OWASP Juice Shop

So I’m going to run some sessions of Juice Shop internally in my dept. If you’re not familar, Juice Shop is a deliberately insecure app from OWASP (Open Web Application Security Project). For more info, see here: https://owasp.org/www-project-juice-shop/

Some 50-70% of the attendees don’t have experience with Juice Shop. My plan is to, depending on number of attendees, have a group session where we take turns driving and navigating, or split the group into breakout rooms and have them work in pairs or small groups.

We have an instance all set up, I’m more looking to see if anyone else has done similar and has any tips/tricks/resources :slight_smile:


Wondering if maybe @pejgan @billmatthews or @danielbilling might be able to add some suggestions here?

Others, of course, welcome to add suggestions too, these are just the people off the top of my head :slight_smile:

Firstly, I would do a lot of research on the application yourself. Get familiar with the tech stack and how the application utilises it. This will be useful when discussing where potential vulnerabilities are, and associated risks.

Secondly, I would have more than one instance available. This is just In case the attendees testing makes the system unavailable, and the Score Board system being shared across teams, giving away clues before another team has uncovered a challenge. It would make it far easier for running a CTF session for example, to have more than one instance.

Try to work your way through as many of the vulnerabilities and challenges as possible before hand, giving you the preparation you need to answer any tricky questions, or support their investigations.

Working with threat models is a good place to start, so they can explore the application from the perspective of a potential victim of a hack, or business owner. Utilise some personas for the activities.

I’ve got many other ideas, and happy to have a chat