ZAP vs OWASP Juice Shop

OWASP Juice Shop is “probably the most modern and sophisticated insecure web application!”.

The main project page is https://owasp.org/www-project-juice-shop/

It is actively maintained.

In this case we use it to check that the AJAX Spider finds all of the expected pages. Juice Shop was manually explored using a browser - if you find a URL in Juice Shop that can be discovered by 'normal' exploration but which is not listed here, please raise an issue.

Section    Score
All URLs   91%
Individual Tests

Top Level: OWASP Juice Shop

Standard Ajax Client   Test
✓ Pass   GET http://cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.css
✓ Pass   GET http://cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js
✓ Pass   GET http://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js
✓ Pass   GET http://localhost:3000/
✓ Pass   GET http://localhost:3000/MaterialIcons-Regular.woff2
❌ FAIL   GET http://localhost:3000/ae.svg
✓ Pass   GET http://localhost:3000/api/Challenges/(name)
✓ Pass   GET http://localhost:3000/api/Feedbacks/
✓ Pass   GET http://localhost:3000/api/Quantitys/
✓ Pass   GET http://localhost:3000/assets/i18n/en.json
✓ Pass   GET http://localhost:3000/assets/public/favicon_js.ico
✓ Pass   GET http://localhost:3000/assets/public/images/JuiceShop_Logo.png
✓ Pass   GET http://localhost:3000/assets/public/images/carousel/1.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/carousel/2.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/carousel/3.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/carousel/4.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/carousel/5.png
✓ Pass   GET http://localhost:3000/assets/public/images/carousel/6.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/carousel/7.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/hackingInstructor.png
✓ Pass   GET http://localhost:3000/assets/public/images/products/apple_juice.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/products/apple_pressings.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/products/artwork2.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/products/banana_juice.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/products/carrot_juice.jpeg
✓ Pass   GET http://localhost:3000/assets/public/images/products/eggfruit_juice.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/products/fan_facemask.jpg
❌ FAIL   GET http://localhost:3000/assets/public/images/products/fan_girlie.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/products/fruit_press.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/products/green_smoothie.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/products/lemon_juice.jpg
✓ Pass   GET http://localhost:3000/assets/public/images/products/melon_bike.jpeg
✓ Pass   GET http://localhost:3000/assets/public/images/products/permafrost.jpg
❌ FAIL   GET http://localhost:3000/az.svg
✓ Pass   GET http://localhost:3000/font-mfizz.woff
❌ FAIL   GET http://localhost:3000/ftp/legal.md
✓ Pass   GET http://localhost:3000/main.js
✓ Pass   GET http://localhost:3000/polyfills.js
✓ Pass   GET http://localhost:3000/rest/admin/application-configuration
✓ Pass   GET http://localhost:3000/rest/admin/application-version
✓ Pass   GET http://localhost:3000/rest/captcha/
✓ Pass   GET http://localhost:3000/rest/languages
❌ FAIL   GET http://localhost:3000/rest/products/1/reviews
✓ Pass   GET http://localhost:3000/rest/products/search(q)
✓ Pass   GET http://localhost:3000/rest/user/whoami
✓ Pass   GET http://localhost:3000/runtime.js
✓ Pass   GET http://localhost:3000/socket.io/(EIO,sid,t,transport)
✓ Pass   GET http://localhost:3000/socket.io/(EIO,sid,transport)
✓ Pass   GET http://localhost:3000/socket.io/(EIO,t,transport)
✓ Pass   GET http://localhost:3000/styles.css
✓ Pass   GET http://localhost:3000/tutorial.js
✓ Pass   GET http://localhost:3000/vendor.js
✓ Pass   POST http://localhost:3000/socket.io/(EIO,sid,t,transport)(40)

Configuration

Config Details
Frequency:  Daily
Scripts:    https://github.com/zapbot/zap-mgmt-scripts/blob/master/scans/juiceshop/
Action:     https://github.com/zapbot/zap-mgmt-scripts/actions/workflows/zap-vs-juiceshop.yml

Settings

The latest Nightly ZAP Docker image is run with the default settings against this app with no exceptions.