bkimminich released this
This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! This release also contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release.
🎨 Frontend
- #1276: Applied facelifted design to Accounting screen
- #1276: Harmonized design of Challenge Solved and Server Restarted notifications with `MatSnackBar` toasts
🎯 Challenges
- Changed default promotion video used in the Video XSS challenge to OWASP Membership ad video made by @nanzggits (⚡)
⚙️ DevOps Automation
- CI/CD pipeline now uses timeouts and retries for some test steps to compensate for flakiness of tests, race conditions or other occasional irregularities
  - Unit tests step (in `test` job) times out after 10 minutes and is retried twice
  - Integration tests step (in `test` job) times out after 5 minutes and is retried twice
  - End-to-end step (in `e2e` job) times out after 20 minutes and is retried once
  - No timeouts or retries are configured for the `smoke` and `docker-smoke` jobs
- Added WebAppDefn specification `.config/webapp.yml` as proposed by the OSSF Security Tooling working group (🔬)
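How step-level timeouts and retries of the kind listed above are expressed in a GitHub Actions workflow, as an added example that is not Juice Shop's own workflow file. The job names follow the release note; the checkout/setup actions, the retry action, the `npm` script names and the job-level ceiling are assumptions.

```yaml
# Added example, not the project's workflow. Job names follow the release
# note; retry action, script names and the job-level ceiling are assumptions.
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 30            # hard ceiling for the whole job (assumption)
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 14
      - run: npm install
      - name: Unit tests (10 min, retried twice)
        uses: nick-invision/retry@v2
        with:
          timeout_minutes: 10
          max_attempts: 3          # first run plus two retries
          command: npm test        # script name is an assumption
      - name: Integration tests (5 min, retried twice)
        uses: nick-invision/retry@v2
        with:
          timeout_minutes: 5
          max_attempts: 3
          command: npm run frisby  # script name is an assumption
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: End-to-end tests (20 min, retried once)
        uses: nick-invision/retry@v2
        with:
          timeout_minutes: 20
          max_attempts: 2          # first run plus one retry
          command: npm run protractor  # script name is an assumption
  smoke:
    runs-on: ubuntu-latest
    steps:                         # no timeout or retry wrapper on purpose
      - uses: actions/checkout@v2
      - run: npm run smoke         # script name is an assumption
```

One caveat worth keeping in mind: a retry wrapper masks a genuinely racy test just as well as a flaky one, so a step that only passes on its second attempt is still worth logging and tracking rather than treated as green.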
🐛 Bugfixes
- #1562: Charging of digital wallet without or with another user's credit card is now prevented on server side
🧹 Code Style/Linting
- Included `stylelint` module for linting and auto-fixing frontend SCSS files
🌐 I18N
- Extended 🇫🇮, 🇷🇴, 🇹🇷 and 🇨🇳 translations
🛄 Miscellaneous
- Marked both Juice Shop Adversary Trading Card products as deleted due to discontinuation of the "Adversary Trading Cards" CCG
---
bkimminich released this
🎨 Frontend
- #1542: Migrated Angular frontend from version 10 to 11
🧹 Code Style/Linting
- Migrated frontend code linter from TSLint to ESLint based on `standard-with-typescript` configuration
- Migrated backend code linter from Standard to ESLint based on `standard` configuration
- Refactored code to comply with additional ESLint rules not present in previous TSLint/Standard linters
🐛 Bugfixes
- #1527: Fixed race condition between creation of PDF confirmation and wallet payment during checkout process
- #1525: Fixed memory leak in Score Board tutorial when waiting for DevTools
🛄 Miscellaneous
- #1547: Added distinct default user profile image for all admin accounts to set them apart from regular user accounts
- Rotated Juice Shop Artwork out of the available product inventory replacing it with Best Juice Shop Salesman Artwork
- Added new user `stan@juice-sh.op` to userbase prepopulated on startup
- #1440: Updated `file-types` dependency to latest major version (kudos to @cigar-galaxy82)
---
bkimminich released this
🚀 Features
- The `security.txt` is now accessible from both URLs officially defined in the corresponding RFC draft
- The `security.txt` now also contains the `Preferred-Languages` and `Expires` properties
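A small builder and validator for a `security.txt` file, as an added example that is not the project's own code. It applies the rules of RFC 9116 (the published form of the draft the release refers to): `Contact` is required and must be a URI (web URIs over https), `Expires` must appear exactly once as an RFC 3339 date-time and should be less than a year away, and `Preferred-Languages` may appear at most once. The two paths listed are the ones the RFC defines. The contact addresses, key URL and dates below are constructed for the example.

```javascript
// Added example, not the project's own code. Field values are constructed.

// Both locations RFC 9116 defines; a server should answer on each
// (the well-known path is canonical, the top-level one is the legacy location).
const SECURITY_TXT_PATHS = ['/.well-known/security.txt', '/security.txt']

// Builds the file body; fields is an array of [name, value] pairs so that
// repeated fields (several Contact lines) keep their order.
function buildSecurityTxt (fields) {
  return fields.map(([name, value]) => `${name}: ${value}`).join('\n') + '\n'
}

// Parses into [{ name, value }] with names lower-cased for comparison,
// skipping comments and blank lines and collecting lines without a
// "name: value" shape.
function parseSecurityTxt (text) {
  const fields = []
  const malformed = []
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim()
    if (line === '' || line.startsWith('#')) continue
    const colon = line.indexOf(':')
    if (colon < 1) { malformed.push(raw); continue }
    fields.push({
      name: line.slice(0, colon).trim().toLowerCase(),
      value: line.slice(colon + 1).trim()
    })
  }
  return { fields, malformed }
}

const ONE_YEAR_MS = 366 * 24 * 60 * 60 * 1000

// Returns the list of problems found (empty when the file is acceptable).
// `now` is injectable so the Expires check is deterministic in tests.
function validateSecurityTxt (text, now = new Date()) {
  const problems = []
  const { fields, malformed } = parseSecurityTxt(text)
  for (const line of malformed) problems.push(`malformed line: ${line}`)
  const values = (name) => fields.filter((f) => f.name === name).map((f) => f.value)

  const contacts = values('contact')
  if (contacts.length === 0) problems.push('Contact is required')
  for (const c of contacts) {
    // The value must be a URI; if it is a web URI it must use https.
    if (!/^[a-z][a-z0-9+.-]*:/i.test(c)) problems.push(`Contact is not a URI: ${c}`)
    else if (/^http:/i.test(c)) problems.push(`Contact web URI must use https: ${c}`)
  }

  const expires = values('expires')
  if (expires.length !== 1) {
    problems.push('Expires must appear exactly once')
  } else {
    const t = Date.parse(expires[0])
    if (Number.isNaN(t)) problems.push(`Expires is not an RFC 3339 date-time: ${expires[0]}`)
    else if (t <= now.getTime()) problems.push('file has expired')
    else if (t - now.getTime() > ONE_YEAR_MS) problems.push('Expires should be less than a year away')
  }

  if (values('preferred-languages').length > 1) {
    problems.push('Preferred-Languages must appear at most once')
  }
  return problems
}
```

Serving the same body on both entries of `SECURITY_TXT_PATHS` is the part the first bullet describes; running `validateSecurityTxt` against the deployed file in a scheduled check is what catches the silent failure mode of an `Expires` that has quietly passed.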
🎒 Tutorials
- #1524: Added option to helper functions allowing case insensitive input checks (kudos to @cnotin)
- #1524: Fixed skipped steps in Login Bender and Login Jim tutorials (kudos to @cnotin)
- #1526: Hint speech bubbles can now be placed after the fixture element with `fixtureAfter: true` (kudos to @cnotin)
- #1526: Reduced frequency of hint speech bubbles blocking input elements or menu items by using `fixtureAfter` (kudos to @cnotin)
🐛 Bugfixes
- #1516, #1517: User session residue is now cleaned up properly (kudos to @cnotin)
- #1519: Fix items counter being displayed as zero after login even when basket contained items (kudos to @cnotin)
- #1533: Product quantity limit is now applied on a per-order basis instead of a per-user basis (kudos to @cnotin)
- #1538: Delay search for security question by 1sec after last keystroke in Forgot Password screen
- #1536: Fixed visual glitch with horizontal dividers on My Payment Options screen (kudos to @MarcRler)
---
bkimminich released this
⚙️ DevOps Automation
- Swapped out GitHub Action for uploading release assets with one that works with existing `draft` releases in matrix builds
- Automatic mirroring of release artifacts to SourceForge (https://sourceforge.net/projects/juice-shop) has been restored
---
bkimminich released this
⚙️ DevOps Automation
- #1530: Replaced Travis-CI with GitHub Actions based CI/CD pipeline
- Docker `latest`, `snapshot` and `v*.*.*` images are now published for platforms `linux/amd64`, `linux/arm/v7` and `linux/arm64`
- Automatic mirroring of release artifacts to SourceForge (https://sourceforge.net/projects/juice-shop) is no longer available (⚠️)
- Packaged `.tgz` archives for `linux/arm64` are no longer provided (⚠️) in favor of `linux/arm64` Docker images
🗣️ Chatbot
- Added new chatbot utterances (e.g. for the official theme song of the shop)
- Reduced threshold for fuzzy matching of product price requests to produce hits earlier and make multi-match results occur at all
🐛 Bugfixes
- #1514: Fixed server crash upon notifying an unreachable `SOLUTIONS_WEBHOOK` URL
- #1512: Avoid accidental solve of View Basket challenge for Basket IDs that became `NaN` (kudos to @cnotin)
🛅 Miscellaneous
---
🎯 Challenges
- a0feeb8: Rephrased White-/Blacklist into Allow-/Blocklist in all affected challenges, corresponding hints as well as in entire code base
🔒 Security
- #1471: Payments from wallets with insufficient funds for purchase are now rejected on client- and server-side (kudos to @grijul)
- #1498: Credit card numbers are now returned in masked form by the API instead of masking on the client (kudos to @PranjalAgni)
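The three wallet and card fixes in these notes (#1562 in the release above, #1471 and #1498 here) share one theme: the client is not trusted to decide whose card is charged, whether the balance covers a purchase, or how much of a card number it gets to see. The following is an added example of those server-side checks, not Juice Shop's own code: it uses plain functions over an in-memory store instead of Express and Sequelize so it runs stand-alone, and the user ids, card ids, card numbers and balances are constructed for the example.

```javascript
// Added example, not Juice Shop's own code. Ids, card numbers and balances
// are constructed; amounts are integer cents.

function createStore () {
  return {
    // wallet balances keyed by user id
    users: new Map([[1, { wallet: 5000 }], [2, { wallet: 50000 }]]),
    // saved cards keyed by card id; userId records the owner
    cards: new Map([
      [10, { userId: 1, number: '4532015112830366', expiry: '12/28' }],
      [20, { userId: 2, number: '5555555555554444', expiry: '01/27' }]
    ])
  }
}

// #1498: keep only the last four digits. Masking happens before the value
// leaves the server, so no client ever holds the full number.
function maskCardNumber (number) {
  const digits = String(number).replace(/\D/g, '')
  if (digits.length < 4) throw new Error('invalid card number')
  return '*'.repeat(digits.length - 4) + digits.slice(-4)
}

// Card listing: only the caller's cards, already masked.
function listCards (store, sessionUserId) {
  const result = []
  for (const [id, card] of store.cards) {
    if (card.userId !== sessionUserId) continue
    result.push({ id, number: maskCardNumber(card.number), expiry: card.expiry })
  }
  return result
}

// #1562: wallet top-up. sessionUserId comes from the verified session/JWT,
// never from the request body; the card id in the body is only honoured
// when that card belongs to the caller.
function chargeWallet (store, sessionUserId, body) {
  const amount = Number(body.amount)
  if (!Number.isInteger(amount) || amount <= 0) {
    return { status: 400, error: 'invalid amount' }
  }
  const card = store.cards.get(Number(body.paymentId))
  // Same response for "no such card" and "not your card", so the endpoint
  // cannot be used to enumerate other users' card ids.
  if (!card || card.userId !== sessionUserId) {
    return { status: 402, error: 'Payment not accepted' }
  }
  const user = store.users.get(sessionUserId)
  user.wallet += amount
  return { status: 200, balance: user.wallet }
}

// #1471: checkout paid from the wallet. The server compares balance and
// price itself instead of trusting a client-side check.
function payFromWallet (store, sessionUserId, totalPrice) {
  const price = Number(totalPrice)
  if (!Number.isInteger(price) || price <= 0) {
    return { status: 400, error: 'invalid price' }
  }
  const user = store.users.get(sessionUserId)
  if (user.wallet < price) {
    return { status: 402, error: 'Insufficient funds' }
  }
  user.wallet -= price
  return { status: 200, balance: user.wallet }
}
```

The ownership check in `chargeWallet` is the whole fix for #1562: a request carrying someone else's `paymentId` fails exactly like one carrying a non-existent id, and the caller's identity is taken from the session rather than from anything the client sends.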
🎨 User Interface
- #1496: Slightly improved responsiveness of Score Board to have less off-screen elements and not hide columns prematurely
---
⚙️ DevOps Automation
- #1470: Added startup time metrics to Prometheus endpoint and Grafana dashboard template in `monitoring/grafana-dashboard.json`
- #1478: Added customization time metrics to Prometheus endpoint
- Failing `Arm64`-based build jobs will now break the CI/CD build again
🎯 Challenges
- Seal accidental leakage of 2FA secret via some administrative API endpoint (now handled identically to password)
- #1469: Close loophole that allowed a too easy solve of the "Deluxe Fraud" challenge
🐛 Bugfixes
- #1466: Fix typo in DB property preventing retrieval of existing shopping baskets
- f95cb15: Hide "Show tutorials only" button on Score Board if Hacking Instructor is not even enabled
- #1478: Refactored various startup preparations into `async`/`await` code and parallelized as much as possible
- #1474: Fixed contrast issues for captions on Photo Wall in all light-background themes
- Fixed issue with sold-out/quantity-left ribbon preventing clicks to open Product Details dialogs
🐳 Docker
- #1467: Updated Docker container user to work properly with the `runAsNonRoot` flag in Kubernetes
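The reason a container user needs attention for `runAsNonRoot` is that the kubelet verifies the flag by looking at the image's `USER`: a numeric uid can be checked, a user name cannot be resolved at admission time, so the pod is refused. The fragment below is an added example, not the project's Dockerfile; the base image, working directory, uid and start command are assumptions.

```dockerfile
# Added example, not the project's Dockerfile. Base image, paths, uid and
# entrypoint are assumptions; the numeric-vs-named USER rule is the point.
FROM node:14-alpine
WORKDIR /juice-shop
COPY --chown=65532:0 . .

# Weak: a named user. A pod with securityContext.runAsNonRoot: true is
# rejected with "container has runAsNonRoot and image has non-numeric user
# (juicer), cannot verify user is non-root", because the kubelet does not
# read the image's /etc/passwd to map the name to a uid.
# RUN adduser -D juicer && chown -R juicer /juice-shop
# USER juicer

# Hardened: a numeric uid the kubelet can verify is non-zero without any
# lookup. The uid does not need a passwd entry for a Node.js process.
USER 65532
EXPOSE 3000
CMD ["node", "build/app.js"]
```

If the image cannot be changed, setting an explicit non-zero `securityContext.runAsUser` in the pod spec satisfies the same check, at the cost of the image's files possibly not being readable by that uid.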
🌐 I18N
- Removed languages with no translations at all: 🇵🇰, 🇱🇹 and 🇦🇲
---
🐛 Bugfixes
- Changed order of startup validations so that failed frontend compilation becomes obvious earlier
- Fixed file downloads for custom themes causing potential `Error: ENOENT: no such file or directory, copyfile` issues
---
This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files. This release also contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release.
🎨 User Interface
- Performed upgrade to Angular 10 and Angular Material 10 (⚠️)
- Added Support Chat page where a smart bot will answer all important customer questions (kudos to our GSoC student @Scar26)
- #1413: Replaced `BarRating` component with `MatSlider` for feedback rating on Customer Feedback screen
- #1413: Replaced all read-only instances of `BarRating` component with `MatIcon`s on Score Board and admin dashboard
🏪 Convenience
- #1423: Added local backup save/restore support to the Score Board for challenge progress and client-side application settings (🔬)
🎯 Challenges
- Added Bully Chatbot (⭐) challenge
- Added Kill Chatbot (⭐⭐⭐⭐⭐) challenge (kudos to our GSoC student @Scar26)
- #1347: Added Meta Geo Stalking (⭐⭐) challenge
- #1347: Added Visual Geo Stalking (⭐⭐) challenge
- Added Poison Null Byte (⭐⭐⭐⭐) challenge
- #1413: Swapped `ng2-bar-rating` with another typosquatted frontend component due to removal of `BarRating` from all screens (⚡)
- Where applicable a Vulnerability Mitigation link is now shown on the Score Board after solving the corresponding hacking challenge
  - Links currently point to the best matching OWASP Cheat Sheet for each challenge (🔬)
- For solved challenges the Hacking Instructor button on the Score Board will now be removed instead of disabled
- Added a Tags column to the Score Board to mark special challenges (🔬)
  - "Shenanigans" marks challenges which are not considered serious and/or realistic but exist more for entertainment
  - "Contraption" indicates that a challenge is not exactly part of a realistic scenario but might be a bit forced or crafted
  - "OSINT" marks challenges which require some Internet research or "social stalking" activity outside the application
  - "Good Practice" highlights challenges which are less about vulnerabilities but promoting good (security) practices
  - "Danger Zone" marks potentially dangerous challenges which are disabled on Docker/Heroku by default due to RCE or other risks
  - "Good for Demos" highlights challenges which are suitable for live demos or awareness trainings
  - "Prerequisite" marks challenges which need to be solved before one or more other challenges can be (realistically) solved
  - "Brute Force" marks challenges where automation of some security tool or custom script is an option or even prerequisite
  - "Tutorial" marks challenges for which a Hacking Instructor script exists to assist newcomers
  - "Code Analysis" marks challenges where it can be helpful to rummage through some source code of the application or a third party
- Added a tooltip describing each challenge category to their corresponding filter button on the Score Board
- #1452: Accept an additional possible solution for Manipulate Basket challenge
🎭 Customization
- Added `geoStalkingMetaSecurityQuestion` and `geoStalkingMetaSecurityAnswer` as mandatory properties of one `memories` entry (⚠️)
- Added `geoStalkingVisualSecurityQuestion` and `geoStalkingVisualSecurityAnswer` as mandatory properties of one `memories` entry (⚠️)
- Enforce minimum number of two `memories` entries (⚠️)
- Added `challenges.showMitigations` property (defaults to `true`) to show or hide Vulnerability Mitigation links from the Score Board
- Added new `application.chatbot` subsection to configure `name`, `greeting`, `trainingData`, `defaultResponse` and `avatar` (kudos to our GSoC student @Scar26)
🎣 Solution Webhook
- Added `ctfFlag` property to webhook payload containing the flag code of the solved challenge (based on the `CTF_KEY` of the server instance)
🛍️ Products
- Added Juice Shop "Permafrost" 2020 Edition product
🗺️ I18N
- Challenge categories can now be translated and are shown in the selected language on the Score Board
- Added support for 🇹🇼 language