juice-shop
OWASP Juice Shop is an intentionally vulnerable web application designed for security training, awareness demos, and CTF competitions. It runs on TypeScript/Node.js and includes a wide range of OWASP Top Ten vulnerabilities plus additional real-world security flaws for hands-on learning.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | juice-shop/juice-shop |
| Owner | juice-shop |
| Primary language | TypeScript |
| License | MIT — OSI-approved |
| Stars | 13.5k |
| Forks | 18.6k |
| Open issues | 3 |
| Latest release | v20.1.1 (2026-06-23) |
| Last updated | 2026-07-07 |
| Source | https://github.com/juice-shop/juice-shop |
What juice-shop is
A full-stack TypeScript application with a Node.js backend and Angular/React frontend that deliberately embeds multiple vulnerability classes (injection, broken auth, XSS, insecure deserialization, etc.) across the OWASP Top Ten. Deployment options include source, packaged distributions, Docker, and Vagrant; some challenges require external AI/LLM provider configuration.
Get the juice-shop source
Clone the repository and explore it locally.
git clone https://github.com/juice-shop/juice-shop.gitcd juice-shop# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Node.js LTS version (officially supports 24.x, 26.x); verify compatibility before deployment to avoid binary compatibility issues with sqlite3 and libxmljs2.
- Some challenges require external AI/LLM provider setup (local or cloud-based); document this requirement in your training materials and provision credentials securely.
- Deploy in isolated network segment or sandboxed environment only; intentional vulnerabilities must never be exposed to untrusted networks or public internet.
- Plan for multiple concurrent users if running workshops; Docker or Vagrant deployments scale better than single-machine source installs.
- Customize challenge difficulty and learning paths via official companion guide; don't assume one-size-fits-all works for mixed-skill audiences.
When to avoid it — and what to weigh
- You need a production-ready application — Juice Shop is explicitly designed to be insecure and is not suitable for handling real data, users, or transactions.
- Your team lacks security baseline knowledge — Without guided instruction, users may struggle to understand why each vulnerability is dangerous or how to fix it; recommend pairing with official companion guide.
- You need guaranteed uptime or SLA compliance — The demo instance at demo.owasp-juice.shop explicitly has no guaranteed uptime and is test/sneak-peek only; self-hosted instances depend on your infrastructure.
- You require features beyond OWASP Top Ten coverage — Juice Shop focuses on educational vulnerabilities; if you need domain-specific or compliance-specific attack scenarios (e.g., API gateway bypasses, supply chain attacks), look elsewhere.
License & commercial use
MIT License (permissive, OSI-approved). Allows free use, modification, and distribution for any purpose with minimal restrictions (retain license and copyright notice).
MIT License permits commercial use. However, use Juice Shop only for internal training, vendor evaluation, or managed-services delivery in isolated environments. Do not repurpose as a live application or expose intentional vulnerabilities to production systems or unauthorized third parties. Consult legal counsel if bundling as a commercial security training product.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Juice Shop is intentionally full of vulnerabilities—that is its purpose. Do not run on production systems, public internet, or untrusted networks. Isolate it to internal labs or sandboxed environments. Monitor for actual exploitation attempts if running shared instances. Keep dependencies up-to-date via npm; periodic security updates may patch unintended holes that undermine training goals. Do not use as a template for real application architecture.
Alternatives to consider
WebGoat (OWASP)
Similar OWASP-backed educational vulnerable app, Java-based, lesson-driven format; choose if Java ecosystem or structured lesson path preferred over Juice Shop's exploration model.
Damn Vulnerable Web Application (DVWA)
Older, simpler vulnerable app (PHP/MySQL); lighter resource footprint but less modern tech stack and fewer vulnerabilities; suitable for basic intro training.
HackTheBox / TryHackMe
Hosted CTF/training platforms with curated vulnerable labs and scoring; choose if you prefer managed infrastructure, guided learning paths, and multi-user competitions over self-hosted setup.
Build on juice-shop with DEV.co software developers
Deploy OWASP Juice Shop in an isolated lab environment to train your team on OWASP Top Ten exploitation and defense. Start with Docker or packaged distributions, pair with the official companion guide, and validate your security tools.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
juice-shop FAQ
Can I run Juice Shop on the public internet?
Does Juice Shop teach how to fix vulnerabilities, or just how to exploit them?
What happens if I find a real 0-day or unintended bug in Juice Shop?
Can I use Juice Shop to test my WAF or intrusion detection system?
Custom software development services
DEV.co helps companies turn open-source tools like juice-shop into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source security stack.
Ready to practice real-world vulnerabilities safely?
Deploy OWASP Juice Shop in an isolated lab environment to train your team on OWASP Top Ten exploitation and defense. Start with Docker or packaged distributions, pair with the official companion guide, and validate your security tools.