Add new "Missing Encoding" challenge

data/static/challenges.yml

@@ -726,4 +726,12 @@
   hint: 'Before you invest time bypassing the API, you might want to play around with the UI a bit.'
   hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#give-a-devastating-zero-star-feedback-to-the-store'
   key: zeroStarsChallenge
+-
+  name: 'Missing Encoding'
+  category: 'Improper Input Validation'
+  description: 'Retrieve the photo of Bjoern''s cat in "melee combat-mode".'
+  difficulty: 1
+  hint: 'Check the Photo Wall for an image that could not be loaded correctly.'
+  hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#retrieve-the-photo-of-bjoerns-cat-in-melee-combat-mode'
+  key: missingEncodingChallenge
 

routes/verify.js

@@ -67,6 +67,8 @@ exports.accessControlChallenges = () => ({ url }, res, next) => {
     utils.solve(challenges.retrieveBlueprintChallenge)
   } else if (utils.notSolved(challenges.securityPolicyChallenge) && utils.endsWith(url, '/security.txt')) {
     utils.solve(challenges.securityPolicyChallenge)
+  } else if (utils.notSolved(challenges.missingEncodingChallenge) && utils.endsWith(url, '/%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg')) {
+    utils.solve(challenges.missingEncodingChallenge)
   } else if (utils.notSolved(challenges.accessLogDisclosureChallenge) && url.match(/access\.log(0-9-)*/)) {
     utils.solve(challenges.accessLogDisclosureChallenge)
   }

server.js

@@ -160,6 +160,7 @@ app.use(robots({ UserAgent: '*', Disallow: '/ftp' }))
 /* Checks for challenges solved by retrieving a file implicitly or explicitly */
 app.use('/assets/public/images/padding', verify.accessControlChallenges())
 app.use('/assets/public/images/products', verify.accessControlChallenges())
+app.use('/assets/public/images/uploads', verify.accessControlChallenges())
 app.use('/assets/i18n', verify.accessControlChallenges())
 
 /* Checks for challenges solved by abusing SSTi and SSRF bugs */

test/api/fileServingSpec.js

@@ -136,6 +136,11 @@ describe('Hidden URL', () => {
       .expect('status', 200)
   })
 
+  it('GET crazy cat photo for "Missing Encoding" challenge', () => {
+    return frisby.get(URL + '/assets/public/images/uploads/%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg')
+      .expect('status', 200)
+  })
+
   it('GET folder containing access log files for "Access Log" challenge', () => {
     return frisby.get(URL + '/support/logs/access.log.' + utils.toISO8601(new Date()))
       .expect('status', 200)

test/e2e/directAccessSpec.js

@@ -50,6 +50,14 @@ describe('/', () => {
     protractor.expect.challengeSolved({ challenge: 'Retrieve Blueprint' })
   })
 
+  describe('challenge "missingEncoding"', () => {
+    it('should be able to access the crazy cat photo', () => {
+      browser.driver.get(browser.baseUrl + '/assets/public/images/uploads/%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg')
+    })
+
+    protractor.expect.challengeSolved({ challenge: 'Missing Encoding' })
+  })
+
   describe('challenge "securityPolicy"', () => {
     it('should be able to access the security.txt file', () => {
       browser.driver.get(browser.baseUrl + '/.well-known/security.txt')

test/server/verifySpec.js

@@ -115,6 +115,15 @@ describe('verify', () => {
       expect(challenges.retrieveBlueprintChallenge.solved).to.equal(true)
     })
 
+    it('"missingEncodingChallenge" is solved when the crazy cat photo is requested', () => {
+      challenges.missingEncodingChallenge = { solved: false, save: this.save }
+      this.req.url = 'http://juice-sh.op/public/images/uploads/%F0%9F%98%BC-%23zatschi-%23whoneedsfourlegs-1572600969477.jpg'
+
+      verify.accessControlChallenges()(this.req, this.res, this.next)
+
+      expect(challenges.missingEncodingChallenge.solved).to.equal(true)
+    })
+
     it('"accessLogDisclosureChallenge" is solved when any server access log file is requested', () => {
       challenges.accessLogDisclosureChallenge = { solved: false, save: this.save }
       this.req.url = 'http://juice-sh.op/support/logs/access.log.2019-01-15'