Setting Up A Juice Shop

So I have decided to make a collection of blog posts covering OWASP’s Juice Shop, from setup to going through some of the sections.

So before we jump into this, maybe I should explain what a Juice Shop is, but since OWASP has already written something covering this, I will just use their blurb:

“OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!”

The Juice Shop has a GitHub repository that can be found here and a page covering further details on the Juice Shop can be found here.

For the purpose of this blog post, I have set up a basic Debian VM to install Juice Shop into. We will also be using Docker as part of this setup. So let’s install Docker to start with:

The first step is to ensure the VM is up to date and any outstanding updates have been installed:

sudo apt-get update
sudo apt-get upgrade

Next we take care of prerequisites for Docker with the following:

sudo apt-get install \
 apt-transport-https \
 ca-certificates \
 curl \
 gnupg2

Now time to take care of the GPG key:

curl -fsSL | sudo apt-key add -

With the prerequisites and GPG key taken care of, let’s install the Docker repository:

sudo add-apt-repository \
 "deb [arch=amd64] \
 $(lsb_release -cs) \

We just need to do one last update since adding the new repository:

sudo apt-get update

Finally, we can install Docker:

sudo apt-get install docker-ce docker-ce-cli

The following command should download and run the hello-world container, which confirms that Docker is installed and working:

sudo -g docker docker run hello-world

If everything went as intended, you should get a “Hello from Docker!” message (along with a bit more output).

Now it is time to set up the Juice Shop, so let’s pull down a prebuilt Docker image (use at your own risk, always check the files you run on your system, etc.):

sudo -g docker docker pull bkimminich/juice-shop
sudo -g docker docker run --rm -p 3000:3000 bkimminich/juice-shop

With that you should end up seeing something like the following:

info: Detected Node.js version v10.15.3 (OK)
info: Configuration default validated (OK)
info: Server listening on port 3000

With this, you should now have the Juice Shop up and running. Browsing to the VM’s IP on port 3000 should now load the web application.
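
As an added example (not part of the original post or the Juice Shop project), the script below confirms from the container log that the server is listening and classifies which host addresses port 3000 is published on. It assumes the `docker port` line format `3000/tcp -> 0.0.0.0:3000` and uses constructed sample input, so it runs without Docker.

```shell
#!/bin/sh
# Added example (not from the original post). Both functions read text on
# stdin, so with a running container they can be fed from
#   docker logs <container> 2>&1 | startup_status
#   docker port <container>      | published_scope 3000
# <container> is a placeholder for the name or ID shown by `docker ps`.

# Prints "ready" once the log contains the listening line shown in the post,
# otherwise "starting".
startup_status() {
    awk '
        /info: Server listening on port / { print "ready"; found = 1; exit }
        END { if (!found) print "starting" }
    '
}

# Classifies where container port $1/tcp is published on the host, from
# `docker port` lines such as "3000/tcp -> 0.0.0.0:3000".
published_scope() {
    awk -v port="$1" '
        $1 == (port "/tcp") && $2 == "->" {
            addr = $3
            sub(/:[0-9]+$/, "", addr)   # drop the host port, keep the address
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") lo = 1
            else if (addr == "0.0.0.0" || addr == "[::]" || addr == "::") wide = 1
            else pinned = 1
        }
        END {
            if (wide)        print "all-interfaces"
            else if (pinned) print "specific-address"
            else if (lo)     print "loopback-only"
            else             print "not-published"
        }
    '
}

# Constructed sample input, modelled on the output quoted in the post.
SAMPLE_LOG='info: Detected Node.js version v10.15.3 (OK)
info: Configuration default validated (OK)
info: Server listening on port 3000'
SAMPLE_PORTS='3000/tcp -> 0.0.0.0:3000'   # what -p 3000:3000 produces

printf '%s\n' "$SAMPLE_LOG"   | startup_status
printf '%s\n' "$SAMPLE_PORTS" | published_scope 3000
```

A result of all-interfaces means anything that can reach the VM can reach the deliberately vulnerable application, so keep the VM on a host-only or isolated lab network; publishing with `-p 127.0.0.1:3000:3000` instead limits access to the VM itself.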

Edits Made After posting

  • Put commands and console output into code blocks (Thanks to Ross for feedback)
  • Covered a little as to what Juice Shop is (Thanks to Ross for feedback)
