This report documents multiple security vulnerabilities identified in the OWASP Juice Shop application. Each finding is described in detail, including severity assessment, exploitation steps and remediation guidance.

Setup OWASP Juice Shop Locally Using Docker

Install Docker

Run:

docker pull bkimminich/juice-shop
docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop

Browse to: http://localhost:3000


1. Privilege Escalation via User Registration API

Summary (with CWE)

The application allows an attacker to self-register an administrator account by directly invoking the user creation API and supplying the role parameter in the request body. Due to missing server-side authorization and role validation, the backend blindly trusts client input. This results in unauthorized privilege escalation, granting full administrative access without authentication or approval.

CWE ID

  • CWE-269 — Improper Privilege Management
  • CWE-285 — Improper Authorization

Severity (CVSS v3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Metrics:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

CVSS Base Score: 9.8 (Critical)

Description

OWASP Juice Shop exposes a user registration API endpoint (/api/Users) that accepts user details in JSON format. The backend fails to enforce role-based access control during user creation and allows the client to specify sensitive attributes such as role. An attacker can exploit this flaw by sending a crafted POST request with "role":"admin", resulting in the creation of an administrator account without any authorization checks.

This vulnerability completely compromises the application, as administrative privileges allow full access to sensitive data and management functions.

Steps to Reproduce

  1. Send a POST request to: http://localhost:3000/api/Users
  2. Edit request body and add role parameter: { "role": "admin" }
  3. Submit the request using Burp Suite.
  4. The server responds with a successful user creation message.
  5. Log in using the created credentials.

Suggested Remediation

  • Enforce server-side role control
  • Assign the default role server-side, ignoring any role value supplied by the client
  • Allow admin role assignment only through authenticated admin workflows
  • Validate permissions on every sensitive endpoint
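The fix in code, as an added example that is not Juice Shop's own handler: a registration function that copies the whole request body into the user record (mass assignment) beside one that copies only an allow-list and assigns the role on the server. Field names and role names are assumed for illustration.

```javascript
// Added example, not Juice Shop's own code. Field and role names are assumed.
const ALLOWED_FIELDS = ['email', 'password', 'securityQuestion', 'securityAnswer'];
const DEFAULT_ROLE = 'customer';
const KNOWN_ROLES = new Set(['customer', 'deluxe', 'accounting', 'admin']);

// Vulnerable: every attribute the client sends, including "role", is persisted.
function buildUserVulnerable(body) {
  return { ...body };
}

// Hardened: unknown attributes are dropped and the role is never taken from
// the client, so a crafted {"role":"admin"} in the body has no effect.
function buildUserHardened(body) {
  const user = {};
  for (const field of ALLOWED_FIELDS) {
    if (body[field] !== undefined) user[field] = body[field];
  }
  user.role = DEFAULT_ROLE;
  return user;
}

// Role changes go through a separate, authenticated admin action that checks
// the caller's privilege on the server rather than a flag in the request.
function changeRole(actor, targetUser, newRole) {
  if (!actor || actor.role !== 'admin') throw new Error('forbidden');
  if (!KNOWN_ROLES.has(newRole)) throw new Error('unknown role');
  return { ...targetUser, role: newRole };
}

// Constructed request body carrying the extra "role" attribute.
const craftedBody = { email: 'user@example.com', password: 'Passw0rd!', role: 'admin' };

console.log(buildUserVulnerable(craftedBody).role);  // admin
console.log(buildUserHardened(craftedBody).role);    // customer
```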

References

  1. OWASP Top 10 — Broken Access Control
  2. CWE-269: Improper Privilege Management
  3. CWE-285: Improper Authorization
  4. OWASP Juice Shop Project

2. OAuth Account Takeover

Summary (with CWE)

OWASP Juice Shop implements Google OAuth login in an insecure manner by deterministically generating user passwords on the client side. The password is derived by reversing the user's email address and Base64-encoding it, which can be easily reproduced by an attacker.

This design flaw allows an attacker to log in directly using email/password authentication for an OAuth-registered user, resulting in full account takeover without cracking hashes or bypassing authentication controls.

CWE ID

  • CWE-522 — Insufficiently Protected Credentials
  • CWE-287 — Improper Authentication
  • CWE-284 — Improper Access Control

Severity (CVSS v3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Metrics

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

CVSS Base Score: 9.1 (Critical)

Description

OWASP Juice Shop allows users to register and log in via Google OAuth. During this process, the application uses a client-side JavaScript function userService.oauthLogin() found in main.js.

The OAuth workflow internally calls:

  • userService.save() (user creation)
  • userService.login() (standard login)

Both functions set the user password using the following logic:

password = btoa(n.email.split("").reverse().join(""))

Password Generation Logic

  • The email address is reversed.
  • The reversed string is Base64-encoded.
  • The result is used as the account password.

Steps to Reproduce:

Identify OAuth Password Logic

  • Open main.js
  • Search for oauthLogin
  • Locate: password: btoa(n.email.split("").reverse().join(""))

Derive Victim Password

Email: bjoern@gmail.com
Reversed: moc.liamg@nreojb
Base64-encoded password:

bW9jLmxpYW1nQGhjaW5pbW1pay5ucmVvamI=

Suggested Remediation

  • Never generate passwords client-side
  • Separate OAuth and password authentication
  • Use strong, random credentials
  • Do not expose authentication logic
  • Perform security design reviews

References

  1. OWASP Top 10 — Broken Authentication
  2. CWE-522 — Insufficiently Protected Credentials
  3. OAuth 2.0 Security Best Practices (RFC 8252)
  4. OWASP Juice Shop Project

3. SQL Injection in Product Search Endpoint

Summary (with CWE)

An SQL Injection (SQLi) vulnerability was identified in the product search functionality of OWASP Juice Shop. The application fails to properly sanitize user-controlled input in the q parameter, allowing attackers to inject malicious SQL queries.

This flaw enables unauthorized database access, including enumeration of database tables and potential exposure of sensitive data.

CWE ID

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

Severity (CVSS v3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Metrics

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

CVSS Base Score: 9.1 (Critical)

Description

The /rest/products/search API endpoint accepts user input via the q parameter to search for products. This input is directly incorporated into backend SQL queries without sufficient sanitization or parameterization.

An attacker can exploit this weakness to inject arbitrary SQL commands, allowing enumeration of database schema and extraction of sensitive information. Automated tools such as sqlmap can successfully detect and exploit this vulnerability, confirming the presence of SQL injection.

This issue represents a complete breakdown of input validation and secure query handling, posing a serious risk to application confidentiality and integrity.

Exploit Using sqlmap

sqlmap -u "http://localhost:3000/rest/products/search?q=apple" --tables

Got User credentials :)

Suggested Remediation

  • Sanitize and validate all user-supplied inputs
  • Implement parameterized queries
  • Deploy a Web Application Firewall (WAF)
  • Enable logging & monitoring
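An added example, not Juice Shop's own code: the search query built by string concatenation beside the same query with q passed as a bound parameter, plus a small detector for the logging and monitoring item. The query text is illustrative of the shape of a product search, not copied from the project, and the log lines are constructed; no database is needed because both builders return the SQL text and the bindings.

```javascript
// Added example, not Juice Shop's own code. Query shape and log lines are illustrative.
function buildSearchVulnerable(q) {
  // q is spliced into the SQL grammar, so a quote in q ends the string literal
  // and whatever follows is parsed as SQL.
  const sql = "SELECT * FROM Products WHERE (name LIKE '%" + q + "%' OR description LIKE '%" + q +
    "%') AND deletedAt IS NULL ORDER BY name";
  return { sql, params: [] };
}

function buildSearchParameterized(q) {
  // The SQL text is constant; q reaches the engine only as a bound value, so
  // quotes and comment markers in it are just characters to match.
  const pattern = '%' + q + '%';
  const sql = 'SELECT * FROM Products WHERE (name LIKE ? OR description LIKE ?) AND deletedAt IS NULL ORDER BY name';
  return { sql, params: [pattern, pattern] };
}

// Monitoring aid: flags q values carrying SQL metacharacters so the request can
// be logged and alerted on. A detection signal, not a substitute for binding.
const SQLI_MARKERS = /('|--|;|\/\*|\bUNION\b|\bSELECT\b)/i;
function looksLikeInjection(q) {
  return SQLI_MARKERS.test(q);
}

// Constructed access-log lines ("METHOD path") to run the detector over.
const sampleLog = [
  'GET /rest/products/search?q=apple',
  "GET /rest/products/search?q=apple'--",
  'GET /rest/products/search?q=banana',
];

// Returns the log lines whose q parameter looks like an injection attempt.
function flaggedSearches(lines) {
  return lines.filter(line => {
    const m = line.match(/[?&]q=([^&\s]*)/);
    return m !== null && looksLikeInjection(decodeURIComponent(m[1]));
  });
}

console.log(flaggedSearches(sampleLog).length);  // 1
```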

References

  1. OWASP SQL Injection Prevention Cheat Sheet
  2. CWE-89 — SQL Injection
  3. OWASP Juice Shop Documentation
  4. CVSS v3.1 Specification: https://www.first.org/cvss/v3.1/

4. Arbitrary File Download via Poison Null Byte Injection

Summary (with CWE)

The application is vulnerable to Poison Null Byte Injection, allowing an attacker to bypass file extension validation and download sensitive backup files stored on the server. By exploiting improper input validation and unsafe file handling, restricted backup files such as developer and salesman data can be accessed.

CWE ID

  • CWE-158 — Improper Neutralization of Null Byte
  • CWE-22 — Improper Limitation of Pathname to Restricted Directory

Severity (CVSS v3.1)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Base Score: 7.5 (High)

Description

OWASP Juice Shop restricts file downloads in the /ftp endpoint by validating file extensions. However, this validation can be bypassed using a Poison Null Byte (%00) injection combined with double URL encoding.

The backend improperly handles null bytes during file system access, causing the application to truncate the filename at the null byte and serve restricted backup files (e.g., .bak) while still passing extension validation checks.

This results in unauthorized access to sensitive backup files, potentially exposing configuration details, credentials, or business data.

Steps to Reproduce:

Access a Developer's Forgotten Backup File:

  1. Navigate to the FTP directory: http://localhost:3000/ftp
  2. Attempt direct access (fails due to extension restriction): http://localhost:3000/ftp/package.json.bak
  3. Try Poison Null Byte injection (fails initially): http://localhost:3000/ftp/package.json.bak%00.md
  4. URL-encode the % character as well: http://localhost:3000/ftp/package.json.bak%2500.md

The server successfully returns the restricted backup file, completing the exploit.

Access a Salesman's Forgotten Backup File:

  1. Use the same Poison Null Byte technique: http://localhost:3000/ftp/coupons_2013.md.bak%2500.md
  2. The backup file downloads successfully, revealing sensitive business data.

Backup file downloads successfully.


Suggested Remediation

  • Reject null bytes explicitly
  • Decode input before validation
  • Use allow-listed file access
  • Disable public access to backups
  • Use secure file APIs

References

  1. OWASP Foundation — OWASP Juice Shop
  2. CWE-158: Improper Neutralization of Null Byte
  3. OWASP Testing Guide — File Handling Vulnerabilities
  4. PortSwigger — File Path Traversal & Null Byte Attacks

Thanks For Reading :)

Happy Hacking ;)