Change HTML-comment spoilers into persistent code

Fixes issue from Angular compiler removing all comments, thus making the "Redirect Tier 1" and "Login Support Team" challenge impossible to solve without cheating.
juice-shop · Nov 15, 2018 · 3f0af41 · 3f0af41
1 parent 66333bc
commit 3f0af41
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 3 deletions.
diff --git a/frontend/src/app/basket/basket.component.html b/frontend/src/app/basket/basket.component.html
@@ -92,9 +92,9 @@
             </div>
         </form>
         <a href="https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part3/donations.html#credit-card-donation-step-by-step"><button mat-raised-button><i class="far fa-credit-card fa-lg"></i> Credit Card</button></a>
-        <!--<a href="https://gratipay.com/juice-shop">
-           <button color="warn" mat-raised-button><i class="fab fa-gratipay fa-lg"></i> Gratipay</button>
-        </a>-->
+        <a href="/redirect?to=https://gratipay.com/juice-shop" *ngIf="false">
+           <button mat-raised-button><i class="fab fa-gratipay fa-lg"></i> Gratipay</button>
+        </a>
         <button mat-raised-button (click)="showBitcoinQrCode()"><i class="fab fa-btc fa-lg"></i> Bitcoin</button>
         <button mat-raised-button (click)="showDashQrCode()"><i class="fa-lg">Ð</i> Dash</button>
         <button mat-raised-button (click)="showEtherQrCode()"><i class="fab fa-ethereum fa-lg"></i> Ether</button>

diff --git a/frontend/src/app/login/login.component.ts b/frontend/src/app/login/login.component.ts
@@ -80,6 +80,9 @@ export class LoginComponent implements OnInit {
       this.router.navigate(['/search'])
     }, (error) => {
       console.log(error)
+      if (this.user.email && this.user.email.matches(/support@.*/)) {
+        console.log('@echipa de suport: Secretul nostru comun este încă Caoimhe cu parola de master gol!')
+      }
       localStorage.removeItem('token')
       this.cookieService.remove('token', { domain: document.domain })
       sessionStorage.removeItem('bid')

diff --git a/test/api/angularDistSpec.js b/test/api/angularDistSpec.js
@@ -0,0 +1,17 @@
+const frisby = require('frisby')
+
+const URL = 'http://localhost:3000'
+
+describe('/api', () => {
+  it('GET main.js contains Gratipay URL', () => {
+    return frisby.get(URL + '/main.js')
+      .expect('status', 200)
+      .expect('bodyContains', '/redirect?to=https://gratipay.com/juice-shop')
+  })
+
+  it('GET main.js contains password hint for support team', () => {
+    return frisby.get(URL + '/main.js')
+      .expect('status', 200)
+      .expect('bodyContains', '@echipa de suport: Secretul nostru comun este \\xeenc\\u0103 Caoimhe cu parola de master gol!')
+  })
+})