data/static/challenges.yml
---
# Challenge catalogue, one entry per challenge listed on the score board.
# Fields seen in this file:
#   name           - display title
#   category       - vulnerability category the challenge is filed under
#   tags           - optional list of labels (e.g. 'Danger Zone', 'Tutorial')
#   description    - task text; contains inline HTML (<a>, <i>, <code>), so it
#                    is presumably rendered unescaped by the frontend -- keep
#                    this file trusted, author-controlled data (TODO confirm)
#   difficulty     - integer rating (values 1 to 6 appear in this file)
#   hint / hintUrl - hint text and companion-guide link
#   mitigationUrl  - OWASP cheat sheet link, or null when none is referenced
#   key            - camelCase identifier referenced by code; every key ends in
#                    'Challenge' except emptyUserRegistration (left as is, since
#                    renaming it would break existing references)
#   disabledEnv    - optional list of environments where the challenge is off
#   tutorial.order - optional position in the hacking tutorial
- name: 'API-only XSS'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Perform a <i>persisted</i> XSS attack with <code><iframe src="javascript:alert(`xss`)"></code> without using the frontend application at all.'
  difficulty: 3
  hint: 'You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_without_using_the_frontend_application_at_all'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: restfulXssChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Access Log'
  category: 'Sensitive Data Exposure'
  description: 'Gain access to any access log file of the server.'
  difficulty: 4
  hint: 'Who would want a server access log to be accessible through a web application?'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_gain_access_to_any_access_log_file_of_the_server'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html'
  key: accessLogDisclosureChallenge
- name: 'Admin Registration'
  category: 'Improper Input Validation'
  description: 'Register as a user with administrator privileges.'
  difficulty: 3
  hint: 'You have to assign the unassignable.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_register_as_a_user_with_administrator_privileges'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html'
  key: registerAdminChallenge
- name: 'Admin Section'
  category: 'Broken Access Control'
  tags:
    - Good for Demos
  description: 'Access the administration section of the store.'
  difficulty: 2
  hint: 'It is just slightly harder to find than the score board link.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_access_the_administration_section_of_the_store'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: adminSectionChallenge
- name: 'Arbitrary File Write'
  category: 'Vulnerable Components'
  tags:
    - Danger Zone
    - Prerequisite
  description: 'Overwrite the <a href="/ftp/legal.md">Legal Information</a> file.'
  difficulty: 6
  hint: 'Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_overwrite_the_legal_information_file'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
  key: fileWriteChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Bjoern''s Favorite Pet'
  category: 'Broken Authentication'
  tags:
    - OSINT
  description: 'Reset the password of Bjoern''s OWASP account via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.'
  difficulty: 3
  hint: 'He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_the_password_of_bjoerns_owasp_account_via_the_forgot_password_mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: resetPasswordBjoernOwaspChallenge
- name: 'Blockchain Hype'
  category: 'Security through Obscurity'
  tags:
    - Contraption
    - Code Analysis
    - Web3
  description: 'Learn about the Token Sale before its official announcement.'
  difficulty: 5
  hint: 'The developers truly believe in "Security through Obscurity" over actual access restrictions.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_learn_about_the_token_sale_before_its_official_announcement'
  mitigationUrl: null
  key: tokenSaleChallenge
- name: 'NFT Takeover'
  category: 'Sensitive Data Exposure'
  tags:
    - Contraption
    - Good for Demos
    - Web3
  description: 'Take over the wallet containing our official Soul Bound Token (NFT).'
  difficulty: 2
  hint: 'Find the seed phrase posted accidentally.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_take_over_the_wallet_containing_our_official_soul_bound_token'
  mitigationUrl: null
  key: nftUnlockChallenge
- name: 'Mint the Honey Pot'
  category: 'Improper Input Validation'
  tags:
    - Web3
    - Internet Traffic
  description: 'Mint the Honey Pot NFT by gathering BEEs from the bee haven.'
  difficulty: 3
  hint: 'Discover NFT wonders among the captivating visual memories.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_mint_the_honey_pot_nft_by_gathering_bees_from_the_bee_haven'
  mitigationUrl: null
  key: nftMintChallenge
- name: 'Wallet Depletion'
  category: 'Miscellaneous'
  tags:
    - Web3
    - Internet Traffic
  description: 'Withdraw more ETH from the new wallet than you deposited.'
  difficulty: 6
  hint: 'Try to exploit the contract of the wallet.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_withdraw_more_eth_from_the_new_wallet_than_you_deposited'
  mitigationUrl: null
  key: web3WalletChallenge
- name: 'Web3 Sandbox'
  category: 'Broken Access Control'
  tags:
    - Web3
  description: 'Find an accidentally deployed code sandbox for writing smart contracts on the fly.'
  difficulty: 1
  hint: 'It is just as easy as finding the Score Board.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_find_an_accidentally_deployed_code_sandbox'
  mitigationUrl: null
  key: web3SandboxChallenge
- name: 'Blocked RCE DoS'
  category: 'Insecure Deserialization'
  tags:
    - Danger Zone
  description: 'Perform a Remote Code Execution that would keep a less hardened application busy <em>forever</em>.'
  difficulty: 5
  hint: 'The feature you need to exploit for this challenge is not directly advertised anywhere.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/insecure-deserialization.html#_perform_a_remote_code_execution_that_would_keep_a_less_hardened_application_busy_forever'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
  key: rceChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'CAPTCHA Bypass'
  category: 'Broken Anti Automation'
  tags:
    - Brute Force
  description: 'Submit 10 or more customer feedbacks within 20 seconds.'
  difficulty: 3
  hint: 'After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_submit_10_or_more_customer_feedbacks_within_20_seconds'
  mitigationUrl: null
  key: captchaBypassChallenge
- name: 'Change Bender''s Password'
  category: 'Broken Authentication'
  description: 'Change Bender''s password into <i>slurmCl4ssic</i> without using SQL Injection or Forgot Password.'
  difficulty: 5
  hint: 'In previous releases this challenge was wrongly accused of being based on CSRF.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_change_benders_password_into_slurmcl4ssic_without_using_sql_injection_or_forgot_password'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
  key: changePasswordBenderChallenge
- name: 'Christmas Special'
  category: 'Injection'
  description: 'Order the Christmas special offer of 2014.'
  difficulty: 4
  hint: 'Find out how the application handles unavailable products and try to find a loophole.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_order_the_christmas_special_offer_of_2014'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: christmasSpecialChallenge
- name: 'CSP Bypass'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Bypass the Content Security Policy and perform an XSS attack with <code><script>alert(`xss`)</script></code> on a legacy page within the application.'
  difficulty: 4
  hint: 'What is even "better" than a legacy page with a homegrown RegEx sanitizer? Having CSP injection issues on the exact same page as well!'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_bypass_the_content_security_policy_and_perform_an_xss_attack_on_a_legacy_page'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: usernameXssChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Client-side XSS Protection'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Perform a <i>persisted</i> XSS attack with <code><iframe src="javascript:alert(`xss`)"></code> bypassing a <i>client-side</i> security mechanism.'
  difficulty: 3
  hint: 'Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_bypassing_a_client_side_security_mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: persistedXssUserChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Confidential Document'
  category: 'Sensitive Data Exposure'
  tags:
    - Good for Demos
  description: 'Access a confidential document.'
  difficulty: 1
  hint: 'Analyze and tamper with links in the application that deliver a file directly.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_confidential_document'
  mitigationUrl: null
  key: directoryListingChallenge
- name: 'DOM XSS'
  category: 'XSS'
  tags:
    - Tutorial
    - Good for Demos
  description: 'Perform a <i>DOM</i> XSS attack with <code><iframe src="javascript:alert(`xss`)"></code>.'
  difficulty: 1
  hint: 'Look for an input field where its content appears in the HTML when its form is submitted.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_dom_xss_attack'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html'
  key: localXssChallenge
  tutorial:
    order: 2
- name: 'Database Schema'
  category: 'Injection'
  description: 'Exfiltrate the entire DB schema definition via SQL Injection.'
  difficulty: 3
  hint: 'Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_exfiltrate_the_entire_db_schema_definition_via_sql_injection'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: dbSchemaChallenge
- name: 'Deprecated Interface'
  category: 'Security Misconfiguration'
  tags:
    - Contraption
    - Prerequisite
  description: 'Use a deprecated B2B interface that was not properly shut down.'
  difficulty: 2
  hint: 'The developers who disabled the interface think they could go invisible by just closing their eyes.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_use_a_deprecated_b2b_interface_that_was_not_properly_shut_down'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html'
  key: deprecatedInterfaceChallenge
- name: 'Easter Egg'
  category: 'Broken Access Control'
  tags:
    - Shenanigans
    - Contraption
    - Good for Demos
  description: 'Find the hidden <a href="https://en.wikipedia.org/wiki/Easter_egg_(media)" target="_blank">easter egg</a>.'
  difficulty: 4
  hint: 'If you solved one of the three file access challenges, you already know where to find the easter egg.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_find_the_hidden_easter_egg'
  mitigationUrl: null
  key: easterEggLevelOneChallenge
- name: 'Email Leak'
  category: 'Sensitive Data Exposure'
  description: 'Perform an unwanted information disclosure by accessing data cross-domain.'
  difficulty: 5
  hint: 'Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_perform_an_unwanted_information_disclosure_by_accessing_data_cross_domain'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet.html'
  key: emailLeakChallenge
- name: 'Empty User Registration'
  category: 'Improper Input Validation'
  description: 'Register a user with an empty email and password.'
  difficulty: 2
  hint: 'Consider intercepting and playing with the request payload.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_register_a_user_account_with_an_empty_email_and_password'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html'
  key: emptyUserRegistration
- name: 'Ephemeral Accountant'
  category: 'Injection'
  description: 'Log in with the (non-existing) accountant <i>acc0unt4nt@juice-sh.op</i> without ever registering that user.'
  difficulty: 4
  hint: 'Try to create the needed user "out of thin air".'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_the_non_existing_accountant_without_ever_registering_that_user'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: ephemeralAccountantChallenge
- name: 'Error Handling'
  category: 'Security Misconfiguration'
  tags:
    - Prerequisite
  description: 'Provoke an error that is neither very gracefully nor consistently handled.'
  difficulty: 1
  hint: 'Try to submit bad input to forms. Alternatively tamper with URL paths or parameters.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_provoke_an_error_that_is_neither_very_gracefully_nor_consistently_handled'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html'
  key: errorHandlingChallenge
- name: 'Expired Coupon'
  category: 'Improper Input Validation'
  description: 'Successfully redeem an expired campaign coupon code.'
  difficulty: 4
  hint: 'Try to identify past special event or holiday campaigns of the shop first.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_successfully_redeem_an_expired_campaign_coupon_code'
  mitigationUrl: null
  key: manipulateClockChallenge
- name: 'Extra Language'
  category: 'Broken Anti Automation'
  tags:
    - Brute Force
  description: 'Retrieve the language file that never made it into production.'
  difficulty: 5
  hint: 'Brute force is not the only option for this challenge, but a perfectly viable one.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_retrieve_the_language_file_that_never_made_it_into_production'
  mitigationUrl: null
  key: extraLanguageChallenge
- name: 'Five-Star Feedback'
  category: 'Broken Access Control'
  description: 'Get rid of all 5-star customer feedback.'
  difficulty: 2
  hint: 'Once you found admin section of the application, this challenge is almost trivial.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_get_rid_of_all_5_star_customer_feedback'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: feedbackChallenge
- name: 'Forged Coupon'
  category: 'Cryptographic Issues'
  tags:
    - Good for Demos
    - Code Analysis
  description: 'Forge a coupon code that gives you a discount of at least 80%.'
  difficulty: 6
  hint: 'Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_forge_a_coupon_code_that_gives_you_a_discount_of_at_least_80'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html'
  key: forgedCouponChallenge
- name: 'Forged Feedback'
  category: 'Broken Access Control'
  tags:
    - Tutorial
  description: "Post some feedback in another user's name."
  difficulty: 3
  hint: 'You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_post_some_feedback_in_another_users_name'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: forgedFeedbackChallenge
  tutorial:
    order: 8
- name: 'Forged Review'
  category: 'Broken Access Control'
  description: 'Post a product review as another user or edit any user''s existing review.'
  difficulty: 3
  hint: 'Observe the flow of product review posting and editing and see if you can exploit it.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_post_a_product_review_as_another_user_or_edit_any_users_existing_review'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: forgedReviewChallenge
- name: 'Forged Signed JWT'
  category: 'Vulnerable Components'
  description: 'Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user <i>rsa_lord@juice-sh.op</i>.'
  difficulty: 6
  hint: 'This challenge is explicitly not about acquiring the RSA private key used for JWT signing.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_forge_an_almost_properly_rsa_signed_jwt_token'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html'
  key: jwtForgedChallenge
  disabledEnv:
    - Windows
- name: 'Forgotten Developer Backup'
  category: 'Sensitive Data Exposure'
  tags:
    - Contraption
    - Good for Demos
    - Prerequisite
  description: 'Access a developer''s forgotten backup file.'
  difficulty: 4
  hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_developers_forgotten_backup_file'
  mitigationUrl: null
  key: forgottenDevBackupChallenge
- name: 'Forgotten Sales Backup'
  category: 'Sensitive Data Exposure'
  tags:
    - Contraption
  description: 'Access a salesman''s forgotten backup file.'
  difficulty: 4
  hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_salesmans_forgotten_backup_file'
  mitigationUrl: null
  key: forgottenBackupChallenge
- name: 'Frontend Typosquatting'
  category: 'Vulnerable Components'
  description: '<a href="/#/contact">Inform the shop</a> about a <i>typosquatting</i> imposter that dug itself deep into the frontend. (Mention the exact name of the culprit)'
  difficulty: 5
  hint: 'This challenge has nothing to do with mistyping web domains. There is no conveniently misplaced file helping you with this one either. Or is there?'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_typosquatting_imposter_that_dug_itself_deep_into_the_frontend'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
  key: typosquattingAngularChallenge
- name: 'GDPR Data Erasure'
  category: 'Broken Authentication'
  description: 'Log in with Chris'' erased user account.'
  difficulty: 3
  hint: 'Turns out that something is technically and legally wrong with the implementation of the "right to be forgotten" for users.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_chris_erased_user_account'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html'
  key: ghostLoginChallenge
- name: 'GDPR Data Theft'
  category: 'Sensitive Data Exposure'
  description: 'Steal someone else''s personal data without using Injection.'
  difficulty: 4
  hint: 'Trick the regular Data Export to give you more than actually belongs to you.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_steal_someone_elses_personal_data_without_using_injection'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html'
  key: dataExportChallenge
- name: 'HTTP-Header XSS'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Perform a <i>persisted</i> XSS attack with <code><iframe src="javascript:alert(`xss`)"></code> through an HTTP header.'
  difficulty: 4
  hint: 'Finding a piece of displayed information that could originate from an HTTP header is part of this challenge.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_through_an_http_header'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: httpHeaderXssChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'Imaginary Challenge'
  category: 'Cryptographic Issues'
  tags:
    - Shenanigans
    - Code Analysis
  description: 'Solve challenge #999. Unfortunately, this challenge does not exist.'
  difficulty: 6
  hint: 'You need to trick the hacking progress persistence feature into thinking you solved challenge #999.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_solve_challenge_999'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html'
  key: continueCodeChallenge
- name: 'Leaked Access Logs'
  category: 'Sensitive Data Exposure'
  tags:
    - OSINT
  description: 'Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)'
  difficulty: 5
  hint: 'Once you have it, a technique called "Password Spraying" might prove useful.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_dumpster_dive_the_internet_for_a_leaked_password_and_log_in_to_the_original_user_account_it_belongs_to'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html'
  key: dlpPasswordSprayingChallenge
- name: 'Leaked Unsafe Product'
  category: 'Sensitive Data Exposure'
  tags:
    - Shenanigans
    - OSINT
  description: 'Identify an unsafe product that was removed from the shop and <a href="/#/contact">inform the shop</a> which ingredients are dangerous.'
  difficulty: 4
  hint: 'Your own SQLi and someone else''s Ctrl-V will be your accomplices in this challenge!'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_identify_an_unsafe_product_that_was_removed_from_the_shop_and_inform_the_shop_which_ingredients_are_dangerous'
  mitigationUrl: null
  key: dlpPastebinDataLeakChallenge
- name: 'Legacy Typosquatting'
  category: 'Vulnerable Components'
  description: '<a href="/#/contact">Inform the shop</a> about a <i>typosquatting</i> trick it has been a victim of at least in <code>v6.2.0-SNAPSHOT</code>. (Mention the exact name of the culprit)'
  difficulty: 4
  hint: 'This challenge has nothing to do with mistyping web domains. Investigate the forgotten developer''s backup file instead.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_typosquatting_trick_it_has_been_a_victim_of'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
  key: typosquattingNpmChallenge
- name: 'Login Admin'
  category: 'Injection'
  tags:
    - Tutorial
    - Good for Demos
  description: 'Log in with the administrator''s user account.'
  difficulty: 2
  hint: 'Try different SQL Injection attack patterns depending whether you know the admin''s email address or not.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_the_administrators_user_account'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: loginAdminChallenge
  tutorial:
    order: 5
- name: 'Login Amy'
  category: 'Sensitive Data Exposure'
  tags:
    - OSINT
  description: 'Log in with Amy''s original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the "One Important Final Note")'
  difficulty: 3
  hint: 'This challenge will make you go after a needle in a haystack.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_log_in_with_amys_original_user_credentials'
  mitigationUrl: null
  key: loginAmyChallenge
- name: 'Login Bender'
  category: 'Injection'
  tags:
    - Tutorial
  description: 'Log in with Bender''s user account.'
  difficulty: 3
  hint: 'If you know Bender''s email address, try SQL Injection. Bender''s password hash might not help you very much.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_benders_user_account'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: loginBenderChallenge
  tutorial:
    order: 10
- name: 'Login Bjoern'
  category: 'Broken Authentication'
  tags:
    - Code Analysis
  description: 'Log in with Bjoern''s Gmail account <i>without</i> previously changing his password, applying SQL Injection, or hacking his Google account.'
  difficulty: 4
  hint: 'The security flaw behind this challenge is 100% OWASP Juice Shop''s fault and 0% Google''s.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_bjoerns_gmail_account'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
  key: oauthUserPasswordChallenge
- name: 'Login Jim'
  category: 'Injection'
  tags:
    - Tutorial
  description: 'Log in with Jim''s user account.'
  difficulty: 3
  hint: 'Try cracking Jim''s password hash if you harvested it already. Alternatively, if you know Jim''s email address, try SQL Injection.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_jims_user_account'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: loginJimChallenge
  tutorial:
    order: 9
- name: 'Login MC SafeSearch'
  category: 'Sensitive Data Exposure'
  tags:
    - Shenanigans
    - OSINT
  description: 'Log in with MC SafeSearch''s original user credentials without applying SQL Injection or any other bypass.'
  difficulty: 2
  hint: 'You should listen to MC''s hit song "Protect Ya Passwordz".'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_log_in_with_mc_safesearchs_original_user_credentials'
  mitigationUrl: null
  key: loginRapperChallenge
- name: 'Login Support Team'
  category: 'Security Misconfiguration'
  tags:
    - Brute Force
    - Code Analysis
  description: 'Log in with the support team''s original user credentials without applying SQL Injection or any other bypass.'
  difficulty: 6
  hint: 'The underlying flaw of this challenge is a lot more human error than technical weakness.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_log_in_with_the_support_teams_original_user_credentials'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
  key: loginSupportChallenge
- name: 'Manipulate Basket'
  category: 'Broken Access Control'
  description: 'Put an additional product into another user''s shopping basket.'
  difficulty: 3
  hint: 'Have an eye on the HTTP traffic while placing products in the shopping basket. Changing the quantity of products already in the basket doesn''t count.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_put_an_additional_product_into_another_users_shopping_basket'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: basketManipulateChallenge
- name: 'Misplaced Signature File'
  category: 'Sensitive Data Exposure'
  tags:
    - Good Practice
    - Contraption
  description: 'Access a misplaced <a href="https://github.com/Neo23x0/sigma">SIEM signature</a> file.'
  difficulty: 4
  hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_misplaced_siem_signature_file'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html'
  key: misplacedSignatureFileChallenge
- name: 'Multiple Likes'
  category: 'Broken Anti Automation'
  description: 'Like any review at least three times as the same user.'
  difficulty: 6
  hint: 'Punctuality is the politeness of kings.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_like_any_review_at_least_three_times_as_the_same_user'
  mitigationUrl: null
  key: timingAttackChallenge
- name: 'Nested Easter Egg'
  category: 'Cryptographic Issues'
  tags:
    - Shenanigans
    - Good for Demos
  description: 'Apply some advanced cryptanalysis to find <i>the real</i> easter egg.'
  difficulty: 4
  hint: 'You might have to peel through several layers of tough-as-nails encryption for this challenge.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_apply_some_advanced_cryptanalysis_to_find_the_real_easter_egg'
  mitigationUrl: null
  key: easterEggLevelTwoChallenge
- name: 'NoSQL DoS'
  category: 'Injection'
  tags:
    - Danger Zone
  description: 'Let the server sleep for some time. (It has done more than enough hard work for you)'
  difficulty: 4
  hint: 'This challenge is essentially a stripped-down Denial of Service (DoS) attack.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_let_the_server_sleep_for_some_time'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
  key: noSqlCommandChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'NoSQL Exfiltration'
  category: 'Injection'
  tags:
    - Danger Zone
  description: 'All your orders are belong to us! Even the ones which don''t.'
  difficulty: 5
  hint: 'Take a close look on how the $where query operator works in MongoDB.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_all_your_orders_are_belong_to_us'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html'
  key: noSqlOrdersChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
- name: 'NoSQL Manipulation'
  category: 'Injection'
  description: 'Update multiple product reviews at the same time.'
  difficulty: 4
  hint: 'Take a close look on how the equivalent of UPDATE-statements in MongoDB work.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_update_multiple_product_reviews_at_the_same_time'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html'
  key: noSqlReviewsChallenge
- name: 'Outdated Allowlist'
  category: 'Unvalidated Redirects'
  tags:
    - Code Analysis
  description: 'Let us redirect you to one of our crypto currency addresses which are not promoted any longer.'
  difficulty: 1
  hint: 'We might have failed to take this out of our code properly.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/unvalidated-redirects.html#_let_us_redirect_you_to_one_of_our_crypto_currency_addresses'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html'
  key: redirectCryptoCurrencyChallenge
- name: 'Password Strength'
  category: 'Broken Authentication'
  tags:
    - Brute Force
    - Tutorial
  description: 'Log in with the administrator''s user credentials without previously changing them or applying SQL Injection.'
  difficulty: 2
  hint: 'This one should be equally easy to a) brute force, b) crack the password hash or c) simply guess.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_the_administrators_user_credentials_without_previously_changing_them_or_applying_sql_injection'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
  key: weakPasswordChallenge
  tutorial:
    order: 6
- name: 'Payback Time'
  category: 'Improper Input Validation'
  description: 'Place an order that makes you rich.'
  difficulty: 3
  hint: 'You literally need to make the shop owe you any amount of money.'
  hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_place_an_order_that_makes_you_rich'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html'
  key: negativeOrderChallenge
-
name: 'Premium Paywall'
category: 'Cryptographic Issues'
tags:
- Shenanigans
description: '<i class="far fa-gem"></i><i class="far fa-gem"></i><i class="far fa-gem"></i><i class="far fa-gem"></i><i class="far fa-gem"></i><!--IvLuRfBJYlmStf9XfL6ckJFngyd9LfV1JaaN/KRTPQPidTuJ7FR+D/nkWJUF+0xUF07CeCeqYfxq+OJVVa0gNbqgYkUNvn//UbE7e95C+6e+7GtdpqJ8mqm4WcPvUGIUxmGLTTAC2+G9UuFCD1DUjg==--> <a href="https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm" target="_blank"><i class="fab fa-btc fa-sm"></i> Unlock Premium Challenge</a> to access exclusive content.'
difficulty: 6
hint: 'You do not have to pay anything to unlock this challenge! Nonetheless, donations are very much appreciated.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_unlock_premium_challenge_to_access_exclusive_content'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html'
key: premiumPaywallChallenge
-
name: 'Privacy Policy'
category: 'Miscellaneous'
tags:
- Good Practice
- Tutorial
- Good for Demos
description: 'Read our privacy policy.'
difficulty: 1
hint: 'We won''t even ask you to confirm that you did. Just read it. Please. Pretty please.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_read_our_privacy_policy'
mitigationUrl: ~
key: privacyPolicyChallenge
tutorial:
order: 4
-
name: 'Privacy Policy Inspection'
category: 'Security through Obscurity'
tags:
- Shenanigans
- Good for Demos
description: 'Prove that you actually read our privacy policy.'
difficulty: 3
hint: 'Only by visiting a special URL you can confirm that you read it carefully.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_prove_that_you_actually_read_our_privacy_policy'
mitigationUrl: ~
key: privacyPolicyProofChallenge
-
name: 'Product Tampering'
category: 'Broken Access Control'
description: 'Change the <code>href</code> of the link within the <a href="/#/search?q=OWASP SSL Advanced Forensic Tool (O-Saft)">OWASP SSL Advanced Forensic Tool (O-Saft)</a> product description into <i>https://owasp.slack.com</i>.'
difficulty: 3
hint: 'Look for one of the following: a) broken admin functionality, b) holes in RESTful API or c) possibility for SQL Injection.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_change_the_href_of_the_link_within_the_o_saft_product_description'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html'
key: changeProductChallenge
-
name: 'Reflected XSS'
category: 'XSS'
tags:
- Danger Zone
- Good for Demos
description: 'Perform a <i>reflected</i> XSS attack with <code><iframe src="javascript:alert(`xss`)"></code>.'
difficulty: 2
hint: 'Look for a url parameter where its value appears in the page it is leading to.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_reflected_xss_attack'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
key: reflectedXssChallenge
disabledEnv:
- Docker
- Heroku
- Gitpod
-
name: 'Repetitive Registration'
category: 'Improper Input Validation'
description: 'Follow the DRY principle while registering a user.'
difficulty: 1
hint: 'You can solve this by cleverly interacting with the UI or bypassing it altogether.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_follow_the_dry_principle_while_registering_a_user'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html'
key: passwordRepeatChallenge
-
name: 'Reset Bender''s Password'
category: 'Broken Authentication'
tags:
- OSINT
description: 'Reset Bender''s password via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.'
difficulty: 4
hint: 'Not as trivial as Jim''s but still not too difficult with some "Futurama" background knowledge.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_benders_password_via_the_forgot_password_mechanism'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
key: resetPasswordBenderChallenge
-
name: 'Reset Bjoern''s Password'
category: 'Broken Authentication'
tags:
- OSINT
description: 'Reset the password of Bjoern''s internal account via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.'
difficulty: 5
hint: 'Nothing a little bit of Facebook stalking couldn''t reveal. Might involve a historical twist.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_the_password_of_bjoerns_internal_account_via_the_forgot_password_mechanism'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
key: resetPasswordBjoernChallenge
-
name: 'Reset Jim''s Password'
category: 'Broken Authentication'
tags:
- OSINT
description: 'Reset Jim''s password via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.'
difficulty: 3
hint: 'It''s hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly exposed.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_jims_password_via_the_forgot_password_mechanism'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
key: resetPasswordJimChallenge
-
name: 'Reset Morty''s Password'
category: 'Broken Anti Automation'
tags:
- OSINT
- Brute Force
description: 'Reset Morty''s password via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>his obfuscated answer</i> to his security question.'
difficulty: 5
hint: 'Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty''s security question.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_reset_mortys_password_via_the_forgot_password_mechanism'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html'
key: resetPasswordMortyChallenge
-
name: 'Retrieve Blueprint'
category: 'Sensitive Data Exposure'
description: 'Deprive the shop of earnings by downloading the blueprint for one of its products.'
difficulty: 5
hint: 'The product you might want to give a closer look is the OWASP Juice Shop Logo (3D-printed).'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_deprive_the_shop_of_earnings_by_downloading_the_blueprint_for_one_of_its_products'
mitigationUrl: ~
key: retrieveBlueprintChallenge
-
name: 'SSRF'
category: 'Broken Access Control'
tags:
- Code Analysis
description: 'Request a hidden resource on server through server.'
difficulty: 6
hint: 'Reverse engineering something bad can make good things happen.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_request_a_hidden_resource_on_server_through_server'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html'
key: ssrfChallenge
-
name: 'SSTi'
category: 'Injection'
tags:
- Contraption
- Danger Zone
- Code Analysis
description: 'Infect the server with juicy malware by abusing arbitrary command execution.'
difficulty: 6
hint: '"SSTi" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_infect_the_server_with_juicy_malware_by_abusing_arbitrary_command_execution'
mitigationUrl: ~
key: sstiChallenge
disabledEnv:
- Docker
- Heroku
- Gitpod
-
name: 'Score Board'
category: 'Miscellaneous'
tags:
- Tutorial
- Code Analysis
description: 'Find the carefully hidden ''Score Board'' page.'
difficulty: 1
hint: 'Try to find a reference or clue behind the scenes. Or simply guess what URL the Score Board might have.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/score-board.html#_find_the_carefully_hidden_score_board_page'
mitigationUrl: ~
key: scoreBoardChallenge
tutorial:
order: 1
-
name: 'Security Policy'
category: 'Miscellaneous'
tags:
- Good Practice
description: 'Behave like any "white-hat" should before getting into the action.'
difficulty: 2
hint: 'Undoubtedly you want to read our security policy before conducting any research on our application.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_behave_like_any_white_hat_should_before_getting_into_the_action'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html'
key: securityPolicyChallenge
-
name: 'Server-side XSS Protection'
category: 'XSS'
tags:
- Danger Zone
description: 'Perform a <i>persisted</i> XSS attack with <code><iframe src="javascript:alert(`xss`)"></code> bypassing a <i>server-side</i> security mechanism.'
difficulty: 4
hint: 'The "Comment" field in the "Customer Feedback" screen is where you want to put your focus on.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_bypassing_a_server_side_security_mechanism'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
key: persistedXssFeedbackChallenge
disabledEnv:
- Docker
- Heroku
- Gitpod
-
name: 'Steganography'
category: 'Security through Obscurity'
tags:
- Shenanigans
description: '<a href="/#/contact">Rat out</a> a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)'
difficulty: 4
hint: 'No matter how good your eyes are, you will need tool assistance for this challenge.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_rat_out_a_notorious_character_hiding_in_plain_sight_in_the_shop'
mitigationUrl: ~
key: hiddenImageChallenge
-
name: 'Successful RCE DoS'
category: 'Insecure Deserialization'
tags:
- Danger Zone
description: 'Perform a Remote Code Execution that occupies the server for a while without using infinite loops.'
difficulty: 6
hint: 'Your attack payload must not trigger the protection against too many iterations.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/insecure-deserialization.html#_perform_a_remote_code_execution_that_occupies_the_server_for_a_while_without_using_infinite_loops'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
key: rceOccupyChallenge
disabledEnv:
- Docker
- Heroku
- Gitpod
-
name: 'Supply Chain Attack'
category: 'Vulnerable Components'
tags:
- OSINT
description: '<a href="/#/contact">Inform the development team</a> about a danger to some of <em>their</em> credentials. (Send them the URL of the <em>original report</em> or an assigned CVE or another identifier of this vulnerability)'
difficulty: 5
hint: 'This vulnerability will not affect any customer of the shop. It is aimed exclusively at its developers.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_development_team_about_a_danger_to_some_of_their_credentials'
mitigationUrl: ~
key: supplyChainAttackChallenge
-
name: 'Two Factor Authentication'
category: 'Broken Authentication'
description: 'Solve the 2FA challenge for user "wurstbrot". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)'
difficulty: 5
hint: 'The 2FA implementation requires to store a secret for every user. You will need to find a way to access this secret in order to solve this challenge.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_solve_the_2fa_challenge_for_user_wurstbrot'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html'
key: twoFactorAuthUnsafeSecretStorageChallenge
-
name: 'Unsigned JWT'
category: 'Vulnerable Components'
description: 'Forge an essentially unsigned JWT token that impersonates the (non-existing) user <i>jwtn3d@juice-sh.op</i>.'
difficulty: 5
hint: 'This challenge exploits a weird option that is supported when signing tokens with JWT.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_forge_an_essentially_unsigned_jwt_token'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html'
key: jwtUnsignedChallenge
-
name: 'Upload Size'
category: 'Improper Input Validation'
description: 'Upload a file larger than 100 kB.'
difficulty: 3
hint: 'You can attach a small file to the "Complaint" form. Investigate how this upload actually works.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_upload_a_file_larger_than_100_kb'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html'
key: uploadSizeChallenge
-
name: 'Upload Type'
category: 'Improper Input Validation'
description: 'Upload a file that has no .pdf or .zip extension.'
difficulty: 3
hint: 'You can attach a PDF or ZIP file to the "Complaint" form. Investigate how this upload actually works.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_upload_a_file_that_has_no_pdf_or_zip_extension'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html'
key: uploadTypeChallenge
-
name: 'User Credentials'
category: 'Injection'
description: 'Retrieve a list of all user credentials via SQL Injection.'
difficulty: 4
hint: 'Gather information on where user data is stored and how it is addressed. Then craft a corresponding UNION SELECT attack.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_retrieve_a_list_of_all_user_credentials_via_sql_injection'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
key: unionSqlInjectionChallenge
-
name: 'Video XSS'
category: 'XSS'
tags:
- Danger Zone
description: 'Embed an XSS payload <code></script><script>alert(`xss`)</script></code> into our promo video.'
difficulty: 6
hint: 'You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_embed_an_xss_payload_into_our_promo_video'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
key: videoXssChallenge
disabledEnv:
- Docker
- Heroku
- Gitpod
-
name: 'View Basket'
category: 'Broken Access Control'
tags:
- Tutorial
- Good for Demos
description: 'View another user''s shopping basket.'
difficulty: 2
hint: 'Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_view_another_users_shopping_basket'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
key: basketAccessChallenge
tutorial:
order: 7
-
name: 'Vulnerable Library'
category: 'Vulnerable Components'
tags:
- OSINT
description: '<a href="/#/contact">Inform the shop</a> about a vulnerable library it is using. (Mention the exact library name and version in your comment)'
difficulty: 4
hint: 'Report one of two possible answers via the "Customer Feedback" form. Do not forget to submit the library''s version as well.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_vulnerable_library_it_is_using'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html'
key: knownVulnerableComponentChallenge
-
name: 'Weird Crypto'
category: 'Cryptographic Issues'
description: '<a href="/#/contact">Inform the shop</a> about an algorithm or library it should definitely not use the way it does.'
difficulty: 2
hint: 'Report one of four possible answers via the "Customer Feedback" form.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_inform_the_shop_about_an_algorithm_or_library_it_should_definitely_not_use_the_way_it_does'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html'
key: weirdCryptoChallenge
-
name: 'Allowlist Bypass'
category: 'Unvalidated Redirects'
tags:
- Prerequisite
description: 'Enforce a redirect to a page you are not supposed to redirect to.'
difficulty: 4
hint: 'You have to find a way to beat the allowlist of allowed redirect URLs.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/unvalidated-redirects.html#_enforce_a_redirect_to_a_page_you_are_not_supposed_to_redirect_to'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html'
key: redirectChallenge
-
name: 'XXE Data Access'
category: 'XXE'
tags:
- Danger Zone
description: 'Retrieve the content of <code>C:\Windows\system.ini</code> or <code>/etc/passwd</code> from the server.'
difficulty: 3
hint: 'The leverage point for this challenge is the deprecated B2B interface.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xxe.html#_retrieve_the_content_of_cwindowssystemini_or_etcpasswd_from_the_server'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html'
key: xxeFileDisclosureChallenge
disabledEnv:
- Docker
- Heroku
- Gitpod
-
name: 'XXE DoS'
category: 'XXE'
tags:
- Danger Zone
description: 'Give the server something to chew on for quite a while.'
difficulty: 5
hint: 'It is not as easy as sending a large amount of data directly to the deprecated B2B interface.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xxe.html#_give_the_server_something_to_chew_on_for_quite_a_while'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html'
key: xxeDosChallenge
disabledEnv:
- Docker
- Heroku
- Gitpod
-
name: 'Zero Stars'
category: 'Improper Input Validation'
description: 'Give a devastating zero-star feedback to the store.'
difficulty: 1
hint: 'Before you invest time bypassing the API, you might want to play around with the UI a bit.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_give_a_devastating_zero_star_feedback_to_the_store'
mitigationUrl: ~
key: zeroStarsChallenge
-
name: 'Missing Encoding'
category: 'Improper Input Validation'
tags:
- Shenanigans
description: 'Retrieve the photo of Bjoern''s cat in "melee combat-mode".'
difficulty: 1
hint: 'Check the Photo Wall for an image that could not be loaded correctly.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_retrieve_the_photo_of_bjoerns_cat_in_melee_combat_mode'
mitigationUrl: ~
key: missingEncodingChallenge
-
name: 'Cross-Site Imaging'
category: 'Security Misconfiguration'
tags:
- Contraption
description: 'Stick <a href="http://placekitten.com/" target="_blank" rel="noopener noreferrer">cute cross-domain kittens</a> all over our delivery boxes.'
difficulty: 5
hint: 'This challenge would formally have to be in several categories as the developers made multiple gaffes for this to be possible.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_stick_cute_cross_domain_kittens_all_over_our_delivery_boxes' # FIXME hintUrl points at the injection.html guide page, but this challenge is categorised as 'Security Misconfiguration'; verify the anchor lives on the page matching the category
mitigationUrl: ~
key: svgInjectionChallenge
-
name: 'Exposed Metrics'
category: 'Sensitive Data Exposure'
tags:
- Good Practice
description: 'Find the endpoint that serves usage data to be scraped by a <a href="https://github.com/prometheus/prometheus">popular monitoring system</a>.'
difficulty: 1
hint: 'Try to guess what URL the endpoint might have.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_find_the_endpoint_that_serves_usage_data_to_be_scraped_by_a_popular_monitoring_system'
mitigationUrl: ~
key: exposedMetricsChallenge
-
name: 'Deluxe Fraud'
category: 'Improper Input Validation'
description: 'Obtain a Deluxe Membership without paying for it.'
difficulty: 3
hint: 'Look closely at what happens when you attempt to upgrade your account.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_obtain_a_deluxe_membership_without_paying_for_it'
mitigationUrl: ~
key: freeDeluxeChallenge
-
name: 'CSRF' # FIXME No e2e test automation! No longer works in Chrome >=80 and Firefox >=100 or other latest browsers!
category: 'Broken Access Control'
description: 'Change the name of a user by performing Cross-Site Request Forgery from <a href="http://htmledit.squarefree.com">another origin</a>.'
difficulty: 3
hint: 'Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_change_the_name_of_a_user_by_performing_cross_site_request_forgery_from_another_origin'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html'
key: csrfChallenge
-
name: 'Bonus Payload'
category: 'XSS'
tags:
- Shenanigans
- Tutorial
description: 'Use the bonus payload <code><iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe></code> in the <i>DOM XSS</i> challenge.'
difficulty: 1
hint: 'Copy + Paste = Solved!'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_use_the_bonus_payload_in_the_dom_xss_challenge'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html'
key: xssBonusChallenge
tutorial:
order: 3
-
name: 'Reset Uvogin''s Password'
category: 'Sensitive Data Exposure'
tags:
- OSINT
description: 'Reset Uvogin''s password via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.'
difficulty: 4
hint: 'You might have to do some OSINT on his social media personas to find out his honest answer to the security question.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_reset_uvogins_password_via_the_forgot_password_mechanism'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
key: resetPasswordUvoginChallenge
-
name: 'Meta Geo Stalking'
category: 'Sensitive Data Exposure'
tags:
- OSINT
description: 'Determine the answer to John''s security question by looking at an upload of him to the Photo Wall and use it to reset his password via the <a href="/#/forgot-password">Forgot Password</a> mechanism.'
difficulty: 2
hint: 'Take a look at the meta data of the corresponding photo.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_determine_the_answer_to_johns_security_question'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
key: geoStalkingMetaChallenge
-
name: 'Visual Geo Stalking'
category: 'Sensitive Data Exposure'
tags:
- OSINT
description: 'Determine the answer to Emma''s security question by looking at an upload of her to the Photo Wall and use it to reset her password via the <a href="/#/forgot-password">Forgot Password</a> mechanism.'
difficulty: 2
hint: 'Take a look at the details in the photo to determine the location of where it was taken.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_determine_the_answer_to_emmas_security_question'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
key: geoStalkingVisualChallenge
-
name: 'Kill Chatbot'
category: 'Vulnerable Components'
tags:
- Code Analysis
description: 'Permanently disable the support chatbot so that it can no longer answer customer queries.'
difficulty: 5
hint: 'Think of a way to get a hold of the internal workings of the chatbot API.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_permanently_disable_the_support_chatbot' # FIXME hintUrl points at the improper-input-validation.html guide page, but this challenge is categorised as 'Vulnerable Components'; verify the anchor lives on the page matching the category
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
key: killChatbotChallenge
-
name: 'Poison Null Byte'
category: 'Improper Input Validation'
tags:
- Prerequisite
description: 'Bypass a security control with a <a href="https://hakipedia.com/index.php/Poison_Null_Byte">Poison Null Byte</a> to access a file not meant for your eyes.'
difficulty: 4
hint: 'Read up on how a null byte can cut a string short in some file-handling code, then look for a place where access to a file is restricted based on its name.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_bypass_a_security_control_with_a_poison_null_byte'
mitigationUrl: ~
key: nullByteChallenge
-
name: 'Bully Chatbot'
category: 'Miscellaneous'
tags:
- Shenanigans
- Brute Force
description: 'Receive a coupon code from the support chatbot.'
difficulty: 1
hint: 'Just keep asking.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_receive_a_coupon_code_from_the_support_chatbot'
mitigationUrl: ~
key: bullyChatbotChallenge
-
name: 'Local File Read'
category: 'Vulnerable Components'
tags:
- OSINT
- Danger Zone
difficulty: 5
hint: 'You should read up on vulnerabilities in popular NodeJs template engines.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_gain_read_access_to_an_arbitrary_local_file_on_the_web_server'
description: 'Gain read access to an arbitrary local file on the web server.'
key: 'lfrChallenge' # FIXME only entry without a mitigationUrl (other entries use ~ when none applies) and the only one whose keys deviate from the usual order
disabledEnv:
- Docker
- Heroku
- Gitpod
-
name: 'Mass Dispel'
category: 'Miscellaneous'
description: 'Close multiple "Challenge solved"-notifications in one go.'
difficulty: 1
hint: 'Either check the official documentation or inspect a notification UI element directly.'
hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/score-board.html#_close_multiple_challenge_solved_notifications_in_one_go'
mitigationUrl: ~
key: closeNotificationsChallenge