Juice Shop - Hacking an intentionally insecure JavaScript Web Application

A session at JS Unconf

Saturday 25th April, 2015

4:45pm to 5:30pm (CET)

Juice Shop* (https://github.com/bkimminich/ju...) is an intentionally insecure web app, suitable for pentesting and security awareness training, written in Node, Express and Angular. It is the first application written entirely in JavaScript to be listed in the OWASP VWA Directory. It also seems to be the first deliberately broken web app that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.

In this talk I will show why and how the app was created, followed by a demo of how to hack it. Prepare for some nasty XSS, SQLi and CSRF flaws bundled with some seriously broken access control and business logic - all in one single application!

*Translating "dump" or "useless outfit" into German yields "Saftladen", which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match those of "JavaScript" was purely coincidental!

About the speaker

Björn Kimminich

IT Architect at Kuehne+Nagel, Clean Coder, OWASP Juice Shop Project Leader, Java Lecturer at FH Nordakademie


JS Unconf

Hamburg, Germany

25th to 26th April 2015

Time: 4:45pm to 5:30pm CET

Date: Sat 25th April 2015
