Main Content

Juice Shop - Hacking an intentionally insecure Javascript Web Application

About the Talk

April 25, 2015 4:45 PM

Hamburg, Germany

Hamburg, Germany

Juice Shop* ( is an intentionally insecure webapp suitable for pentesting and security awareness trainings written in Node, Express and Angular. It is the first application written entirely in Javascript listed in the OWASP VWA Directory. It also seems to be the first broken webapp that uses the currently popular architecture of an SPA/RIA frontend with a RESTful backend.

In this talk I will show why and how the app was created followed by a demo how to hack it. Prepare for some nasty XSS, SQLI and CSRF flaws bundled with some seriously broken access control and business logic - all in one single application!

*Translating "dump" or "useless outfit" into German yields "Saftladen" which can be reverse-translated word by word into "juice shop". Hence the project name. That the initials "JS" match with those of "Javascript" was purely coincidental!

Ratings and Recommendations

This Talk hasn't been rated yet. Sign In to rate Talks.

comments powered by Disqus