How to Run OWASP Juice Shop Locally: Setup, Configuration, and Common Pitfalls

Written by: Abigail Ivy
Published on:

What OWASP Juice Shop Is and Why Run It Locally

OWASP Juice Shop is a deliberately vulnerable web application used for security training, penetration testing practice, and secure coding exercises.

Running it locally gives you a controlled environment where you can explore issues such as injection, authentication flaws, and broken access control without exposing a public server.

If you want a fast, repeatable lab for web security learning, knowing how to run OWASP Juice Shop locally is the first step.

The setup is simple, but a few configuration choices determine whether the app starts cleanly and stays isolated from the rest of your system.

Recommended Ways to Run OWASP Juice Shop Locally

The easiest local deployment method is Docker because it reduces dependency conflicts and works consistently across Linux, macOS, and Windows.

A second option is running the application from source with Node.js, which is useful when you want to inspect code, customize the build, or debug issues.

  • Docker: best for quick setup and minimal system changes.
  • Node.js from source: best for development, code review, and troubleshooting.
  • Virtual machine or isolated host: best when you want stronger separation from your main workstation.

Prerequisites Before You Start

Before installing Juice Shop, make sure your machine has enough resources and the right tooling.

The application is lightweight, but it still needs a modern runtime and an available port.

  • Docker Engine and Docker Compose, if you plan to use containers.
  • Node.js and npm, if you plan to run from source.
  • Git, if you want to clone the repository.
  • A free port, typically 3000 or another custom port.

It is also wise to run the app in a local-only environment.

Juice Shop is intentionally insecure and should not be exposed to the internet unless you fully understand the risks and have strict network controls in place.

How to Run OWASP Juice Shop Locally with Docker

Docker is the most common answer to how to run OWASP Juice Shop locally because it is fast and avoids dependency drift.

The exact image name may vary by distribution channel, but the process is generally consistent.

Step 1: Pull the container image

Start by downloading the Juice Shop image from the official source or registry you trust.

Using the official OWASP image helps reduce the risk of pulling a modified or outdated build.

docker pull bkimminich/juice-shop

Step 2: Run the container

Map the container port to a local port so you can open the app in your browser.

The standard port inside the container is usually 3000.

docker run --rm -p 3000:3000 bkimminich/juice-shop

After the container starts, open http://localhost:3000 in your browser.

You should see the Juice Shop landing page and be able to navigate the app immediately.

Step 3: Keep the container local

For a safe lab, bind the service only to localhost when possible.

That limits access to your machine and prevents other devices on the network from connecting.

docker run --rm -p 127.0.0.1:3000:3000 bkimminich/juice-shop

This pattern is especially important on shared networks, laptops used for demos, and systems that have broader firewall exceptions.

How to Run OWASP Juice Shop Locally from Source

Running from source is useful when you want to study the application structure or make changes to the front end and back end.

This approach requires Node.js, npm, and the project repository.

Step 1: Clone the repository

git clone https://github.com/juice-shop/juice-shop.git
cd juice-shop

Step 2: Install dependencies

Use npm to install the required packages.

On large projects, this step can take a little longer the first time because it fetches the full dependency tree.

npm install

Step 3: Start the application

Use the start command defined by the project.

The app usually launches on port 3000 unless you override it.

npm start

Then visit http://localhost:3000 and verify that the interface loads correctly.

How to Change the Port and Host

Sometimes port 3000 is already in use by another local service such as a development server, database dashboard, or container.

In that case, switching ports avoids conflicts.

With Docker, map the container to a different host port:

docker run --rm -p 4000:3000 bkimminich/juice-shop

With a source build, many Node.js apps accept environment variables for host and port.

If the project configuration supports it, you can set the port before starting the app.

PORT=4000 npm start

When you run locally, binding to 127.0.0.1 is preferable to binding to 0.0.0.0 unless you specifically need access from another device on the same network.

How to Verify the Installation

After startup, confirm three things: the application loads in the browser, the UI responds to clicks, and the server logs show normal activity.

These checks help you catch port conflicts, missing dependencies, and container startup failures early.

  • Open the homepage at localhost and confirm the Juice Shop interface appears.
  • Click a few navigation elements to ensure the app is responsive.
  • Check the terminal or Docker logs for errors, stack traces, or missing asset messages.

If the app does not load, verify that no other service is using the same port and that your local firewall is not blocking the connection.

Common Problems When Running OWASP Juice Shop Locally

Most setup issues are straightforward, but they can still slow you down if you are not expecting them.

Knowing the common failure points makes local deployment much smoother.

Port already in use?

If another process is bound to the selected port, Juice Shop will fail to start or will start on a different port than expected.

Choose a free port or stop the conflicting service.

Docker image pulls but the app never loads?

Container startup can fail if your local Docker configuration has resource limits, networking issues, or permission restrictions.

Review the container logs with docker logs and confirm Docker Desktop or the Docker daemon is healthy.

npm install fails?

Source installs can fail because of mismatched Node.js versions, proxy restrictions, or a stale lockfile.

Use a current LTS version of Node.js, clear the npm cache if needed, and reinstall dependencies in a clean working directory.

Browser cannot connect?

Check whether the application is listening on the right host and port.

If you bound the app to localhost, external devices will not be able to reach it, which is expected behavior for a local lab.

Security Best Practices for Local Labs

Because Juice Shop is intentionally vulnerable, keep it contained.

Treat it like a training target, not a normal web app.

  • Run it on a development machine or isolated virtual machine.
  • Avoid exposing the port to public interfaces unless you have a controlled lab network.
  • Do not connect it to production services, sensitive data, or real authentication systems.
  • Use snapshots or disposable containers so you can reset the environment quickly.

If you are demonstrating attacks or testing tools such as Burp Suite, OWASP ZAP, or browser developer tools, a local installation gives you repeatability and makes cleanup much easier.

Why Docker Is Usually the Best Choice

For most users, Docker offers the cleanest path for how to run OWASP Juice Shop locally.

It avoids dependency mismatches, makes upgrades simple, and lets you recreate the same lab on multiple machines with nearly identical behavior.

Source-based installation is still valuable when you need to modify code, inspect internals, or teach application security from a developer perspective.

The best choice depends on whether your priority is speed, flexibility, or transparency.

Helpful Next Steps After Installation

Once Juice Shop is running, you can begin exploring the application’s security training challenges and observe how modern browsers, proxies, and scanners interact with a deliberately weak target.

Pair the lab with documentation from OWASP, practice using interception proxies, and keep notes on each weakness you discover.

  • Review OWASP Top 10 categories alongside the challenge list.
  • Use a proxy such as Burp Suite or OWASP ZAP to inspect requests.
  • Experiment with browser storage, session handling, and access control paths.
  • Reset the environment whenever you want a fresh start.