Ever wanted to practice your hacking skills without breaking any laws? OWASP Juice Shop is an intentionally vulnerable e-commerce application that’s become the gold standard for security training. With 12.5k+ stars, this TypeScript-powered web app contains real-world vulnerabilities from SQL injection to broken authentication, all packaged in a polished, modern interface that actually looks like something you’d encounter in production.
What sets Juice Shop apart is its sophistication: this isn’t some basic demo riddled with obvious flaws. It features a complete e-commerce experience with user accounts, product reviews, file uploads, and payment processing, each hiding carefully crafted security vulnerabilities. The platform includes built-in progress tracking, hints for stuck hackers, and integration with CTF scoring systems. Whether you’re teaching OWASP Top 10 concepts, running security workshops, or trying out new penetration testing tools, Juice Shop provides a safe, legal playground that covers everything from XSS to business logic flaws.
It’s perfect for security professionals, developers wanting to understand common vulnerabilities, and educators running cybersecurity courses. The project ships with Docker support for instant setup, comprehensive documentation, and an active community contributing new challenges. It’s like having a deliberately broken application that’s ironically built better than most production systems.
⭐ Stars: 12594
💻 Language: TypeScript
🔗 Repository: juice-shop/juice-shop