
OWASP Juice Shop — Web Penetration Testing & Audit

Full OWASP Top 10 penetration test on Juice Shop: SQL injection, XSS (reflected/stored), IDOR, JWT algorithm confusion — complete audit report with CVSS scores and ASVS remediations.

2025
Completed (October 2025)
1 member

Technologies Used

Burp Suite · OWASP ZAP · SQLmap · jwt-tool · SQL Injection · XSS · IDOR · JWT · CVSS · ASVS

Comprehensive penetration test and security audit of OWASP Juice Shop, a deliberately vulnerable web application. Covers identification, exploitation, and remediation of the full OWASP Top 10 vulnerability set.

🎯 Project Overview

Simulates a real-world web application security audit. Findings are documented with CVSS v3.1 scores and remediations aligned with the OWASP Application Security Verification Standard (ASVS).

🔍 Vulnerability Coverage (OWASP Top 10)

A01 — Broken Access Control

  • IDOR — Accessing other users' orders by manipulating basket IDs
  • Admin panel exposure — Forced browsing to /administration without authentication

A02 — Cryptographic Failures

  • JWT algorithm confusion — Forging admin tokens by exploiting the alg: none vulnerability using jwt-tool

A03 — Injection

  • SQL Injection (login bypass) — ' OR 1=1-- in login form
  • SQLi (data extraction) — UNION-based injection to extract user table via SQLmap

A07 — Authentication Failures

  • Weak password policy — Default admin credentials brute-forced
  • Security question bypass — Predictable answers enabling account takeover

A03 — XSS

  • Reflected XSS — Injected in search parameter
  • Stored XSS — Persistent payload in product reviews

📋 Audit Report

  • Vulnerability inventory with CVSS v3.1 scores (Base, Temporal, Environmental)
  • Proof-of-Concept (PoC) steps for each finding
  • Risk prioritization matrix
  • Remediations aligned with OWASP ASVS

Severity distribution: 2 Critical · 3 High · 4 Medium · 2 Low · 3 Informational

🛠️ Tooling

| Tool | Usage |
|------|-------|
| Burp Suite | HTTP proxy, request manipulation, repeater, intruder |
| OWASP ZAP | Automated scanning baseline |
| SQLmap | Automated SQL injection testing |
| jwt-tool | JWT token analysis and manipulation |

Challenges

  • Systematically covering all OWASP Top 10 categories without missing attack surfaces
  • Chaining multiple vulnerabilities for higher-impact exploitation paths
  • Writing CVSS scores that accurately reflect business risk context
  • Writing remediations specific enough to be actionable for developers

Solutions

  • Followed a structured OWASP Top 10 checklist, documenting each test case before exploitation
  • Identified IDOR + privilege escalation chains and JWT + access control bypass combinations
  • Used CVSS v3.1 calculator with environmental metrics adjusted to web application context
  • Mapped each finding to OWASP ASVS verification requirements for precise remediation guidance

Outcomes

  • Complete OWASP Top 10 coverage with 14 validated findings across 6 vulnerability categories
  • Professional audit report with CVSS v3.1 scores, PoC steps, and ASVS-aligned remediations
  • Demonstrated practical exploitation: SQLi login bypass, XSS payloads, JWT alg:none, IDOR
  • Risk prioritization matrix enabling developer teams to address critical findings first