juice-shop/juice-shop

data/static/challenges.yml

-
  name: 'API-only XSS'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code> without using the frontend application at all.'
  difficulty: 3
  hint: 'You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-persisted-xss-attack-without-using-the-frontend-application-at-all'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: restfulXssChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Access Log'
  category: 'Sensitive Data Exposure'
  description: 'Gain access to any access log file of the server.'
  difficulty: 4
  hint: 'Who would want a server access log to be accessible through a web application?'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#gain-access-to-any-access-log-file-of-the-server'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html'
  key: accessLogDisclosureChallenge
-
  name: 'Admin Registration'
  category: 'Improper Input Validation'
  description: 'Register as a user with administrator privileges.'
  difficulty: 3
  hint: 'You have to assign the unassignable.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#register-as-a-user-with-administrator-privileges'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html'
  key: registerAdminChallenge
-
  name: 'Admin Section'
  category: 'Broken Access Control'
  tags:
    - Good for Demos
  description: 'Access the administration section of the store.'
  difficulty: 2
  hint: 'It is just slightly harder to find than the score board link.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#access-the-administration-section-of-the-store'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: adminSectionChallenge
-
  name: 'Arbitrary File Write'
  category: 'Vulnerable Components'
  tags:
    - Danger Zone
    - Prerequisite
  description: 'Overwrite the <a href="/ftp/legal.md">Legal Information</a> file.'
  difficulty: 6
  hint: 'Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#overwrite-the-legal-information-file'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
  key: fileWriteChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Bjoern''s Favorite Pet'
  category: 'Broken Authentication'
  tags:
    - OSINT
  description: 'Reset the password of Bjoern''s OWASP account via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.'
  difficulty: 3
  hint: 'He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#reset-the-password-of-bjoerns-owasp-account-via-the-forgot-password-mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: resetPasswordBjoernOwaspChallenge
-
  name: 'Blockchain Hype'
  category: 'Security through Obscurity'
  tags:
    - Contraption
    - Code Analysis
  description: 'Learn about the Token Sale before its official announcement.'
  difficulty: 5
  hint: 'The developers truly believe in "Security through Obscurity" over actual access restrictions.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/security-through-obscurity.html#learn-about-the-token-sale-before-its-official-announcement'
  mitigationUrl: ~
  key: tokenSaleChallenge
-
  name: 'Blocked RCE DoS'
  category: 'Insecure Deserialization'
  tags:
    - Danger Zone
  description: 'Perform a Remote Code Execution that would keep a less hardened application busy <em>forever</em>.'
  difficulty: 5
  hint: 'The feature you need to exploit for this challenge is not directly advertised anywhere.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/insecure-deserialization.html#perform-a-remote-code-execution-that-would-keep-a-less-hardened-application-busy-forever'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
  key: rceChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'CAPTCHA Bypass'
  category: 'Broken Anti Automation'
  tags:
    - Brute Force
  description: 'Submit 10 or more customer feedbacks within 20 seconds.'
  difficulty: 3
  hint: 'After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-anti-automation.html#submit-10-or-more-customer-feedbacks-within-20-seconds'
  mitigationUrl: ~
  key: captchaBypassChallenge
-
  name: 'Change Bender''s Password'
  category: 'Broken Authentication'
  description: 'Change Bender''s password into <i>slurmCl4ssic</i> without using SQL Injection or Forgot Password.'
  difficulty: 5
  hint: 'In previous releases this challenge was wrongly accused of being based on CSRF.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#change-benders-password-into-slurmcl4ssic-without-using-sql-injection-or-forgot-password'
  mitigationUrl: ~
  key: changePasswordBenderChallenge
-
  name: 'Christmas Special'
  category: 'Injection'
  description: 'Order the Christmas special offer of 2014.'
  difficulty: 4
  hint: 'Find out how the application handles unavailable products and try to find a loophole.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#order-the-christmas-special-offer-of-2014'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: christmasSpecialChallenge
-
  name: 'CSP Bypass'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Bypass the Content Security Policy and perform an XSS attack with <code>&lt;script&gt;alert(`xss`)&lt;/script&gt;</code> on a legacy page within the application.'
  difficulty: 4
  hint: 'What is even "better" than a legacy page with a homegrown RegEx sanitizer? Having CSP injection issues on the exact same page as well!'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#bypass-the-content-security-policy-and-perform-an-xss-attack-on-a-legacy-page'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: usernameXssChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Client-side XSS Protection'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code> bypassing a <i>client-side</i> security mechanism.'
  difficulty: 3
  hint: 'Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-persisted-xss-attack-bypassing-a-client-side-security-mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: persistedXssUserChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Confidential Document'
  category: 'Sensitive Data Exposure'
  tags:
    - Good for Demos
  description: 'Access a confidential document.'
  difficulty: 1
  hint: 'Analyze and tamper with links in the application that deliver a file directly.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#access-a-confidential-document'
  mitigationUrl: ~
  key: directoryListingChallenge
-
  name: 'DOM XSS'
  category: 'XSS'
  tags:
    - Tutorial
    - Good for Demos
  description: 'Perform a <i>DOM</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code>.'
  difficulty: 1
  hint: 'Look for an input field where its content appears in the HTML when its form is submitted.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-dom-xss-attack'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html'
  key: localXssChallenge
  tutorial:
    order: 2
-
  name: 'Database Schema'
  category: 'Injection'
  description: 'Exfiltrate the entire DB schema definition via SQL Injection.'
  difficulty: 3
  hint: 'Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#exfiltrate-the-entire-db-schema-definition-via-sql-injection'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: dbSchemaChallenge
-
  name: 'Deprecated Interface'
  category: 'Security Misconfiguration'
  tags:
    - Contraption
    - Prerequisite
  description: 'Use a deprecated B2B interface that was not properly shut down.'
  difficulty: 2
  hint: 'The developers who disabled the interface think they could go invisible by just closing their eyes.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/security-misconfiguration.html#use-a-deprecated-b2b-interface-that-was-not-properly-shut-down'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html'
  key: deprecatedInterfaceChallenge
-
  name: 'Easter Egg'
  category: 'Broken Access Control'
  tags:
    - Shenanigans
    - Contraption
    - Good for Demos
  description: 'Find the hidden <a href="http://en.wikipedia.org/wiki/Easter_egg_(media)" target="_blank">easter egg</a>.'
  difficulty: 4
  hint: 'If you solved one of the three file access challenges, you already know where to find the easter egg.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#find-the-hidden-easter-egg'
  mitigationUrl: ~
  key: easterEggLevelOneChallenge
-
  name: 'Email Leak'
  category: 'Sensitive Data Exposure'
  description: 'Perform an unwanted information disclosure by accessing data cross-domain.'
  difficulty: 5
  hint: 'Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#perform-an-unwanted-information-disclosure-by-accessing-data-cross-domain'
  mitigationUrl: ~
  key: emailLeakChallenge
-
  name: 'Ephemeral Accountant'
  category: 'Injection'
  description: 'Log in with the (non-existing) accountant <i>acc0unt4nt@juice-sh.op</i> without ever registering that user.'
  difficulty: 4
  hint: 'Try to create the needed user "out of thin air".'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#log-in-with-the-non-existing-accountant-without-ever-registering-that-user'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: ephemeralAccountantChallenge
-
  name: 'Error Handling'
  category: 'Security Misconfiguration'
  tags:
    - Prerequisite
  description: 'Provoke an error that is neither very gracefully nor consistently handled.'
  difficulty: 1
  hint: 'Try to submit bad input to forms. Alternatively tamper with URL paths or parameters.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/security-misconfiguration.html#provoke-an-error-that-is-neither-very-gracefully-nor-consistently-handled'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html'
  key: errorHandlingChallenge
-
  name: 'Expired Coupon'
  category: 'Improper Input Validation'
  description: 'Successfully redeem an expired campaign coupon code.'
  difficulty: 4
  hint: 'Try to identify past special event or holiday campaigns of the shop first.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#successfully-redeem-an-expired-campaign-coupon-code'
  mitigationUrl: ~
  key: manipulateClockChallenge
-
  name: 'Extra Language'
  category: 'Broken Anti Automation'
  tags:
    - Brute Force
  description: 'Retrieve the language file that never made it into production.'
  difficulty: 5
  hint: 'Brute force is not the only option for this challenge, but a perfectly viable one.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-anti-automation.html#retrieve-the-language-file-that-never-made-it-into-production'
  mitigationUrl: ~
  key: extraLanguageChallenge
-
  name: 'Five-Star Feedback'
  category: 'Broken Access Control'
  description: 'Get rid of all 5-star customer feedback.'
  difficulty: 2
  hint: 'Once you found admin section of the application, this challenge is almost trivial.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#get-rid-of-all-5-star-customer-feedback'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: feedbackChallenge
-
  name: 'Forged Coupon'
  category: 'Cryptographic Issues'
  tags:
    - Good for Demos
    - Code Analysis
  description: 'Forge a coupon code that gives you a discount of at least 80%.'
  difficulty: 6
  hint: 'Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/cryptographic-issues.html#forge-a-coupon-code-that-gives-you-a-discount-of-at-least-80'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html'
  key: forgedCouponChallenge
-
  name: 'Forged Feedback'
  category: 'Broken Access Control'
  tags:
    - Tutorial
  description: "Post some feedback in another user's name."
  difficulty: 3
  hint: 'You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#post-some-feedback-in-another-users-name'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: forgedFeedbackChallenge
  tutorial:
    order: 8
-
  name: 'Forged Review'
  category: 'Broken Access Control'
  description: 'Post a product review as another user or edit any user''s existing review.'
  difficulty: 3
  hint: 'Observe the flow of product review posting and editing and see if you can exploit it.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#post-a-product-review-as-another-user-or-edit-any-users-existing-review'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: forgedReviewChallenge
-
  name: 'Forged Signed JWT'
  category: 'Vulnerable Components'
  description: 'Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user <i>rsa_lord@juice-sh.op</i>.'
  difficulty: 6
  hint: 'This challenge is explicitly not about acquiring the RSA private key used for JWT signing.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#forge-an-almost-properly-rsa-signed-jwt-token'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html'
  key: jwtForgedChallenge
  disabledEnv:
    - Windows
-
  name: 'Forgotten Developer Backup'
  category: 'Sensitive Data Exposure'
  tags:
    - Contraption
    - Good for Demos
    - Prerequisite
  description: 'Access a developer''s forgotten backup file.'
  difficulty: 4
  hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#access-a-developers-forgotten-backup-file'
  mitigationUrl: ~
  key: forgottenDevBackupChallenge
-
  name: 'Forgotten Sales Backup'
  category: 'Sensitive Data Exposure'
  tags:
    - Contraption
  description: 'Access a salesman''s forgotten backup file.'
  difficulty: 4
  hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#access-a-salesmans-forgotten-backup-file'
  mitigationUrl: ~
  key: forgottenBackupChallenge
-
  name: 'Frontend Typosquatting'
  category: 'Vulnerable Components'
  description: '<a href="/#/contact">Inform the shop</a> about a <i>typosquatting</i> imposter that dug itself deep into the frontend. (Mention the exact name of the culprit)'
  difficulty: 5
  hint: 'This challenge has nothing to do with mistyping web domains. There is no conveniently misplaced file helping you with this one either. Or is there?'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#inform-the-shop-about-a-typosquatting-imposter-that-dug-itself-deep-into-the-frontend'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
  key: typosquattingAngularChallenge
-
  name: 'GDPR Data Erasure'
  category: 'Broken Authentication'
  description: 'Log in with Chris'' erased user account.'
  difficulty: 3
  hint: 'Turns out that something is technically and legally wrong with the implementation of the "right to be forgotten" for users.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#log-in-with-chris-erased-user-account'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html'
  key: ghostLoginChallenge
-
  name: 'GDPR Data Theft'
  category: 'Sensitive Data Exposure'
  description: 'Steal someone else''s personal data without using Injection.'
  difficulty: 4
  hint: 'Trick the regular Data Export to give you more than actually belongs to you.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#steal-someone-elses-personal-data-without-using-injection'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html'
  key: dataExportChallenge
-
  name: 'HTTP-Header XSS'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code> through an HTTP header.'
  difficulty: 4
  hint: 'Finding a piece of displayed information that could originate from an HTTP header is part of this challenge.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-persisted-xss-attack-through-an-http-header'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: httpHeaderXssChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Imaginary Challenge'
  category: 'Cryptographic Issues'
  tags:
    - Shenanigans
    - Code Analysis
  description: 'Solve challenge #999. Unfortunately, this challenge does not exist.'
  difficulty: 6
  hint: 'You need to trick the hacking progress persistence feature into thinking you solved challenge #999.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/cryptographic-issues.html#solve-challenge-999'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html'
  key: continueCodeChallenge
-
  name: 'Leaked Access Logs'
  category: 'Sensitive Data Exposure'
  tags:
    - OSINT
  description: 'Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)'
  difficulty: 5
  hint: 'Once you have it, a technique called "Password Spraying" might prove useful.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#dumpster-dive-the-internet-for-a-leaked-password-and-log-in-to-the-original-user-account-it-belongs-to'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html'
  key: dlpPasswordSprayingChallenge
-
  name: 'Leaked Unsafe Product'
  category: 'Sensitive Data Exposure'
  tags:
    - Shenanigans
    - OSINT
  description: 'Identify an unsafe product that was removed from the shop and <a href="/#/contact">inform the shop</a> which ingredients are dangerous.'
  difficulty: 4
  hint: 'Your own SQLi and someone else''s Ctrl-V will be your accomplices in this challenge!'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#identify-an-unsafe-product-that-was-removed-from-the-shop-and-inform-the-shop-which-ingredients-are-dangerous'
  mitigationUrl: ~
  key: dlpPastebinDataLeakChallenge
-
  name: 'Legacy Typosquatting'
  category: 'Vulnerable Components'
  description: '<a href="/#/contact">Inform the shop</a> about a <i>typosquatting</i> trick it has been a victim of at least in <code>v6.2.0-SNAPSHOT</code>. (Mention the exact name of the culprit)'
  difficulty: 4
  hint: 'This challenge has nothing to do with mistyping web domains. Investigate the forgotten developer''s backup file instead.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#inform-the-shop-about-a-typosquatting-trick-it-has-been-a-victim-of'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
  key: typosquattingNpmChallenge
-
  name: 'Login Admin'
  category: 'Injection'
  tags:
    - Tutorial
    - Good for Demos
  description: 'Log in with the administrator''s user account.'
  difficulty: 2
  hint: 'Try different SQL Injection attack patterns depending whether you know the admin''s email address or not.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#log-in-with-the-administrators-user-account'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: loginAdminChallenge
  tutorial:
    order: 5
-
  name: 'Login Amy'
  category: 'Sensitive Data Exposure'
  tags:
    - OSINT
  description: 'Log in with Amy''s original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the "One Important Final Note")'
  difficulty: 3
  hint: 'This challenge will make you go after a needle in a haystack.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#log-in-with-amys-original-user-credentials'
  mitigationUrl: ~
  key: loginAmyChallenge
-
  name: 'Login Bender'
  category: 'Injection'
  tags:
    - Tutorial
  description: 'Log in with Bender''s user account.'
  difficulty: 3
  hint: 'If you know Bender''s email address, try SQL Injection. Bender''s password hash might not help you very much.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#log-in-with-benders-user-account'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: loginBenderChallenge
  tutorial:
    order: 10
-
  name: 'Login Bjoern'
  category: 'Broken Authentication'
  tags:
    - Code Analysis
  description: 'Log in with Bjoern''s Gmail account <i>without</i> previously changing his password, applying SQL Injection, or hacking his Google account.'
  difficulty: 4
  hint: 'The security flaw behind this challenge is 100% OWASP Juice Shop''s fault and 0% Google''s.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#log-in-with-bjoerns-gmail-account'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
  key: oauthUserPasswordChallenge
-
  name: 'Login Jim'
  category: 'Injection'
  tags:
    - Tutorial
  description: 'Log in with Jim''s user account.'
  difficulty: 3
  hint: 'Try cracking Jim''s password hash if you harvested it already. Alternatively, if you know Jim''s email address, try SQL Injection.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#log-in-with-jims-user-account'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: loginJimChallenge
  tutorial:
    order: 9
-
  name: 'Login MC SafeSearch'
  category: 'Sensitive Data Exposure'
  tags:
    - Shenanigans
    - OSINT
  description: 'Log in with MC SafeSearch''s original user credentials without applying SQL Injection or any other bypass.'
  difficulty: 2
  hint: 'You should listen to MC''s hit song "Protect Ya Passwordz".'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#log-in-with-mc-safesearchs-original-user-credentials'
  mitigationUrl: ~
  key: loginRapperChallenge
-
  name: 'Login Support Team'
  category: 'Security Misconfiguration'
  tags:
    - Brute Force
    - Code Analysis
  description: 'Log in with the support team''s original user credentials without applying SQL Injection or any other bypass.'
  difficulty: 6
  hint: 'The underlying flaw of this challenge is a lot more human error than technical weakness.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/security-misconfiguration.html#log-in-with-the-support-teams-original-user-credentials'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
  key: loginSupportChallenge
-
  name: 'Manipulate Basket'
  category: 'Broken Access Control'
  description: 'Put an additional product into another user''s shopping basket.'
  difficulty: 3
  hint: 'Have an eye on the HTTP traffic while placing products in the shopping basket. Changing the quantity of products already in the basket doesn''t count.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#put-an-additional-product-into-another-users-shopping-basket'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: basketManipulateChallenge
-
  name: 'Misplaced Signature File'
  category: 'Sensitive Data Exposure'
  tags:
    - Good Practice
    - Contraption
  description: 'Access a misplaced <a href="https://github.com/Neo23x0/sigma">SIEM signature</a> file.'
  difficulty: 4
  hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#access-a-misplaced-siem-signature-file'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html'
  key: misplacedSignatureFileChallenge
-
  name: 'Multiple Likes'
  category: 'Broken Anti Automation'
  description: 'Like any review at least three times as the same user.'
  difficulty: 6
  hint: 'Punctuality is the politeness of kings.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-anti-automation.html#like-any-review-at-least-three-times-as-the-same-user'
  mitigationUrl: ~
  key: timingAttackChallenge
-
  name: 'Nested Easter Egg'
  category: 'Cryptographic Issues'
  tags:
    - Shenanigans
    - Good for Demos
  description: 'Apply some advanced cryptanalysis to find <i>the real</i> easter egg.'
  difficulty: 4
  hint: 'You might have to peel through several layers of tough-as-nails encryption for this challenge.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/cryptographic-issues.html#apply-some-advanced-cryptanalysis-to-find-the-real-easter-egg'
  mitigationUrl: ~
  key: easterEggLevelTwoChallenge
-
  name: 'NoSQL DoS'
  category: 'Injection'
  tags:
    - Danger Zone
  description: 'Let the server sleep for some time. (It has done more than enough hard work for you)'
  difficulty: 4
  hint: 'This challenge is essentially a stripped-down Denial of Service (DoS) attack.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#let-the-server-sleep-for-some-time'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
  key: noSqlCommandChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'NoSQL Exfiltration'
  category: 'Injection'
  tags:
    - Danger Zone
  description: 'All your orders are belong to us! Even the ones which don''t.'
  difficulty: 5
  hint: 'Take a close look on how the $where query operator works in MongoDB.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#all-your-orders-are-belong-to-us'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html'
  key: noSqlOrdersChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'NoSQL Manipulation'
  category: 'Injection'
  description: 'Update multiple product reviews at the same time.'
  difficulty: 4
  hint: 'Take a close look on how the equivalent of UPDATE-statements in MongoDB work.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#update-multiple-product-reviews-at-the-same-time'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html'
  key: noSqlReviewsChallenge
-
  name: 'Outdated Allowlist'
  category: 'Unvalidated Redirects'
  tags:
    - Code Analysis
  description: 'Let us redirect you to one of our crypto currency addresses which are not promoted any longer.'
  difficulty: 1
  hint: 'We might have failed to take this out of our code properly.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/unvalidated-redirects.html#let-us-redirect-you-to-one-of-our-crypto-currency-addresses'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html'
  key: redirectCryptoCurrencyChallenge
-
  name: 'Password Strength'
  category: 'Broken Authentication'
  tags:
    - Brute Force
    - Tutorial
  description: 'Log in with the administrator''s user credentials without previously changing them or applying SQL Injection.'
  difficulty: 2
  hint: 'This one should be equally easy to a) brute force, b) crack the password hash or c) simply guess.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#log-in-with-the-administrators-user-credentials-without-previously-changing-them-or-applying-sql-injection'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
  key: weakPasswordChallenge
  tutorial:
    order: 6
-
  name: 'Payback Time'
  category: 'Improper Input Validation'
  description: 'Place an order that makes you rich.'
  difficulty: 3
  hint: 'You literally need to make the shop owe you any amount of money.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#place-an-order-that-makes-you-rich'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html'
  key: negativeOrderChallenge
-
  name: 'Premium Paywall'
  category: 'Cryptographic Issues'
  tags:
    - Shenanigans
  description: '<i class="far fa-gem"></i><i class="far fa-gem"></i><i class="far fa-gem"></i><i class="far fa-gem"></i><i class="far fa-gem"></i><!--IvLuRfBJYlmStf9XfL6ckJFngyd9LfV1JaaN/KRTPQPidTuJ7FR+D/nkWJUF+0xUF07CeCeqYfxq+OJVVa0gNbqgYkUNvn//UbE7e95C+6e+7GtdpqJ8mqm4WcPvUGIUxmGLTTAC2+G9UuFCD1DUjg==--> <a href="https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm" target="_blank"><i class="fab fa-btc fa-sm"></i> Unlock Premium Challenge</a> to access exclusive content.'
  difficulty: 6
  hint: 'You do not have to pay anything to unlock this challenge! Nonetheless, donations are very much appreciated.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/cryptographic-issues.html#unlock-premium-challenge-to-access-exclusive-content'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html'
  key: premiumPaywallChallenge
-
  name: 'Privacy Policy'
  category: 'Miscellaneous'
  tags:
    - Good Practice
    - Tutorial
    - Good for Demos
  description: 'Read our privacy policy.'
  difficulty: 1
  hint: 'We won''t even ask you to confirm that you did. Just read it. Please. Pretty please.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/miscellaneous.html#read-our-privacy-policy'
  mitigationUrl: ~
  key: privacyPolicyChallenge
  tutorial:
    order: 4
-
  name: 'Privacy Policy Inspection'
  category: 'Security through Obscurity'
  tags:
    - Shenanigans
    - Good for Demos
  description: 'Prove that you actually read our privacy policy.'
  difficulty: 3
  hint: 'Only by visiting a special URL can you confirm that you read it carefully.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/security-through-obscurity.html#prove-that-you-actually-read-our-privacy-policy'
  mitigationUrl: ~
  key: privacyPolicyProofChallenge
-
  name: 'Product Tampering'
  category: 'Broken Access Control'
  description: 'Change the <code>href</code> of the link within the <a href="/#/search?q=OWASP SSL Advanced Forensic Tool (O-Saft)">OWASP SSL Advanced Forensic Tool (O-Saft)</a> product description into <i>https://owasp.slack.com</i>.'
  difficulty: 3
  hint: 'Look for one of the following: a) broken admin functionality, b) holes in the RESTful API or c) possibility for SQL Injection.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#change-the-href-of-the-link-within-the-o-saft-product-description'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html'
  key: changeProductChallenge
-
  name: 'Reflected XSS'
  category: 'XSS'
  tags:
    - Danger Zone
    - Good for Demos
  description: 'Perform a <i>reflected</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code>.'
  difficulty: 2
  hint: 'Look for a URL parameter whose value appears in the page it leads to.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-reflected-xss-attack'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: reflectedXssChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Repetitive Registration'
  category: 'Improper Input Validation'
  description: 'Follow the DRY principle while registering a user.'
  difficulty: 1
  hint: 'You can solve this by cleverly interacting with the UI or bypassing it altogether.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#follow-the-dry-principle-while-registering-a-user'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html'
  key: passwordRepeatChallenge
-
  name: 'Reset Bender''s Password'
  category: 'Broken Authentication'
  tags:
    - OSINT
  description: 'Reset Bender''s password via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.'
  difficulty: 4
  hint: 'Not as trivial as Jim''s but still not too difficult with some "Futurama" background knowledge.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#reset-benders-password-via-the-forgot-password-mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: resetPasswordBenderChallenge
-
  name: 'Reset Bjoern''s Password'
  category: 'Broken Authentication'
  tags:
    - OSINT
  description: 'Reset the password of Bjoern''s internal account via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.'
  difficulty: 5
  hint: 'Nothing a little bit of Facebook stalking couldn''t reveal. Might involve a historical twist.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#reset-the-password-of-bjoerns-internal-account-via-the-forgot-password-mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: resetPasswordBjoernChallenge
-
  name: 'Reset Jim''s Password'
  category: 'Broken Authentication'
  tags:
    - OSINT
  description: 'Reset Jim''s password via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.'
  difficulty: 3
  hint: 'It''s hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly exposed.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#reset-jims-password-via-the-forgot-password-mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: resetPasswordJimChallenge
-
  name: 'Reset Morty''s Password'
  category: 'Broken Anti Automation'
  tags:
    - OSINT
    - Brute Force
  description: 'Reset Morty''s password via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>his obfuscated answer</i> to his security question.'
  difficulty: 5
  hint: 'Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty''s security question.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-anti-automation.html#reset-mortys-password-via-the-forgot-password-mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html'
  key: resetPasswordMortyChallenge
-
  name: 'Retrieve Blueprint'
  category: 'Sensitive Data Exposure'
  description: 'Deprive the shop of earnings by downloading the blueprint for one of its products.'
  difficulty: 5
  hint: 'The product you might want to give a closer look is the OWASP Juice Shop Logo (3D-printed).'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#deprive-the-shop-of-earnings-by-downloading-the-blueprint-for-one-of-its-products'
  mitigationUrl: ~
  key: retrieveBlueprintChallenge
-
  name: 'SSRF'
  category: 'Broken Access Control'
  tags:
    - Code Analysis
  description: 'Request a hidden resource on server through server.'
  difficulty: 6
  hint: 'Reverse engineering something bad can make good things happen.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#request-a-hidden-resource-on-server-through-server'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html'
  key: ssrfChallenge
-
  name: 'SSTi'
  category: 'Injection'
  tags:
    - Contraption
    - Danger Zone
    - Code Analysis
  description: 'Infect the server with juicy malware by abusing arbitrary command execution.'
  difficulty: 6
  hint: '"SSTi" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#infect-the-server-with-juicy-malware-by-abusing-arbitrary-command-execution'
  mitigationUrl: ~
  key: sstiChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Score Board'
  category: 'Miscellaneous'
  tags:
    - Tutorial
    - Code Analysis
  description: 'Find the carefully hidden ''Score Board'' page.'
  difficulty: 1
  hint: 'Try to find a reference or clue behind the scenes. Or simply guess what URL the Score Board might have.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/score-board.html#find-the-carefully-hidden-score-board-page'
  mitigationUrl: ~
  key: scoreBoardChallenge
  tutorial:
    order: 1
-
  name: 'Security Policy'
  category: 'Miscellaneous'
  tags:
    - Good Practice
  description: 'Behave like any "white-hat" should before getting into the action.'
  difficulty: 2
  hint: 'Undoubtedly you want to read our security policy before conducting any research on our application.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/miscellaneous.html#behave-like-any-white-hat-should-before-getting-into-the-action'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html'
  key: securityPolicyChallenge
-
  name: 'Server-side XSS Protection'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src="javascript:alert(`xss`)"&gt;</code> bypassing a <i>server-side</i> security mechanism.'
  difficulty: 4
  hint: 'The "Comment" field in the "Customer Feedback" screen is where you want to put your focus.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-persisted-xss-attack-bypassing-a-server-side-security-mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: persistedXssFeedbackChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Steganography'
  category: 'Security through Obscurity'
  tags:
    - Shenanigans
  description: '<a href="/#/contact">Rat out</a> a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)'
  difficulty: 4
  hint: 'No matter how good your eyes are, you will need tool assistance for this challenge.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/security-through-obscurity.html#rat-out-a-notorious-character-hiding-in-plain-sight-in-the-shop'
  mitigationUrl: ~
  key: hiddenImageChallenge
-
  name: 'Successful RCE DoS'
  category: 'Insecure Deserialization'
  tags:
    - Danger Zone
  description: 'Perform a Remote Code Execution that occupies the server for a while without using infinite loops.'
  difficulty: 6
  hint: 'Your attack payload must not trigger the protection against too many iterations.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/insecure-deserialization.html#perform-a-remote-code-execution-that-occupies-the-server-for-a-while-without-using-infinite-loops'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
  key: rceOccupyChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Supply Chain Attack'
  category: 'Vulnerable Components'
  tags:
    - OSINT
  description: '<a href="/#/contact">Inform the development team</a> about a danger to some of <em>their</em> credentials. (Send them the URL of the <em>original report</em> or an assigned CVE or another identifier of this vulnerability)'
  difficulty: 5
  hint: 'This vulnerability will not affect any customer of the shop. It is aimed exclusively at its developers.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#inform-the-development-team-about-a-danger-to-some-of-their-credentials'
  mitigationUrl: ~
  key: supplyChainAttackChallenge
-
  name: 'Two Factor Authentication'
  category: 'Broken Authentication'
  description: 'Solve the 2FA challenge for user "wurstbrot". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)'
  difficulty: 5
  hint: 'The 2FA implementation requires storing a secret for every user. You will need to find a way to access this secret in order to solve this challenge.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#solve-the-2fa-challenge-for-user-wurstbrot'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html'
  key: twoFactorAuthUnsafeSecretStorageChallenge
-
  name: 'Unsigned JWT'
  category: 'Vulnerable Components'
  description: 'Forge an essentially unsigned JWT token that impersonates the (non-existing) user <i>jwtn3d@juice-sh.op</i>.'
  difficulty: 5
  hint: 'This challenge exploits a weird option that is supported when signing tokens with JWT.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#forge-an-essentially-unsigned-jwt-token'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html'
  key: jwtUnsignedChallenge
-
  name: 'Upload Size'
  category: 'Improper Input Validation'
  description: 'Upload a file larger than 100 kB.'
  difficulty: 3
  hint: 'You can attach a small file to the "Complaint" form. Investigate how this upload actually works.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#upload-a-file-larger-than-100-kb'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html'
  key: uploadSizeChallenge
-
  name: 'Upload Type'
  category: 'Improper Input Validation'
  description: 'Upload a file that has no .pdf or .zip extension.'
  difficulty: 3
  hint: 'You can attach a PDF or ZIP file to the "Complaint" form. Investigate how this upload actually works.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#upload-a-file-that-has-no-pdf-or-zip-extension'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html'
  key: uploadTypeChallenge
-
  name: 'User Credentials'
  category: 'Injection'
  description: 'Retrieve a list of all user credentials via SQL Injection.'
  difficulty: 4
  hint: 'Gather information on where user data is stored and how it is addressed. Then craft a corresponding UNION SELECT attack.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#retrieve-a-list-of-all-user-credentials-via-sql-injection'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
  key: unionSqlInjectionChallenge
-
  name: 'Video XSS'
  category: 'XSS'
  tags:
    - Danger Zone
  description: 'Embed an XSS payload <code>&lt;/script&gt;&lt;script&gt;alert(`xss`)&lt;/script&gt;</code> into our promo video.'
  difficulty: 6
  hint: 'You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#embed-an-xss-payload-into-our-promo-video'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
  key: videoXssChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'View Basket'
  category: 'Broken Access Control'
  tags:
    - Tutorial
    - Good for Demos
  description: 'View another user''s shopping basket.'
  difficulty: 2
  hint: 'Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#view-another-users-shopping-basket'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
  key: basketAccessChallenge
  tutorial:
    order: 7
-
  name: 'Vulnerable Library'
  category: 'Vulnerable Components'
  tags:
    - OSINT
  description: '<a href="/#/contact">Inform the shop</a> about a vulnerable library it is using. (Mention the exact library name and version in your comment)'
  difficulty: 4
  hint: 'Report one of two possible answers via the "Customer Feedback" form. Do not forget to submit the library''s version as well.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#inform-the-shop-about-a-vulnerable-library-it-is-using'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html'
  key: knownVulnerableComponentChallenge
-
  name: 'Weird Crypto'
  category: 'Cryptographic Issues'
  description: '<a href="/#/contact">Inform the shop</a> about an algorithm or library it should definitely not use the way it does.'
  difficulty: 2
  hint: 'Report one of four possible answers via the "Customer Feedback" form.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/cryptographic-issues.html#inform-the-shop-about-an-algorithm-or-library-it-should-definitely-not-use-the-way-it-does'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html'
  key: weirdCryptoChallenge
-
  name: 'Allowlist Bypass'
  category: 'Unvalidated Redirects'
  tags:
    - Prerequisite
  description: 'Enforce a redirect to a page you are not supposed to redirect to.'
  difficulty: 4
  hint: 'You have to find a way to beat the allowlist of allowed redirect URLs.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/unvalidated-redirects.html#enforce-a-redirect-to-a-page-you-are-not-supposed-to-redirect-to'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html'
  key: redirectChallenge
-
  name: 'XXE Data Access'
  category: 'XXE'
  tags:
    - Danger Zone
  description: 'Retrieve the content of <code>C:\Windows\system.ini</code> or <code>/etc/passwd</code> from the server.'
  difficulty: 3
  hint: 'The leverage point for this challenge is the deprecated B2B interface.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xxe.html#retrieve-the-content-of-cwindowssystemini-or-etcpasswd-from-the-server'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html'
  key: xxeFileDisclosureChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'XXE DoS'
  category: 'XXE'
  tags:
    - Danger Zone
  description: 'Give the server something to chew on for quite a while.'
  difficulty: 5
  hint: 'It is not as easy as sending a large amount of data directly to the deprecated B2B interface.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xxe.html#give-the-server-something-to-chew-on-for-quite-a-while'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html'
  key: xxeDosChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Zero Stars'
  category: 'Improper Input Validation'
  description: 'Give a devastating zero-star feedback to the store.'
  difficulty: 1
  hint: 'Before you invest time bypassing the API, you might want to play around with the UI a bit.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#give-a-devastating-zero-star-feedback-to-the-store'
  mitigationUrl: ~
  key: zeroStarsChallenge
-
  name: 'Missing Encoding'
  category: 'Improper Input Validation'
  tags:
    - Shenanigans
  description: 'Retrieve the photo of Bjoern''s cat in "melee combat-mode".'
  difficulty: 1
  hint: 'Check the Photo Wall for an image that could not be loaded correctly.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#retrieve-the-photo-of-bjoerns-cat-in-melee-combat-mode'
  mitigationUrl: ~
  key: missingEncodingChallenge
-
  name: 'Cross-Site Imaging'
  category: 'Security Misconfiguration'
  tags:
    - Contraption
  description: 'Stick <a href="http://placekitten.com/" target="_blank">cute cross-domain kittens</a> all over our delivery boxes.'
  difficulty: 5
  hint: 'This challenge would formally have to be in several categories as the developers made multiple gaffes for this to be possible.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#stick-cute-cross-domain-kittens-all-over-our-delivery-boxes'
  mitigationUrl: ~
  key: svgInjectionChallenge
-
  name: 'Exposed Metrics'
  category: 'Sensitive Data Exposure'
  tags:
    - Good Practice
  description: 'Find the endpoint that serves usage data to be scraped by a <a href="https://github.com/prometheus/prometheus">popular monitoring system</a>.'
  difficulty: 1
  hint: 'Try to guess what URL the endpoint might have.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#find-the-endpoint-that-serves-usage-data-to-be-scraped-by-a-popular-monitoring-system'
  mitigationUrl: ~
  key: exposedMetricsChallenge
-
  name: 'Deluxe Fraud'
  category: 'Improper Input Validation'
  description: 'Obtain a Deluxe Membership without paying for it.'
  difficulty: 3
  hint: 'Look closely at what happens when you attempt to upgrade your account.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#obtain-a-deluxe-membership-without-paying-for-it'
  mitigationUrl: ~
  key: freeDeluxeChallenge
-
  name: 'CSRF' # FIXME No e2e test automation! No longer works in Chrome >=80 and Firefox >=100 or other latest browsers!
  category: 'Broken Access Control'
  description: 'Change the name of a user by performing Cross-Site Request Forgery from <a href="http://htmledit.squarefree.com">another origin</a>.'
  difficulty: 3
  hint: 'Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#change-the-name-of-a-user-by-performing-cross-site-request-forgery-from-another-origin'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html'
  key: csrfChallenge
-
  name: 'Bonus Payload'
  category: 'XSS'
  tags:
    - Shenanigans
    - Tutorial
  description: 'Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.'
  difficulty: 1
  hint: 'Copy + Paste = Solved!'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#use-the-bonus-payload-in-the-dom-xss-challenge'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html'
  key: xssBonusChallenge
  tutorial:
    order: 3
-
  name: 'Reset Uvogin''s Password'
  category: 'Sensitive Data Exposure'
  tags:
    - OSINT
  description: 'Reset Uvogin''s password via the <a href="/#/forgot-password">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.'
  difficulty: 4
  hint: 'You might have to do some OSINT on his social media personas to find out his honest answer to the security question.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#reset-uvogins-password-via-the-forgot-password-mechanism'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: resetPasswordUvoginChallenge
-
  name: 'Meta Geo Stalking'
  category: 'Sensitive Data Exposure'
  tags:
    - OSINT
  description: 'Determine the answer to John''s security question by looking at an upload of him to the Photo Wall and use it to reset his password via the <a href="/#/forgot-password">Forgot Password</a> mechanism.'
  difficulty: 2
  hint: 'Take a look at the meta data of the corresponding photo.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#determine-the-answer-to-johns-security-question'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: geoStalkingMetaChallenge
-
  name: 'Visual Geo Stalking'
  category: 'Sensitive Data Exposure'
  tags:
    - OSINT
  description: 'Determine the answer to Emma''s security question by looking at an upload of her to the Photo Wall and use it to reset her password via the <a href="/#/forgot-password">Forgot Password</a> mechanism.'
  difficulty: 2
  hint: 'Take a look at the details in the photo to determine the location of where it was taken.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#determine-the-answer-to-emmas-security-question'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
  key: geoStalkingVisualChallenge
-
  name: 'Kill Chatbot'
  category: 'Vulnerable Components'
  tags:
    - Code Analysis
  description: 'Permanently disable the support chatbot so that it can no longer answer customer queries.'
  difficulty: 5
  hint: 'Think of a way to get a hold of the internal workings of the chatbot API.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#permanently-disable-the-support-chatbot'
  mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
  key: killChatbotChallenge
-
  name: 'Poison Null Byte'
  category: 'Improper Input Validation'
  tags:
    - Prerequisite
  description: 'Bypass a security control with a <a href="http://hakipedia.com/index.php/Poison_Null_Byte">Poison Null Byte</a> to access a file not meant for your eyes.'
  difficulty: 4
  hint: 'Take a look at the details in the photo to determine the location of where it was taken.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#bypass-a-security-control-with-a-poison-null-byte'
  mitigationUrl: ~
  key: nullByteChallenge
-
  name: 'Bully Chatbot'
  category: 'Miscellaneous'
  tags:
    - Shenanigans
    - Brute Force
  description: 'Receive a coupon code from the support chatbot.'
  difficulty: 1
  hint: 'Just keep asking.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/miscellaneous.html#receive-a-coupon-code-from-the-support-chatbot'
  mitigationUrl: ~
  key: bullyChatbotChallenge
-
  name: 'Local File Read'
  category: 'Vulnerable Components'
  tags:
    - OSINT
    - Danger Zone
  description: 'Gain read access to an arbitrary local file on the web server.'
  difficulty: 5
  hint: 'You should read up on vulnerabilities in popular Node.js template engines.'
  key: lfrChallenge
  disabledEnv:
    - Docker
    - Heroku
    - Gitpod
-
  name: 'Mass Dispel'
  category: 'Miscellaneous'
  description: 'Close multiple "Challenge solved"-notifications in one go.'
  difficulty: 1
  hint: 'Either check the official documentation or inspect a notification UI element directly.'
  hintUrl: 'https://pwning.owasp-juice.shop/part2/score-board.html#close-multiple-challenge-solved-notifications-in-one-go'
  mitigationUrl: ~
  key: closeNotificationsChallenge