OWASP Juice Shop: Web and API Lab
Intro: OWASP Juice Shop is still one of the fastest ways to build real AppSec intuition. It is ideal for newcomers because it is easy to run, but it stays useful for senior engineers because it covers modern web, API, frontend, session, and business-logic issues.
What this page includes
- why Juice Shop is worth keeping in a Product Security training track;
- multiple setup options;
- how to use it for AppSec and API review practice;
- how to avoid turning it into a pure CTF exercise.
What it is
OWASP Juice Shop is a deliberately insecure web application used for:
- security training;
- awareness demos;
- CTF-style learning;
- testing proxies and security tools.
It covers vulnerabilities from the OWASP Top 10 and many other real-world flaw categories. It is especially good because it includes:
- web issues;
- frontend and browser issues;
- REST/API issues;
- coding challenges;
- a scoreboard and guided hints for beginners.
Why it is valuable
Juice Shop is one of the best "first serious labs" because it is:
- easy to install;
- self-contained;
- beginner-friendly;
- broad enough to stay relevant after the beginner stage.
It is also useful for Product Security because you can use it to practice:
- security review notes;
- release-gate ideas;
- API and frontend hardening recommendations;
- scanner validation and false-positive reasoning.
Best fit
| Persona | Fit | Why |
|---|---|---|
| Newcomer | Very high | Fast setup and clear challenge structure |
| AppSec engineer | Very high | Broad vulnerability coverage |
| API reviewer | High | Useful for API abuse, auth, and object access lessons |
| Product Security engineer | High | Good for review checklists and teaching developers |
Run models
Docker container
```shell
docker pull bkimminich/juice-shop
docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop
```
Then open http://localhost:3000.
From source
```shell
git clone https://github.com/juice-shop/juice-shop.git --depth 1
cd juice-shop
npm install
npm start
```
Vagrant
```shell
git clone https://github.com/juice-shop/juice-shop.git
cd juice-shop/vagrant
vagrant up
```
Why Docker is the best default
For most people, the Docker mode is the best starting point because:
- setup is quick;
- teardown is trivial;
- you can rerun from a clean state easily;
- the lab stays isolated from your day-to-day development environment.
How to study Juice Shop well
Don't chase only challenge completion
A better study sequence is:
- identify the entry point;
- describe the flawed trust assumption;
- identify the missing control;
- identify the detection or logging opportunity;
- write the engineering recommendation.
Use it for review discipline
For each challenge or issue type, write:
- what the insecure assumption was;
- how you would spot it in code review or architecture review;
- what test, lint, gate, or checklist could catch it earlier.
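The study sequence and review notes above, applied to one topic cluster (authorization and object access), as an added example that is not code from Juice Shop itself. The route name, the basket data and the audit-log shape are assumptions made for this example; the handlers take a minimal request-like object instead of an Express request so the logic runs stand-alone. It shows the entry point, the flawed trust assumption, the missing control, the detection opportunity, and a release-gate check, side by side:

```javascript
// Added example, not code from Juice Shop itself: the study sequence applied to
// the "authorization and object access" cluster. Entry point: GET /rest/basket/:id.
// Flawed trust assumption: the id the client sends identifies a basket the caller
// may read. Missing control: an ownership check against the authenticated user.
// Detection opportunity: every denied cross-user read is written to an audit log.
// The route name and data below are assumptions made for this example; handlers
// take a minimal request-like object so the logic runs without Express.

// Constructed sample data: two users, each owning one basket.
const baskets = new Map([
  [1, { id: 1, userId: 10, items: ['apple juice'] }],
  [2, { id: 2, userId: 20, items: ['banana juice'] }],
]);

// Audit sink; a real service would send these records to its structured logger.
const auditLog = [];

// Builds the request object as session middleware would have populated it.
function requestFor(userId, basketId) {
  return { user: { id: userId }, params: { id: String(basketId) } };
}

// Insecure version: any authenticated user can read any basket by id.
function getBasketInsecure(req) {
  const basket = baskets.get(Number(req.params.id));
  if (!basket) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: basket };
}

// Hardened version: the id still comes from the client, but the basket is only
// returned when it belongs to the authenticated principal. A denial answers 404
// rather than 403 so the endpoint does not confirm which ids exist, and it is
// recorded so detection can alert on a user probing other users' baskets.
function getBasketHardened(req) {
  const id = Number(req.params.id);
  if (!Number.isInteger(id) || id <= 0) {
    return { status: 400, body: { error: 'invalid id' } };
  }
  const basket = baskets.get(id);
  if (!basket || basket.userId !== req.user.id) {
    auditLog.push({
      event: 'object_access_denied',
      resource: 'basket',
      resourceId: id,
      userId: req.user.id,
      exists: Boolean(basket),
    });
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: basket };
}

// Release-gate check: a regression test a CI pipeline could run against any
// handler, asserting that a cross-user read never succeeds.
function crossUserReadBlocked(handler) {
  return handler(requestFor(10, 2)).status !== 200; // user 10 reads user 20's basket
}

// Detection rule over the audit log: flag a user who is denied on more than
// `threshold` distinct resource ids, the pattern an enumeration attempt leaves.
function usersProbingObjects(log, threshold = 2) {
  const idsByUser = new Map();
  for (const rec of log) {
    if (rec.event !== 'object_access_denied') continue;
    if (!idsByUser.has(rec.userId)) idsByUser.set(rec.userId, new Set());
    idsByUser.get(rec.userId).add(rec.resourceId);
  }
  return [...idsByUser].filter(([, ids]) => ids.size > threshold).map(([userId]) => userId);
}

console.log('insecure blocks cross-user read:', crossUserReadBlocked(getBasketInsecure));
console.log('hardened blocks cross-user read:', crossUserReadBlocked(getBasketHardened));
```

The engineering recommendation that falls out of this is the one worth writing down in your review notes: resolve ownership on the server from the session, never from a client-supplied id alone; keep the denied path indistinguishable from "not found"; and make the denial a first-class log event so an alert can be built on it rather than reconstructed from access logs later.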
High-value topic clusters to practice
- authentication and session flows;
- authorization and object access;
- XSS and browser behavior;
- API-only attack paths;
- sensitive data exposure;
- insecure components and dependency trust;
- observability and logging failures.
Pair it with these KB pages
- Frontend Security Review Playbook
- Browser Security Foundations: CSP, CORS, Cookies, and Sessions
- API Design and Contract Security
- API Authentication and Authorization
- Business Logic Abuse Review Playbook
- Worked Example API Review Lab
Good ways to use Juice Shop with a team
- assign one challenge category per engineer and have them explain the control failure;
- run a "review-first" session where nobody exploits anything until they describe the risk;
- compare scanner output to manual findings;
- use it as a secure coding training environment before writing internal code-review checklists.
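One way to run the "compare scanner output to manual findings" session from the list above, as an added example that is not part of this page or of the Juice Shop project. Both finding lists, their field names and the route paths are constructed for the example; map your scanner's real export into the same shape. The value of the exercise is the three buckets it produces: confirmed findings, scanner-only alerts that need an explicit false-positive decision, and manual-only findings the scanner missed.

```javascript
// Added example, not from the page or the Juice Shop project: reconcile a
// scanner export with the findings from a review-first session. Field names,
// paths and categories are constructed for the example.

// Constructed scanner export: one object per alert, duplicates included.
const scannerFindings = [
  { method: 'GET', path: '/rest/basket/1', category: 'broken-object-access', confidence: 'medium' },
  { method: 'POST', path: '/rest/user/login', category: 'injection', confidence: 'high' },
  { method: 'GET', path: '/', category: 'missing-security-header', confidence: 'low' },
  { method: 'GET', path: '/', category: 'missing-security-header', confidence: 'low' }, // duplicate alert
];

// Constructed manual findings written up during the review-first session.
const manualFindings = [
  { method: 'GET', path: '/rest/basket/1', category: 'broken-object-access', note: 'ownership check missing' },
  { method: 'POST', path: '/rest/user/login', category: 'injection', note: 'string-built query' },
  { method: 'PUT', path: '/rest/basket/1/checkout', category: 'business-logic', note: 'negative quantity accepted' },
];

// Normalise so cosmetic differences (case, trailing slash, numeric ids) do not
// hide a match: /rest/basket/1 and /rest/basket/42 are the same route.
function findingKey(f) {
  const route = f.path
    .toLowerCase()
    .replace(/\/+$/, '')
    .replace(/\/\d+(?=\/|$)/g, '/{id}') || '/';
  return `${f.method.toUpperCase()} ${route} ${f.category.toLowerCase()}`;
}

// Returns the three buckets the team discusses. Scanner duplicates collapse to
// one entry so the false-positive list counts distinct decisions, not alerts.
function reconcile(scanner, manual) {
  const scannerByKey = new Map();
  for (const f of scanner) {
    const k = findingKey(f);
    if (!scannerByKey.has(k)) scannerByKey.set(k, f);
  }
  const manualByKey = new Map(manual.map((f) => [findingKey(f), f]));

  const confirmed = [];
  const needsFpDecision = [];
  const missedByScanner = [];
  for (const [key, finding] of scannerByKey) {
    (manualByKey.has(key) ? confirmed : needsFpDecision).push({ key, finding });
  }
  for (const [key, finding] of manualByKey) {
    if (!scannerByKey.has(key)) missedByScanner.push({ key, finding });
  }
  return { confirmed, needsFpDecision, missedByScanner };
}

// Plain-text report for the session notes.
function formatReport(result) {
  const lines = [];
  const section = (title, items) => {
    lines.push(`${title} (${items.length})`);
    for (const { key, finding } of items) {
      lines.push(`  - ${key}${finding.note ? ` [${finding.note}]` : ''}${finding.confidence ? ` [confidence: ${finding.confidence}]` : ''}`);
    }
  };
  section('Confirmed by manual review', result.confirmed);
  section('Scanner-only, needs false-positive decision', result.needsFpDecision);
  section('Missed by scanner, manual-only', result.missedByScanner);
  return lines.join('\n');
}

console.log(formatReport(reconcile(scannerFindings, manualFindings)));
```

The "missed by scanner" bucket is usually where the business-logic findings land, which is the concrete point to make in the session: a scanner validates a class of issue, it does not replace the review.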
Common mistakes
- treating it only as a hacking game;
- skipping the API and frontend perspective;
- ignoring what logs or alerts would have helped;
- using the public demo for unauthorized testing instead of your own instance.
Cleanup
If you used the container path, stopping the container is usually enough:
```shell
docker ps
docker stop <container_id>
```
Or, if the `docker run --rm ...` session was interactive, just end that session.
References
- Official project page: https://owasp.org/www-project-juice-shop/
- Official repository: https://github.com/juice-shop/juice-shop
- Official companion guide: https://pwning.owasp-juice.shop/
---
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.