## https://sploitus.com/exploit?id=D2E685CC-D748-5CFA-B9AA-9A493CB9D25F
# OWASP Juice Shop โ Web Application Security Assessment
A hands-on OWASP Top 10 penetration test of [OWASP Juice Shop](https://github.com/juice-shop/juice-shop) โ the industry-standard, intentionally-vulnerable web application. **15 vulnerabilities were identified and runtime-verified**, including a full authentication bypass and exfiltration of the entire user credential store.
> **Authorized & legal.** Conducted against a local, self-hosted Juice Shop instance (Docker, `localhost:3000`) โ a standard, intentionally-vulnerable security-training target. All testing was non-destructive and read-only.
## Summary
| Severity | Count |
|:--|:--:|
| ๐ด Critical | 3 |
| ๐ High | 6 |
| ๐ก Medium | 5 |
| ๐ต Low | 1 |
| **Total** | **15** |
- ๐ **[FINDINGS.md](FINDINGS.md)** โ full findings with proof-of-concept, evidence, and remediation
- ๐ฌ **[METHODOLOGY.md](METHODOLOGY.md)** โ how the assessment was run (multi-agent orchestration โ adversarial verification โ manual reproduction)
- ๐ **[report/](report/)** โ the complete assessment report (PDF + styled HTML)
## Highlights
- **SQL injection โ full authentication bypass** on the login endpoint (`' OR 1=1--`) โ logs in as the administrator with no credentials.
- **UNION-based SQL injection** dumps all **23 users' emails + password hashes** in a single unauthenticated request.
- **JWT `alg:none` forgery** โ the server accepts unsigned, self-issued tokens for any identity.
- Broken access control (basket IDOR, full user enumeration), `/ftp/` file exposure via poison-null-byte, and multiple unauthenticated data/config/metrics endpoints.
## About
Assessment by **Alexey Hairov** โ Python Backend & Automation Developer ยท Information Security.
GitHub: [@c0dem4sters](https://github.com/c0dem4sters)
*Every finding was reproduced at runtime with a concrete proof-of-concept. Full PoCs available on request.*