DEV.co
Open-Source Security · juice-shop

juice-shop

OWASP Juice Shop is an intentionally vulnerable web application designed for security training, awareness demos, and CTF competitions. It runs on TypeScript/Node.js and includes a wide range of OWASP Top Ten vulnerabilities plus additional real-world security flaws for hands-on learning.

Source: GitHub — github.com/juice-shop/juice-shop
13.5k
GitHub stars
18.6k
Forks
TypeScript
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryjuice-shop/juice-shop
Ownerjuice-shop
Primary languageTypeScript
LicenseMIT — OSI-approved
Stars13.5k
Forks18.6k
Open issues3
Latest releasev20.1.1 (2026-06-23)
Last updated2026-07-07
Sourcehttps://github.com/juice-shop/juice-shop

What juice-shop is

A full-stack TypeScript application with a Node.js backend and Angular/React frontend that deliberately embeds multiple vulnerability classes (injection, broken auth, XSS, insecure deserialization, etc.) across the OWASP Top Ten. Deployment options include source, packaged distributions, Docker, and Vagrant; some challenges require external AI/LLM provider configuration.

Quickstart

Get the juice-shop source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/juice-shop/juice-shop.gitcd juice-shop# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security training and awareness workshops

Hands-on platform for teaching developers, QA, and security professionals how real vulnerabilities manifest and can be exploited; OWASP Flagship status ensures curriculum alignment.

Penetration testing and CTF practice

Rich set of intentional vulnerabilities across multiple attack vectors provides realistic practice environment for security researchers and authorized red-team exercises.

Testing and validating security tools

Known vulnerability landscape makes Juice Shop an ideal guinea pig for evaluating SAST, DAST, WAF, and other appsec tools without risk of false negatives on real production code.

Implementation considerations

  • Requires Node.js LTS version (officially supports 24.x, 26.x); verify compatibility before deployment to avoid binary compatibility issues with sqlite3 and libxmljs2.
  • Some challenges require external AI/LLM provider setup (local or cloud-based); document this requirement in your training materials and provision credentials securely.
  • Deploy in isolated network segment or sandboxed environment only; intentional vulnerabilities must never be exposed to untrusted networks or public internet.
  • Plan for multiple concurrent users if running workshops; Docker or Vagrant deployments scale better than single-machine source installs.
  • Customize challenge difficulty and learning paths via official companion guide; don't assume one-size-fits-all works for mixed-skill audiences.

When to avoid it — and what to weigh

  • You need a production-ready application — Juice Shop is explicitly designed to be insecure and is not suitable for handling real data, users, or transactions.
  • Your team lacks security baseline knowledge — Without guided instruction, users may struggle to understand why each vulnerability is dangerous or how to fix it; recommend pairing with official companion guide.
  • You need guaranteed uptime or SLA compliance — The demo instance at demo.owasp-juice.shop explicitly has no guaranteed uptime and is test/sneak-peek only; self-hosted instances depend on your infrastructure.
  • You require features beyond OWASP Top Ten coverage — Juice Shop focuses on educational vulnerabilities; if you need domain-specific or compliance-specific attack scenarios (e.g., API gateway bypasses, supply chain attacks), look elsewhere.

License & commercial use

MIT License (permissive, OSI-approved). Allows free use, modification, and distribution for any purpose with minimal restrictions (retain license and copyright notice).

MIT License permits commercial use. However, use Juice Shop only for internal training, vendor evaluation, or managed-services delivery in isolated environments. Do not repurpose as a live application or expose intentional vulnerabilities to production systems or unauthorized third parties. Consult legal counsel if bundling as a commercial security training product.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Juice Shop is intentionally full of vulnerabilities—that is its purpose. Do not run on production systems, public internet, or untrusted networks. Isolate it to internal labs or sandboxed environments. Monitor for actual exploitation attempts if running shared instances. Keep dependencies up-to-date via npm; periodic security updates may patch unintended holes that undermine training goals. Do not use as a template for real application architecture.

Alternatives to consider

WebGoat (OWASP)

Similar OWASP-backed educational vulnerable app, Java-based, lesson-driven format; choose if Java ecosystem or structured lesson path preferred over Juice Shop's exploration model.

Damn Vulnerable Web Application (DVWA)

Older, simpler vulnerable app (PHP/MySQL); lighter resource footprint but less modern tech stack and fewer vulnerabilities; suitable for basic intro training.

HackTheBox / TryHackMe

Hosted CTF/training platforms with curated vulnerable labs and scoring; choose if you prefer managed infrastructure, guided learning paths, and multi-user competitions over self-hosted setup.

Software development agency

Build on juice-shop with DEV.co software developers

Deploy OWASP Juice Shop in an isolated lab environment to train your team on OWASP Top Ten exploitation and defense. Start with Docker or packaged distributions, pair with the official companion guide, and validate your security tools.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

juice-shop FAQ

Can I run Juice Shop on the public internet?
Not recommended. Juice Shop contains real working exploits; publicly exposed instances invite unwanted attacks and violate responsible disclosure norms. Deploy only in isolated internal networks or sandboxed labs with explicit authorization.
Does Juice Shop teach how to fix vulnerabilities, or just how to exploit them?
Official companion guide includes exploitation walkthroughs and remediation guidance. README provides links to remediation resources. Pairing Juice Shop with instructor-led discussion of secure coding practices is recommended for complete learning outcomes.
What happens if I find a real 0-day or unintended bug in Juice Shop?
Report to the OWASP Juice Shop maintainers via GitHub issues or responsible disclosure. Since it is open-source and explicitly educational, new vulnerability types are tracked and may be intentionally added to expand training scope.
Can I use Juice Shop to test my WAF or intrusion detection system?
Yes. The known vulnerability landscape makes it ideal for validating security tool effectiveness. Deploy in a lab, configure your tool to monitor it, and run exploitation scenarios; compare tool alerts to expected attack patterns.

Custom software development services

DEV.co helps companies turn open-source tools like juice-shop into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.

Ready to practice real-world vulnerabilities safely?

Deploy OWASP Juice Shop in an isolated lab environment to train your team on OWASP Top Ten exploitation and defense. Start with Docker or packaged distributions, pair with the official companion guide, and validate your security tools.