Setting up JuiceShop in Heroku

The purpose of this post is to provide information about setting up a free instance of JuiceShop in Heroku for use with a CTF. Please read the steps below carefully.


If you create a new account, you will be required to supply a valid credit card number. The Heroku service is free to use, but it is still a business that wants to make money. If you use the free tier, your card will not be charged. If you add options outside of what is spelled out in this document, you are liable for any expenses that you incur. Please don’t go past the ropes unless you know how to swim. OWASP is not responsible for any charges that you may incur from the use of the Heroku service. More information about Heroku’s free tier and pricing can be found here.


This event is a simple web application capture the flag. There should be no need for you to use denial of service tactics or network attack tools as part of this event. Technically, everything you need is right in your browser and between your ears. Intercept proxy’s like Burp Suite are fine, but there should be no need to run any of the automated attack or scan features found in those tools. Please read Heroku’s acceptable use policy here for more details.

Remember, you are using our host’s internet services. Bad behavior on the Internet can come back to them, so be a good guest. Also, no attacking your opponents' systems. Your focus should be your own Heroku Juice Shop instance. If we see you engaging in bad behavior, we will ask you to leave.


  1. A laptop with wireless capabilities and equipped a modern browser.
  2. A basic understanding of web design, SQL, JavaScript, or at least a willingness to learn.
  3. If you have an intercept proxy such as OWASP's Zed Attack Proxy (ZAP) or Burp Suite, you may find it helpful. Technically, most of the work can be done with the developer tools native to the browser, but an intercept proxy is useful. ZAP can be downloaded for free from Burp Suite Community Edition is also a free application that can be downloaded from 

  1. Create a Heroku account and log in, or log in with an existing account if you have one.

  2. In a new tab, go to the JuiceShop Github repository and deploy JuiceShop to your Heroku account. Give your new instance a name, using only lower case letters, numbers, and dashes. Spaces are not allowed, and you might have to get creative to come up with an original name!
  3. When you are done, click the Deploy App button. Be patient - this can take a few minutes.
  4. When the deployment is complete, click the purple Manage App button at the bottom of the screen.

  5. In the management interface, click on the Settings link at the top-right side of the screen.
  6. In the Settings screen, click the Reveal Config Vars button to reveal the application’s configuration variables (there shouldn’t be any).

  7. Under the Config Vars section, add the following configuration variable and value to put Juice Shop in CTF mode:


  8. Scroll to the top of the screen and click Open App to view your newly-deployed JuiceShop web application!
  9. Bookmark this page so you can get back to it easily!
You now should have a fully functional JuiceShop instance in Heroku!


  1. Note: If you wish to just set up JuiceShop for your own personal use (i.e. not part of a CTF event), then just skip step 7!


Post a Comment

Popular posts from this blog

OWASP ZAP Tutorial - Part 2: Crawling

OWASP ZAP Tutorial - Part 1: Intercepting Traffic

OWASP ZAP Tutorial - Part 3: Scanning