
Deploy OWASP Juice Shop
An intentionally vulnerable web app for security skills testing.
Deploy and Host OWASP Juice Shop on Railway
OWASP Juice Shop is a deliberately vulnerable modern web application designed for security training, awareness demos, CTF events, and hands-on practice. It covers over 100 challenges across all OWASP Top Ten vulnerability categories, including injection, broken authentication, XSS, sensitive data exposure, and more.
About Hosting OWASP Juice Shop
Juice Shop is a Node.js application served via Docker that runs entirely in-memory with no persistent database — progress resets on each redeploy, which is intentional and useful for repeatable training scenarios. This Railway template deploys the official Docker image as a single service with no additional dependencies. There are no credentials to configure and no environment variables required. Once deployed, navigate to the public Railway URL, find the Score Board challenge to unlock the challenge tracker, and start hacking.
⚠️ Juice Shop is intentionally insecure. Do not deploy it on a network or domain where it could be mistaken for a legitimate service, and do not store any real data in it.
Common Use Cases
- Hands-on security training — work through 100+ graded challenges covering injection, XSS, broken access control, cryptographic issues, insecure deserialization, and more, with built-in hints and a progress tracker on the Score Board
- CTF event hosting — deploy a dedicated Juice Shop instance per team for capture-the-flag competitions; redeploy between rounds to reset state and flags
- Security tool testing — use Juice Shop as a safe, legal target for evaluating DAST scanners, fuzzing tools, SAST rules, and WAF configurations against a realistic application with known vulnerabilities
Dependencies for OWASP Juice Shop Hosting
- OWASP Juice Shop Docker image — used directly by this template
- No database, volume, or environment variables required
Deployment Dependencies
- OWASP Juice Shop project page
- OWASP Juice Shop GitHub repository
- alphasec guide: Practice Hacking Skills with OWASP Juice Shop
Implementation Details
Juice Shop covers 100+ challenges across 15 vulnerability categories:
| Category | Examples |
|---|---|
| Injection | SQL injection login bypass, NoSQL manipulation, SSTI |
| XSS | DOM XSS, reflected XSS, CSP bypass, HTTP-header XSS |
| Broken Access Control | Admin section access, CSRF, SSRF, basket manipulation |
| Broken Authentication | Password strength, 2FA bypass, account takeover |
| Sensitive Data Exposure | Confidential document retrieval, GDPR data theft, leaked backups |
| Vulnerable Components | JWT forgery, arbitrary file write, supply chain attack |
| Cryptographic Issues | Forged coupons, weak hashing |
| Security Misconfiguration | Deprecated interfaces, error handling exposure |
Finding the Score Board — the Score Board is itself a challenge (finding it is your first task). Once discovered, it tracks all challenge completions with star ratings and optional hints. Use it to navigate the difficulty curve — start with one-star challenges and work up.
Resetting progress — since Juice Shop stores state in memory, redeploying the Railway service wipes all progress and resets the application to a clean state. Useful for CTF resets or restarting a training session.
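The hosting notes above (single Docker image, no volumes or environment variables, in-memory state that resets on redeploy) and the reset procedure translate directly into a container definition. The following Docker Compose file is an added example for running the same official image on a local machine; it is not part of the Railway template, which deploys the image directly without Compose. It assumes the image's default listening port of 3000 and binds it to the loopback address only, so the intentionally insecure app is not reachable from the rest of the network.

```yaml
# Added example: run the official OWASP Juice Shop image locally.
# Not the Railway template's own configuration.
services:
  juice-shop:
    image: bkimminich/juice-shop
    # Bind only on loopback: the app is deliberately vulnerable and must not
    # be exposed where it could be mistaken for a real service.
    ports:
      - "127.0.0.1:3000:3000"
    # No volumes on purpose: all state lives in memory, so
    # `docker compose restart juice-shop` returns the app to a clean state,
    # matching the redeploy-to-reset behaviour described above.
    # No environment variables are required by the image.
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
```

Start it with `docker compose up -d`, open http://127.0.0.1:3000, and locate the Score Board as the first challenge. To reset progress between training sessions or CTF rounds, `docker compose restart juice-shop` is sufficient because nothing is persisted to disk.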
Why Deploy OWASP Juice Shop on Railway?
Railway is a singular platform to deploy your infrastructure stack. Railway will host your infrastructure so you don't have to deal with configuration, while allowing you to vertically and horizontally scale it.
By deploying OWASP Juice Shop on Railway, you are one step closer to supporting a complete full-stack application with minimal burden. Host your servers, databases, AI agents, and more on Railway.
Template Content
juice-shop
bkimminich/juice-shop