Security Assessment Report

OWASP Juice Shop (Benchmark)

Web Application Security Assessment
14 Findings
H Risk Grade
1 Targets
2026-06-26
OWA-SEC-2026-177 · v1.0 · Confidential
Prepared by Hermes Pentest Agent
01
Executive Summary
H
Overall Risk: High
Score: 38/100
14 findings. 0 critical, 1 high.

Findings by Severity

1 High
8 Medium
5 Low
38
Web Security
At risk
0
Email Security
At risk
50
CDN / WAF
At risk
50
Infrastructure
At risk

Scope: OWASP Juice Shop v20.0.0 running at http://127.0.0.1:3000. Full-scope web application assessment including active reconnaissance (nmap), vulnerability scanning (nuclei), directory discovery (ffuf), and manual verification of all findings. Scope: 127.0.0.1:3000 only.
Window: 2026-06-26 – 2026-06-26
Limitations: Assessed over plain HTTP (no HTTPS available). No authenticated testing performed. No destructive/exploitation tests executed. Target is a deliberately vulnerable training application (OWASP Juice Shop). External OSINT and network/AD testing excluded (localhost web-only assessment).

If you fix nothing else, fix this one

No HTTPS / Plain HTTP Only

How we measured. Controls-based scoring across 4 security domains with 16 controls assessed. Each control scored Pass/Warn/Fail against industry benchmarks (OWASP ASVS, CIS Benchmarks). Supplemented by automated scanning (nmap, nuclei, ffuf) and manual verification of all findings via curl and browser inspection.
Severity bands: Critical ≥9.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9, Info 0.0
Weights: Pass=100, Warn=50, Fail=0
02
Methodology

Assessment conducted following PTES (Penetration Testing Execution Standard).

PhaseDescriptionTools
Active ReconnaissancePort scanning and service version detection on 127.0.0.1:3000nmap 7.98
Vulnerability ScanningAutomated vulnerability detection using nuclei templates (694 templates)nuclei v3.8.0 (kali-web container)
Directory DiscoveryWeb content brute-force discovery of hidden endpoints using targeted wordlistffuf v2.1.0 (kali-web container)
Manual VerificationHands-on validation of all findings: header inspection, API testing, file access, browser-based verification of Score Board and SPA routescurl, browser inspection
ReportingCVSS 3.1 scoring, finding documentation, metadata creation, PDF report generationWeasyPrint, Jinja2

Timeline: 2026-06-26 – 2026-06-26
Testing Type: Web Application Security Assessment

03
Technical Findings
Multi-tool confirmed
F-001 · DRAFT

No HTTPS / Plain HTTP Only

High CVSS 7.5 CWE-319 http://127.0.0.1:3000/ HIGH
Description

Attackers anywhere on the same network segment can capture every byte of traffic in cleartext through passive packet capture — authentication credentials, session tokens, financial data, personal information, and all application content transit completely unprotected. The attacker does not need to compromise either endpoint; any network observer with Wireshark or tcpdump can read all traffic as plain text.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Proof of Concept
curl -sI https://127.0.0.1:3000/
Connection refused — no HTTPS listener.
curl -sI http://127.0.0.1:3000/
HTTP/1.1 200 OK (plain text, no encryption).
Evidence Screenshot
Impact

If exploited, sensitive data is fully exposed to unauthorized parties; attackers can modify or corrupt critical data.

Remediation

1. Obtain TLS certificate. 2. Configure HTTPS. 3. Implement HTTP-to-HTTPS 301 redirect. 4. Enable HSTS. 5. Disable plain HTTP in production.

Multi-tool confirmed
F-002 · DRAFT

Directory Listing on /ftp

Medium CVSS 6.5 CWE-548 http://127.0.0.1:3000/ftp HIGH
Description

Attackers can browse and enumerate every file in the /ftp directory without needing to guess filenames. The directory listing reveals 10 files including confidential business acquisition documents, an encrypted KeePass password database (incident-support.kdbx — 3.2 KB), Python source code (encrypt.pyc), and multiple backup files that may contain credentials or internal configuration.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Proof of Concept
curl -s http://127.0.0.1:3000/ftp | grep 'href'

Returns full directory listing with 10 files exposed:

  
    
    
    
Evidence Screenshot
Impact

If exploited, sensitive data is fully exposed to unauthorized parties.

Remediation

1. Disable directory listing. 2. Restrict /ftp to authenticated users. 3. Remove sensitive files from web-accessible directory. 4. Move files outside web root.

Multi-tool confirmed
F-003 · DRAFT

Confidential Document Exposure

Medium CVSS 6.5 CWE-200 http://127.0.0.1:3000/ftp/acquisitions.md HIGH
Description

Attackers can download internal business strategy documents including planned company acquisitions, projected revenues, and strategic plans without any authentication. This enables corporate espionage, competitive intelligence gathering, and insider trading on pre-public acquisition targets directly from the acquisitions.md file.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Proof of Concept
curl http://127.0.0.1:3000/ftp/acquisitions.md

Returns 909-byte Markdown document titled '# Planned Acquisitions' with internal business strategy.
Impact

If exploited, sensitive data is fully exposed to unauthorized parties.

Remediation

1. Immediately remove acquisitions.md from web-accessible directory. 2. Implement proper file access controls. 3. Audit /ftp for other sensitive files. 4. Move internal docs to secure storage.

Multi-tool confirmed
F-004 · DRAFT

Missing Content-Security-Policy Header

Medium CVSS 6.1 CWE-693 http://127.0.0.1:3000/ HIGH
Description

Attackers who discover any cross-site scripting vector can inject and execute arbitrary JavaScript in users' browsers with no restrictions, steal session tokens and authentication cookies, exfiltrate sensitive data to attacker-controlled servers, and perform any action as the victim user because no Content Security Policy restricts which scripts can execute, where data can be sent, or what external resources can be loaded.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Proof of Concept
curl -sI http://127.0.0.1:3000/ | grep -i content-security

No output — CSP header is completely absent.
Impact

If exploited, limited confidential information is disclosed; limited data tampering is possible.

Remediation

1. Implement strict CSP: default-src 'self'; script-src 'self'; style-src 'self'. 2. Avoid unsafe-inline and unsafe-eval. 3. Use nonce-based CSP for inline scripts. 4. Test with Report-Only first.

Multi-tool confirmed
F-005 · DRAFT

Exposed Prometheus Metrics

Medium CVSS 5.3 CWE-200 http://127.0.0.1:3000/metrics HIGH
Description

Attackers can access detailed operational intelligence including request volumes, error rates, file upload statistics, LLM token usage, and 275 internal application metrics without any credentials. This enables precise attack surface profiling, sensitive data enumeration, and timing analysis to identify optimal exploitation windows.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Proof of Concept
curl -s http://127.0.0.1:3000/metrics | head -20

Returns operational metrics, request counts, and internal application statistics.
Evidence Screenshot
Impact

If exploited, limited confidential information is disclosed.

Remediation

1. Require authentication for /metrics endpoint. 2. Use reverse proxy with auth (nginx auth_basic). 3. Bind metrics server to localhost only. 4. Set metrics.includeHttpMetrics: false in Juice Shop config.

Multi-tool confirmed
F-006 · DRAFT

Swagger API Documentation Exposed

Medium CVSS 5.3 CWE-200 http://127.0.0.1:3000/api-docs/ HIGH
Description

Attackers gain a complete interactive map of the entire REST API — all endpoints, request/response schemas, authentication mechanisms, and parameters — through the publicly accessible Swagger UI. This provides a methodical exploitation blueprint, letting attackers probe every API function without trial-and-error guessing and identify the most valuable targets.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Proof of Concept
curl -s http://127.0.0.1:3000/api-docs/swagger.json

Returns full OpenAPI specification with all API endpoints documented.
Impact

If exploited, limited confidential information is disclosed.

Remediation

1. Disable Swagger UI in production. 2. Restrict /api-docs/ to authenticated admins. 3. Remove sensitive endpoint docs from public Swagger spec.

Multi-tool confirmed
F-007 · DRAFT

Score Board Exposed Without Authentication

Medium CVSS 5.3 CWE-200 http://127.0.0.1:3000/#/score-board HIGH
Description

Attackers gain a complete exploitation roadmap for the application: a searchable catalog of 178 challenges organized by vulnerability category (Broken Access Control, XSS, Injection, Sensitive Data Exposure, Security Misconfiguration, and 9 more categories) with names, difficulty ratings, and solution hints — letting attackers systematically exploit every intended vulnerability without reconnaissance effort.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Proof of Concept
Navigate to http://127.0.0.1:3000/#/score-board
Shows full challenge catalog: 27 Broken Access Control, 28 XSS, 47 Injection, 28 Sensitive Data Exposure, 25 Security Misconfiguration, plus 9 more categories.
Impact

If exploited, limited confidential information is disclosed.

Remediation

1. Require admin authentication for Score Board. 2. Hide challenge details from unauthenticated users. 3. Use separate admin interface. 4. Implement rate limiting on challenge endpoints.

Multi-tool confirmed
F-008 · DRAFT

Overly Permissive CORS Configuration

Medium CVSS 5.3 CWE-942 http://127.0.0.1:3000/ HIGH
Description

Attackers operating malicious websites can make cross-origin API requests to the application from any domain and read unauthenticated API responses, bypassing the browser's same-origin policy. While authenticated requests are blocked (no Access-Control-Allow-Credentials), attackers can still enumerate public API data, perform unauthenticated operations, and conduct information-gathering attacks from any origin.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Proof of Concept
curl -X OPTIONS -D- http://127.0.0.1:3000/api/Challenges/

Returns:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Evidence Screenshot
Impact

If exploited, limited confidential information is disclosed.

Remediation

1. Never use Access-Control-Allow-Origin: *. 2. Specify exact allowed origins. 3. Restrict allowed methods to minimum required. 4. Implement proper preflight validation. 5. Use Access-Control-Allow-Credentials only with specific origins.

Multi-tool confirmed
F-009 · DRAFT

Deprecated Feature-Policy Instead of Permissions-Policy

Medium CVSS 4.3 CWE-693 http://127.0.0.1:3000/ HIGH
Description

Attackers exploiting any content injection vulnerability gain access to users' camera, microphone, geolocation, and other sensitive browser APIs because only the payment API is restricted. The deprecated Feature-Policy header provides no protection in modern browsers, allowing attackers to spy on users through device sensors and capture audio/video without detection.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Proof of Concept
curl -sI http://127.0.0.1:3000/ | grep Feature

Returns: Feature-Policy: payment 'self'

No Permissions-Policy header present.
Impact

If exploited, limited data tampering is possible.

Remediation

1. Replace with Permissions-Policy header. 2. Define comprehensive policy: camera=(), microphone=(), geolocation=(), payment=(self). 3. Restrict all sensitive browser features by default.

Multi-tool confirmed
F-010 · DRAFT

Missing Strict-Transport-Security Header

Low CVSS 3.7 CWE-319 http://127.0.0.1:3000/ HIGH
Description

Attackers positioned to intercept network traffic through ARP spoofing, rogue access points, or compromised routers can exploit the absence of HSTS to downgrade connections to plain HTTP, strip any future TLS, and intercept or modify traffic between users and the application without the browser displaying security warnings. Combined with no HTTPS deployment, all traffic is vulnerable to passive eavesdropping.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Proof of Concept
curl -sI http://127.0.0.1:3000/ | grep -i strict-transport

No output — HSTS header is completely absent.
Impact

If exploited, limited confidential information is disclosed.

Remediation

1. Enable HTTPS with TLS certificate. 2. Add header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. 3. Redirect all HTTP to HTTPS (301).

Multi-tool confirmed
F-011 · DRAFT

Missing Referrer-Policy Header

Low CVSS 3.1 CWE-200 http://127.0.0.1:3000/ HIGH
Description

Attackers can exfiltrate sensitive data embedded in URLs through the Referer header when users navigate from the application to any external site. Session tokens, password reset codes, search queries, and internal navigation state in URL parameters leak to third-party analytics platforms, advertising networks, and hostile domains, enabling session hijacking and disclosure of sensitive user activity.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Proof of Concept
curl -sI http://127.0.0.1:3000/ | grep -i referrer

No output — Referrer-Policy header is absent.
Impact

If exploited, limited confidential information is disclosed.

Remediation

1. Add Referrer-Policy: strict-origin-when-cross-origin or no-referrer. 2. Never pass sensitive data in URL parameters. 3. Use POST for sensitive data transmission.

Single tool, awaiting review
F-012 · DRAFT

X-Recruiting Header Information Leak

Low CVSS 3.1 CWE-200 http://127.0.0.1:3000/ MEDIUM
Description

Attackers can fingerprint the application's internal technology stack and organizational structure through custom HTTP headers that reveal internal application paths and technology choices, accelerating reconnaissance by reducing the effort required to identify and target vulnerable components and map the application's internal architecture.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Proof of Concept
curl -sI http://127.0.0.1:3000/ | grep X-Recruiting

Returns: X-Recruiting: /#/jobs
Impact

If exploited, limited confidential information is disclosed.

Remediation

Remove X-Recruiting header or replace with full external URL. Avoid revealing internal path structures in HTTP headers.

Single tool, awaiting review
F-013 · DRAFT

robots.txt Reveals Sensitive Directory

Low CVSS 3.1 CWE-200 http://127.0.0.1:3000/robots.txt MEDIUM
Description

Attackers who retrieve robots.txt immediately discover the /ftp directory containing sensitive files such as acquisitions.md, incident-support.kdbx, and backup source code. The Disallow directive acts as a directory index for restricted paths, effectively directing attackers to the exact locations the application operators attempted to hide.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Proof of Concept
curl http://127.0.0.1:3000/robots.txt

Returns: User-agent: *
Disallow: /ftp
Impact

If exploited, limited confidential information is disclosed.

Remediation

Remove /ftp Disallow from robots.txt. Implement proper access controls instead of relying on robots.txt for security.

Single tool, awaiting review
F-014 · DRAFT

Application Fingerprinting via Headers

Low CVSS 3.1 CWE-200 http://127.0.0.1:3000/ MEDIUM
Description

Attackers can precisely identify the application as OWASP Juice Shop v20.0.0 by Bjoern Kimminich through detailed HTTP headers (ETag, Accept-Ranges) and HTML source comments containing copyright statements. This enables targeted exploitation of version-specific vulnerabilities, matching of known CVEs, and use of Juice Shop-specific attack tools without any reconnaissance trial-and-error.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Proof of Concept
curl -sI http://127.0.0.1:3000/
Headers reveal: Accept-Ranges, ETag, Feature-Policy, X-Recruiting.
HTML reveals: 
Impact

If exploited, limited confidential information is disclosed.

Remediation

1. Remove/obfuscate version info from headers. 2. Remove copyright comments from production HTML. 3. Set generic Server header. 4. Disable verbose error messages.

04
Observed Controls
ControlStatusValue
TLS Fail No HTTPS — plain HTTP only on port 3000
HSTS Fail Strict-Transport-Security header absent
Content-Security-Policy Fail Content-Security-Policy header absent
X-Frame-Options Pass SAMEORIGIN — prevents clickjacking
X-Content-Type-Options Pass nosniff — MIME sniffing blocked
Referrer-Policy Fail Header absent — full URLs leaked to third parties
Permissions-Policy Fail Only deprecated Feature-Policy: payment present
Clickjacking Protection Pass X-Frame-Options: SAMEORIGIN set
SPF Warn v=spf1 ~all (softfail) — neutral protection
DMARC Warn p=none — monitoring only, no enforcement
Cloudflare WAF/CDN Warn No CDN/WAF detected — direct Node.js exposure
Non-CDN Port Exposure Pass Only port 3000 exposed
security.txt Pass Present at /.well-known/security.txt
Directory Listing Fail /ftp directory listing enabled — 10 files exposed
HTTP to HTTPS Redirect Fail No redirect — plain HTTP only
AI Crawler Blocking Pass robots.txt present, all AI crawlers blocked

Findings Heatmap

CategoryCriticalHighMediumLowInfoTotal
Information Disclosure 00 31 0 4
Exposed Interfaces 00 22 0 4
Security Headers 00 21 0 3
Transport Security 01 00 0 1
Access Control 00 10 0 1
Other 00 01 0 1
05
Positive Observations
X-Content-Type-Options: nosniff prevents MIME type sniffing attacks
X-Frame-Options: SAMEORIGIN provides clickjacking protection
security.txt present at both standard locations (RFC 9116 compliance)
robots.txt present for crawler management
Only single port (3000) exposed — no unnecessary service exposure
Application responds quickly and handles concurrent requests well
API uses consistent JSON response format with status indicators
06
Remediation Checklist

Severity timeframes: Critical — immediate | High — this week | Medium — within 30 days | Low — next maintenance cycle

07
Appendix

Scan Output

Port 3000/tcp open — OWASP Juice Shop HTTP server (Node.js). Headers: Access-Control-Allow-Origin: *, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Feature-Policy: payment 'self', X-Recruiting: /#/jobs, Accept-Ranges: bytes, Cache-Control: public/max-age=0, ETag versioned. OPTIONS returns 204 with CORS: GET,HEAD,PUT,PATCH,POST,DELETE.

Automated Scan Summary

2 matches: swagger-api at /api-docs/swagger.yaml (info), prometheus-metrics at /metrics (medium). Additional: http-missing-security-headers (cross-origin-opener-policy, cross-origin-resource-policy) — info level. Full results in scans/nuclei-juice-shop.jsonl.

Tool Screenshots

7 screenshots captured during testing. Directory: engagements/juice-shop-benchmark/screenshots/

#Filename
1F-001-no-https-plain-http.png
2F-002-directory-listing-ftp.png
3F-005-exposed-prometheus-metrics.png
4F-008-overly-permissive-cors.png
5ftp-directory.png
6metrics-endpoint.png
7score-board.png

Glossary

CVSSCommon Vulnerability Scoring System
CWECommon Weakness Enumeration
PTESPenetration Testing Execution Standard
WAFWeb Application Firewall
08
Expert Review — Close the Loop on Each Claim

Until this page is signed, this document is triage output, not a final report. Each finding must be reviewed, verified against ground truth, and either confirmed or marked as a false positive. Only findings marked CONFIRMED represent actionable vulnerabilities.

ID Finding Confidence Status Verified by Notes
F-001 No HTTPS / Plain HTTP Only Multi-tool confirmed DRAFT _________________ _________________
F-002 Directory Listing on /ftp Multi-tool confirmed DRAFT _________________ _________________
F-003 Confidential Document Exposure Multi-tool confirmed DRAFT _________________ _________________
F-004 Missing Content-Security-Policy Header Multi-tool confirmed DRAFT _________________ _________________
F-005 Exposed Prometheus Metrics Multi-tool confirmed DRAFT _________________ _________________
F-006 Swagger API Documentation Exposed Multi-tool confirmed DRAFT _________________ _________________
F-007 Score Board Exposed Without Authentication Multi-tool confirmed DRAFT _________________ _________________
F-008 Overly Permissive CORS Configuration Multi-tool confirmed DRAFT _________________ _________________
F-009 Deprecated Feature-Policy Instead of Permissions-Policy Multi-tool confirmed DRAFT _________________ _________________
F-010 Missing Strict-Transport-Security Header Multi-tool confirmed DRAFT _________________ _________________
F-011 Missing Referrer-Policy Header Multi-tool confirmed DRAFT _________________ _________________
F-012 X-Recruiting Header Information Leak Single tool, awaiting review DRAFT _________________ _________________
F-013 robots.txt Reveals Sensitive Directory Single tool, awaiting review DRAFT _________________ _________________
F-014 Application Fingerprinting via Headers Single tool, awaiting review DRAFT _________________ _________________
Review workflow: DRAFT → REVIEWED (expert checks) → CONFIRMED (verified) or FALSE_POSITIVE (dismissed). All findings ship as DRAFT by default. The reviewer signs off by updating each row.

Reviewer signature: _________________________

Date: ____________________

OWASP Juice Shop (Benchmark)

OWA-SEC-2026-177 · 2026-06-26

Confidential · Prepared by Hermes Pentest Agent