juice-shop-vapt

πŸ” OWASP Juice Shop – Vulnerability Assessment & Penetration Testing (VAPT)

Welcome to my Vulnerability Assessment & Penetration Testing (VAPT) project focused on OWASP Juice Shop β€” one of the most popular intentionally vulnerable web applications. This repository demonstrates how common web security vulnerabilities can be discovered and exploited in a controlled environment using ethical hacking practices.

πŸ“ Project Structure

juice-shop-vapt/
β”œβ”€β”€ Findings/
β”‚   β”œβ”€β”€ injection/
β”‚   β”‚   β”œβ”€β”€ admin-login-sqli.md
β”‚   β”‚   β”œβ”€β”€ no-sql-manipulation.md
β”‚   β”‚   └── union-sqli.md
β”‚   β”œβ”€β”€ xss/
β”‚   β”‚   β”œβ”€β”€ dom-xss.md
β”‚   β”‚   β”œβ”€β”€ reflected-xss.md
β”‚   β”‚   └── bonus-paylaod.md
β”‚   β”œβ”€β”€ broken-access-control/
β”‚   β”‚   β”œβ”€β”€ Forged-Feedback.md
β”‚   β”‚   β”œβ”€β”€ View-Another-User-Basket.md
β”‚   β”‚   └── review-edit.md
β”‚   β”œβ”€β”€ idor/
β”‚   β”‚   β”œβ”€β”€ order-access.md
β”‚   β”‚   β”œβ”€β”€ invoice-download.md
β”‚   β”‚   └── order-modify.md
β”‚   β”œβ”€β”€ sensitive-data-exposure/
β”‚   β”‚   β”œβ”€β”€ confidentail-document.md
β”‚   β”‚   β”œβ”€β”€ login-MCsafesearch.md
β”‚   β”‚   └── NFT-Takeover.md
β”‚   β”œβ”€β”€ security-misconfiguration/
β”‚   β”‚   β”œβ”€β”€ Error-Handling.md
β”‚   β”‚   β”œβ”€β”€ Deprecated-Interface.md
β”‚   β”‚   └── cors.md
β”‚   └── auth-session/
β”‚       β”œβ”€β”€ sql-bypass-login.md
β”‚       β”œβ”€β”€ reset-token-abuse.md
β”‚       └── persistent-session.md
β”œβ”€β”€ Reports/
β”‚   └── Screenshots/
β”‚       β”œβ”€β”€ Injection/
β”‚       β”œβ”€β”€ XSS/
β”‚       β”‚   β”œβ”€β”€ DOM/
β”‚       β”‚   β”œβ”€β”€ Reflected/
β”‚       β”‚   └── Bonus/
β”‚       β”œβ”€β”€ BrokenAccessControl/
β”‚       β”œβ”€β”€ IDOR/
β”‚       β”œβ”€β”€ SensitiveDataExposure/
β”‚       β”œβ”€β”€ SecurityMisconfiguration/
β”‚       └── AuthSession/
β”œβ”€β”€ Tools_Used.md
└── README.md

βœ… Vulnerabilities Covered (with Categories)

# Category Sample Labs Screenshot Folder
1 Injection Admin Login via SQLi, No-Sql-Manipulation, Union SQLi Screenshots/Injection/
2 Cross-Site Scripting DOM XSS, Reflected XSS in Order Tracking, Bonus Payload Screenshots/XSS/DOM, Reflected, Stored
3 Broken Access Control Forged Feedback, View Other’s Basket, Modify/Delete Review Screenshots/BrokenAccessControl/
4 IDOR View Other’s Orders, Download Invoice, Modify Order via URL Screenshots/IDOR/
5 Sensitive Data Exposure Confidentail-Document, Login-MCsafesearch, NFT-TAkeover Screenshots/SensitiveDataExposure/
6 Security Misconfiguration Error-Handling, Deprecated-Interface, Insecure CORS Screenshots/SecurityMisconfiguration/
7 Auth & Session Issues SQL Login Bypass, Tokenless Password Reset, Persistent Session Screenshots/AuthSession/

Each report contains payloads, Burp Suite steps, screenshots, vulnerability impact, and suggested mitigations.

πŸ“Έ Screenshot Integration

Screenshots for each vulnerability are stored under:

```markdown Proof-of-Concept

πŸš€ How to Use This Repository

  1. Clone the repository: git clone https://github.com/lucky-cyber3008/juice-shop-vapt.git

  2. Read vulnerability write-ups under the Findings/ folder organized by category.

  3. Explore screenshots under Reports/Screenshots/ for PoC images.

  4. Use this as a reference for learning, bug bounty prep, or VAPT methodology.

πŸ™‹β€β™‚οΈ Author Lucky GitHub: @lucky-cyber3008 Cybersecurity Enthusiast | Bug Bounty Learner | Ethical Hacker in Training

πŸ“œ Disclaimer This repository is intended for educational and ethical use only. All vulnerabilities demonstrated are part of OWASP Juice Shop β€” an intentionally vulnerable web application. Do not attempt these techniques on unauthorized systems. Always act responsibly and legally.

πŸš€ Want to dive into the code?
πŸ‘‰ Check out the GitHub Repository