{"status":"success","data":[{"id":1,"key":"restfulXssChallenge","name":"API-only XSS","category":"XSS","tags":"Danger Zone","description":"Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\">
without using the frontend application at all. (This challenge is potentially harmful on Heroku!)","difficulty":3,"hint":"You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_without_using_the_frontend_application_at_all","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.455Z","updatedAt":"2024-03-28T08:29:16.455Z"},{"id":2,"key":"accessLogDisclosureChallenge","name":"Access Log","category":"Sensitive Data Exposure","tags":null,"description":"Gain access to any access log file of the server.","difficulty":4,"hint":"Who would want a server access log to be accessible through a web application?","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_gain_access_to_any_access_log_file_of_the_server","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.455Z","updatedAt":"2024-03-28T08:29:16.455Z"},{"id":3,"key":"registerAdminChallenge","name":"Admin Registration","category":"Improper Input Validation","tags":null,"description":"Register as a user with administrator privileges.","difficulty":3,"hint":"You have to assign the 
unassignable.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_register_as_a_user_with_administrator_privileges","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.455Z","updatedAt":"2024-03-28T08:29:16.455Z"},{"id":4,"key":"adminSectionChallenge","name":"Admin Section","category":"Broken Access Control","tags":"Good for Demos","description":"Access the administration section of the store.","difficulty":2,"hint":"It is just slightly harder to find than the score board link.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_access_the_administration_section_of_the_store","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.455Z","updatedAt":"2024-03-28T08:29:16.455Z"},{"id":5,"key":"fileWriteChallenge","name":"Arbitrary File Write","category":"Vulnerable Components","tags":"Danger Zone,Prerequisite","description":"Overwrite the Legal Information file. (This challenge is potentially harmful on Heroku!)","difficulty":6,"hint":"Look out for a tweet praising new functionality of the web shop. 
Then find a third party vulnerability associated with it.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_overwrite_the_legal_information_file","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.455Z","updatedAt":"2024-03-28T08:29:16.455Z"},{"id":6,"key":"resetPasswordBjoernOwaspChallenge","name":"Bjoern's Favorite Pet","category":"Broken Authentication","tags":"OSINT","description":"Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.","difficulty":3,"hint":"He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_the_password_of_bjoerns_owasp_account_via_the_forgot_password_mechanism","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.455Z","updatedAt":"2024-03-28T08:29:16.455Z"},{"id":7,"key":"tokenSaleChallenge","name":"Blockchain Hype","category":"Security through Obscurity","tags":"Contraption,Code Analysis,Web3","description":"Learn about the Token Sale before its official announcement.","difficulty":5,"hint":"The developers truly believe in \"Security through Obscurity\" over actual access 
restrictions.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_learn_about_the_token_sale_before_its_official_announcement","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.455Z","updatedAt":"2024-03-28T08:29:16.455Z"},{"id":8,"key":"nftUnlockChallenge","name":"NFT Takeover","category":"Sensitive Data Exposure","tags":"Contraption,Good for Demos,Web3","description":"Take over the wallet containing our official Soul Bound Token (NFT).","difficulty":2,"hint":"Find the seed phrase posted accidentally.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_take_over_the_wallet_containing_our_official_soul_bound_token","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.455Z","updatedAt":"2024-03-28T08:29:16.455Z"},{"id":9,"key":"nftMintChallenge","name":"Mint the Honey Pot","category":"Improper Input Validation","tags":"Web3,Internet Traffic","description":"Mint the Honey Pot NFT by gathering BEEs from the bee haven.","difficulty":3,"hint":"Discover NFT wonders among the captivating visual memories.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_mint_the_honey_pot_nft_by_gathering_bees_from_the_bee_haven","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":10,"key":"web3WalletChallenge","name":"Wallet Depletion","category":"Miscellaneous","tags":"Web3,Internet Traffic","description":"Withdraw more ETH from the new wallet than you deposited.","difficulty":6,"hint":"Try to exploit the contract of the 
wallet.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_withdraw_more_eth_from_the_new_wallet_than_you_deposited","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":11,"key":"web3SandboxChallenge","name":"Web3 Sandbox","category":"Broken Access Control","tags":"Web3","description":"Find an accidentally deployed code sandbox for writing smart contracts on the fly.","difficulty":1,"hint":"It is just as easy as finding the Score Board.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_find_an_accidentally_deployed_code_sandbox","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":12,"key":"rceChallenge","name":"Blocked RCE DoS","category":"Insecure Deserialization","tags":"Danger Zone","description":"Perform a Remote Code Execution that would keep a less hardened application busy forever. 
(This challenge is potentially harmful on Heroku!)","difficulty":5,"hint":"The feature you need to exploit for this challenge is not directly advertised anywhere.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/insecure-deserialization.html#_perform_a_remote_code_execution_that_would_keep_a_less_hardened_application_busy_forever","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":13,"key":"captchaBypassChallenge","name":"CAPTCHA Bypass","category":"Broken Anti Automation","tags":"Brute Force","description":"Submit 10 or more customer feedbacks within 20 seconds.","difficulty":3,"hint":"After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_submit_10_or_more_customer_feedbacks_within_20_seconds","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":14,"key":"changePasswordBenderChallenge","name":"Change Bender's Password","category":"Broken Authentication","tags":null,"description":"Change Bender's password into slurmCl4ssic without using SQL Injection or Forgot Password.","difficulty":5,"hint":"In previous releases this challenge was wrongly accused of being based on 
CSRF.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_change_benders_password_into_slurmcl4ssic_without_using_sql_injection_or_forgot_password","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":15,"key":"christmasSpecialChallenge","name":"Christmas Special","category":"Injection","tags":null,"description":"Order the Christmas special offer of 2014.","difficulty":4,"hint":"Find out how the application handles unavailable products and try to find a loophole.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_order_the_christmas_special_offer_of_2014","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":16,"key":"usernameXssChallenge","name":"CSP Bypass","category":"XSS","tags":"Danger Zone","description":"Bypass the Content Security Policy and perform an XSS attack with <script>alert(`xss`)</script>
on a legacy page within the application. (This challenge is potentially harmful on Heroku!)","difficulty":4,"hint":"What is even \"better\" than a legacy page with a homegrown RegEx sanitizer? Having CSP injection issues on the exact same page as well!","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_bypass_the_content_security_policy_and_perform_an_xss_attack_on_a_legacy_page","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":17,"key":"persistedXssUserChallenge","name":"Client-side XSS Protection","category":"XSS","tags":"Danger Zone","description":"Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\">
bypassing a client-side security mechanism. (This challenge is potentially harmful on Heroku!)","difficulty":3,"hint":"Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_bypassing_a_client_side_security_mechanism","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":18,"key":"directoryListingChallenge","name":"Confidential Document","category":"Sensitive Data Exposure","tags":"Good for Demos","description":"Access a confidential document.","difficulty":1,"hint":"Analyze and tamper with links in the application that deliver a file directly.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_confidential_document","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":19,"key":"localXssChallenge","name":"DOM XSS","category":"XSS","tags":"Tutorial,Good for Demos","description":"Perform a DOM XSS attack with <iframe src=\"javascript:alert(`xss`)\">
.","difficulty":1,"hint":"Look for an input field where its content appears in the HTML when its form is submitted.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_dom_xss_attack","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html","solved":true,"disabledEnv":null,"tutorialOrder":2,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:21.272Z"},{"id":20,"key":"dbSchemaChallenge","name":"Database Schema","category":"Injection","tags":null,"description":"Exfiltrate the entire DB schema definition via SQL Injection.","difficulty":3,"hint":"Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_exfiltrate_the_entire_db_schema_definition_via_sql_injection","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.456Z","updatedAt":"2024-03-28T08:29:16.456Z"},{"id":21,"key":"deprecatedInterfaceChallenge","name":"Deprecated Interface","category":"Security Misconfiguration","tags":"Contraption,Prerequisite","description":"Use a deprecated B2B interface that was not properly shut down.","difficulty":2,"hint":"The developers who disabled the interface think they could go invisible by just closing their 
eyes.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_use_a_deprecated_b2b_interface_that_was_not_properly_shut_down","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":22,"key":"easterEggLevelOneChallenge","name":"Easter Egg","category":"Broken Access Control","tags":"Shenanigans,Contraption,Good for Demos","description":"Find the hidden easter egg.","difficulty":4,"hint":"If you solved one of the three file access challenges, you already know where to find the easter egg.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_find_the_hidden_easter_egg","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":23,"key":"emailLeakChallenge","name":"Email Leak","category":"Sensitive Data Exposure","tags":null,"description":"Perform an unwanted information disclosure by accessing data cross-domain.","difficulty":5,"hint":"Try to find and attack an endpoint that responds with user information. 
SQL Injection is not the solution here.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_perform_an_unwanted_information_disclosure_by_accessing_data_cross_domain","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":24,"key":"emptyUserRegistration","name":"Empty User Registration","category":"Improper Input Validation","tags":null,"description":"Register a user with an empty email and password.","difficulty":2,"hint":"Consider intercepting and playing with the request payload.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_register_a_user_account_with_an_empty_email_and_password","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":25,"key":"ephemeralAccountantChallenge","name":"Ephemeral Accountant","category":"Injection","tags":null,"description":"Log in with the (non-existing) accountant acc0unt4nt@juice-sh.op without ever registering that user.","difficulty":4,"hint":"Try to create the needed user \"out of thin air\".","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_the_non_existing_accountant_without_ever_registering_that_user","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":26,"key":"errorHandlingChallenge","name":"Error Handling","category":"Security 
Misconfiguration","tags":"Prerequisite","description":"Provoke an error that is neither very gracefully nor consistently handled.","difficulty":1,"hint":"Try to submit bad input to forms. Alternatively tamper with URL paths or parameters.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_provoke_an_error_that_is_neither_very_gracefully_nor_consistently_handled","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html","solved":true,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:21.272Z"},{"id":27,"key":"manipulateClockChallenge","name":"Expired Coupon","category":"Improper Input Validation","tags":null,"description":"Successfully redeem an expired campaign coupon code.","difficulty":4,"hint":"Try to identify past special event or holiday campaigns of the shop first.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_successfully_redeem_an_expired_campaign_coupon_code","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":28,"key":"extraLanguageChallenge","name":"Extra Language","category":"Broken Anti Automation","tags":"Brute Force","description":"Retrieve the language file that never made it into production.","difficulty":5,"hint":"Brute force is not the only option for this challenge, but a perfectly viable 
one.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_retrieve_the_language_file_that_never_made_it_into_production","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":29,"key":"feedbackChallenge","name":"Five-Star Feedback","category":"Broken Access Control","tags":null,"description":"Get rid of all 5-star customer feedback.","difficulty":2,"hint":"Once you found admin section of the application, this challenge is almost trivial.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_get_rid_of_all_5_star_customer_feedback","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":30,"key":"forgedCouponChallenge","name":"Forged Coupon","category":"Cryptographic Issues","tags":"Good for Demos,Code Analysis","description":"Forge a coupon code that gives you a discount of at least 80%.","difficulty":6,"hint":"Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_forge_a_coupon_code_that_gives_you_a_discount_of_at_least_80","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":31,"key":"forgedFeedbackChallenge","name":"Forged Feedback","category":"Broken Access Control","tags":"Tutorial","description":"Post some feedback in another user's name.","difficulty":3,"hint":"You 
can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_post_some_feedback_in_another_users_name","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":8,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":32,"key":"forgedReviewChallenge","name":"Forged Review","category":"Broken Access Control","tags":null,"description":"Post a product review as another user or edit any user's existing review.","difficulty":3,"hint":"Observe the flow of product review posting and editing and see if you can exploit it.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_post_a_product_review_as_another_user_or_edit_any_users_existing_review","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.457Z","updatedAt":"2024-03-28T08:29:16.457Z"},{"id":33,"key":"jwtForgedChallenge","name":"Forged Signed JWT","category":"Vulnerable Components","tags":null,"description":"Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op.","difficulty":6,"hint":"This challenge is explicitly not about acquiring the RSA private key used for JWT 
signing.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_forge_an_almost_properly_rsa_signed_jwt_token","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":34,"key":"forgottenDevBackupChallenge","name":"Forgotten Developer Backup","category":"Sensitive Data Exposure","tags":"Contraption,Good for Demos,Prerequisite","description":"Access a developer's forgotten backup file.","difficulty":4,"hint":"You need to trick a security mechanism into thinking that the file you want has a valid file type.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_developers_forgotten_backup_file","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":35,"key":"forgottenBackupChallenge","name":"Forgotten Sales Backup","category":"Sensitive Data Exposure","tags":"Contraption","description":"Access a salesman's forgotten backup file.","difficulty":4,"hint":"You need to trick a security mechanism into thinking that the file you want has a valid file type.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_salesmans_forgotten_backup_file","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":36,"key":"typosquattingAngularChallenge","name":"Frontend Typosquatting","category":"Vulnerable Components","tags":null,"description":"Inform the shop about a typosquatting imposter that dug itself deep into the frontend. 
(Mention the exact name of the culprit)","difficulty":5,"hint":"This challenge has nothing to do with mistyping web domains. There is no conveniently misplaced file helping you with this one either. Or is there?","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_typosquatting_imposter_that_dug_itself_deep_into_the_frontend","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":37,"key":"ghostLoginChallenge","name":"GDPR Data Erasure","category":"Broken Authentication","tags":null,"description":"Log in with Chris' erased user account.","difficulty":3,"hint":"Turns out that something is technically and legally wrong with the implementation of the \"right to be forgotten\" for users.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_chris_erased_user_account","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":38,"key":"dataExportChallenge","name":"GDPR Data Theft","category":"Sensitive Data Exposure","tags":null,"description":"Steal someone else's personal data without using Injection.","difficulty":4,"hint":"Trick the regular Data Export to give you more than actually belongs to 
you.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_steal_someone_elses_personal_data_without_using_injection","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":39,"key":"httpHeaderXssChallenge","name":"HTTP-Header XSS","category":"XSS","tags":"Danger Zone","description":"Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\">
through an HTTP header. (This challenge is potentially harmful on Heroku!)","difficulty":4,"hint":"Finding a piece of displayed information that could originate from an HTTP header is part of this challenge.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_through_an_http_header","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":40,"key":"continueCodeChallenge","name":"Imaginary Challenge","category":"Cryptographic Issues","tags":"Shenanigans,Code Analysis","description":"Solve challenge #999. Unfortunately, this challenge does not exist.","difficulty":6,"hint":"You need to trick the hacking progress persistence feature into thinking you solved challenge #999.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_solve_challenge_999","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":41,"key":"dlpPasswordSprayingChallenge","name":"Leaked Access Logs","category":"Sensitive Data Exposure","tags":"OSINT","description":"Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. 
(Creating a new account with the same password does not qualify as a solution.)","difficulty":5,"hint":"Once you have it, a technique called \"Password Spraying\" might prove useful.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_dumpster_dive_the_internet_for_a_leaked_password_and_log_in_to_the_original_user_account_it_belongs_to","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":42,"key":"dlpPastebinDataLeakChallenge","name":"Leaked Unsafe Product","category":"Sensitive Data Exposure","tags":"Shenanigans,OSINT","description":"Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous.","difficulty":4,"hint":"Your own SQLi and someone else's Ctrl-V will be your accomplices in this challenge!","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_identify_an_unsafe_product_that_was_removed_from_the_shop_and_inform_the_shop_which_ingredients_are_dangerous","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":43,"key":"typosquattingNpmChallenge","name":"Legacy Typosquatting","category":"Vulnerable Components","tags":null,"description":"Inform the shop about a typosquatting trick it has been a victim of at least in v6.2.0-SNAPSHOT
. (Mention the exact name of the culprit)","difficulty":4,"hint":"This challenge has nothing to do with mistyping web domains. Investigate the forgotten developer's backup file instead.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_typosquatting_trick_it_has_been_a_victim_of","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":44,"key":"loginAdminChallenge","name":"Login Admin","category":"Injection","tags":"Tutorial,Good for Demos","description":"Log in with the administrator's user account.","difficulty":2,"hint":"Try different SQL Injection attack patterns depending whether you know the admin's email address or not.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_the_administrators_user_account","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html","solved":true,"disabledEnv":null,"tutorialOrder":5,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:21.272Z"},{"id":45,"key":"loginAmyChallenge","name":"Login Amy","category":"Sensitive Data Exposure","tags":"OSINT","description":"Log in with Amy's original user credentials. 
(This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the \"One Important Final Note\")","difficulty":3,"hint":"This challenge will make you go after a needle in a haystack.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_log_in_with_amys_original_user_credentials","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":46,"key":"loginBenderChallenge","name":"Login Bender","category":"Injection","tags":"Tutorial","description":"Log in with Bender's user account.","difficulty":3,"hint":"If you know Bender's email address, try SQL Injection. Bender's password hash might not help you very much.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_benders_user_account","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":10,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":47,"key":"oauthUserPasswordChallenge","name":"Login Bjoern","category":"Broken Authentication","tags":"Code Analysis","description":"Log in with Bjoern's Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account.","difficulty":4,"hint":"The security flaw behind this challenge is 100% OWASP Juice Shop's fault and 0% 
Google's.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_bjoerns_gmail_account","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.458Z","updatedAt":"2024-03-28T08:29:16.458Z"},{"id":48,"key":"loginJimChallenge","name":"Login Jim","category":"Injection","tags":"Tutorial","description":"Log in with Jim's user account.","difficulty":3,"hint":"Try cracking Jim's password hash if you harvested it already. Alternatively, if you know Jim's email address, try SQL Injection.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_jims_user_account","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":9,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":49,"key":"loginRapperChallenge","name":"Login MC SafeSearch","category":"Sensitive Data Exposure","tags":"Shenanigans,OSINT","description":"Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass.","difficulty":2,"hint":"You should listen to MC's hit song \"Protect Ya Passwordz\".","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_log_in_with_mc_safesearchs_original_user_credentials","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":50,"key":"loginSupportChallenge","name":"Login Support Team","category":"Security Misconfiguration","tags":"Brute Force,Code Analysis","description":"Log in with the support team's original user credentials without applying SQL 
Injection or any other bypass.","difficulty":6,"hint":"The underlying flaw of this challenge is a lot more human error than technical weakness.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_log_in_with_the_support_teams_original_user_credentials","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":51,"key":"basketManipulateChallenge","name":"Manipulate Basket","category":"Broken Access Control","tags":null,"description":"Put an additional product into another user's shopping basket.","difficulty":3,"hint":"Have an eye on the HTTP traffic while placing products in the shopping basket. Changing the quantity of products already in the basket doesn't count.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_put_an_additional_product_into_another_users_shopping_basket","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":52,"key":"misplacedSignatureFileChallenge","name":"Misplaced Signature File","category":"Sensitive Data Exposure","tags":"Good Practice,Contraption","description":"Access a misplaced SIEM signature file.","difficulty":4,"hint":"You need to trick a security mechanism into thinking that the file you want has a valid file 
type.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_misplaced_siem_signature_file","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":53,"key":"timingAttackChallenge","name":"Multiple Likes","category":"Broken Anti Automation","tags":null,"description":"Like any review at least three times as the same user.","difficulty":6,"hint":"Punctuality is the politeness of kings.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_like_any_review_at_least_three_times_as_the_same_user","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":54,"key":"easterEggLevelTwoChallenge","name":"Nested Easter Egg","category":"Cryptographic Issues","tags":"Shenanigans,Good for Demos","description":"Apply some advanced cryptanalysis to find the real easter egg.","difficulty":4,"hint":"You might have to peel through several layers of tough-as-nails encryption for this challenge.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_apply_some_advanced_cryptanalysis_to_find_the_real_easter_egg","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":55,"key":"noSqlCommandChallenge","name":"NoSQL DoS","category":"Injection","tags":"Danger Zone","description":"Let the server sleep for some time. 
(It has done more than enough hard work for you) (This challenge is potentially harmful on Heroku!)","difficulty":4,"hint":"This challenge is essentially a stripped-down Denial of Service (DoS) attack.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_let_the_server_sleep_for_some_time","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":56,"key":"noSqlOrdersChallenge","name":"NoSQL Exfiltration","category":"Injection","tags":"Danger Zone","description":"All your orders are belong to us! Even the ones which don't. (This challenge is potentially harmful on Heroku!)","difficulty":5,"hint":"Take a close look on how the $where query operator works in MongoDB.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_all_your_orders_are_belong_to_us","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":57,"key":"noSqlReviewsChallenge","name":"NoSQL Manipulation","category":"Injection","tags":null,"description":"Update multiple product reviews at the same time.","difficulty":4,"hint":"Take a close look on how the equivalent of UPDATE-statements in MongoDB 
work.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_update_multiple_product_reviews_at_the_same_time","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":58,"key":"redirectCryptoCurrencyChallenge","name":"Outdated Allowlist","category":"Unvalidated Redirects","tags":"Code Analysis","description":"Let us redirect you to one of our crypto currency addresses which are not promoted any longer.","difficulty":1,"hint":"We might have failed to take this out of our code properly.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/unvalidated-redirects.html#_let_us_redirect_you_to_one_of_our_crypto_currency_addresses","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":59,"key":"weakPasswordChallenge","name":"Password Strength","category":"Broken Authentication","tags":"Brute Force,Tutorial","description":"Log in with the administrator's user credentials without previously changing them or applying SQL Injection.","difficulty":2,"hint":"This one should be equally easy to a) brute force, b) crack the password hash or c) simply 
guess.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_the_administrators_user_credentials_without_previously_changing_them_or_applying_sql_injection","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":6,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.459Z","updatedAt":"2024-03-28T08:29:16.459Z"},{"id":60,"key":"negativeOrderChallenge","name":"Payback Time","category":"Improper Input Validation","tags":null,"description":"Place an order that makes you rich.","difficulty":3,"hint":"You literally need to make the shop owe you any amount of money.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_place_an_order_that_makes_you_rich","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":61,"key":"premiumPaywallChallenge","name":"Premium Paywall","category":"Cryptographic Issues","tags":"Shenanigans","description":" Unlock Premium Challenge to access exclusive content.","difficulty":6,"hint":"You do not have to pay anything to unlock this challenge! 
Nonetheless, donations are very much appreciated.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_unlock_premium_challenge_to_access_exclusive_content","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":62,"key":"privacyPolicyChallenge","name":"Privacy Policy","category":"Miscellaneous","tags":"Good Practice,Tutorial,Good for Demos","description":"Read our privacy policy.","difficulty":1,"hint":"We won't even ask you to confirm that you did. Just read it. Please. Pretty please.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_read_our_privacy_policy","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":4,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":63,"key":"privacyPolicyProofChallenge","name":"Privacy Policy Inspection","category":"Security through Obscurity","tags":"Shenanigans,Good for Demos","description":"Prove that you actually read our privacy policy.","difficulty":3,"hint":"Only by visiting a special URL you can confirm that you read it carefully.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_prove_that_you_actually_read_our_privacy_policy","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":64,"key":"changeProductChallenge","name":"Product Tampering","category":"Broken Access Control","tags":null,"description":"Change the href
of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com.","difficulty":3,"hint":"Look for one of the following: a) broken admin functionality, b) holes in RESTful API or c) possibility for SQL Injection.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_change_the_href_of_the_link_within_the_o_saft_product_description","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":65,"key":"reflectedXssChallenge","name":"Reflected XSS","category":"XSS","tags":"Danger Zone,Good for Demos","description":"Perform a reflected XSS attack with <iframe src=\"javascript:alert(`xss`)\">
. (This challenge is potentially harmful on Heroku!)","difficulty":2,"hint":"Look for a url parameter where its value appears in the page it is leading to.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_reflected_xss_attack","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":66,"key":"passwordRepeatChallenge","name":"Repetitive Registration","category":"Improper Input Validation","tags":null,"description":"Follow the DRY principle while registering a user.","difficulty":1,"hint":"You can solve this by cleverly interacting with the UI or bypassing it altogether.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_follow_the_dry_principle_while_registering_a_user","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":67,"key":"resetPasswordBenderChallenge","name":"Reset Bender's Password","category":"Broken Authentication","tags":"OSINT","description":"Reset Bender's password via the Forgot Password mechanism with the original answer to his security question.","difficulty":4,"hint":"Not as trivial as Jim's but still not too difficult with some \"Futurama\" background 
knowledge.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_benders_password_via_the_forgot_password_mechanism","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":68,"key":"resetPasswordBjoernChallenge","name":"Reset Bjoern's Password","category":"Broken Authentication","tags":"OSINT","description":"Reset the password of Bjoern's internal account via the Forgot Password mechanism with the original answer to his security question.","difficulty":5,"hint":"Nothing a little bit of Facebook stalking couldn't reveal. Might involve a historical twist.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_the_password_of_bjoerns_internal_account_via_the_forgot_password_mechanism","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":69,"key":"resetPasswordJimChallenge","name":"Reset Jim's Password","category":"Broken Authentication","tags":"OSINT","description":"Reset Jim's password via the Forgot Password mechanism with the original answer to his security question.","difficulty":3,"hint":"It's hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly 
exposed.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_jims_password_via_the_forgot_password_mechanism","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":70,"key":"resetPasswordMortyChallenge","name":"Reset Morty's Password","category":"Broken Anti Automation","tags":"OSINT,Brute Force","description":"Reset Morty's password via the Forgot Password mechanism with his obfuscated answer to his security question.","difficulty":5,"hint":"Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty's security question.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_reset_mortys_password_via_the_forgot_password_mechanism","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":71,"key":"retrieveBlueprintChallenge","name":"Retrieve Blueprint","category":"Sensitive Data Exposure","tags":null,"description":"Deprive the shop of earnings by downloading the blueprint for one of its products.","difficulty":5,"hint":"The product you might want to give a closer look is the OWASP Juice Shop Logo 
(3D-printed).","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_deprive_the_shop_of_earnings_by_downloading_the_blueprint_for_one_of_its_products","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":72,"key":"ssrfChallenge","name":"SSRF","category":"Broken Access Control","tags":"Code Analysis","description":"Request a hidden resource on server through server.","difficulty":6,"hint":"Reverse engineering something bad can make good things happen.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_request_a_hidden_resource_on_server_through_server","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":73,"key":"sstiChallenge","name":"SSTi","category":"Injection","tags":"Contraption,Danger Zone,Code Analysis","description":"Infect the server with juicy malware by abusing arbitrary command execution. (This challenge is potentially harmful on Heroku!)","difficulty":6,"hint":"\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. 
Also, make sure to use only our non-malicious malware.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_infect_the_server_with_juicy_malware_by_abusing_arbitrary_command_execution","mitigationUrl":null,"solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.460Z","updatedAt":"2024-03-28T08:29:16.460Z"},{"id":74,"key":"scoreBoardChallenge","name":"Score Board","category":"Miscellaneous","tags":"Tutorial,Code Analysis","description":"Find the carefully hidden 'Score Board' page.","difficulty":1,"hint":"Try to find a reference or clue behind the scenes. Or simply guess what URL the Score Board might have.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/score-board.html#_find_the_carefully_hidden_score_board_page","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":1,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":75,"key":"securityPolicyChallenge","name":"Security Policy","category":"Miscellaneous","tags":"Good Practice","description":"Behave like any \"white-hat\" should before getting into the action.","difficulty":2,"hint":"Undoubtedly you want to read our security policy before conducting any research on our application.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_behave_like_any_white_hat_should_before_getting_into_the_action","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":76,"key":"persistedXssFeedbackChallenge","name":"Server-side XSS Protection","category":"XSS","tags":"Danger Zone","description":"Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\">
bypassing a server-side security mechanism. (This challenge is potentially harmful on Heroku!)","difficulty":4,"hint":"The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_bypassing_a_server_side_security_mechanism","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":77,"key":"hiddenImageChallenge","name":"Steganography","category":"Security through Obscurity","tags":"Shenanigans","description":"Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)","difficulty":4,"hint":"No matter how good your eyes are, you will need tool assistance for this challenge.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_rat_out_a_notorious_character_hiding_in_plain_sight_in_the_shop","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":78,"key":"rceOccupyChallenge","name":"Successful RCE DoS","category":"Insecure Deserialization","tags":"Danger Zone","description":"Perform a Remote Code Execution that occupies the server for a while without using infinite loops. 
(This challenge is potentially harmful on Heroku!)","difficulty":6,"hint":"Your attack payload must not trigger the protection against too many iterations.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/insecure-deserialization.html#_perform_a_remote_code_execution_that_occupies_the_server_for_a_while_without_using_infinite_loops","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":79,"key":"supplyChainAttackChallenge","name":"Supply Chain Attack","category":"Vulnerable Components","tags":"OSINT","description":"Inform the development team about a danger to some of their credentials. (Send them the URL of the original report or an assigned CVE or another identifier of this vulnerability)","difficulty":5,"hint":"This vulnerability will not affect any customer of the shop. It is aimed exclusively at its developers.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_development_team_about_a_danger_to_some_of_their_credentials","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":80,"key":"twoFactorAuthUnsafeSecretStorageChallenge","name":"Two Factor Authentication","category":"Broken Authentication","tags":null,"description":"Solve the 2FA challenge for user \"wurstbrot\". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)","difficulty":5,"hint":"The 2FA implementation requires to store a secret for every user. 
You will need to find a way to access this secret in order to solve this challenge.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_solve_the_2fa_challenge_for_user_wurstbrot","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":81,"key":"jwtUnsignedChallenge","name":"Unsigned JWT","category":"Vulnerable Components","tags":null,"description":"Forge an essentially unsigned JWT token that impersonates the (non-existing) user jwtn3d@juice-sh.op.","difficulty":5,"hint":"This challenge exploits a weird option that is supported when signing tokens with JWT.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_forge_an_essentially_unsigned_jwt_token","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":82,"key":"uploadSizeChallenge","name":"Upload Size","category":"Improper Input Validation","tags":null,"description":"Upload a file larger than 100 kB.","difficulty":3,"hint":"You can attach a small file to the \"Complaint\" form. 
Investigate how this upload actually works.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_upload_a_file_larger_than_100_kb","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":83,"key":"uploadTypeChallenge","name":"Upload Type","category":"Improper Input Validation","tags":null,"description":"Upload a file that has no .pdf or .zip extension.","difficulty":3,"hint":"You can attach a PDF or ZIP file to the \"Complaint\" form. Investigate how this upload actually works.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_upload_a_file_that_has_no_pdf_or_zip_extension","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":84,"key":"unionSqlInjectionChallenge","name":"User Credentials","category":"Injection","tags":null,"description":"Retrieve a list of all user credentials via SQL Injection.","difficulty":4,"hint":"Gather information on where user data is stored and how it is addressed. 
Then craft a corresponding UNION SELECT attack.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_retrieve_a_list_of_all_user_credentials_via_sql_injection","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":85,"key":"videoXssChallenge","name":"Video XSS","category":"XSS","tags":"Danger Zone","description":"Embed an XSS payload </script><script>alert(`xss`)</script>
into our promo video. (This challenge is potentially harmful on Heroku!)","difficulty":6,"hint":"You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_embed_an_xss_payload_into_our_promo_video","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":86,"key":"basketAccessChallenge","name":"View Basket","category":"Broken Access Control","tags":"Tutorial,Good for Demos","description":"View another user's shopping basket.","difficulty":2,"hint":"Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_view_another_users_shopping_basket","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":7,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":87,"key":"knownVulnerableComponentChallenge","name":"Vulnerable Library","category":"Vulnerable Components","tags":"OSINT","description":"Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment)","difficulty":4,"hint":"Report one of two possible answers via the \"Customer Feedback\" form. 
Do not forget to submit the library's version as well.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_vulnerable_library_it_is_using","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":88,"key":"weirdCryptoChallenge","name":"Weird Crypto","category":"Cryptographic Issues","tags":null,"description":"Inform the shop about an algorithm or library it should definitely not use the way it does.","difficulty":2,"hint":"Report one of four possible answers via the \"Customer Feedback\" form.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_inform_the_shop_about_an_algorithm_or_library_it_should_definitely_not_use_the_way_it_does","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":89,"key":"redirectChallenge","name":"Allowlist Bypass","category":"Unvalidated Redirects","tags":"Prerequisite","description":"Enforce a redirect to a page you are not supposed to redirect to.","difficulty":4,"hint":"You have to find a way to beat the allowlist of allowed redirect URLs.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/unvalidated-redirects.html#_enforce_a_redirect_to_a_page_you_are_not_supposed_to_redirect_to","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":90,"key":"xxeFileDisclosureChallenge","name":"XXE Data Access","category":"XXE","tags":"Danger Zone","description":"Retrieve the content of C:\\Windows\\system.ini or /etc/passwd from the server. (This challenge is potentially harmful on Heroku!)","difficulty":3,"hint":"The leverage point for this challenge is the deprecated B2B interface.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xxe.html#_retrieve_the_content_of_cwindowssystemini_or_etcpasswd_from_the_server","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":91,"key":"xxeDosChallenge","name":"XXE DoS","category":"XXE","tags":"Danger Zone","description":"Give the server something to chew on for quite a while. (This challenge is potentially harmful on Heroku!)","difficulty":5,"hint":"It is not as easy as sending a large amount of data directly to the deprecated B2B interface.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xxe.html#_give_the_server_something_to_chew_on_for_quite_a_while","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.461Z","updatedAt":"2024-03-28T08:29:16.461Z"},{"id":92,"key":"zeroStarsChallenge","name":"Zero Stars","category":"Improper Input Validation","tags":null,"description":"Give a devastating zero-star feedback to the store.","difficulty":1,"hint":"Before you invest time bypassing the API, you might want to play around with the UI a bit.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_give_a_devastating_zero_star_feedback_to_the_store","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":93,"key":"missingEncodingChallenge","name":"Missing Encoding","category":"Improper Input Validation","tags":"Shenanigans","description":"Retrieve the photo of Bjoern's cat in \"melee combat-mode\".","difficulty":1,"hint":"Check the Photo Wall for an image that could not be loaded correctly.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_retrieve_the_photo_of_bjoerns_cat_in_melee_combat_mode","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":94,"key":"svgInjectionChallenge","name":"Cross-Site Imaging","category":"Security Misconfiguration","tags":"Contraption","description":"Stick cute cross-domain kittens all over our delivery boxes.","difficulty":5,"hint":"This challenge would formally have to be in several categories as the developers made multiple gaffes for this to be possible.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_stick_cute_cross_domain_kittens_all_over_our_delivery_boxes","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":95,"key":"exposedMetricsChallenge","name":"Exposed Metrics","category":"Sensitive Data Exposure","tags":"Good Practice","description":"Find the endpoint that serves usage data to be scraped by a popular monitoring system.","difficulty":1,"hint":"Try to guess what URL the endpoint might have.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_find_the_endpoint_that_serves_usage_data_to_be_scraped_by_a_popular_monitoring_system","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":96,"key":"freeDeluxeChallenge","name":"Deluxe Fraud","category":"Improper Input Validation","tags":null,"description":"Obtain a Deluxe Membership without paying for it.","difficulty":3,"hint":"Look closely at what happens when you attempt to upgrade your account.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_obtain_a_deluxe_membership_without_paying_for_it","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":97,"key":"csrfChallenge","name":"CSRF","category":"Broken Access Control","tags":null,"description":"Change the name of a user by performing Cross-Site Request Forgery from another origin.","difficulty":3,"hint":"Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_change_the_name_of_a_user_by_performing_cross_site_request_forgery_from_another_origin","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":98,"key":"xssBonusChallenge","name":"Bonus Payload","category":"XSS","tags":"Shenanigans,Tutorial","description":"Use the bonus payload <iframe width=\"100%\" height=\"166\" scrolling=\"no\" frameborder=\"no\" allow=\"autoplay\" src=\"https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true\"></iframe> in the DOM XSS challenge.","difficulty":1,"hint":"Copy + Paste = Solved!","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_use_the_bonus_payload_in_the_dom_xss_challenge","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":3,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":99,"key":"resetPasswordUvoginChallenge","name":"Reset Uvogin's Password","category":"Sensitive Data Exposure","tags":"OSINT","description":"Reset Uvogin's password via the Forgot Password mechanism with the original answer to his security question.","difficulty":4,"hint":"You might have to do some OSINT on his social media personas to find out his honest answer to the security question.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_reset_uvogins_password_via_the_forgot_password_mechanism","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":100,"key":"geoStalkingMetaChallenge","name":"Meta Geo Stalking","category":"Sensitive Data Exposure","tags":"OSINT","description":"Determine the answer to John's security question by looking at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism.","difficulty":2,"hint":"Take a look at the meta data of the corresponding photo.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_determine_the_answer_to_johns_security_question","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":101,"key":"geoStalkingVisualChallenge","name":"Visual Geo Stalking","category":"Sensitive Data Exposure","tags":"OSINT","description":"Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.","difficulty":2,"hint":"Take a look at the details in the photo to determine the location of where it was taken.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_determine_the_answer_to_emmas_security_question","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":102,"key":"killChatbotChallenge","name":"Kill Chatbot","category":"Vulnerable Components","tags":"Code Analysis","description":"Permanently disable the support chatbot so that it can no longer answer customer queries.","difficulty":5,"hint":"Think of a way to get a hold of the internal workings on the chatbot API.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_permanently_disable_the_support_chatbot","mitigationUrl":"https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html","solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":103,"key":"nullByteChallenge","name":"Poison Null Byte","category":"Improper Input Validation","tags":"Prerequisite","description":"Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.","difficulty":4,"hint":"Take a look at the details in the photo to determine the location of where it was taken.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_bypass_a_security_control_with_a_poison_null_byte","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":104,"key":"bullyChatbotChallenge","name":"Bully Chatbot","category":"Miscellaneous","tags":"Shenanigans,Brute Force","description":"Receive a coupon code from the support chatbot.","difficulty":1,"hint":"Just keep asking.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_receive_a_coupon_code_from_the_support_chatbot","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":105,"key":"lfrChallenge","name":"Local File Read","category":"Vulnerable Components","tags":"OSINT,Danger Zone","description":"Gain read access to an arbitrary local file on the web server. (This challenge is potentially harmful on Heroku!)","difficulty":5,"hint":"You should read up on vulnerabilities in popular NodeJs template engines.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_gain_read_access_to_an_arbitrary_local_file_on_the_web_server","mitigationUrl":null,"solved":false,"disabledEnv":"Heroku","tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"},{"id":106,"key":"closeNotificationsChallenge","name":"Mass Dispel","category":"Miscellaneous","tags":null,"description":"Close multiple \"Challenge solved\"-notifications in one go.","difficulty":1,"hint":"Either check the official documentation or inspect a notification UI element directly.","hintUrl":"https://pwning.owasp-juice.shop/companion-guide/latest/part2/score-board.html#_close_multiple_challenge_solved_notifications_in_one_go","mitigationUrl":null,"solved":false,"disabledEnv":null,"tutorialOrder":null,"codingChallengeStatus":0,"createdAt":"2024-03-28T08:29:16.462Z","updatedAt":"2024-03-28T08:29:16.462Z"}]}