Hacking the OWASP Juice Shop

A session at OWASP NL Chapter Meeting

Thursday 22nd September, 2016

8:15pm to 9:00pm (AMT)

OWASP Juice Shop* is an intentionally insecure web app, suitable for pentesting and security awareness training, written in Node.js, Express and AngularJS. It is the first application written entirely in JavaScript listed in the OWASP VWA Directory. It also seems to be the first broken web app that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.

In this talk I will show why and how the app was created, followed by a demo of how to hack it. Prepare for some nasty XSS, SQLi and CSRF flaws bundled with some seriously broken access control and business logic - all in one single application!

(*Translating "dump" or "useless outfit" into German yields "Saftladen", which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match those of "JavaScript" was purely coincidental!)

About the speaker

Björn Kimminich

IT Architect at Kuehne+Nagel, Clean Coder, OWASP Juice Shop Project Leader, Java Lecturer at FH Nordakademie
