⚠️ Security Notice
This project is strictly for educational and research purposes.
No real personal data, credentials, or sensitive information were used.
Perform security testing only with proper authorization.
Juice Shop Master
This project documents the analysis and exploitation of several security vulnerabilities within the OWASP Juice Shop application.
All findings and demonstrations are conducted strictly for educational and research purposes only.
Table of Contents
Project Overview
This repository contains the documentation of three selected Juice Shop challenges, each demonstrating a different type of vulnerability.
Quickstart
- Open the “Juice Shop Master” folder.
- Navigate to the individual challenge subfolders.
- Open each challenge's README to view documentation and video links.
Challenge Documentation
1. Unauthorized Access via Directory Browsing (/ftp)
- Category: Broken Access Control
- Description: A publicly accessible
/ftpdirectory allowed access to internal markdown files without authentication. - Documentation:
→ challenges/Broken_Access_Control - Directory Browsing (/ftp): https://www.loom.com/share/16de980d25f94615bd2851370d9391b4
2. Stored XSS via Manipulated Registration Request
- Category: Cross-Site Scripting (Stored XSS)
- Description: By modifying the registration request in Burp Suite, a payload was stored in the database and executed in the admin interface.
- Documentation:
→ challenges/XSS_Attack - Stored XSS Registration: https://www.loom.com/share/82ef9b217feb4caa86a8898663e18473
3. SQL Injection – Login Admin
- Category: Injection (SQLi)
- Description: Using a classic
' OR 1=1--payload, authentication was bypassed and the admin account was accessed. - Documentation:
→ challenges/SQL_Injection - SQL Injection Admin Login: https://www.loom.com/share/93c07f839b944ddab61468c8c4fedf09
Challenge Videos
Each challenge includes a short walkthrough video (max. 5 minutes) demonstrating:
- How the vulnerability works
- How the exploit is performed
- Why the vulnerability is dangerous