OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.

Juice Shop is written in Node.js, Express and AngularJS. The application contains more than 30 challenges of varying difficulty where the user is supposed to exploit the underlying vulnerabilities. The hacking progress is tracked on a score board. Finding this score board is actually one of the (easy) challenges!

Apart from the hacker and awareness training use case, pentesting proxies or security scanners can use Juice Shop as a “guinea pig”-application to check how well their tools cope with Javascript-heavy application frontends and REST APIs. Here is the the official companion guide to the OWASP Juice Shop application.
Here are some of its key features:

• Easy-to-install: Choose between node.js, Docker and Vagrant to run on Windows/Mac/Linux
• Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically
• Self-healing: The simple SQLite database is wiped and regenerated from scratch on every server startup
• Gamification: On a Score Board the application keeps track of successfully exploited vulnerabilities
• Free and Open source: Licensed under the MIT license with no hidden costs or caveats