This repository documents my independent security assessment and vulnerability audit of OWASP Juice Shop, an intentionally vulnerable web application designed for practicing modern web security testing. The objective of this project was to perform comprehensive manual and automated testing, identify critical security flaws mapped to the OWASP Top 10, and provide actionable mitigation strategies.
- Conduct black-box web application vulnerability assessment.
- Identify, exploit, and document critical web vulnerabilities.
- Provide secure coding remediation strategies.
- Compile a professional-grade Security Assessment Report.
- Interception & Manual Testing: Burp Suite Community Edition
- Automated Scanners: OWASP ZAP, Nikto
- Methodology: Payload crafting, session manipulation, input validation bypassing, and browser-based exploitation.
Exploited the login mechanism by injecting crafted SQL payloads into the email parameter, bypassing authentication controls entirely to gain unauthorized administrative access.
- Payloads Used:
"email":"admin@juice-sh.op'--", "password":"anything""email":"admin@juice-sh.op' OR '1'='1", "password":"anything"
Proof of Concept:
Burp Suite Repeater capturing the successful SQLi Authentication Bypass payload.
Server responding with a 200 OK and a valid JWT authentication token for the admin account.
- Impact: Granted unauthorized access to the application's administrative accounts and exposed the database to a risk of full compromise.
- Mitigation: Implement parameterized queries (prepared statements), utilize ORM protections, and strictly enforce input validation.
Identified multiple XSS vulnerabilities across different application features, allowing for the execution of arbitrary JavaScript within the victim's browser context.
Injected malicious payloads into the search query parameter which were reflected back un-sanitized by the server.
- Payload Used:
<iframe src="javascript:alert('XSS_Detected')">
Injected a persistent payload into the customer feedback form, which triggers whenever an admin or user reviews the feedback.
- Payload Used:
{"comment":"<script>alert('XSS')</script>","rating":5}
Manipulated the user profile interface to execute a payload via the username parameter.
- Payload Used:
{"username":"<img src=x onerror=alert(1)>"}
- Impact: Potential for severe session hijacking, credential theft, phishing attacks, and website defacement.
- Mitigation: Implement strict input sanitization, context-aware output encoding, and enforce robust Content Security Policy (CSP) headers.
| Vulnerability Discovered | OWASP Top 10 Category | Severity |
|---|---|---|
| SQL Injection (Auth Bypass) | A03:2021-Injection | Critical |
| Reflected XSS | A03:2021-Injection | High |
| Stored XSS | A03:2021-Injection | High |
| DOM-Based XSS | A03:2021-Injection | High |
- 📁
/Report→ Contains the final, detailed Security Assessment Report (Task_1_OWASP_JuiceShop_Security_Assessment_Report_Rishav.pdf). - 📁
/Screenshots→ Raw Proof of Concept (PoC) evidence images. - 📄
README.md→ Project overview and vulnerability summary.
All security testing and exploitation demonstrated in this repository were conducted on a localized, intentionally vulnerable environment specifically built for educational and research purposes. No live, unauthorized systems were targeted.
Rishav Raj – Cyber Security Researcher
👉 Star ⭐ this repository if you found these security testing methodologies helpful!



