{"target":{"id":"juiceshop","name":"OWASP Juice Shop","category":"Web App Pentest","difficulty":"Beginner → Advanced","vulns_known":100,"legal_notice":"Open-source deliberately-vulnerable web app by OWASP. MIT licensed. Public on GitHub.","docker":"bkimminich/juice-shop","url_demo":"http://localhost:3000","kills":["SQLi in product search → admin bypass","XSS in customer feedback → admin cookie theft","IDOR in basket API → view other users' baskets","Auth bypass via /rest/user/reset-password","Hidden /#/challenge solved: zero stars to five stars"]},"script":[{"ts":"00:00–00:05","shot":"Tarun logo slam, glitch transition, synth bass drop","voice":"target locked: OWASP Juice Shop.","screen":"Black → target logo → terminal opens"},{"ts":"00:05–00:15","shot":"Typing sequence: subfinder + httpx + nuclei","voice":"passive recon. mapped 100 live assets. one stands out.","screen":"Live terminal output streaming"},{"ts":"00:15–00:30","shot":"Vuln hypothesis + manual probe","voice":"this looks like a web app pentest playground. testing the obvious.","screen":"Curl → response with injection sink highlighted"},{"ts":"00:30–00:55","shot":"Exploit chain: finding → POC → proof","voice":"and we have a beginner → advanced-difficulty kill. root in 60 seconds.","screen":"shell pop. whoami. cat /etc/passwd. screenshot."},{"ts":"00:55–01:25","shot":"Tarun commentary + 'why this matters' overlay","voice":"the same bug class lives in production. here's what defenders miss.","screen":"Side-by-side: vulnerable training app vs real-world CVE"},{"ts":"01:25–01:30","shot":"Logo card, subscribe, 'next target: ___'","voice":"next target, in 24 hours. follow the build.","screen":"Tarun logo + social links + countdown to next show"}],"runtime_seconds":90,"render_assets":{"voice_needed":true,"music_track":"synthwave_90s.mp3 (royalty-free)","captions":"auto-generated, English, branded"}}