# OWASP Juice Shop — Web and API Lab

> **Intro:** OWASP Juice Shop is still one of the fastest ways to build real AppSec intuition. It is ideal for newcomers because it is easy to run, but it stays useful for senior engineers because it covers modern web, API, frontend, session, and business-logic issues.
>
> **What this page includes**
>
> * why Juice Shop is worth keeping in a Product Security training track;
> * multiple setup options;
> * how to use it for AppSec and API review practice;
> * how to avoid turning it into a pure CTF exercise.

## What it is

OWASP Juice Shop is a deliberately insecure web application used for:

* security training;
* awareness demos;
* CTF-style learning;
* testing proxies and security tools.

It covers vulnerabilities from the OWASP Top 10 and many other real-world flaw categories. It is especially good because it includes:

* web issues;
* frontend and browser issues;
* REST/API issues;
* coding challenges;
* a scoreboard and guided hints for beginners.

## Why it is valuable

Juice Shop is one of the best “first serious labs” because it is:

* easy to install;
* self-contained;
* beginner-friendly;
* broad enough to stay relevant after the beginner stage.

It is also useful for Product Security because you can use it to practice:

* security review notes;
* release-gate ideas;
* API and frontend hardening recommendations;
* scanner validation and false-positive reasoning.

## Best fit

| Persona                   | Fit       | Why                                                   |
| ------------------------- | --------- | ----------------------------------------------------- |
| Newcomer                  | Very high | Fast setup and clear challenge structure              |
| AppSec engineer           | Very high | Broad vulnerability coverage                          |
| API reviewer              | High      | Useful for API abuse, auth, and object access lessons |
| Product Security engineer | High      | Good for review checklists and teaching developers    |

## Run models

### Docker container

```bash
docker pull bkimminich/juice-shop
docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop
```

Then open `http://localhost:3000`.

### From source

```bash
git clone https://github.com/juice-shop/juice-shop.git --depth 1
cd juice-shop
npm install
npm start
```

### Vagrant

```bash
git clone https://github.com/juice-shop/juice-shop.git
cd juice-shop/vagrant
vagrant up
```

## Why Docker is the best default

For most people, the Docker mode is the best starting point because:

* setup is quick;
* teardown is trivial;
* you can rerun from a clean state easily;
* the lab stays isolated from your day-to-day development environment.

## How to study Juice Shop well

### Don’t chase only challenge completion

A better study sequence is:

1. identify the entry point;
2. describe the flawed trust assumption;
3. identify the missing control;
4. identify the detection or logging opportunity;
5. write the engineering recommendation.

### Use it for review discipline

For each challenge or issue type, write:

* what the insecure assumption was;
* how you would spot it in code review or architecture review;
* what test, lint, gate, or checklist could catch it earlier.

## High-value topic clusters to practice

* authentication and session flows;
* authorization and object access;
* XSS and browser behavior;
* API-only attack paths;
* sensitive data exposure;
* insecure components and dependency trust;
* observability and logging failures.
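The object-access cluster above, worked through the review-discipline steps from the previous section (trust assumption, missing control, logging opportunity, test that catches it). This is an added example in the Express-style handler shape Juice Shop's Node backend uses; it is not Juice Shop's own code, and the basket data, user ids and handler names are constructed for illustration:

```javascript
// Constructed sample data: two users, each owning one basket.
const baskets = new Map([
  [1, { id: 1, userId: 100, items: ['apple juice'] }],
  [2, { id: 2, userId: 200, items: ['banana juice'] }],
]);

// Step 4 of the study sequence: somewhere to record denied cross-user access.
const auditLog = [];

// Flawed version. Trust assumption: "a logged-in user only asks for their
// own basket id", so the only check is that the caller is authenticated.
function getBasketInsecure(req) {
  if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };
  const basket = baskets.get(Number(req.params.id));
  if (!basket) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: basket }; // no ownership check
}

// Hardened version. The missing control is an ownership check bound to the
// authenticated identity from the session, never to a client-supplied value.
function getBasketSecure(req) {
  if (!req.user) return { status: 401, body: { error: 'unauthenticated' } };
  const basket = baskets.get(Number(req.params.id));
  if (basket && basket.userId !== req.user.id) {
    // Detection opportunity: a real cross-user request is worth an alert.
    auditLog.push({ event: 'cross_user_object_access', user: req.user.id, basket: basket.id });
  }
  // 404 for both "missing" and "not yours" so other users' ids are not confirmed.
  if (!basket || basket.userId !== req.user.id) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: basket };
}

// Step 5, as a release-gate test: run every per-user handler against one
// cross-user request and list the handlers that still serve it.
function findOwnershipGaps(handlers) {
  const crossUser = { user: { id: 100 }, params: { id: '2' } }; // user 100 asks for user 200's basket
  return Object.entries(handlers)
    .filter(([, handler]) => handler(crossUser).status === 200)
    .map(([name]) => name);
}
```

Running `findOwnershipGaps({ getBasketInsecure, getBasketSecure })` returns `['getBasketInsecure']`, which is the kind of check worth wiring into CI before a review checklist ever mentions it.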

## Pair it with these KB pages

* [Frontend Security Review Playbook](https://github.com/D3One/Product-Security-Gitbook/blob/main/18-frontend-and-browser-security/frontend-security-review-playbook.md)
* [Browser Security Foundations: CSP, CORS, Cookies, and Sessions](/application-security-and-secure-sdlc/index-2/browser-security-foundations-csp-cors-cookies-and-sessions.md)
* [API Design and Contract Security](/architecture-api-crypto-and-identity/index/api-design-and-contract-security.md)
* [API Authentication and Authorization](/architecture-api-crypto-and-identity/index/api-authentication-and-authorization.md)
* [Business Logic Abuse Review Playbook](https://github.com/D3One/Product-Security-Gitbook/blob/main/19-business-logic-abuse-and-product-abuse/business-logic-abuse-review-playbook.md)
* [Worked Example API Review Lab](https://github.com/D3One/Product-Security-Gitbook/blob/main/22-learning-paths-and-labs/worked-example-api-review-lab.md)

## Good ways to use Juice Shop with a team

* assign one challenge category per engineer and have them explain the control failure;
* run a “review-first” session where nobody exploits anything until they describe the risk;
* compare scanner output to manual findings;
* use it as a secure coding training environment before writing internal code-review checklists.

## Common mistakes

* treating it only as a hacking game;
* skipping the API and frontend perspective;
* ignoring what logs or alerts would have helped;
* using the public demo for unauthorized testing instead of your own instance.

## Cleanup

If you used the container path, stopping the container is usually enough; because it was started with `--rm`, Docker also removes the container (and its state) as soon as it stops:

```bash
docker ps
docker stop <container_id>
```

Or just end the `docker run --rm ...` session if it was interactive.

## References

* Official project page: <https://owasp.org/www-project-juice-shop/>
* Official repository: <https://github.com/juice-shop/juice-shop>
* Official companion guide: <https://pwning.owasp-juice.shop/>

---

*Author attribution: Ivan Piskunov, 2026. Educational and defensive-engineering use.*

