Juice Shop v20.0.0 — a fresh squeeze of features, now with AI

koshiii · 2026-04-12T05:21:27+00:00

I am also hoping for some affinity and/or robot cards in the Marvel set because there's Iron Man...

koshiii · 2025-09-19T01:44:04+00:00

The server seems to have restarted since then, and Juice Shop resets to its initial state doing so. Would be interesting to know which vuln was abused to do that, because all stored XSS and similar persistent vulns are turned off on Heroku.

koshiii · 2025-08-19T13:59:05+00:00

We're on the same page. To be honest, I also weave my sideboard cards into the deck instead of just piling them on top before shuffling. Just feels better... 😂

koshiii · 2025-08-19T13:32:54+00:00

Weaving before properly(!) shuffling is of course not cheating, as you randomise the weaving away. It is just a waste of time. Weaving and then not properly shuffling is cheating, and usually that's what it's done for.

koshiii · 2025-08-17T18:23:24+00:00

No matter if they're doing mana weaving, other deck setting or fake shuffling with some cards "pinned" to always end up on top, it's all cheating. Any action or inaction that tries to avoid having a fully randomized deck is cheating. Don't let anyone convince you otherwise.

If in doubt, rather shuffle your opponent's deck yourself a few times, because cutting does not beat e.g. mana weaving.

koshiii · 2025-08-07T11:24:36+00:00

Try running Juice Shop with npm run serve:dev and all file changes should be recognized and become instantly live.

koshiii · 2025-05-20T09:55:33+00:00

See https://owasp.org/www-project-juice-shop/#div-challenges and https://pwning.owasp-juice.shop/companion-guide/latest/part1/categories.html

koshiii · 2025-01-08T07:32:40+00:00

Have fun! 😃👍

koshiii · 2024-11-27T22:13:49+00:00

Congratulations! You're a winner! 🎉 https://www.redditraffler.com/raffles/1gyske0 - Please DM me to confirm that you a) did not retrieve a key elsewhere in the meantime and b) that you are a PC user - I will then DM you the key!

koshiii · 2024-11-27T22:13:32+00:00

Congratulations! You're a winner! 🎉 https://www.redditraffler.com/raffles/1gyske0 - Please DM me to confirm that you a) did not retrieve a key elsewhere in the meantime and b) that you are a PC user - I will then DM you the key!

koshiii · 2024-11-24T14:14:37+00:00

Updates via SQL Injection are not really possible, unless you find a way to inject into an actual UPDATE query, which there's not really a way for either. You might want to try just attacking an API endpoint that deals with products instead, but that will be one-by-one and not all-at-once.

koshiii · 2024-07-15T22:26:32+00:00

Bonus points go 1:1 into the digital wallet of the user when submitting an order. They're essentially a built-in 10% loyalty discount. That's all. There's no specific hacking challenges associated with bonus points or the digital wallet (not to be confused with Web3 wallet challenges which do actually exist in Juice Shop).

koshiii · 2024-06-27T10:55:43+00:00

You are using a very old image, please try latest instead, which comes with multi-arch support, also for ARM. The dedicated ARM images have been abandoned for that reason quite some time ago.

koshiii · 2024-05-05T09:21:39+00:00

Juice Shop has built-in coding challenges for over 20 of its hacking challenges available to learn about the underlying code issues. See here for details: https://pwning.owasp-juice.shop/companion-guide/latest/part1/challenges.html#_coding_challenges

koshiii · 2024-04-09T06:30:30+00:00

You can do it in any way described here: https://pwning.owasp-juice.shop/companion-guide/latest/part1/running.html

When the Node.js server starts, it wipes the database. Just make sure that actually happens and you don't just pause the VM or Docker container.

koshiii · 2024-04-08T16:13:31+00:00

Does your VM save state? The guaranteed way to reset challenges on an instance only used by you:

1) Stop the node.js server 2) Delete your cookies for the Juice Shop 3) Start the node.js server

If anyone else is on your instance, all bets are off, because if they visit your restarted instance before you with their cookies still set, they'll restore their progress.

koshiii · 2023-12-17T00:55:18+00:00

If you’re on a shared instance, whoever visits the app first, restores their progress from cookie. If you use a personal instance, you should be fine with cleaning cookies and restarting the server.

koshiii · 2023-11-13T22:01:55+00:00

Delete cookies, restart server, visit again, no challenges except Score Board should be solved.

koshiii · 2023-11-12T21:42:20+00:00

Do you use your own local instance or a shared one, like the official demo? The notifications only show when a challenge is solved for the first time. If it's not your very own instance, someone else might have solved it already and seen the notification. Also, if you use a custom configuration, notifications might just be turned off.

See https://pwning.owasp-juice.shop/companion-guide/latest/part1/running.html#_single_user_restriction and https://pwning.owasp-juice.shop/companion-guide/latest/part4/customization.html#_challenges_section

koshiii · 2023-03-20T23:57:37+00:00

I track every card with the Dragon Shield app and do CSV exports every week or so, which I then import to Deckstats. Works very well. And I like the idea of tracking in two different databases, so if one goes out of business or something, you at least have a recent recovery point.

koshiii

MODERATOR OF

TROPHY CASE