Repository Analysis

juice-shop/juice-shop

OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

1.3 Likely human-written

Adjusted Score: 1.3
Raw Score: 1.3
Time Factor: 100%
Last Push: 2026-05-26
Stars: 13,234
Language: TypeScript
Lines of Code: 182,641
Files: 1052
Pattern Hits: 186
Scan Date: 2026-05-31

Severity Breakdown

CRITICAL: 1 · HIGH: 2 · MEDIUM: 2 · LOW: 181

Pattern Findings

186 matches across 6 categories.

Fake / Example Data: 133 hits · 160 pts
Severity | File | Line | Snippet
LOW | ftp/acquisitions.md | 9 | Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy
LOW | ftp/acquisitions.md | 9 | Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy
LOW | ftp/acquisitions.md | 12 | clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit
LOW | ftp/acquisitions.md | 13 | amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam
LOW | ftp/acquisitions.md | 13 | amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam
LOW | ftp/acquisitions.md | 17 | ipsum dolor sit amet.
LOW | frontend/src/app/app.guard.spec.ts | 49 | name: 'John Doe',
LOW | frontend/src/app/oauth/oauth.component.spec.ts | 89 | userService.oauthLogin.mockReturnValue(of({ email: 'test@test.com' }))
LOW | frontend/src/app/oauth/oauth.component.spec.ts | 91 | expect(userService.save).toHaveBeenCalledWith({ email: 'test@test.com', password: 'bW9jLnRzZXRAdHNldA==', passwo
LOW | frontend/src/app/oauth/oauth.component.spec.ts | 95 | userService.oauthLogin.mockReturnValue(of({ email: 'test@test.com' }))
LOW | frontend/src/app/oauth/oauth.component.spec.ts | 98 | expect(userService.login).toHaveBeenCalledWith({ email: 'test@test.com', password: 'bW9jLnRzZXRAdHNldA==', oauth
LOW | …onents/challenge-card/challenge-card.component.spec.ts | 19 | description: 'lorem ipsum',
LOW | …l-mode-warning/tutorial-mode-warning.component.spec.ts | 28 | description: 'lorem ipsum',
LOW | …l-mode-warning/tutorial-mode-warning.component.spec.ts | 69 | description: 'lorem ipsum',
LOW | …rning/challenges-unavailable-warning.component.spec.ts | 26 | description: 'lorem ipsum',
LOW | …rning/challenges-unavailable-warning.component.spec.ts | 35 | description: 'lorem ipsum',
LOW | …rning/challenges-unavailable-warning.component.spec.ts | 60 | description: 'lorem ipsum',
LOW | …rning/challenges-unavailable-warning.component.spec.ts | 79 | description: 'lorem ipsum',
LOW | …rning/challenges-unavailable-warning.component.spec.ts | 88 | description: 'lorem ipsum',
LOW | …rc/app/score-board/helpers/challenge-filtering.spec.ts | 7 | description: 'lorem ipsum',
LOW | …rc/app/score-board/helpers/challenge-filtering.spec.ts | 8 | originalDescription: 'lorem ipsum',
LOW | …rc/app/score-board/helpers/challenge-filtering.spec.ts | 24 | description: 'lorem ipsum',
LOW | …rc/app/score-board/helpers/challenge-filtering.spec.ts | 25 | originalDescription: 'lorem ipsum',
LOW | …rc/app/score-board/helpers/challenge-filtering.spec.ts | 41 | description: 'lorem ipsum',
LOW | …rc/app/score-board/helpers/challenge-filtering.spec.ts | 42 | originalDescription: 'lorem ipsum',
LOW | …/src/app/score-board/helpers/challenge-sorting.spec.ts | 6 | description: 'lorem ipsum',
LOW | …/src/app/score-board/helpers/challenge-sorting.spec.ts | 7 | originalDescription: 'lorem ipsum',
LOW | …/src/app/score-board/helpers/challenge-sorting.spec.ts | 23 | description: 'lorem ipsum',
LOW | …/src/app/score-board/helpers/challenge-sorting.spec.ts | 24 | originalDescription: 'lorem ipsum',
LOW | …/src/app/score-board/helpers/challenge-sorting.spec.ts | 40 | description: 'lorem ipsum',
LOW | …/src/app/score-board/helpers/challenge-sorting.spec.ts | 41 | originalDescription: 'lorem ipsum',
LOW | frontend/src/app/recycle/recycle.component.html | 67 | <small>Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut
LOW | frontend/src/app/recycle/recycle.component.html | 67 | <small>Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut
LOW | frontend/src/app/recycle/recycle.component.html | 79 | <small>Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor
LOW | frontend/src/app/recycle/recycle.component.html | 79 | <small>Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor
LOW | frontend/src/app/about/about.component.html | 16 | Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et
LOW | frontend/src/app/about/about.component.html | 16 | Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et
LOW | frontend/src/app/about/about.component.html | 18 | clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet,
LOW | frontend/src/app/about/about.component.html | 18 | clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet,
LOW | frontend/src/app/about/about.component.html | 21 | takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed
LOW | frontend/src/app/about/about.component.html | 21 | takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed
LOW | frontend/src/app/about/about.component.html | 26 | delenit augue duis dolore te feugait nulla facilisi. Lorem ipsum dolor sit amet, consectetuer adipiscing elit,
LOW | frontend/src/app/about/about.component.html | 26 | delenit augue duis dolore te feugait nulla facilisi. Lorem ipsum dolor sit amet, consectetuer adipiscing elit,
LOW | frontend/src/app/about/about.component.html | 32 | Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod
LOW | frontend/src/app/about/about.component.html | 32 | Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod
LOW | frontend/src/app/about/about.component.html | 34 | dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem
LOW | frontend/src/app/about/about.component.html | 34 | dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem
LOW | frontend/src/app/about/about.component.html | 35 | ipsum dolor sit amet, consetetur sadipscing elitr, At accusam aliquyam diam diam dolore dolores duo eirmod eos
LOW | frontend/src/app/token-sale/token-sale.component.html | 28 | Lorem ipsum dolor sit amet <strong><i class='fab fa-bitcoin'></i> {{altcoinName}}</strong>, consetetur sadipsc
LOW | frontend/src/app/token-sale/token-sale.component.html | 28 | Lorem ipsum dolor sit amet <strong><i class='fab fa-bitcoin'></i> {{altcoinName}}</strong>, consetetur sadipsc
LOW | frontend/src/app/token-sale/token-sale.component.html | 32 | Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu f
LOW | frontend/src/app/token-sale/token-sale.component.html | 32 | Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu f
LOW | frontend/src/app/token-sale/token-sale.component.html | 40 | Nam liber tempor cum soluta nobis eleifend option congue nihil imperdiet doming id quod mazim placerat facer p
LOW | frontend/src/app/token-sale/token-sale.component.html | 40 | Nam liber tempor cum soluta nobis eleifend option congue nihil imperdiet doming id quod mazim placerat facer p
LOW | frontend/src/app/token-sale/token-sale.component.html | 48 | At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus es
LOW | frontend/src/app/token-sale/token-sale.component.html | 48 | At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus es
LOW | frontend/src/app/token-sale/token-sale.component.html | 62 | Stet clita kasd gubergren, no <strong><i class='fab fa-bitcoin'></i> {{altcoinName}}</strong> sea takimata s
LOW | frontend/src/app/token-sale/token-sale.component.html | 62 | Stet clita kasd gubergren, no <strong><i class='fab fa-bitcoin'></i> {{altcoinName}}</strong> sea takimata s
LOW | frontend/src/app/token-sale/token-sale.component.html | 71 | Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed <strong><i class='fab fa-bitcoin'></i> {{altcoi
LOW | frontend/src/app/token-sale/token-sale.component.html | 71 | Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed <strong><i class='fab fa-bitcoin'></i> {{altcoi
73 more matches not shown…
Hyper-Verbose Identifiers: 39 hits · 39 pts
Severity | File | Line | Snippet
LOW | frontend/src/hacking-instructor/index.ts | 190 | export async function startHackingInstructorFor (challengeName: string): Promise<void> {
LOW | frontend/src/hacking-instructor/helpers/helpers.ts | 65 | export function waitForInputToNotHaveValue (inputSelector: string, value: string, options = { ignoreCase: true }) {
LOW | frontend/src/hacking-instructor/helpers/helpers.ts | 82 | export function waitForInputToNotHaveValueAndNotBeEmpty (inputSelector: string, value: string, options = { ignoreCase: t
LOW | frontend/src/hacking-instructor/helpers/helpers.ts | 116 | export function waitForElementToGetClicked (elementSelector: string) {
LOW | frontend/src/hacking-instructor/helpers/helpers.ts | 131 | export function waitForElementsInnerHtmlToBe (elementSelector: string, value: string) {
LOW | frontend/src/hacking-instructor/helpers/helpers.ts | 159 | export function waitForAngularRouteToBeVisited (route: string) {
LOW | frontend/src/hacking-instructor/helpers/helpers.ts | 244 | export function waitForSelectToNotHaveValue (selectSelector: string, value: string) {
LOW | frontend/src/hacking-instructor/helpers/helpers.ts | 259 | export function waitForRightUriQueryParamPair (key: string, value: string) {
LOW | …er-settings/pipes/difficulty-selection-summary.pipe.ts | 27 | function breakDifficultiesIntoNeighboringGroups (difficulties: (1 | 2 | 3 | 4 | 5 | 6)[]): DifficultyGroup[] {
LOW | …er-settings/pipes/difficulty-selection-summary.pipe.ts | 46 | function convertDifficultyGroupsToString (difficultyGroups: DifficultyGroup[]): string {
LOW | …end/src/app/score-board/helpers/challenge-filtering.ts | 100 | function getCompleteChallengeStatus (
LOW | frontend/src/assets/private/three.js | 21805 | function materialNeedsSmoothNormals ( material ) {
LOW | frontend/src/assets/private/three.js | 21833 | function bufferGuessVertexColorType( material ) {
LOW | frontend/src/assets/private/three.js | 24365 | function unrollImmediateBufferMaterial ( globject ) {
LOW | lib/antiCheat.ts | 148 | function isLooselyCoupledToPreviouslySolved (challenge: Challenge) {
LOW | lib/utils.ts | 154 | export function getChallengeEnablementStatus (challenge: Challenge,
LOW | lib/codingChallenges.ts | 46 | function getCodeChallengesFromFile (file: FileMatch) {
LOW | lib/codingChallenges.ts | 58 | function getCodingChallengeFromFileContent (source: string, challengeKey: string) {
LOW | data/staticData.ts | 93 | export async function loadStaticSecurityQuestionsData (): Promise<StaticSecurityQuestions[]> {
LOW | data/datacreator.ts | 295 | function getGeneratedRandomFakeUserEmail () {
LOW | data/datacreator.ts | 471 | function customizeChangeProductChallenge (description: string, customUrl: string, customProduct: Product) {
LOW | data/datacache.ts | 35 | export function setRetrieveBlueprintChallengeFile (retrieveBlueprintChallengeFileArg: string) {
LOW | data/static/codefixes/xssBonusChallenge.info.yml | 7 | explanation: 'Using bypassSecurityTrustSoundCloud() instead of bypassSecurityTrustHtml() supposedly bypasses sanitiz
LOW | routes/login.ts | 69 | function verifyPostLoginChallenges (user: { data: User }) {
LOW | routes/verify.ts | 138 | async function checkPatternInFeedbackAndComplaints (
LOW | routes/verify.ts | 231 | function knownVulnerableComponentChallenge () {
LOW | routes/verify.ts | 238 | function knownVulnerableComponents () {
LOW | routes/verify.ts | 272 | function typosquattingNpmChallenge () {
LOW | routes/verify.ts | 279 | function typosquattingAngularChallenge () {
LOW | routes/verify.ts | 293 | function supplyChainAttackChallenge () {
LOW | routes/verify.ts | 307 | function dlpPastebinDataLeakChallenge () {
LOW | routes/resetPassword.ts | 57 | function verifySecurityAnswerChallenges (user: UserModel, answer: string) {
LOW | routes/basketItems.ts | 58 | export function quantityCheckBeforeBasketItemAddition () {
LOW | routes/basketItems.ts | 65 | export function quantityCheckBeforeBasketItemUpdate () {
LOW | routes/order.ts | 184 | function calculateApplicableDiscount (basket: BasketModel, req: Request) {
LOW | routes/fileServer.ts | 40 | function verifySuccessfulPoisonNullByteExploit (file: string) {
LOW | routes/fileServer.ts | 52 | function endsWithAllowlistedFileType (param: string) {
LOW | routes/metrics.ts | 45 | export function observeRequestMetricsMiddleware () {
LOW | routes/metrics.ts | 55 | export function observeFileUploadMetricsMiddleware () {
Synthetic Comment Markers: 2 hits · 10 pts
Severity | File | Line | Snippet
HIGH | CONTRIBUTING.md | 19 | 6. Noise (e.g. unnecessary comments) generated by AI tools _must_ be removed before opening a PR.
HIGH | AGENTS.md | 63 | **Required** per CONTRIBUTING.md rule #6: Remove unnecessary AI-generated content before submitting PRs.
Hallucination Indicators: 1 hit · 10 pts
Severity | File | Line | Snippet
CRITICAL | frontend/src/app/oauth/oauth.component.ts | 71 | const hash = this.route.snapshot.data.params.substr(1)
Over-Commented Block: 9 hits · 9 pts
Severity | File | Line | Snippet
LOW | frontend/src/assets/private/three.js | 30161 | points.push( points[ 0 ] );
LOW | frontend/src/assets/private/three.js | 30501 | //
LOW | frontend/src/assets/private/three.js | 31321 | // var c = [];
LOW | frontend/src/assets/private/OrbitControls.js | 1 | /**
LOW | …efixes/resetPasswordBjoernOwaspChallenge_2_correct.yml | 1 | # Provide password reset option via a one-time link with
LOW | …c/codefixes/resetPasswordBjoernChallenge_1_correct.yml | 1 | # Provide password reset option via a one-time link with
LOW | …c/codefixes/resetPasswordBenderChallenge_2_correct.yml | 1 | # Provide password reset option via a one-time link with
LOW | …c/codefixes/resetPasswordUvoginChallenge_3_correct.yml | 1 | # Provide password reset option via a one-time link with
LOW | …atic/codefixes/resetPasswordJimChallenge_3_correct.yml | 1 | # Provide password reset option via a one-time link with
AI Slop Vocabulary: 2 hits · 6 pts
Severity | File | Line | Snippet
MEDIUM | frontend/src/assets/private/three.js | 3514 | // this is a more robust check for empty than ( volume <= 0 ) because volume can get positive with two negative axes
MEDIUM | frontend/src/assets/private/three.js | 3838 | // this is a more robust check for empty than ( volume <= 0 ) because volume can get positive with two negative axes