OWASP Juice Shop benchmark

§ Coverage

Challenge coverage snapshot.

The Juice Shop source defines 111 challenges. SecHive findings are not the same object as scoreboard unlocks; we report challenge-equivalent coverage for sizing the gap.

Run style	Covered	Gap	Notes
Latest live runtime	35 / 111	76	Runtime findings backed by live target behavior and evidence artifacts.
Latest source-aware	58 / 111	53	35 runtime findings + 23 source-analysis candidates + 2 source-review candidates.
Archived black-box reference	32 / 111	79	Earlier public report retained for reproducibility.
Archived white-box reference	55 / 111	56	Source-candidate separation kept for audit trail.

Top runtime findings.

JS.01SQL injection — auth bypassDirect authentication impact with observable success markers.critical
JS.02Admin role injection on registerPrivilege assignment accepted from client-controlled input.critical
JS.03SQL injection — data extractionInjection extends beyond login into data access behavior.critical
JS.04IDOR — user / feedback / basketObject authorization gap across multiple resource classes.high
JS.05XXE — file disclosureParser-level file disclosure behavior.high
JS.06SSRF — internal fetchServer-side request behavior controlled by user input.high
JS.07Session token replay after logoutSession invalidation and replay resistance gap.high

Why this can be full-fidelity.

The bug bounty corpus is redacted because it comes from live programs. Juice Shop is an intentionally vulnerable benchmark, so routes, payloads, source references, evidence snippets and remediation notes remain intact in the published report.

Reproduce. The published reports include image digests, run-mode labels, scope policy and the proof pack hash. A reviewer can rerun the campaign and verify result deltas line by line.

Reproducible. Unredacted. Inspectable end to end.

Challenge coverage snapshot.

Top runtime findings.

Why this can be full-fidelity.