Verified
bkimminich
Björn Kimminich
- v8.0.2
-
7063ec3
Verified
bkimminich
Björn Kimminich
Assets
8
- juice-shop-8.0.2_node10_linux_x64.tgz 43.9 MB
- juice-shop-8.0.2_node10_windows_x64.zip 71.2 MB
- juice-shop-8.0.2_node8_linux_x64.tgz 42.8 MB
- juice-shop-8.0.2_node8_windows_x64.zip 60.3 MB
- juice-shop-8.0.2_node9_linux_x64.tgz 43.9 MB
- juice-shop-8.0.2_node9_windows_x64.zip 70.1 MB
- Source code (zip)
- Source code (tar.gz)
🐛 Bugfixes
- 66333bc: Fix user profile in installations from packaged release archives
- 3f0af41: Fix issue with honestly solving two challenges which relied on HTML comments that the Angular compiler removed
- v8.0.1
-
937ec5b
Verified
bkimminich
Björn Kimminich
Assets
8
- juice-shop-8.0.1_node10_linux_x64.tgz 43.9 MB
- juice-shop-8.0.1_node10_windows_x64.zip 71.2 MB
- juice-shop-8.0.1_node8_linux_x64.tgz 42.8 MB
- juice-shop-8.0.1_node8_windows_x64.zip 60.3 MB
- juice-shop-8.0.1_node9_linux_x64.tgz 43.9 MB
- juice-shop-8.0.1_node9_windows_x64.zip 70.1 MB
- Source code (zip)
- Source code (tar.gz)
Challenges
- Provide breadcrumbs leading to the malware needed for the SSRF and SSTI challenges
- v8.0.0
-
19c0ff8
Verified
bkimminich
Björn Kimminich
Assets
8
- juice-shop-8.0.0_node10_linux_x64.tgz 44 MB
- juice-shop-8.0.0_node10_windows_x64.zip 71.4 MB
- juice-shop-8.0.0_node8_linux_x64.tgz 42.9 MB
- juice-shop-8.0.0_node8_windows_x64.zip 60.4 MB
- juice-shop-8.0.0_node9_linux_x64.tgz 44 MB
- juice-shop-8.0.0_node9_windows_x64.zip 70.3 MB
- Source code (zip)
- Source code (tar.gz)
This release contains major incompatible technical changes (
⚠️ ) and makes significant incompatible changes to existing challenges (⚡️ ). The latter might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!
User Interface
- Rewrite of AngularJS 1.6 frontend in Angular 7.0
- Rewrite of Bootstrap UI in Material Design
- Added filter toggles for solved challenges and challenge categories to Score Board
Challenges
- Added new Forged Review challenge (
⭐️ ⭐️ ⭐️ ) - Added new NoSQL Injection Tier 3 challenge (
⭐️ ⭐️ ⭐️ ⭐️ ) - Added new Arbitrary File Write challenge (
⭐️ ⭐️ ⭐️ ⭐️ ⭐️ ⭐️ ) - Added new Basket Access Tier 2 challenge (
⭐️ ⭐️ ⭐️ ) - Added new Admin Registration challenge (
⭐️ ⭐️ ⭐️ ) - Added new Login Amy challenge (
⭐️ ⭐️ ⭐️ ) - Added new XSS Tier 5 challenge (
⭐️ ⭐️ ⭐️ ⭐️ ) - Added new Email Leak challenge (
⭐️ ⭐️ ⭐️ ⭐️ ⭐️ ) - Added new Multiple Likes challenge (
⭐️ ⭐️ ⭐️ ⭐️ ⭐️ ⭐️ ) - Added new Server Side Template Injection challenge (
⭐️ ⭐️ ⭐️ ⭐️ ⭐️ ⭐️ ) - Added new Server Side Request Forgery challenge (
⭐️ ⭐️ ⭐️ ⭐️ ⭐️ ⭐️ ) - Increased difficulty of Christmas Special challenge from
⭐️ ⭐️ ⭐️ to⭐️ ⭐️ ⭐️ ⭐️ (⚡️ ) - Slightly changed solution for Login Bjoern challenge to outpace online Rainbow Tables (
⚡️ ) - Removed Eye Candy challenge (
⚡️ ) - Disabled XXE Tier 1 and Tier 2 challenges in Docker and Heroku environments (
⚡️ ) - Replaced
<script>payloads for XSS Tier 0 to Tier 5 challenges with<iframe>payloads (⚡️ ) - Several challenges have now slightly (a few even significantly) different solution paths (
⚡️ )
Configuration
- Added
challenges.safetyOverrideoption to enable potentially dangerous challenges (e.g. XXE) regardless of runtime environment (defaults tofalse) - Added
application.slackUrlproperty to define a Slack server or invite URL (defaults tohttp://owaspslack.com) - Allowed properties for
application.themeare nowbluegrey-lightgreen,blue-lightblue,deeppurple-amber,indigo-pink,pink-bluegrey,purple-greenanddeeporange-indigo(⚠️ ) - Changed
application.gitHubRibbonproperty intotrue/falseflag (⚠️ ) - Generic error page now displayed
application.nameproperty instead of hardcodedJuice Shopas headline
I18N
- Added Georgian translation (
🇬🇪 )
Miscellaneous
- Improved and extended validation of configuration and precondition during appliation start
The majority of changes in this release were developed by @Aashish683 and @CaptainFreak under mentorship of @J12934, @wurstbrot and @bkimminich during
🌞 Google Summer of Code 2018.
- v7.5.1
-
276cb97
Verified
bkimminich
Björn Kimminich
Assets
8
- juice-shop-7.5.1_node10_linux_x64.tgz 50.4 MB
- juice-shop-7.5.1_node10_windows_x64.zip 77.8 MB
- juice-shop-7.5.1_node8_linux_x64.tgz 49.3 MB
- juice-shop-7.5.1_node8_windows_x64.zip 67.9 MB
- juice-shop-7.5.1_node9_linux_x64.tgz 50.4 MB
- juice-shop-7.5.1_node9_windows_x64.zip 77.8 MB
- Source code (zip)
- Source code (tar.gz)
🐛 Bugfixes
- Fixed
continueCodecookie lifetime calculation. Resolves seemingly random challenge restore issues.
Miscellaneous
- Updated various
dependenciesanddevDependencies
- v7.5.0
-
eebb83c
Verified
bkimminich
Björn Kimminich
Assets
8
- juice-shop-7.5.0_node10_linux_x64.tgz 50.6 MB
- juice-shop-7.5.0_node10_windows_x64.zip 77.9 MB
- juice-shop-7.5.0_node8_linux_x64.tgz 49.5 MB
- juice-shop-7.5.0_node8_windows_x64.zip 68.1 MB
- juice-shop-7.5.0_node9_linux_x64.tgz 50.6 MB
- juice-shop-7.5.0_node9_windows_x64.zip 77.9 MB
- Source code (zip)
- Source code (tar.gz)
Challenges
- Extended
continueCodecookie lifetime from 30 days to 1 year - XXE Tier 1 and XXE Tier 2 challenge are now unavailable when running on Docker or Heroku (
⚡️ )
🐛 Bugfixes
- #661: Ensured runtime safe behavior for users with blank password
- #669: Custom downloaded favicons do not cause server crash any more
- #658: Disabled XML parsing when running in Docker container
- 503ac6d: Disabled XML parsing when running on Heroku dyno
Miscellaneous
- Updated various
dependenciesanddevDependencies
- v7.4.1
-
68cb915
Verified
bkimminich
Björn Kimminich
Assets
6
Non-functional Changes
- #649: Ensure compatibility of
Dockerfilewhen hosted on OpenShift platforms
Miscellaneous
- Performed non-breaking updates on several module dependencies
- Extended
🇧🇷 and🇵🇹 translations
- v7.4.0
-
41e48e9
Verified
bkimminich
Björn Kimminich
Assets
6
Challenges
- Added new Steganography Tier 1 challenge (
⭐️ ⭐️ ⭐️ ⭐️ ) - Added new Supply Chain Attack challenge (
⭐️ ⭐️ ⭐️ ⭐️ ⭐️ ) (kudos to @Deep-Six) - One trivial avenue to retrieve password hashes has been closed
Miscellaneous
- Existence and uniqueness of
countryMappingper challenge (for FBCTF-powered CTFs) is now checked on startup - Hidden blueprint file has been improved for even more real-life value (kudos to @janesmae)
- Added simple
robots.txtfile
- v7.3.0
-
3e233ff
Verified
bkimminich
Björn Kimminich
Assets
6
🔬 Theenginesversion range specified inpackage.jsondoes not allow node.js 10.x any more! At the moment there are too many compatibility issues (i.e.libxmljsandsqlite3) to be able to support node.js 10.x.
Changes
- The impressive XSS Demo w/ music & keylogging has been moved out of Vagrant VM into https://github.com/wurstbrot/shake-logger from where it can be launched more easily using
docker compose(kudos to @wurstbrot) - #603: Docker image now runs under a less privileged user
juicerinstead ofroot
I18N
- Marked
🇮🇹 ,🇯🇵 ,🇧🇷 and🇦🇪 translation as complete (>80%) in the UI - Improve
🇮🇹 ,🇳🇱 and🇦🇪 translations
- v7.2.3
-
a0a31f3
Verified
bkimminich
Björn Kimminich
Assets
6
🐛 Fixes
- Pinned
libxmljs 0.18.7dependency due to pre-built download / build errors with latest0.18.8and previous0.18.6at least on Windows 10 under node.js 8.x and 9.x
- v7.2.2
-
aaa4b68
Verified
bkimminich
Björn Kimminich
Assets
6
Fixes
- Pinned
libxmljs 0.18.6dependency due to pre-built download / build errors with latest0.18.8 - Removed CI pipelines for node.js 10.x from Travis-CI and Appveyor due to incompatibility with
libxmljs 0.18.6
🔬 Theenginesversion range specified inpackage.jsonstill allows node.js 10.x for local development or experiments! Please note that no troubleshooting will be provided at the moment for failing Juice Shop installations on node.js 10.x.