OWASP 2025 Global AppSec EU

In this 100% slide-free demo session you will embark on a journey through the popular OWASP Juice Shop vulnerable web application!

You will experience firsthand how easy it is to set up, get started, and solve your first hacking & coding challenges. In a quick mob-hacking session, you will gain your first points on Juice Shop's extensive score board!

The demo also includes a glimpse into Juice Shop's CTF tool and its multi-user hosting environment MultiJuicer! You will witness how fast a CTF event can be launched with OWASP Juice Shop, how great documentation really makes a difference, and even how to make
the application look like an in-house app of your own company.

Due to the nature of this small group demo session, you are welcome to ask questions during and between the different topics - ad libitum! There is time for clarification and dipping into special topics.

If time permits, this session can also cover interesting behind-the-scenes topics, such as cheat detection, start-up validations, webhook integrations, and a pro-level Grafana dashboard for observability!

Even if you know and have used OWASP Juice Shop yourself already, there's no chance you've already seen everything that will be covered in this session!

How often have you heard developers ask, "Where is Race Condition in OWASP?" or "Why aren’t business workflows part of the Top 10?"

These questions highlight a glaring gap: the OWASP lists often focus on technical implementation vulnerabilities while overlooking the fundamental flaws in business logic—the very backbone of applications. This is why we started the OWASP Business Logic Abuse Top 10 Project: to address the workflow bypasses, logic flaws, and design vulnerabilities that attackers exploit, regardless of whether you’re building a web app, API, firmware, or supply chain system.

This project's foundation in Turing machine principles makes it unique, where business logic is modeled as finite states, transitions, and memory operations. By breaking down vulnerabilities into their computational roots—data handling (tape), access mechanisms (head), workflows (states), and transitions—we not only classify these issues but also provide a clear framework for identifying and mitigating them. Whether it’s race conditions in financial systems or workflow skips in authentication processes, this approach brings business logic vulnerabilities to the forefront.

This Top 10 isn’t just another list; it’s a cross-domain framework that bridges gaps between OWASP categories and provides clarity for developers, architects, and security professionals. If you’ve ever wondered why logic abuse isn’t explicitly addressed in web apps, APIs, or mobile security, this project is your answer. Join us to explore real-world examples, understand the unique methodology, and discover how you can contribute to this open, repeatable framework that empowers teams to tame business logic abuse in any system.