Any update on this, please?
Yes, it does. Below is the statement from their official site: "Juice Shop is written in Node.js, Express and Angular. It was the first application written entirely in JavaScript listed in the OWASP VWA Directory." -- https://www.owasp.org/index.php/OWASP_Juice_Shop_Project So, does it have any limitation with JS or any other technology? Please clarify if it doesn't support any technology. Also, how does it accept any client certs? A few of my applications require a client cert to access them.
Hi, thanks for looking into it. Let me know if you need any more details. Except for http://testphp.vulnweb.com/, for any other application I try, it is either not reporting any vulnerability or throwing an error after scanning URLs.
I am not sure why it is throwing it as an invalid URL. I tried with another vulnerable app too, same problem:

    $ wapiti -u http://zero.webappsecurity.com/index.html --scope domain
    Wapiti-3.0.1 (wapiti.sourceforge.net)
    [*] You are lucky! Full moon tonight.
    Traceback (most recent call last):
      File "/Users/XXX/.pyenv/versions/3.4.0/bin/wapiti", line 9, in <module>
        load_entry_point('wapiti3==3.0.1', 'console_scripts', 'wapiti')()
      File "/Users/XXX/.pyenv/versions/3.4.0/lib/python3.4/site-packages/wapiti3-3.0.1-py3.4.egg/wapitiCore/main/wapiti.py",...
I tried to use Wapiti against a logged-in session of Juice Shop also. I could see it found a few URLs as part of scanning, but it is not reporting even a single vulnerability.
Error with domain scope
Wapiti not reporting any vulnerabilities of OWASP JuiceShop