SOLUTIONS.md
# Solutions
Did you write a guide specifically on hacking OWASP Juice Shop or record a hacking session of your own? Add it to this
file and open a PR! The same goes for any scripts or automated tools you made for making Juice Shop easier to hack!
> :godmode: **Everything** mentioned on this specific page is considered
> to contain _spoilers for entire challenge solutions_ so the entries
> themselves are not individually tagged! You might not want to view
> anything from this page before tackling the related challenges
> yourself! :broken_heart: marks resources which rely on
> [_some form of cheating_](https://pwning.owasp-juice.shop/part1/rules.html#%E2%9D%8C-things-considered-cheating)
> to solve a challenge.
>
> ๐ง is followed by the last known major release of OWASP Juice Shop
> that a solution/script/tool is supposedly working with or that a video
> guide/solution was recorded for.
## Table of contents
* [Hacking Videos](#hacking-videos)
* [Walkthroughs](#walkthroughs)
* [Scripts & Tools](#scripts--tools)
## Hacking Videos
* [7 Minute Security](https://7ms.us) Podcast (๐ง`v16.x`)
* Episode #606: [7MS #606: Hacking OWASP Juice Shop (2024 edition)]() ([YouTube](https://www.youtube.com/watch?v=-1rpelarf2E))
* Legacy Episodes (๐ง`v2.x`)
* Episode #234:
[7MS #234: Pentesting OWASP Juice Shop - Part 5](https://7ms.us/7ms-234-pentesting-owasp-juice-shop-part5/)
([YouTube](https://www.youtube.com/watch?v=lGVAXCfFwv0))
* Episode #233:
[7MS #233: Pentesting OWASP Juice Shop - Part 4](https://7ms.us/7ms-233-pentesting-owasp-juice-shop-part-4/)
([YouTube](https://www.youtube.com/watch?v=1hhd9EwX7h0))
* Episode #232:
[7MS #232: Pentesting OWASP Juice Shop - Part 3](https://7ms.us/7ms-232-pentesting-owasp-juice-shop-part-3/)
([YouTube](https://www.youtube.com/watch?v=F8iRF2d-YzE))
* Episode #231:
[7MS #231: Pentesting OWASP Juice Shop - Part 2](https://7ms.us/7ms-231-pentesting-owasp-juice-shop-part-2/)
([YouTube](https://www.youtube.com/watch?v=523l4Pzhimc))
* Episode #230:
[7MS #230: Pentesting OWASP Juice Shop - Part 1](https://7ms.us/7ms-230-pentesting-owasp-juice-shop-part-1/)
([YouTube](https://www.youtube.com/watch?v=Cz37iejTsH4))
* Episode #229:
[7MS #229: Intro to Docker for Pentesters](https://7ms.us/7ms-229-intro-to-docker-for-pentesters/)
([YouTube](https://youtu.be/WIpxvBpnylI?t=407))
* [How to Solve Juiceshop Challenges - Intern Talks](https://www.youtube.com/watch?v=dqxdbIWFD5c) by [Indian Servers University](https://www.youtube.com/c/IndianServersUniversity) (๐ง`v11.x`)
* [Hacking the OWASP Juice Shop Series](https://www.youtube.com/playlist?list=PLcsrjMNFrcmbAFV8BxDKXZCcPrOlaYfWK) playlist of [Compass IT Compliance](https://www.youtube.com/channel/UCccfSU7EGGTS76hz2i6qdrg) (๐ง`v12.x`)
* [Hacking the OWASP Juice Shop Series - Deploying the Juice Shop](https://youtu.be/qjrEMEztxWM)
* [Hacking the OWASP Juice Shop Series - Challenge #1 (Score Board)](https://youtu.be/3TKm5T0ul5Y)
* [Hacking the OWASP Juice Shop Series - Challenge #2 (DOM XSS)](https://youtu.be/qTm52tJu4i4)
* [Hacking the OWASP Juice Shop Series - Challenge #3 (Bonus Payload)](https://youtu.be/GoZbpBY6R1E)
* [Hacking the OWASP Juice Shop Series - Challenge #4 (Repetitive Registration)](https://youtu.be/hRF1StzaXo4)
* [Hacking the OWASP Juice Shop Series - Challenge #5 (Bully Chatbot)](https://youtu.be/dTm_55SUW88)
* [Hacking the OWASP Juice Shop Series - Challenge #6 (Confidential Document)](https://youtu.be/pt6a5-O90G4)
* [Hacking the OWASP Juice Shop Series - Challenge #7 (Error Handling)](https://youtu.be/aFJzZJcxVd8)
* [Hacking the OWASP Juice Shop Series - Challenge #8 (Exposed Metrics)](https://youtu.be/PuU2deMxj3E)
* [Hacking the OWASP Juice Shop Series - Challenge #9 (Missing Encoding)](https://youtu.be/40ndR8btKaU)
* [Hacking the OWASP Juice Shop Series - Challenge #10 (Outdated Allowlist)](https://youtu.be/diXuxUxLmXU)
* [Hacking the OWASP Juice Shop Series - Challenge #11 (Privacy Policy)](https://youtu.be/C3Qeyh3_xOA)
* [Hacking the OWASP Juice Shop Series - Challenge #12 (Zero Stars)](https://youtu.be/aJOvzpOdAC0)
* [Hacking the OWASP Juice Shop Series - Manage Heroku and Juice Shop](https://youtu.be/5jerMnM0vXw)
* [OWASP Juice Shop | TryHackMe Burp Suite Fundamentals](https://youtu.be/6n1pI9dJpW4) by [CyberInsight](https://www.youtube.com/channel/UCmJJUewPWfnyzvZRrFHlykA)
* [Wie werden APIs "gehackt" - API Sicherheit am Beispiel](https://youtu.be/wGtS5qQ0bC0) (:de:)
by
[predic8](https://www.youtube.com/channel/UC9ONq2LjrImWzWrWf6MYd2A) (๐ง`v12.x`)
* [Hack OWASP Juice Shop](https://www.youtube.com/watch?v=0YSNRz0NRt8&list=PL8j1j35M7wtKXpTBE6V1RlN_pBZ4StKZw)
playlist of
[Hacksplained](https://www.youtube.com/channel/UCyv6ItVqQPnlFFi2zLxlzXA)
(๐ง`v10.x` - `v11.x`)
* [โ
Zero Stars](https://youtu.be/0YSNRz0NRt8)
* [โ
Confidential Document](https://youtu.be/Yi7OiMtzGXc)
* [โ
DOM XSS](https://youtu.be/BuVxyBo05F8)
* [โ
Error Handling](https://youtu.be/WGafQnjSMk4)
* [โ
Missing Encoding](https://youtu.be/W7Bt2AmYtao)
* [โ
Outdated Allowlist](https://youtu.be/TEdZAXuTfpk)
* [โ
Privacy Policy](https://youtu.be/f5tM_4vBq-w)
* [โ
Repetitive Registration](https://youtu.be/mHjYOtKGYQM)
* [โ
โ
Login Admin](https://youtu.be/LuU1fSuc7Gg)
* [โ
โ
Admin Section](https://youtu.be/BPLhu354esc)
* [โ
โ
Classic Stored XSS](https://youtu.be/dxzU6djocJQ)
* [โ
โ
Deprecated Interface](https://youtu.be/yQ40B_eSj48)
* [โ
โ
Five Star Feedback](https://youtu.be/9BsfRJA_-ik)
* [โ
โ
Login MC SafeSearch](https://youtu.be/8VhGBdVK9ik)
* [โ
โ
Password Strength](https://youtu.be/fnuz-3QM8ac)
* [โ
โ
Security Policy](https://youtu.be/_h829JTNtKo)
* [โ
โ
View Basket](https://youtu.be/hBbdxn3-aiU)
* [โ
โ
Weird Crypto](https://youtu.be/GWJouiMUJno)
* [โ
โ
โ
API-Only XSS](https://youtu.be/aGjLR4uc0ys)
* [โ
โ
โ
Admin Registration](https://youtu.be/-H3Ngs-S0Ms)
* [โ
โ
โ
Bjรถrn's Favorite Pet](https://youtu.be/a0k465G8Zkc)
* [โ
โ
โ
Captcha Bypass](https://youtu.be/pgGVVOhIiaM)
* [โ
โ
โ
Client-side XSS Protection](https://youtu.be/bNjsjs0T0_k)
* [โ
โ
โ
Database Schema](https://youtu.be/0-D-e66U2Z0)
* [โ
โ
โ
Forged Feedback](https://youtu.be/99iKTSkZ814)
* [โ
โ
โ
Forged Review](https://youtu.be/k2abfhtuU9c)
* [โ
โ
โ
GDPR Data Erasure](https://youtu.be/zBTYSpp41u8)
* [โ
โ
โ
Login Amy](https://youtu.be/ICln3xcVxzI)
* [โ
โ
โ
Login Bender](https://youtu.be/a6kh9fL77A0)
* [โ
โ
โ
Login Jim](https://youtu.be/zJpJibswGWA)
* [โ
โ
โ
Manipluate Basket](https://youtu.be/pdtDtmIiSOQ)
* [โ
โ
โ
Payback Time](https://youtu.be/QN4f00VsXn4)
* [โ
โ
โ
Privacy Policy Inspection](https://youtu.be/5DUXTmp5KbI)
* [โ
โ
โ
Product Tampering](https://youtu.be/G4UKdotkyu8)
* [โ
โ
โ
Reset Jim's Password](https://youtu.be/qYVlxeKVhgA)
* [โ
โ
โ
Upload Size](https://youtu.be/5pcAPUihhWA)
* [โ
โ
โ
Upload Type](https://youtu.be/4FPyMdyVt2s)
* [โ
โ
โ
โ
Access Log (Sensitive Data Exposure)](https://youtu.be/RBTfGk-ZwnY)
* [โ
โ
โ
โ
Ephemeral Accountant (SQL-Injection)](https://youtu.be/rD-_fRDHf9o)
* [โ
โ
โ
โ
Expired Coupon (Improper Input Validation)](https://youtu.be/4cWTUdTvTZg)
* [โ
โ
โ
โ
Forgotten Developer Backup (Sensitive Data Exposure)](https://youtu.be/YvkuVZ6r2Rg)
* [โ
โ
โ
โ
Forgotten Sales Backup (Sensitive Data Exposure)](https://youtu.be/5g4WRASni6g)
* [โ
โ
โ
โ
GDPR Data Theft (Sensitive Data Exposure)](https://youtu.be/GPW90c4Ahbc)
* [โ
โ
โ
โ
Legacy Typosquatting (Vulnerable Components)](https://youtu.be/HqkGeWtwiHY)
* [โ
โ
โ
โ
Login Bjoern (Broken Authentication)](https://youtu.be/pmBJ1ZAlpF8)
* [โ
โ
โ
โ
Misplaced Signature File (Sensitive Data Exposure)](https://youtu.be/56qHiwxTjYY)
* [โ
โ
โ
โ
Nested Easter Egg (Cryptographic Issues)](https://youtu.be/yvatrnWvcGE)
* [โ
โ
โ
โ
NoSql Manipulation (Injection)](https://youtu.be/frymuDxKwmc)
:broken_heart:
* [โ
โ
โ
โ
โ
Change Benders Password (Broken Authentication)](https://youtu.be/J3BSi-z9_7I)
* [โ
โ
โ
โ
โ
Extra Language (Broken Anti Automation)](https://youtu.be/KU2LzxABetk)
* [Broken Authentication and SQL Injection - OWASP Juice Shop TryHackMe](https://youtu.be/W4MXUnZB2jc)
by
[Motasem Hamdan - CyberSecurity Trainer](https://www.youtube.com/channel/UCNSdU_1ehXtGclimTVckHmQ)
* Live Hacking von Online-Shop โJuice Shopโ (:de:)
[Twitch live stream](https://www.twitch.tv/GregorBiswanger) recordings by
[Gregor Biswanger](https://www.youtube.com/channel/UCGMA9qDbIQ-EhgLD-ZrsHWw)
(๐ง`v11.x`)
* [Level 1](https://youtu.be/ccy-eKYpdbk)
* [Level 2](https://youtu.be/KtMPEDJx0Sg)
* [Level 3](https://youtu.be/aqXfFVHJ91g)
* [Level 4](https://youtu.be/jfe-iEePlTc)
* [HackerOne #h1-2004 Community Day: Intro to Web Hacking - OWASP Juice Shop](https://youtu.be/KmlwIwG7Kv4)
by [Nahamsec](https://twitch.tv/nahamsec) including the creation of a
(fake) bugbounty report for all findings (๐ง`v10.x`)
* [TryHackme - JuiceShop Walkthrough](https://youtu.be/3yYNvRVlKmo) by
[Profesor Parno](https://www.youtube.com/channel/UCcBThq4OKjox_kfPkG1BF0Q)
(๐ง`v8.x`, ๐ฎ๐ฉ)
* [OWASP Juice Shop All Challenges Solved || ETHIKERS](https://youtu.be/Fjdhf6OHgRk)
full-spoiler, time-lapsed, no-commentary hacking trip (๐ง`v8.x`)
* [Hacking JavaScript - Intro to Hacking Web Apps (Episode 3)](https://youtu.be/ejB1i5n_d7o)
by Arthur Kay (๐ง`v8.x`)
* [HackerSploit](https://www.youtube.com/channel/UC0ZTPkdxlAKf-V33tqXwi3Q)
YouTube channel (๐ง`v7.x`)
* [OWASP Juice Shop - SQL Injection](https://youtu.be/nH4r6xv-qGg)
* [Web App Penetration Testing - #15 - HTTP Attributes (Cookie Stealing)](https://youtu.be/8s3ChNKU85Q)
* [Web App Penetration Testing - #14 - Cookie Collection & Reverse Engineering](https://youtu.be/qtr0qtptYys)
* [Web App Penetration Testing - #13 - CSRF (Cross Site Request Forgery)](https://youtu.be/TwG0Rd0hr18)
* [How To Install OWASP Juice Shop](https://youtu.be/tvNKp1QXV_8)
## Walkthroughs
* Blog post (:myanmar:) on [LOL Security](http://location-href.com/):
[Juice Shop Walkthrough](http://location-href.com/owasp-juice-shop-walkthroughs/)
(๐ง`v2.x`)
* Blog post on [IncognitJoe](https://incognitjoe.github.io/):
[Hacking(and automating!) the OWASP Juice Shop](https://incognitjoe.github.io/hacking-the-juice-shop.html)
(๐ง`v2.x`)
## Scripts & Tools
* [Session management script for OWASP Juice Shop](https://github.com/zaproxy/zaproxy/blob/master/zap/src/main/dist/scripts/templates/session/Juice%20Shop%20Session%20Management.js)
distributed as a scripting template with
[OWASP ZAP](https://github.com/zaproxy/zaproxy) since version 2.9.0
(๐ง`v10.x`)
* [Automated solving script for the OWASP Juice Shop](https://github.com/incognitjoe/juice-shop-solver)
written in Python by [@incognitjoe](https://github.com/incognitjoe)
(๐ง`v2.x`)