OWASP Juice Shop – Main
This project contains a collection of Juice Shop hacking challenges solved as part of the Juice Shop Meister initiative.
The purpose is to demonstrate practical exploitation of common web vulnerabilities and document both the technical process and its implications.
The repository includes:
- Reproducible exploitation steps for selected challenges.
- Risk assessments and real-world consequences.
- Demo video walkthroughs showing step-by-step execution.
⚠️ Disclaimer:
This documentaion is intended strictly for educational purposes.
All activities demonstrated here were conducted in a controlled environment on intentionally vulnerable applications.
Do not use these techniques against systems you do not own or have explicit permission to test.
📘 Table of Contents
✅ Challenges
Each challenge targets a different vulnerability category and is documented in detail:
1. Admin Registration
- Category: Broken Access Control → Privilege Escalation
- Flag:
score-board#Admin Registration - Summary: Gains admin rights during signup by injecting
"role": "admin"in the request. - 📄 Read full report
- 🎥 Watch video demo
2. API-only XSS
- Category: Cross-Site Scripting → Stored XSS via API
- Flag:
score-board#API-only XSS - Summary: Injects a malicious payload via
PUT /api/Products/:idthat triggers on product pages. - 📄 Read full report
- 🎥 Watch video demo
3. Forged Feedback
- Category: Broken Access Control → Horizontal Privilege Escalation
- Flag:
score-board#Forged Feedback - Summary: Sends feedback under another user's identity by modifying the
UserId. - 📄 Read full report
- 🎥 Watch video demo
4. CAPTCHA Bypass
- Category: Broken Anti-Automation
- Flag:
score-board#CAPTCHA Bypass - Summary: Reuses a solved CAPTCHA token for unlimited feedback submissions, bypassing anti-bot measures.
- 📄 Read full report
- 🎥 Watch video demo