Target: OWASP Juice Shop (Intentionally Vulnerable Application)
Tester: Ibrahim Sheikh — Founder & Lead Researcher, CySentra
Engagement Type: Vulnerability Assessment & Penetration Testing (VAPT)
Environment: Local Docker Deployment
Date: December 2025

1. Executive Summary

CySentra conducted a controlled web application penetration test against an intentionally vulnerable OWASP Juice Shop deployment to simulate real-world attack scenarios and assess common security weaknesses.

The assessment identified multiple high-risk vulnerabilities, including:

  • SQL Injection leading to authentication bypass
  • Insecure Direct Object Reference (IDOR)
  • Reflected and Stored Cross-Site Scripting (XSS)
  • Broken Access Control exposing administrative configuration
  • Partial exposure to Cross-Site Request Forgery (CSRF) risks

If deployed in a production environment, these issues could result in account compromise, sensitive data exposure, fraud, and full application takeover.

2. Scope & Methodology

Scope

  • Application: OWASP Juice Shop
  • Deployment: Local Docker container
  • Access URL: http://10.0.2.15:3000
  • Authorization: Explicitly permitted educational testing

Methodology

Testing was performed using a manual-first approach, aligned with:

  • OWASP Web Security Testing Guide (WSTG)
  • OWASP Top 10 (2021)

Phases:

  1. Passive Reconnaissance
  2. Active Reconnaissance & Enumeration
  3. Vulnerability Exploitation
  4. Impact Analysis
  5. Remediation Recommendations

3. Passive Reconnaissance

Target Overview

Category         Details
Framework        Node.js + Express
Frontend         Angular SPA
API Style        JSON REST
Authentication   JWT (RS256)
Purpose          Intentionally insecure lab

HTTP Header Analysis

Observed response headers included:

  • Access-Control-Allow-Origin: *
  • X-Frame-Options: SAMEORIGIN
  • X-Content-Type-Options: nosniff
  • Feature-Policy: payment 'self'
  • X-Recruiting: /#/jobs

Security Implications

  • Permissive CORS (Access-Control-Allow-Origin: *) lets any origin read responses. Browsers refuse to pair a wildcard origin with credentials, so authenticated data is not directly readable cross-origin, but everything the API serves anonymously is.
  • SPA architecture implies heavy reliance on API endpoints, so the REST layer is the primary attack surface.
  • Custom headers (X-Recruiting) revealed hidden application routes.
  • X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff were present. Content-Security-Policy and Strict-Transport-Security were not among the headers listed above; their absence should be confirmed, since a CSP would blunt the XSS findings in Section 5.2.
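The checks above can be made repeatable. The following is an added example written for this report, not output from any tool used in the engagement: it audits a response header map for the issues discussed in this section. OBSERVED_HEADERS is constructed from the list above; the severities and wording are this example's own choices.

```python
# Added example for this report (not output from any tool used in the
# engagement): a rule-based audit of the response headers listed above.
# OBSERVED_HEADERS is constructed from that list; the checks, severities and
# wording are this example's own choices.

OBSERVED_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Feature-Policy": "payment 'self'",
    "X-Recruiting": "/#/jobs",
}

# Defensive headers worth confirming, with the weakness each one mitigates.
EXPECTED_HEADERS = {
    "Content-Security-Policy": "injected scripts run with no restrictions",
    "Strict-Transport-Security": "HTTP downgrade and cookie theft on the wire",
    "X-Frame-Options": "clickjacking",
    "X-Content-Type-Options": "MIME sniffing",
}

# Non-standard headers that commonly leak routes or stack details.
DISCLOSURE_HEADERS = ("x-recruiting", "x-powered-by", "server")


def audit_headers(headers):
    """Return a list of (severity, finding) tuples for one response's headers.

    Names are compared case-insensitively, as HTTP header names are.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    acao = lower.get("access-control-allow-origin")
    creds = lower.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        # Any origin may read the response. Browsers refuse to combine '*'
        # with credentials, so only data served without cookies or an
        # Authorization header is readable cross-origin; still, it widens
        # the surface for everything the API serves anonymously.
        findings.append(("medium", "permissive CORS: Access-Control-Allow-Origin: *"))
    elif acao and acao != "null" and creds:
        # Reflected origin plus credentials: authenticated data readable by that origin.
        findings.append(("high", f"CORS allows {acao} with credentials"))

    for name, weakness in EXPECTED_HEADERS.items():
        if name.lower() not in lower:
            findings.append(("low", f"missing {name}: exposed to {weakness}"))

    for name, value in headers.items():
        if name.lower() in DISCLOSURE_HEADERS:
            findings.append(("info", f"disclosure header {name}: {value}"))

    return findings


if __name__ == "__main__":
    for severity, finding in audit_headers(OBSERVED_HEADERS):
        print(f"[{severity:6}] {finding}")
```

Run against the observed headers, the audit flags the wildcard CORS policy, the two disclosure-prone headers present, and the absence of CSP and HSTS, while leaving X-Frame-Options and X-Content-Type-Options unflagged because they were present.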

Evidence:

4. Active Reconnaissance & Enumeration

Network & Service Enumeration

An Nmap scan confirmed the Juice Shop service running on port 3000.

Command Used:

nmap -sS -sV -O 127.0.0.1

Key Findings:

  • Port 3000 open (HTTP)
  • Node.js/Express backend detected
  • REST-style API exposed

Directory & Endpoint Enumeration

Tools used:

  • dirb
  • gobuster

Notable endpoints discovered:

Endpoint                    Status   Risk
/api                        500      REST backend present
/rest                       500      API surface
/profile                    500      Auth-protected – IDOR risk
/ftp                        200      Sensitive file exposure
/redirect                   500      Open redirect risk
/.well-known/security.txt   200      Disclosure simulation

Note: In OWASP Juice Shop, HTTP 500 often indicates reachable but malformed endpoints requiring specific input.

5. Exploitation Findings

5.1 Insecure Direct Object Reference (IDOR)

Severity: High
OWASP Category: A01: Broken Access Control

Description

The application exposes user basket resources via predictable numeric identifiers without validating ownership.

Affected Endpoint

GET /rest/basket/{basketId}

Proof of Concept

Authenticated request as User #23:

GET /rest/basket/6

Malicious request:

GET /rest/basket/2

Result: Successful access to another user's basket.

📸 [Screenshot 4: Legitimate basket request showing UserId = 23]


📸 [Screenshot 5: Modified basketId request showing access to UserId = 2]


Impact

  • Unauthorized access to user data
  • Horizontal privilege escalation
  • Fraudulent order manipulation

Recommendation

  • Enforce object-level authorization
  • Validate resource ownership server-side
  • Avoid exposing sequential IDs

5.2 Cross-Site Scripting (XSS)

Severity: High
OWASP Category: A03: Injection

5.2.1 Reflected XSS

Location:

#/search?q=

Payload Used:

"><img src=x onerror=alert('XSS')>

Result: JavaScript executed immediately in the browser. Because #/search is a client-side Angular route, the URL fragment is never sent to the server; the SPA itself writes the search term into the DOM, so this is the DOM-based form of reflected XSS. A proxy log will show no server-side reflection, and the finding has to be confirmed in a browser.

📸 [Screenshot 6: URL with injected payload in search parameter]


Impact

  • Session hijacking
  • Credential theft
  • CSRF chaining

5.2.2 Stored XSS

Location:

  • #/contact (Feedback submission)
  • Rendered in #/administration (Admin view)

Payload Submitted:

<img src=x onerror=alert('Stored XSS')>

Result: Payload was stored by the backend and executed in the administrator's browser when the feedback list was viewed.

Impact

  • Execution in admin context
  • Persistent compromise
  • Full application takeover potential
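Both payloads above succeed because user-controlled text is written into HTML without encoding for the context it lands in. The following added example (written for this report, not code from Juice Shop or from the tester) shows the attribute breakout and the stored tag against constructed templates, and the contextual encoding that neutralises them. The templates and the crude detector are illustrative only; Juice Shop's Angular templates are not reproduced.

```python
# Added example (not code from the report or from Juice Shop): how the two
# XSS payloads above break out of their HTML context, and how contextual
# output encoding neutralises them. The templates are constructed for
# illustration.
import html

REFLECTED_PAYLOAD = "\"><img src=x onerror=alert('XSS')>"
STORED_PAYLOAD = "<img src=x onerror=alert('Stored XSS')>"


def render_search_unsafe(q):
    """Echoes the search term into an attribute and into text without encoding.
    The leading '">' in the payload closes the value attribute and the input
    tag, so the <img> that follows becomes real markup."""
    return f'<input value="{q}"><h2>Results for {q}</h2>'


def render_search_safe(q):
    """html.escape(quote=True) encodes < > & " and ' so the value can neither
    close the attribute nor start a tag; the browser shows it as literal text."""
    safe = html.escape(q, quote=True)
    return f'<input value="{safe}"><h2>Results for {safe}</h2>'


def render_feedback_unsafe(comments):
    """Admin feedback view concatenating stored comments as raw HTML: this is
    where the stored payload fires, in the administrator's session."""
    return "".join(f"<li>{c}</li>" for c in comments)


def render_feedback_safe(comments):
    """Encode at render time. Stored data is treated as untrusted text no matter
    what validation ran when it was submitted."""
    return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)


def contains_active_markup(rendered):
    """Crude check used only to compare the renderings here (not a sanitizer):
    is there a real <img> tag carrying an event-handler attribute?"""
    low = rendered.lower()
    return "<img" in low and "onerror=" in low


if __name__ == "__main__":
    print("unsafe search :", render_search_unsafe(REFLECTED_PAYLOAD))
    print("safe search   :", render_search_safe(REFLECTED_PAYLOAD))
    print("unsafe admin  :", render_feedback_unsafe([STORED_PAYLOAD]))
    print("safe admin    :", render_feedback_safe([STORED_PAYLOAD]))
```

Encoding is the primary fix; a Content-Security-Policy that disallows inline event handlers is the defence in depth that would have stopped both payloads from executing even where encoding was missed.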

5.3 Broken Access Control: Administrative API Exposure

Severity: High
OWASP Category: A01: Broken Access Control

Description

Administrative API endpoints were accessible to authenticated low-privilege users; no role check was enforced server-side. The same request should also be repeated with no session at all: an endpoint that answers anonymously is a disclosure issue rather than a privilege-escalation one and should be rated accordingly.

Proof of Concept

Executed as normal user via browser console:

fetch('/rest/admin/application-configuration')
  .then(res => res.json())
  .then(console.log)

Result: Full administrative configuration returned.

📸 [Screenshot 10: Browser console showing admin configuration JSON response]


Impact

  • Disclosure of internal application settings
  • Feature flag exposure
  • Increased attack surface for chained exploits
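Findings 5.1 and 5.3 are the two halves of the same defect: the server checks that a caller is logged in but not what that caller may see. The following added example (written for this report; not Juice Shop's Express routes or Sequelize models) models both the basket ownership gap and the missing admin role check, each beside its fix. The basket store, user objects and the configuration document are constructed for illustration.

```python
# Added example (not from the Juice Shop code base): a minimal model of the
# authorization failures in 5.1 (IDOR) and 5.3 (admin API) and their fixes.
# Data, users and handlers are constructed for illustration only.

# Constructed data: basket id -> owning user id and contents.
BASKETS = {
    2: {"UserId": 2, "Products": ["Apple Juice"]},
    6: {"UserId": 23, "Products": ["Banana Juice", "Green Smoothie"]},
}

# Hypothetical configuration document stood in for the real response.
APP_CONFIG = {"application": {"name": "demo-shop"}, "features": {"hints": True}}


class Forbidden(Exception):
    pass


# --- vulnerable handlers: the only check is that *some* user is logged in ---

def get_basket_vulnerable(user, basket_id):
    """GET /rest/basket/{basketId} as observed: no ownership check."""
    if user is None:
        raise Forbidden("login required")
    return BASKETS[basket_id]   # any authenticated user can read any basket


def get_admin_config_vulnerable(user):
    """GET /rest/admin/application-configuration as observed: no role check."""
    if user is None:
        raise Forbidden("login required")
    return APP_CONFIG


# --- hardened handlers ---

def get_basket(user, basket_id):
    """Object-level authorization: the basket must belong to the caller."""
    if user is None:
        raise Forbidden("login required")
    basket = BASKETS.get(basket_id)
    # Same error for "does not exist" and "not yours", so the endpoint cannot
    # be used to enumerate which basket ids exist.
    if basket is None or basket["UserId"] != user["id"]:
        raise Forbidden("basket not accessible")
    return basket


def get_admin_config(user):
    """Function-level authorization: the role comes from the server-side
    session (or a verified token claim), never from a client-supplied field."""
    if user is None or user.get("role") != "admin":
        raise Forbidden("admin role required")
    return APP_CONFIG


def try_access(handler, *args):
    """Return 'ok' or 'denied' so the outcomes can be tabulated."""
    try:
        handler(*args)
        return "ok"
    except Forbidden:
        return "denied"


if __name__ == "__main__":
    customer = {"id": 23, "role": "customer"}
    print("basket 2 as user 23, vulnerable:", try_access(get_basket_vulnerable, customer, 2))
    print("basket 2 as user 23, fixed     :", try_access(get_basket, customer, 2))
    print("admin config as customer, fixed:", try_access(get_admin_config, customer))
```

The ownership comparison belongs in the data-access layer (a query constrained by the caller's user id), not only in the route handler, so that no future endpoint can fetch a basket by id alone.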

5.4 SQL Injection: Authentication Bypass

Severity: Critical
OWASP Category: A03: Injection

Affected Functionality

  • Login form
  • Search functionality

Payload Used

' OR 1=1--

Result

Authentication was bypassed. The injected clause makes the WHERE condition true for every row and the trailing -- comments out the password comparison, so the application logged the attacker in as the first user returned by the query.

📸 [Screenshot 11: Login request with SQL injection payload]


📸 [Screenshot 12: Successful login after injection]


Impact

  • Full account compromise
  • Potential read or write access to the backing database
  • Manipulation or destruction of business data

5.4.1 Injection Detection (Search Function)

Request:

http://10.0.2.15:3000/#/search?q='

Observed Behavior:

  • Application returned abnormal results (single product)
  • Indicates improper handling of user input in backend SQL queries

Because #/search is a client-side route, the quote does not reach the server in the URL fragment; the SPA forwards the q value to the backend search API, where the unbalanced quote reaches the SQL layer. A single stray quote changing the result set confirms that user input is being concatenated into the query unsafely.
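The following added example (written for this report; not Juice Shop's code) reproduces both the login bypass and the single-quote detection against an in-memory SQLite database. The Users and Products tables and their rows are constructed here, and the weak MD5 hashing exists only so the vulnerable and fixed queries compare like with like. The vulnerable queries mirror the string-concatenation pattern this finding describes; the fixed login uses bound parameters.

```python
# Added example (not Juice Shop's code): the 5.4 login bypass and the 5.4.1
# single-quote probe reproduced against in-memory SQLite. Tables, rows and
# the MD5 hashing are constructed for illustration only.
import hashlib
import sqlite3

PAYLOAD = "' OR 1=1--"


def md5(s):
    # Deliberately weak; present only so both queries hash the same way.
    return hashlib.md5(s.encode()).hexdigest()


def seed():
    """Constructed sample data: two users (admin seeded first) and two products."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, "
               "password TEXT, role TEXT, deletedAt TEXT)")
    db.executemany(
        "INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
        [("admin@example.test", md5("admin-pass"), "admin"),
         ("jim@example.test", md5("jim-pass"), "customer")],
    )
    db.execute("CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO Products (name) VALUES (?)",
                   [("Apple Juice",), ("Banana Juice",)])
    return db


def login_vulnerable(db, email, password):
    """WHERE clause built by concatenation. With PAYLOAD the statement becomes
       ... WHERE email = '' OR 1=1--' AND password = '...' AND deletedAt IS NULL
    so '--' comments out the password check and every row matches; fetchone()
    hands back the first user, here the admin."""
    sql = (f"SELECT id, email, role FROM Users WHERE email = '{email}' "
           f"AND password = '{md5(password)}' AND deletedAt IS NULL")
    return db.execute(sql).fetchone()


def login_safe(db, email, password):
    """Bound parameters: the payload is compared as a literal e-mail string and
    matches nothing."""
    sql = ("SELECT id, email, role FROM Users WHERE email = ? "
           "AND password = ? AND deletedAt IS NULL")
    return db.execute(sql, (email, md5(password))).fetchone()


def search_vulnerable(db, q):
    """Search built the same way; a lone quote unbalances the statement."""
    return db.execute(f"SELECT name FROM Products WHERE name LIKE '%{q}%'").fetchall()


def probe_search(db, q):
    """Return the result list, or 'sql-error' if the input broke the statement:
    the abnormal response the detection step in 5.4.1 looks for."""
    try:
        return search_vulnerable(db, q)
    except sqlite3.OperationalError:
        return "sql-error"


if __name__ == "__main__":
    db = seed()
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe login with payload      :", login_safe(db, PAYLOAD, "anything"))
    print("search probe with quote      :", probe_search(db, "'"))
```

Parameterised statements fix the injection itself; they do not remove the separate weaknesses visible in the model (reversible or weak password hashing, and an error response that tells the tester the query broke), each of which would be written up on its own.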

5.5 Cross-Site Request Forgery (CSRF)

Severity: Medium

Description

CSRF vectors were assessed against authenticated, state-changing endpoints.

Observations

  • Cookie-based authentication in use
  • Some endpoints lack CSRF tokens
  • Method override attempts rejected
  • Invalid paths returned server-side errors

Conclusion

While full CSRF exploitation was not achieved, the architecture shows the preconditions for it (cookie-backed sessions and state-changing endpoints without per-request tokens), and the XSS findings in Section 5.2 would let an attacker bypass any token scheme from within the application's own origin.
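The following added example (written for this report, not from Juice Shop) shows the server-side guard the observations above call for: a synchronizer token kept in the server-side session plus an Origin/Referer check, applied only to state-changing methods. Requests and sessions are plain dicts constructed for illustration; the allowed origin is the scope URL, and the attacker origin is made up.

```python
# Added example (not from the report or Juice Shop): a CSRF guard combining a
# synchronizer token with an Origin/Referer check. Requests and sessions are
# constructed dicts; no web framework is involved.
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "http://10.0.2.15:3000"   # the target URL from the scope
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_token(session):
    """Store a random token in the server-side session and return it so the
    page can embed it in forms (or a JS-readable header for the SPA)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(url):
    """Exact scheme+host+port comparison; a prefix test would accept
    'http://10.0.2.15:3000.attacker.test'."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def csrf_check(request, session):
    """Return None when a request may proceed, else the rejection reason.

    request: {"method": str, "headers": {name: value}, "form": {field: value}}
    """
    if request["method"].upper() in SAFE_METHODS:
        return None     # safe methods must not change state in the first place

    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # 1. If the browser tells us where the request came from, it must be us.
    source = headers.get("origin") or headers.get("referer", "")
    if source and not same_origin(source):
        return "cross-origin request rejected"

    # 2. The per-session token must be present and match, compared in
    #    constant time so the check itself leaks nothing.
    expected = session.get("csrf_token", "")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "missing or invalid csrf token"
    return None


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    forged = {"method": "POST", "headers": {"Origin": "http://attacker.test"}, "form": {}}
    print("forged request:", csrf_check(forged, session))
```

Setting the session cookie with SameSite=Lax or Strict is the complementary browser-side control; it is cheap to add and should be listed alongside the token in the remediation.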

6. Overall Risk Summary

Vulnerability            Severity
SQL Injection            Critical
IDOR                     High
Stored XSS               High
Reflected XSS            High
Broken Access Control    High
CSRF                     Medium

7. Final Conclusion

This engagement demonstrates real-world exploitable vulnerabilities that mirror those found in production web applications.

Key systemic issues include:

  • Over-trust in client input
  • Weak authorization enforcement
  • Injection vulnerabilities with severe impact

CySentra Statement

CySentra delivers hands-on web application security testing focused on real exploitation, business impact, and actionable remediation — not just automated scans.