OWASP Juice Shop v20.0.0 released
By SecBurg
OWASP Juice Shop is an intentionally insecure web application used for security training, CTF challenges, and awareness demos — widely regarded as the most modern and comprehensive platform of its kind.
Version 20.0.0 is a major release packed with AI-themed challenges, a redesigned storefront, and substantial under-the-hood improvements:
v20.0.0
New Challenges
"Chatbot Prompt Injection" (2-star) — LLM prompt injection via the new AI chatbot
"Greedy Chatbot Manipulation" (3-star) — manipulate the chatbot for unintended gains
"AI Debugging" (2-star) — exploit weaknesses in AI-assisted tooling
(Requires a configured LLM endpoint; the legacy NLP chatbot and its challenges have been retired.)
User Interface
Compact grid layout for product overview
Dedicated Coding Challenge page with modern code highlighters
Guest baskets for anonymous shoppers
Mobile scroll behavior improvements
New neon-fire theme (default for CTF mode) and lime-green theme
Angular 21.x upgrade with Material Design 3 migration
Performance
~30% faster startup via lazy-loading and batched database operations
Docker image reduced to just over 125MB (smallest since v8)
Page splitting and .avif image conversion for lighter payloads
Challenge & Detection Updates
Fairer cheat detection — loosely coupled challenges no longer trigger timing-based false positives
Direct tracking pixel access now treated as guaranteed cheating
"Mint the Honeypot" and "Wallet Depletion" now require ALCHEMY_API_KEY
New Prometheus metrics for LLM token usage tracking
"Internet Traffic" tag renamed to "External Dependency"
Shop
10 new products added
New customer character introduced
Infrastructure
Node.js 20.x dropped; Node.js 22–25 supported, 24 is new default
API tests migrated from Jest/Frisby to Node.js test runner with Supertest
Frontend tests migrated from Karma to Vitest
New PR compliance workflows added
Full release announcement: owasp.org
Docker image available via:
docker pull bkimminich/juice-shop:v20.0.0
Happy hacking! :-)