Vulnerability Categories

The vulnerabilities found in the OWASP Juice Shop are categorized into several different classes. Most of them cover different risk or vulnerability types from well-known lists or documents, such as OWASP Top 10, OWASP ASVS, OWASP Automated Threat Handbook, OWASP API Security Top 10 and OWASP Top 10 Privacy Risks or MITRE’s Common Weakness Enumeration. The following table presents a mapping of the Juice Shop’s categories to OWASP, CWE and WASC threats, risks and attacks (without claiming to be complete).

Category breakdown

Category Mappings

| Category | OWASP | CWE | WASC |
|---|---|---|---|
| Broken Access Control | A1:2021, API1:2019, API5:2019 | CWE-22, CWE-285, CWE-639, CWE-918 | WASC-02, WASC-09, WASC-16 |
| Broken Anti-Automation | OWASP-AT-004, API4:2019, OWASP-AT-010, OAT-009, OAT-015, OAT-008 | CWE-362 | WASC-11, WASC-21 |
| Broken Authentication | A7:2021, API2:2019, P6:2021 | CWE-287, CWE-352 | WASC-01, WASC-49 |
| Cross Site Scripting (XSS) | A3:2021, A7:2017 | CWE-79 | WASC-08 |
| Cryptographic Issues | A2:2021 | CWE-326, CWE-327, CWE-328, CWE-950 | - |
| Improper Input Validation | ASVS V5, API6:2019 | CWE-20 | WASC-20 |
| Injection | A3:2021, API8:2019, P1:2021 | CWE-74, CWE-89 | WASC-19, WASC-28, WASC-31 |
| Insecure Deserialization | A8:2021, A8:2017 | CWE-502 | - |
| Miscellaneous | P5:2021 | - | - |
| Security Misconfiguration | A5:2021, A9:2021, API7:2019, API9:2019, API10:2019 | CWE-209 | WASC-14, WASC-15 |
| Security through Obscurity | A4:2021, P5:2021 | CWE-656 | - |
| Sensitive Data Exposure | A3:2017, API3:2019, OTG-CONFIG-004, P2:2021 | CWE-200, CWE-530, CWE-548 | WASC-13 |
| Unvalidated Redirects | A10:2013 | CWE-601 | WASC-38 |
| Vulnerable Components | A6:2021 | CWE-829, CWE-506, CWE-1104 | - |
| XML External Entities (XXE) | A5:2021, A4:2017 | CWE-611 | WASC-43 |