TE
科技回声
OWASP Juice Shop

144 points by hyperific, more than 2 years ago

9 comments

freeqaz, more than 2 years ago
We've been working on an example vulnerable app to showcase vulnerable dependencies in web apps. (Think a CVE in an NPM package.)

I've been wanting that so that I can test out different security scanning and patching tools, but also actually build a test playground to exploit vulnerable dependencies. (I want to accelerate exploit development for CVEs by making it more standardized.)

If you have a CVE that you'd like to write a POC exploit scenario for, you can add it to this project quickly and easily with pre-built templates[1]! (Wasp[2] is an awesome project that simplifies web dev tooling complexity.)

Are there any other projects with similar goals that anybody is aware of? Asking because I couldn't find any, but I'd love to merge efforts if somebody is already doing this!

0: https://github.com/lunasec-io/damn-vulnerable-js-sca

1: https://github.com/lunasec-io/damn-vulnerable-js-sca/tree/master/wasp/template

2: https://wasp-lang.dev/
thunderbong, more than 2 years ago
From the TFA -

OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!

Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the OWASP VWA Directory.
dieselgate, more than 2 years ago
This is awesome! Convenient for folks who use the Express/Angular stack but conceptual stuff should be pretty universal regardless.

Wasn't aware of this project at all but found the following links useful for context:

The actual Juice Shop website can be found at https://juice-shop.herokuapp.com/#/

and the GitHub link for viewing code is https://github.com/juice-shop/juice-shop/releases/
davidg109, more than 2 years ago
This has been around a while, but I used it with success teaching students all about pesky web app vulns. There's one thing reading about them in a book, it's a whole other level getting students to find them.
kramerger, more than 2 years ago
Are there any similar CTF projects that you can download and run offline?
avg_dev, more than 2 years ago
At a job I had, we had a big CTF event where people broke into groups and attempted to capture flags in the Juice Shop. I thought it was a lot of fun.
sureglymop, more than 2 years ago
On mobile, I only see an "Accept" button for the cookie banner. How can I dismiss it?
japanman425, more than 2 years ago
Can you edit prices client side? If not, I’ve seen worse in the wild.
todotask, more than 2 years ago
I hope OWASP can fix their janky toaster/banner when I open the site.