Metlo Juice Shop
Metlo Juice Shop

Getting Started

OWASP Juice Shop is a modern insecure web application! We’ve created a forked version of the repo that has Metlo preinstalled. Go through this guide to get a feel of how Metlo works and find vulnerabilities on an insecure app.

Thanks to @bkimminich and the rest of the Juice Shop contributors for making a fantastic playground to test security tools!

1. Sign Up for Metlo Cloud ☁️

The first step is to sign up for our cloud service at! Once you’ve logged in, follow the instructions on the Onboarding flow for the Node setup and get an API Key.

2. Setup Metlo Juice Shop

After you sign up for the cloud and have an API Key, setup Juice Shop by following the instructions in the README. We recommend setting it up using the docker version!

To run tests from Metlo Cloud you need a public URL for our Juice Shop app. If you’re running it locally, you can use ngrok to create a public URL.

3. Install Metlo’s CLI

Install Metlo’s CLI from npm following the instructions here.

4. Initialize Data

After you have the Juice Shop server running and Metlo CLI setup, you can run this command to populate Juice Shop with some test data. Be sure to replace <JUICE_SHOP_URL> with your juice shop address.

$ metlo juice-shop init-data -h <JUICE_SHOP_URL>

You should see all the requests getting tracked on your Metlo dashboard. It will take around 15 minutes for the sensitive data class classifications to show up on the dashboard.

Restarting Juice Shop

Run the init data command everytime you restart Juice Shop because the database gets deleted on restart!

5. Metlo Config

To give Metlo more context for how the app works, you can provide configurations in the Metlo Config tab of the Settings page. Paste the following into the Metlo Config (replace the host value with the host shown in the Endpoints page):

  - host: <YOUR_HOST>
    authType: jwt
    headerKey: Authorization

  - name: USER_1_EMAIL
  - name: USER_1_PASSWORD
    value: password
  - name: USER_2_EMAIL
  - name: USER_2_PASSWORD
    value: password

This will allow Metlo to know how authentication is handled in the Juice Shop app which in this case is through Json Web Tokens. The globalTestEnv object will be used later in the Testing feature.