Security Assessment

Discovered Vulnerabilities

Comprehensive analysis of security flaws identified in OWASP Juice Shop

CRITICAL RISK
SQL Injection

Login Admin Bypass

SQL Injection | STRIDE: Spoofing

Allows attackers to log in as Administrator without a password by exploiting SQL queries that are built from unvalidated input.

Impact: Complete account takeover, unauthorized access to sensitive data
HIGH RISK
Weak Password

Weak Admin Password

Broken Authentication | STRIDE: Spoofing

The admin account uses a common, easily guessable password that can be cracked through brute-force attacks.

Impact: Unauthorized administrative access, system compromise
HIGH RISK
Reflected XSS

Cross-Site Scripting | STRIDE: Tampering

Malicious scripts can be injected via the search bar and executed in victim browsers, enabling session hijacking.

Impact: Session theft, credential harvesting, malicious redirects
MEDIUM RISK
Confidential Document

Sensitive Data Exposure | STRIDE: Information Disclosure

Legal documents are accessible via direct URL manipulation without proper access controls.

Impact: Exposure of confidential business information
MEDIUM RISK
FTP Directory

FTP Directory Listing

Sensitive Data Exposure | STRIDE: Information Disclosure

The server reveals backup files via the /ftp directory, exposing sensitive system information.

Impact: Disclosure of backup files, potential credential exposure
MEDIUM RISK
Scoreboard Access

Broken Access Control | STRIDE: Elevation of Privilege

Unauthorised access to the hidden admin page /score-board without proper authentication.

Impact: Access to administrative features, information disclosure
MEDIUM RISK
DOM-based XSS

Cross-Site Scripting | STRIDE: Tampering

The search function executes HTML locally in the browser without proper sanitization.

Impact: Client-side code execution, data manipulation
LOW RISK
Stack Trace Leak

Security Misconfiguration | STRIDE: Information Disclosure

Error messages reveal server technologies such as SQLite and Node.js, aiding reconnaissance.

Impact: Information leakage for targeted attacks