1. Executive Summary
We tested OWASP Juice Shop on 19 May 2026 to find security weaknesses an attacker could exploit. The application is in a highly vulnerable state: attackers can access protected data without logging in, extract the entire database through a simple search query, and permanently plant malicious scripts that run in every visitor's browser. All five compliance frameworks tested (including GDPR, PCI DSS, and HIPAA) failed to meet compliance standards. Immediate action is required: the four High-severity findings (unauthenticated access, SQL injection, stored XSS, and CORS misconfiguration) must be remediated within 7 days, followed by a structured program to address the remaining Medium and Low findings over the next 30–90 days.
2. At a Glance
2.1 Scan Metrics & Risk Summary
| Metric | Result |
|---|---|
| Total Findings | 14 |
| Application Risk Rating | 🟠 High |
| Recommended Action | Patch High findings within 7 days |
2.2 Compliance Framework Evaluation
The scan identified findings mapped to control areas within GDPR, PCI DSS, HIPAA, OWASP Top 10, and ISO 27001 Annex A. These mappings indicate security gaps that may affect compliance posture.
| Framework | Result |
|---|---|
| OWASP Top 10 | Fail (13 checks failed) |
| HIPAA | Fail (11 checks failed) |
| GDPR | Fail (11 checks failed) |
| PCI DSS | Fail (11 checks failed) |
| ISO 27001-A | Fail (14 checks failed) |
2.3 Infrastructure & Transport Security Observations
| Item | Detail |
|---|---|
| SSL Certificate Score | ✅ A (Let's Encrypt, ECDSA P-256) |
| Supported Protocols | ✅ TLS 1.2, TLS 1.3 |
| Certificate Validity | ⚠️ Valid until 15 July 2026 (renew within 55 days) |
| Mail Configuration | ✅ SPF, DKIM, DMARC all pass; SMTP open relay blocked |
| Open Ports | ⚠️ 16 ports detected including SSH (22), FTP (21), PostgreSQL (5432), and numerous app ports |
| Vulnerable JavaScript Packages | ⚠️ jQuery 2.2.4 with 5 Medium CVEs; other observed packages include Zone.js, GSAP, Angular, lit-html, and React Router. |
| Vulnerable Server-Side Technologies | ✅ Nginx 1.24.0, Node.js, Ubuntu |
3. Business Impact
The findings show a high-risk exposure pattern across access control, input handling, browser security controls, and operational visibility. The highest business concern is that unauthenticated attackers can access protected order data, exploit SQL injection to retrieve sensitive database content, and use stored XSS to run malicious code in users' browsers. CORS misconfiguration and missing browser security headers increase the likelihood and blast radius of client-side attacks, while the exposed metrics endpoint and server banner disclosure provide useful reconnaissance data to attackers.
| Risk Area | Possible Impact |
|---|---|
| Account & Order Security | Anonymous access to authenticated endpoints can expose order details without valid credentials. |
| Data Protection | Error-based SQL injection can expose database structure and sensitive application records. |
| User Trust & Session Safety | Stored XSS can execute attacker-controlled scripts in users' browsers, enabling session theft, credential harvesting, and malicious redirects. |
| Browser-Side Attack Surface | CORS misconfiguration and missing CSP, HSTS, X-Frame-Options, Referrer-Policy, X-Content-Type-Options, and Permissions-Policy weaken browser-enforced protections. |
| Operational Exposure | The public Prometheus metrics endpoint and server version disclosure reveal internal runtime signals that can support targeted attacks. |
| Compliance Posture | Findings map to control gaps across OWASP Top 10, GDPR, PCI DSS, HIPAA, and ISO 27001-A control areas and should be reviewed by compliance owners. |
4. Scope & Methodology
4.1 Scan Information
| Type | Details |
|---|---|
| Target | https://juiceshop.zerothreat.ai/juiceshop |
| Environment | Stage |
| Scan Profile | Auth - Coverage |
| Scan Scope | Web App Scan |
| Test Type | Grey-box (automated + authenticated coverage) |
| Scan Server | Central India |
| Testing Window | 19 May 2026, 09:38 AM UTC |
| Time Taken | 13.79 minutes |
| Tech Stacks | React, Express.js, Node.js, MongoDB |
4.2 What We Tested
- 40,000+ built-in scanner engine test cases.
- Additional vulnerability coverage, including 3,257 CVE-based templates, 253 Open Attack templates, and 72 Custom Attack templates.
- Application endpoints, including those identified via manual exploration and automated crawls (3 crawled requests, 14 web forms, 27 API requests, and 9 Playwright-driven browser interactions).
- Any additionally configured allowed hosts were also included in scope.
- SSL/TLS configurations and transport layer security.
- Email server security policies (including SPF, DKIM, DMARC, and open relay verification).
- Secret detection mechanisms to identify exposed credentials, API keys, and sensitive tokens.
- External network footprint and active port scanning.
- Vulnerable third-party software dependencies and underlying infrastructure architecture.
4.3 What We Didn't Test
- Ignored URIs and unmapped external hosts.
5. Summary of Findings
See Appendix A for risk rating definitions and fix priority.
| No. | Title | Count | Fix Priority |
|---|---|---|---|
| 1 | 🟠 Anonymous Access to Authenticated Endpoints | 2 | 1 week |
| 2 | 🟠 CORS Misconfiguration | 1 | 1 week |
| 3 | 🟠 Error-Based SQL Injection | 4 | 1 week |
| 4 | 🟠 Stored Cross-Site Scripting | 1 | 1 week |
| 5 | 🟡 HTTP Parameter Pollution | 4 | 30 days |
| 6 | 🟡 Mass Assignment / Hidden Field Manipulation | 1 | 30 days |
| 7 | 🟡 Missing Security Header — Content-Security-Policy | 1 | 30 days |
| 8 | 🟡 Missing Security Header — Strict-Transport-Security | 1 | 30 days |
| 9 | 🟡 Missing Security Header — X-Frame-Options | 1 | 30 days |
| 10 | 🟡 Prometheus Metrics Endpoint Exposed | 1 | 30 days |
| 11 | 🟢 Missing Security Header — Referrer-Policy | 1 | 90 days |
| 12 | 🟢 Missing Security Header — X-Content-Type-Options | 1 | 90 days |
| 13 | ⚪ Information Exposure via Server Header | 1 | Best effort |
| 14 | ⚪ Missing Security Header — Permissions-Policy | 1 | Best effort |
Header-based findings and CORS are counted once per finding class, even where the same issue appears across multiple endpoints.
6. Appendices
Appendix A — Risk Rating Guide
Use this to understand how we score each finding.
| Rating | Score | What It Means | Fix Priority |
|---|---|---|---|
| 🔴 Critical | 9.0–10.0 | Immediate threat. Attacker gets full control or sensitive data with low effort. | 24–72 hours |
| 🟠 High | 7.0–8.9 | Serious impact. Significant data loss or system compromise possible. | 1 week |
| 🟡 Medium | 4.0–6.9 | Notable risk but harder to exploit or limited impact. | 30 days |
| 🟢 Low | 0.1–3.9 | Minor issue. Defence-in-depth improvement. | 90 days |
| ⚪ Info | — | Not a vulnerability, but worth knowing. | Best effort |
Scores follow CVSS v3.1.
Appendix B — Glossary
- CVSS — Common Vulnerability Scoring System; an industry-standard score from 0–10 reflecting the severity of a vulnerability.
- CWE — Common Weakness Enumeration; a catalogue of software and hardware weakness types.
- GDPR — General Data Protection Regulation; EU regulation governing the handling of personal data.
- HIPAA — Health Insurance Portability and Accountability Act; US regulation requiring protection of health information.
- ISO 27001-A — An international standard for information security management controls.
- OWASP — Open Web Application Security Project; a non-profit producing widely used web security standards and guidance.
- PCI DSS — Payment Card Industry Data Security Standard; requirements for systems that process card payments.
- PoC — Proof of Concept; a demonstration that a vulnerability is real and exploitable.
- Affected Instances — The specific endpoints, parameters, or unique locations within the application where a vulnerability was successfully detected. A single security flaw category can contain multiple distinct occurrences across the target environment.