Scope: OWASP Juice Shop v20.0.0 running at http://127.0.0.1:3000. Full-scope web application assessment including active reconnaissance (nmap), vulnerability scanning (nuclei), directory discovery (ffuf), and manual verification of all findings. Scope: 127.0.0.1:3000 only.
Window: 2026-06-26 – 2026-06-26
Limitations: Assessed over plain HTTP (no HTTPS available). No authenticated testing performed. No destructive/exploitation tests executed. Target is a deliberately vulnerable training application (OWASP Juice Shop). External OSINT and network/AD testing excluded (localhost web-only assessment).
No HTTPS / Plain HTTP Only
Assessment conducted following PTES (Penetration Testing Execution Standard).
| Phase | Description | Tools |
|---|---|---|
| Active Reconnaissance | Port scanning and service version detection on 127.0.0.1:3000 | nmap 7.98 |
| Vulnerability Scanning | Automated vulnerability detection using nuclei templates (694 templates) | nuclei v3.8.0 (kali-web container) |
| Directory Discovery | Web content brute-force discovery of hidden endpoints using targeted wordlist | ffuf v2.1.0 (kali-web container) |
| Manual Verification | Hands-on validation of all findings: header inspection, API testing, file access, browser-based verification of Score Board and SPA routes | curl, browser inspection |
| Reporting | CVSS 3.1 scoring, finding documentation, metadata creation, PDF report generation | WeasyPrint, Jinja2 |
Timeline: 2026-06-26 – 2026-06-26
Testing Type: Web Application Security Assessment
Attackers anywhere on the same network segment can capture every byte of traffic in cleartext through passive packet capture — authentication credentials, session tokens, financial data, personal information, and all application content transit completely unprotected. The attacker does not need to compromise either endpoint; any network observer with Wireshark or tcpdump can read all traffic as plain text.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
curl -sI https://127.0.0.1:3000/ Connection refused — no HTTPS listener. curl -sI http://127.0.0.1:3000/ HTTP/1.1 200 OK (plain text, no encryption).
If exploited, sensitive data is fully exposed to unauthorized parties; attackers can modify or corrupt critical data.
1. Obtain TLS certificate. 2. Configure HTTPS. 3. Implement HTTP-to-HTTPS 301 redirect. 4. Enable HSTS. 5. Disable plain HTTP in production.
Attackers can browse and enumerate every file in the /ftp directory without needing to guess filenames. The directory listing reveals 10 files including confidential business acquisition documents, an encrypted KeePass password database (incident-support.kdbx — 3.2 KB), Python source code (encrypt.pyc), and multiple backup files that may contain credentials or internal configuration.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
curl -s http://127.0.0.1:3000/ftp | grep 'href' Returns full directory listing with 10 files exposed:Evidence Screenshot
ImpactIf exploited, sensitive data is fully exposed to unauthorized parties.
Remediation1. Disable directory listing. 2. Restrict /ftp to authenticated users. 3. Remove sensitive files from web-accessible directory. 4. Move files outside web root.
Attackers can download internal business strategy documents including planned company acquisitions, projected revenues, and strategic plans without any authentication. This enables corporate espionage, competitive intelligence gathering, and insider trading on pre-public acquisition targets directly from the acquisitions.md file.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
curl http://127.0.0.1:3000/ftp/acquisitions.md Returns 909-byte Markdown document titled '# Planned Acquisitions' with internal business strategy.
If exploited, sensitive data is fully exposed to unauthorized parties.
1. Immediately remove acquisitions.md from web-accessible directory. 2. Implement proper file access controls. 3. Audit /ftp for other sensitive files. 4. Move internal docs to secure storage.
Attackers who discover any cross-site scripting vector can inject and execute arbitrary JavaScript in users' browsers with no restrictions, steal session tokens and authentication cookies, exfiltrate sensitive data to attacker-controlled servers, and perform any action as the victim user because no Content Security Policy restricts which scripts can execute, where data can be sent, or what external resources can be loaded.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
curl -sI http://127.0.0.1:3000/ | grep -i content-security No output — CSP header is completely absent.
If exploited, limited confidential information is disclosed; limited data tampering is possible.
1. Implement strict CSP: default-src 'self'; script-src 'self'; style-src 'self'. 2. Avoid unsafe-inline and unsafe-eval. 3. Use nonce-based CSP for inline scripts. 4. Test with Report-Only first.
Attackers can access detailed operational intelligence including request volumes, error rates, file upload statistics, LLM token usage, and 275 internal application metrics without any credentials. This enables precise attack surface profiling, sensitive data enumeration, and timing analysis to identify optimal exploitation windows.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
curl -s http://127.0.0.1:3000/metrics | head -20 Returns operational metrics, request counts, and internal application statistics.
If exploited, limited confidential information is disclosed.
1. Require authentication for /metrics endpoint. 2. Use reverse proxy with auth (nginx auth_basic). 3. Bind metrics server to localhost only. 4. Set metrics.includeHttpMetrics: false in Juice Shop config.
Attackers gain a complete interactive map of the entire REST API — all endpoints, request/response schemas, authentication mechanisms, and parameters — through the publicly accessible Swagger UI. This provides a methodical exploitation blueprint, letting attackers probe every API function without trial-and-error guessing and identify the most valuable targets.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
curl -s http://127.0.0.1:3000/api-docs/swagger.json Returns full OpenAPI specification with all API endpoints documented.
If exploited, limited confidential information is disclosed.
1. Disable Swagger UI in production. 2. Restrict /api-docs/ to authenticated admins. 3. Remove sensitive endpoint docs from public Swagger spec.
Attackers gain a complete exploitation roadmap for the application: a searchable catalog of 178 challenges organized by vulnerability category (Broken Access Control, XSS, Injection, Sensitive Data Exposure, Security Misconfiguration, and 9 more categories) with names, difficulty ratings, and solution hints — letting attackers systematically exploit every intended vulnerability without reconnaissance effort.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Navigate to http://127.0.0.1:3000/#/score-board Shows full challenge catalog: 27 Broken Access Control, 28 XSS, 47 Injection, 28 Sensitive Data Exposure, 25 Security Misconfiguration, plus 9 more categories.
If exploited, limited confidential information is disclosed.
1. Require admin authentication for Score Board. 2. Hide challenge details from unauthenticated users. 3. Use separate admin interface. 4. Implement rate limiting on challenge endpoints.
Attackers operating malicious websites can make cross-origin API requests to the application from any domain and read unauthenticated API responses, bypassing the browser's same-origin policy. While authenticated requests are blocked (no Access-Control-Allow-Credentials), attackers can still enumerate public API data, perform unauthenticated operations, and conduct information-gathering attacks from any origin.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
curl -X OPTIONS -D- http://127.0.0.1:3000/api/Challenges/ Returns: Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
If exploited, limited confidential information is disclosed.
1. Never use Access-Control-Allow-Origin: *. 2. Specify exact allowed origins. 3. Restrict allowed methods to minimum required. 4. Implement proper preflight validation. 5. Use Access-Control-Allow-Credentials only with specific origins.
Attackers exploiting any content injection vulnerability gain access to users' camera, microphone, geolocation, and other sensitive browser APIs because only the payment API is restricted. The deprecated Feature-Policy header provides no protection in modern browsers, allowing attackers to spy on users through device sensors and capture audio/video without detection.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
curl -sI http://127.0.0.1:3000/ | grep Feature Returns: Feature-Policy: payment 'self' No Permissions-Policy header present.
If exploited, limited data tampering is possible.
1. Replace with Permissions-Policy header. 2. Define comprehensive policy: camera=(), microphone=(), geolocation=(), payment=(self). 3. Restrict all sensitive browser features by default.
Attackers positioned to intercept network traffic through ARP spoofing, rogue access points, or compromised routers can exploit the absence of HSTS to downgrade connections to plain HTTP, strip any future TLS, and intercept or modify traffic between users and the application without the browser displaying security warnings. Combined with no HTTPS deployment, all traffic is vulnerable to passive eavesdropping.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
curl -sI http://127.0.0.1:3000/ | grep -i strict-transport No output — HSTS header is completely absent.
If exploited, limited confidential information is disclosed.
1. Enable HTTPS with TLS certificate. 2. Add header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. 3. Redirect all HTTP to HTTPS (301).
Attackers can exfiltrate sensitive data embedded in URLs through the Referer header when users navigate from the application to any external site. Session tokens, password reset codes, search queries, and internal navigation state in URL parameters leak to third-party analytics platforms, advertising networks, and hostile domains, enabling session hijacking and disclosure of sensitive user activity.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
curl -sI http://127.0.0.1:3000/ | grep -i referrer No output — Referrer-Policy header is absent.
If exploited, limited confidential information is disclosed.
1. Add Referrer-Policy: strict-origin-when-cross-origin or no-referrer. 2. Never pass sensitive data in URL parameters. 3. Use POST for sensitive data transmission.
Attackers can fingerprint the application's internal technology stack and organizational structure through custom HTTP headers that reveal internal application paths and technology choices, accelerating reconnaissance by reducing the effort required to identify and target vulnerable components and map the application's internal architecture.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
curl -sI http://127.0.0.1:3000/ | grep X-Recruiting Returns: X-Recruiting: /#/jobs
If exploited, limited confidential information is disclosed.
Remove X-Recruiting header or replace with full external URL. Avoid revealing internal path structures in HTTP headers.
Attackers who retrieve robots.txt immediately discover the /ftp directory containing sensitive files such as acquisitions.md, incident-support.kdbx, and backup source code. The Disallow directive acts as a directory index for restricted paths, effectively directing attackers to the exact locations the application operators attempted to hide.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
curl http://127.0.0.1:3000/robots.txt Returns: User-agent: * Disallow: /ftp
If exploited, limited confidential information is disclosed.
Remove /ftp Disallow from robots.txt. Implement proper access controls instead of relying on robots.txt for security.
Attackers can precisely identify the application as OWASP Juice Shop v20.0.0 by Bjoern Kimminich through detailed HTTP headers (ETag, Accept-Ranges) and HTML source comments containing copyright statements. This enables targeted exploitation of version-specific vulnerabilities, matching of known CVEs, and use of Juice Shop-specific attack tools without any reconnaissance trial-and-error.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
curl -sI http://127.0.0.1:3000/ Headers reveal: Accept-Ranges, ETag, Feature-Policy, X-Recruiting. HTML reveals:
If exploited, limited confidential information is disclosed.
1. Remove/obfuscate version info from headers. 2. Remove copyright comments from production HTML. 3. Set generic Server header. 4. Disable verbose error messages.
| Control | Status | Value |
|---|---|---|
| TLS | Fail | No HTTPS — plain HTTP only on port 3000 |
| HSTS | Fail | Strict-Transport-Security header absent |
| Content-Security-Policy | Fail | Content-Security-Policy header absent |
| X-Frame-Options | Pass | SAMEORIGIN — prevents clickjacking |
| X-Content-Type-Options | Pass | nosniff — MIME sniffing blocked |
| Referrer-Policy | Fail | Header absent — full URLs leaked to third parties |
| Permissions-Policy | Fail | Only deprecated Feature-Policy: payment present |
| Clickjacking Protection | Pass | X-Frame-Options: SAMEORIGIN set |
| SPF | Warn | v=spf1 ~all (softfail) — neutral protection |
| DMARC | Warn | p=none — monitoring only, no enforcement |
| Cloudflare WAF/CDN | Warn | No CDN/WAF detected — direct Node.js exposure |
| Non-CDN Port Exposure | Pass | Only port 3000 exposed |
| security.txt | Pass | Present at /.well-known/security.txt |
| Directory Listing | Fail | /ftp directory listing enabled — 10 files exposed |
| HTTP to HTTPS Redirect | Fail | No redirect — plain HTTP only |
| AI Crawler Blocking | Pass | robots.txt present, all AI crawlers blocked |
| Category | Critical | High | Medium | Low | Info | Total |
|---|---|---|---|---|---|---|
| Information Disclosure | 0 | 0 | 3 | 1 | 0 | 4 |
| Exposed Interfaces | 0 | 0 | 2 | 2 | 0 | 4 |
| Security Headers | 0 | 0 | 2 | 1 | 0 | 3 |
| Transport Security | 0 | 1 | 0 | 0 | 0 | 1 |
| Access Control | 0 | 0 | 1 | 0 | 0 | 1 |
| Other | 0 | 0 | 0 | 1 | 0 | 1 |
Severity timeframes: Critical — immediate | High — this week | Medium — within 30 days | Low — next maintenance cycle
Port 3000/tcp open — OWASP Juice Shop HTTP server (Node.js). Headers: Access-Control-Allow-Origin: *, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Feature-Policy: payment 'self', X-Recruiting: /#/jobs, Accept-Ranges: bytes, Cache-Control: public/max-age=0, ETag versioned. OPTIONS returns 204 with CORS: GET,HEAD,PUT,PATCH,POST,DELETE.
2 matches: swagger-api at /api-docs/swagger.yaml (info), prometheus-metrics at /metrics (medium). Additional: http-missing-security-headers (cross-origin-opener-policy, cross-origin-resource-policy) — info level. Full results in scans/nuclei-juice-shop.jsonl.
7 screenshots captured during testing.
Directory: engagements/juice-shop-benchmark/screenshots/
| # | Filename |
|---|---|
| 1 | F-001-no-https-plain-http.png |
| 2 | F-002-directory-listing-ftp.png |
| 3 | F-005-exposed-prometheus-metrics.png |
| 4 | F-008-overly-permissive-cors.png |
| 5 | ftp-directory.png |
| 6 | metrics-endpoint.png |
| 7 | score-board.png |
| CVSS | Common Vulnerability Scoring System |
| CWE | Common Weakness Enumeration |
| PTES | Penetration Testing Execution Standard |
| WAF | Web Application Firewall |
Until this page is signed, this document is triage output, not a final report. Each finding must be reviewed, verified against ground truth, and either confirmed or marked as a false positive. Only findings marked CONFIRMED represent actionable vulnerabilities.
| ID | Finding | Confidence | Status | Verified by | Notes |
|---|---|---|---|---|---|
| F-001 | No HTTPS / Plain HTTP Only | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-002 | Directory Listing on /ftp | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-003 | Confidential Document Exposure | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-004 | Missing Content-Security-Policy Header | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-005 | Exposed Prometheus Metrics | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-006 | Swagger API Documentation Exposed | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-007 | Score Board Exposed Without Authentication | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-008 | Overly Permissive CORS Configuration | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-009 | Deprecated Feature-Policy Instead of Permissions-Policy | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-010 | Missing Strict-Transport-Security Header | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-011 | Missing Referrer-Policy Header | Multi-tool confirmed | DRAFT | _________________ | _________________ |
| F-012 | X-Recruiting Header Information Leak | Single tool, awaiting review | DRAFT | _________________ | _________________ |
| F-013 | robots.txt Reveals Sensitive Directory | Single tool, awaiting review | DRAFT | _________________ | _________________ |
| F-014 | Application Fingerprinting via Headers | Single tool, awaiting review | DRAFT | _________________ | _________________ |
Reviewer signature: _________________________
Date: ____________________
OWA-SEC-2026-177 · 2026-06-26
Confidential · Prepared by Hermes Pentest Agent