken admin functionality, b) holes in RESTful API or c) possibility for SQL Injection.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_change_the_href_of_the_link_within_the_o_saft_product_description'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html'
  key: changeProductChallenge
- name: 'Reflected XSS'
  category: 'XSS'
  tags:
    - Tutorial
    - Danger Zone
    - Good for Demos
  description: 'Perform a reflected XSS attack with <iframe src="javascript:alert(`xss`)">.'
  difficulty: 2
  hint: 'Look for a url parameter where its value appears in the page it is leading to.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_reflected_xss_attack'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: reflectedXssChallenge
  tutorial:
    order: 5
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Repetitive Registration'
  category: 'Improper Input Validation'
  description: 'Follow the DRY principle while registering a user.'
  difficulty: 1
  hint: 'You can solve this by cleverly interacting with the UI or bypassing it altogether.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_follow_the_dry_principle_while_registering_a_user'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html'
  key: passwordRepeatChallenge
- name: 'Reset Bender''s Password'
  category: 'Broken Authentication'
  tags:
    - OSINT
  description: 'Reset Bender''s password via the Forgot Password mechanism with the original answer to his security question.'
  difficulty: 4
  hint: 'Not as trivial as Jim''s but still not too difficult with some "Futurama" background knowledge.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_benders_password_via_the_forgot_password_mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: resetPasswordBenderChallenge
- name: 'Reset Bjoern''s Password'
  category: 'Broken Authentication'
  tags:
    - OSINT
  description: 'Reset the password of Bjoern''s internal account via the Forgot Password mechanism with the original answer to his security question.'
  difficulty: 5
  hint: 'Nothing a little bit of Facebook stalking couldn''t reveal. Might involve a historical twist.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_the_password_of_bjoerns_internal_account_via_the_forgot_password_mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: resetPasswordBjoernChallenge
- name: 'Reset Jim''s Password'
  category: 'Broken Authentication'
  tags:
    - OSINT
  description: 'Reset Jim''s password via the Forgot Password mechanism with the original answer to his security question.'
  difficulty: 3
  hint: 'It''s hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly exposed.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_jims_password_via_the_forgot_password_mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: resetPasswordJimChallenge
- name: 'Reset Morty''s Password'
  category: 'Broken Anti Automation'
  tags:
    - OSINT
    - Brute Force
  description: 'Reset Morty''s password via the Forgot Password mechanism with his obfuscated answer to his security question.'
  difficulty: 5
  hint: 'Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty''s security question.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_reset_mortys_password_via_the_forgot_password_mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html'
  key: resetPasswordMortyChallenge
- name: 'Retrieve Blueprint'
  category: 'Sensitive Data Exposure'
  description: 'Deprive the shop of earnings by downloading the blueprint for one of its products.'
  difficulty: 5
  hint: 'The product you might want to give a closer look is the OWASP Juice Shop Logo (3D-printed).'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_deprive_the_shop_of_earnings_by_downloading_the_blueprint_for_one_of_its_products'
  mitigationUrl: ~
  key: retrieveBlueprintChallenge
- name: 'SSRF'
  category: 'Broken Access Control'
  tags:
    - Code Analysis
  description: 'Request a hidden resource on server through server.'
  difficulty: 6
  hint: 'Reverse engineering something bad can make good things happen.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_request_a_hidden_resource_on_server_through_server'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html'
  key: ssrfChallenge
- name: 'SSTi'
  category: 'Injection'
  tags:
    - Contraption
    - Danger Zone
    - Code Analysis
  description: 'Infect the server with juicy malware by abusing arbitrary command execution.'
  difficulty: 6
  hint: '"SSTi" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_infect_the_server_with_juicy_malware_by_abusing_arbitrary_command_execution'
  mitigationUrl: ~
  key: sstiChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Score Board'
  category: 'Miscellaneous'
  tags:
    - Tutorial
    - Code Analysis
  description: 'Find the carefully hidden ''Score Board'' page.'
  difficulty: 1
  hint: 'Try to find a reference or clue behind the scenes. Or simply guess what URL the Score Board might have.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/score-board.html#_find_the_carefully_hidden_score_board_page'
  mitigationUrl: ~
  key: scoreBoardChallenge
  tutorial:
    order: 1
- name: 'Security Policy'
  category: 'Miscellaneous'
  tags:
    - Good Practice
  description: 'Behave like any "white-hat" should before getting into the action.'
  difficulty: 2
  hint: 'Undoubtedly you want to read our security policy before conducting any research on our application.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_behave_like_any_white_hat_should_before_getting_into_the_action'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html'
  key: securityPolicyChallenge
- name: 'Server-side XSS Protection'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> bypassing a server-side security mechanism.'
  difficulty: 4
  hint: 'The "Comment" field in the "Customer Feedback" screen is where you want to put your focus on.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_bypassing_a_server_side_security_mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: persistedXssFeedbackChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Steganography'
  category: 'Security through Obscurity'
  tags:
    - Shenanigans
  description: 'Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)'
  difficulty: 4
  hint: 'No matter how good your eyes are, you will need tool assistance for this challenge.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_rat_out_a_notorious_character_hiding_in_plain_sight_in_the_shop'
  mitigationUrl: ~
  key: hiddenImageChallenge
- name: 'Successful RCE DoS'
  category: 'Insecure Deserialization'
  tags:
    - Danger Zone
  description: 'Perform a Remote Code Execution that occupies the server for a while without using infinite loops.'
  difficulty: 6
  hint: 'Your attack payload must not trigger the protection against too many iterations.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/insecure-deserialization.html#_perform_a_remote_code_execution_that_occupies_the_server_for_a_while_without_using_infinite_loops'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
  key: rceOccupyChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Supply Chain Attack'
  category: 'Vulnerable Components'
  tags:
    - OSINT
  description: 'Inform the development team about a danger to some of their credentials. (Send them the URL of the original report or an assigned CVE or another identifier of this vulnerability)'
  difficulty: 5
  hint: 'This vulnerability will not affect any customer of the shop. It is aimed exclusively at its developers.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_development_team_about_a_danger_to_some_of_their_credentials'
  mitigationUrl: ~
  key: supplyChainAttackChallenge
- name: 'Two Factor Authentication'
  category: 'Broken Authentication'
  description: 'Solve the 2FA challenge for user "wurstbrot". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)'
  difficulty: 5
  hint: 'The 2FA implementation requires to store a secret for every user. You will need to find a way to access this secret in order to solve this challenge.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_solve_the_2fa_challenge_for_user_wurstbrot'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html'
  key: twoFactorAuthUnsafeSecretStorageChallenge
- name: 'Unsigned JWT'
  category: 'Vulnerable Components'
  description: 'Forge an essentially unsigned JWT token that impersonates the (non-existing) user jwtn3d@juice-sh.op.'
  difficulty: 5
  hint: 'This challenge exploits a weird option that is supported when signing tokens with JWT.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_forge_an_essentially_unsigned_jwt_token'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html'
  key: jwtUnsignedChallenge
- name: 'Upload Size'
  category: 'Improper Input Validation'
  description: 'Upload a file larger than 100 kB.'
  difficulty: 3
  hint: 'You can attach a small file to the "Complaint" form. Investigate how this upload actually works.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_upload_a_file_larger_than_100_kb'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html'
  key: uploadSizeChallenge
- name: 'Upload Type'
  category: 'Improper Input Validation'
  description: 'Upload a file that has no .pdf or .zip extension.'
  difficulty: 3
  hint: 'You can attach a PDF or ZIP file to the "Complaint" form. Investigate how this upload actually works.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_upload_a_file_that_has_no_pdf_or_zip_extension'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html'
  key: uploadTypeChallenge
- name: 'User Credentials'
  category: 'Injection'
  description: 'Retrieve a list of all user credentials via SQL Injection.'
  difficulty: 4
  hint: 'Gather information on where user data is stored and how it is addressed. Then craft a corresponding UNION SELECT attack.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_retrieve_a_list_of_all_user_credentials_via_sql_injection'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: unionSqlInjectionChallenge
- name: 'Video XSS'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Embed an XSS payload </script><script>alert(`xss`)</script> into our promo video.'
  difficulty: 6
  hint: 'You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_embed_an_xss_payload_into_our_promo_video'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: videoXssChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'View Basket'
  category: 'Broken Access Control'
  tags:
    - Tutorial
    - Good for Demos
  description: 'View another user''s shopping basket.'
  difficulty: 2
  hint: 'Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_view_another_users_shopping_basket'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html'
  key: basketAccessChallenge
  tutorial:
    order: 9
- name: 'Vulnerable Library'
  category: 'Vulnerable Components'
  tags:
    - OSINT
  description: 'Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment)'
  difficulty: 4
  hint: 'Report one of two possible answers via the "Customer Feedback" form. Do not forget to submit the library''s version as well.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_vulnerable_library_it_is_using'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html'
  key: knownVulnerableComponentChallenge
- name: 'Weird Crypto'
  category: 'Cryptographic Issues'
  description: 'Inform the shop about an algorithm or library it should definitely not use the way it does.'
  difficulty: 2
  hint: 'Report one of four possible answers via the "Customer Feedback" form.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_inform_the_shop_about_an_algorithm_or_library_it_should_definitely_not_use_the_way_it_does'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html'
  key: weirdCryptoChallenge
- name: 'Allowlist Bypass'
  category: 'Unvalidated Redirects'
  tags:
    - Prerequisite
  description: 'Enforce a redirect to a page you are not supposed to redirect to.'
  difficulty: 4
  hint: 'You have to find a way to beat the allowlist of allowed redirect URLs.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/unvalidated-redirects.html#_enforce_a_redirect_to_a_page_you_are_not_supposed_to_redirect_to'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html'
  key: redirectChallenge
- name: 'XXE Data Access'
  category: 'XXE'
  tags:
    - Danger Zone
  description: 'Retrieve the content of C:\Windows\system.ini or /etc/passwd from the server.'
  difficulty: 3
  hint: 'The leverage point for this challenge is the deprecated B2B interface.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xxe.html#_retrieve_the_content_of_cwindowssystemini_or_etcpasswd_from_the_server'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html'
  key: xxeFileDisclosureChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'XXE DoS'
  category: 'XXE'
  tags:
    - Danger Zone
  description: 'Give the server something to chew on for quite a while.'
  difficulty: 5
  hint: 'It is not as easy as sending a large amount of data directly to the deprecated B2B interface.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xxe.html#_give_the_server_something_to_chew_on_for_quite_a_while'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html'
  key: xxeDosChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Zero Stars'
  category: 'Improper Input Validation'
  description: 'Give a devastating zero-star feedback to the store.'
  difficulty: 1
  hint: 'Before you invest time bypassing the API, you might want to play around with the UI a bit.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_give_a_devastating_zero_star_feedback_to_the_store'
  mitigationUrl: ~
  key: zeroStarsChallenge
- name: 'Missing Encoding'
  category: 'Improper Input Validation'
  tags:
    - Shenanigans
  description: 'Retrieve the photo of Bjoern''s cat in "melee combat-mode".'
  difficulty: 1
  hint: 'Check the Photo Wall for an image that could not be loaded correctly.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_retrieve_the_photo_of_bjoerns_cat_in_melee_combat_mode'
  mitigationUrl: ~
  key: missingEncodingChallenge
- name: 'Cross-Site Imaging'
  category: 'Security Misconfiguration'
  tags:
    - Contraption
  description: 'Stick cute cross-domain kittens all over our delivery boxes.'
  difficulty: 5
  hint: 'This challenge would formally have to be in several categories as the developers made multiple gaffes for this to be possible.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_stick_cute_cross_domain_kittens_all_over_our_delivery_boxes'
  mitigationUrl: ~
  key: svgInjectionChallenge
- name: 'Exposed Metrics'
  category: 'Sensitive Data Exposure'
  tags:
    - Good Practice
  description: 'Find the endpoint that serves usage data to be scraped by a popular monitoring system.'
  difficulty: 1
  hint: 'Try to guess what URL the endpoint might have.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_find_the_endpoint_that_serves_usage_data_to_be_scraped_by_a_popular_monitoring_system'
  mitigationUrl: ~
  key: exposedMetricsChallenge
- name: 'Deluxe Fraud'
  category: 'Improper Input Validation'
  description: 'Obtain a Deluxe Membership without paying for it.'
  difficulty: 3
  hint: 'Look closely at what happens when you attempt to upgrade your account.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_obtain_a_deluxe_membership_without_paying_for_it'
  mitigationUrl: ~
  key: freeDeluxeChallenge
- name: 'CSRF' # FIXME No e2e test automation! No longer works in Chrome >=80 and Firefox >=100 or other latest browsers!
  category: 'Broken Access Control'
  description: 'Change the name of a user by performing Cross-Site Request Forgery from another origin.'
  difficulty: 3
  hint: 'Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_change_the_name_of_a_user_by_performing_cross_site_request_forgery_from_another_origin'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html'
  key: csrfChallenge
- name: 'Bonus Payload'
  category: 'XSS'
  tags:
    - Shenanigans
    - Tutorial
  description: 'Use the bonus payload <iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe> in the DOM XSS challenge.'
  difficulty: 1
  hint: 'Copy + Paste = Solved!'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_use_the_bonus_payload_in_the_dom_xss_challenge'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html'
  key: xssBonusChallenge
  tutorial:
    order: 3
- name: 'Reset Uvogin''s Password'
  category: 'Sensitive Data Exposure'
  tags:
    - OSINT
  description: 'Reset Uvogin''s password via the Forgot Password mechanism with the original answer to his security question.'
  difficulty: 4
  hint: 'You might have to do some OSINT on his social media personas to find out his honest answer to the security question.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_reset_uvogins_password_via_the_forgot_password_mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: resetPasswordUvoginChallenge
- name: 'Meta Geo Stalking'
  category: 'Sensitive Data Exposure'
  tags:
    - OSINT
  description: 'Determine the answer to John''s security question by looking at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism.'
  difficulty: 2
  hint: 'Take a look at the meta data of the corresponding photo.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_determine_the_answer_to_johns_security_question'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: geoStalkingMetaChallenge
- name: 'Visual Geo Stalking'
  category: 'Sensitive Data Exposure'
  tags:
    - OSINT
  description: 'Determine the answer to Emma''s security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.'
  difficulty: 2
  hint: 'Take a look at the details in the photo to determine the location of where it was taken.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_determine_the_answer_to_emmas_security_question'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: geoStalkingVisualChallenge
- name: 'Kill Chatbot'
  category: 'Vulnerable Components'
  tags:
    - Code Analysis
  description: 'Permanently disable the support chatbot so that it can no longer answer customer queries.'
  difficulty: 5
  hint: 'Think of a way to get a hold of the internal workings on the chatbot API.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_permanently_disable_the_support_chatbot'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
  key: killChatbotChallenge
- name: 'Poison Null Byte'
  category: 'Improper Input Validation'
  tags:
    - Prerequisite
  description: 'Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.'
  difficulty: 4
  hint: 'Take a look at the details in the photo to determine the location of where it was taken.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_bypass_a_security_control_with_a_poison_null_byte'
  mitigationUrl: ~
  key: nullByteChallenge
- name: 'Bully Chatbot'
  category: 'Miscellaneous'
  tags:
    - Shenanigans
    - Brute Force
  description: 'Receive a coupon code from the support chatbot.'
  difficulty: 1
  hint: 'Just keep asking.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_receive_a_coupon_code_from_the_support_chatbot'
  mitigationUrl: ~
  key: bullyChatbotChallenge
- name: 'Local File Read'
  category: 'Vulnerable Components'
  tags:
    - OSINT
    - Danger Zone
  difficulty: 5
  hint: 'You should read up on vulnerabilities in popular NodeJs template engines.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_gain_read_access_to_an_arbitrary_local_file_on_the_web_server'
  description: 'Gain read access to an arbitrary local file on the web server.'
  key: 'lfrChallenge'
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Mass Dispel'
  category: 'Miscellaneous'
  description: 'Close multiple "Challenge solved"-notifications in one go.'
  difficulty: 1
  hint: 'Either check the official documentation or inspect a notification UI element directly.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/score-board.html#_close_multiple_challenge_solved_notifications_in_one_go'
  mitigationUrl: ~
  key: closeNotificationsChallenge
- name: 'Security Advisory'
  category: 'Miscellaneous'
  description: ' The Juice Shop is susceptible to a known vulnerability in a library, for which an advisory has already been issued, marking the Juice Shop as known affected. A fix is still pending. Inform the shop about a suitable checksum as proof that you did your due diligence.'
  difficulty: 3
  hint: 'Security Advisories are often listed in the security.txt'
  hintUrl: ''
  mitigationUrl: ~
  key: csafChallenge