Share
## https://sploitus.com/exploit?id=D2E685CC-D748-5CFA-B9AA-9A493CB9D25F
# OWASP Juice Shop โ€” Web Application Security Assessment

A hands-on OWASP Top 10 penetration test of [OWASP Juice Shop](https://github.com/juice-shop/juice-shop) โ€” the industry-standard, intentionally-vulnerable web application. **15 vulnerabilities were identified and runtime-verified**, including a full authentication bypass and exfiltration of the entire user credential store.

> **Authorized & legal.** Conducted against a local, self-hosted Juice Shop instance (Docker, `localhost:3000`) โ€” a standard, intentionally-vulnerable security-training target. All testing was non-destructive and read-only.

## Summary

| Severity | Count |
|:--|:--:|
| ๐Ÿ”ด Critical | 3 |
| ๐ŸŸ  High | 6 |
| ๐ŸŸก Medium | 5 |
| ๐Ÿ”ต Low | 1 |
| **Total** | **15** |

- ๐Ÿ“„ **[FINDINGS.md](FINDINGS.md)** โ€” full findings with proof-of-concept, evidence, and remediation
- ๐Ÿ”ฌ **[METHODOLOGY.md](METHODOLOGY.md)** โ€” how the assessment was run (multi-agent orchestration โ†’ adversarial verification โ†’ manual reproduction)
- ๐Ÿ“ **[report/](report/)** โ€” the complete assessment report (PDF + styled HTML)

## Highlights

- **SQL injection โ†’ full authentication bypass** on the login endpoint (`' OR 1=1--`) โ€” logs in as the administrator with no credentials.
- **UNION-based SQL injection** dumps all **23 users' emails + password hashes** in a single unauthenticated request.
- **JWT `alg:none` forgery** โ€” the server accepts unsigned, self-issued tokens for any identity.
- Broken access control (basket IDOR, full user enumeration), `/ftp/` file exposure via poison-null-byte, and multiple unauthenticated data/config/metrics endpoints.

## About

Assessment by **Alexey Hairov** โ€” Python Backend & Automation Developer ยท Information Security.
GitHub: [@c0dem4sters](https://github.com/c0dem4sters)

*Every finding was reproduced at runtime with a concrete proof-of-concept. Full PoCs available on request.*