bkimminich released this Nov 15, 2018

🐛 Bugfixes

  • 66333bc: Fix user profile in installations from packaged release archives
  • 3f0af41: Fix issue with honestly solving two challenges which relied on HTML comments that the Angular compiler removed

Download OWASP Juice Shop

bkimminich released this Nov 10, 2018 · 17 commits to master since this release

This release contains major incompatible technical changes (⚠️) and makes significant incompatible changes to existing challenges (⚡️). The latter might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!

User Interface

  • Rewrite of AngularJS 1.6 frontend in Angular 7.0
  • Rewrite of Bootstrap UI in Material Design
  • Added filter toggles for solved challenges and challenge categories to Score Board

Challenges

  • Added new Forged Review challenge (⭐️⭐️⭐️)
  • Added new NoSQL Injection Tier 3 challenge (⭐️⭐️⭐️⭐️)
  • Added new Arbitrary File Write challenge (⭐️⭐️⭐️⭐️⭐️⭐️)
  • Added new Basket Access Tier 2 challenge (⭐️⭐️⭐️)
  • Added new Admin Registration challenge (⭐️⭐️⭐️)
  • Added new Login Amy challenge (⭐️⭐️⭐️)
  • Added new XSS Tier 5 challenge (⭐️⭐️⭐️⭐️)
  • Added new Email Leak challenge (⭐️⭐️⭐️⭐️⭐️)
  • Added new Multiple Likes challenge (⭐️⭐️⭐️⭐️⭐️⭐️)
  • Added new Server Side Template Injection challenge (⭐️⭐️⭐️⭐️⭐️⭐️)
  • Added new Server Side Request Forgery challenge (⭐️⭐️⭐️⭐️⭐️⭐️)
  • Increased difficulty of Christmas Special challenge from ⭐️⭐️⭐️ to ⭐️⭐️⭐️⭐️ (⚡️)
  • Slightly changed solution for Login Bjoern challenge to outpace online Rainbow Tables (⚡️)
  • Removed Eye Candy challenge (⚡️)
  • Disabled XXE Tier 1 and Tier 2 challenges in Docker and Heroku environments (⚡️)
  • Replaced <script> payloads for XSS Tier 0 to Tier 5 challenges with <iframe> payloads (⚡️)
  • Several challenges have now slightly (a few even significantly) different solution paths (⚡️)

Configuration

  • Added challenges.safetyOverride option to enable potentially dangerous challenges (e.g. XXE) regardless of runtime environment (defaults to false)
  • Added application.slackUrl property to define a Slack server or invite URL (defaults to http://owaspslack.com)
  • Allowed properties for application.theme are now bluegrey-lightgreen, blue-lightblue, deeppurple-amber, indigo-pink, pink-bluegrey, purple-green and deeporange-indigo (⚠️)
  • Changed application.gitHubRibbon property into true/false flag (⚠️)
  • Generic error page now displays the application.name property instead of the hardcoded "Juice Shop" as headline

I18N

  • Added Georgian translation (🇬🇪)

Miscellaneous

  • Improved and extended validation of configuration and preconditions during application start

The majority of changes in this release were developed by @Aashish683 and @CaptainFreak under mentorship of @J12934, @wurstbrot and @bkimminich during 🌞 Google Summer of Code 2018.

Download OWASP Juice Shop

bkimminich released this Sep 23, 2018 · 1115 commits to master since this release

🐛 Bugfixes

  • Fixed continueCode cookie lifetime calculation. Resolves seemingly random challenge restore issues.

Miscellaneous

  • Updated various dependencies and devDependencies

Download OWASP Juice Shop

bkimminich released this Sep 6, 2018 · 1172 commits to master since this release

Challenges

  • Extended continueCode cookie lifetime from 30 days to 1 year
  • XXE Tier 1 and XXE Tier 2 challenges are now unavailable when running on Docker or Heroku (⚡️)

🐛 Bugfixes

  • #661: Ensured runtime-safe behavior for users with a blank password
  • #669: Custom downloaded favicons no longer cause a server crash
  • #658: Disabled XML parsing when running in Docker container
  • 503ac6d: Disabled XML parsing when running on Heroku dyno

Miscellaneous

  • Updated various dependencies and devDependencies

Download OWASP Juice Shop

bkimminich released this Jul 25, 2018 · 1295 commits to master since this release

Non-functional Changes

  • #649: Ensure compatibility of Dockerfile when hosted on OpenShift platforms

Miscellaneous

  • Performed non-breaking updates on several module dependencies
  • Extended 🇧🇷 and 🇵🇹 translations

Download OWASP Juice Shop

bkimminich released this Jul 12, 2018

Challenges

  • Added new Steganography Tier 1 challenge (⭐️⭐️⭐️⭐️)
  • Added new Supply Chain Attack challenge (⭐️⭐️⭐️⭐️⭐️) (kudos to @Deep-Six)
  • One trivial avenue to retrieve password hashes has been closed

Miscellaneous

  • Existence and uniqueness of countryMapping per challenge (for FBCTF-powered CTFs) is now checked on startup
  • Hidden blueprint file has been improved for even more real-life value (kudos to @janesmae)
  • Added simple robots.txt file

Download OWASP Juice Shop

bkimminich released this Jun 15, 2018 · 1359 commits to master since this release

🔬 The engines version range specified in package.json no longer allows node.js 10.x! At the moment there are too many compatibility issues (e.g. with libxmljs and sqlite3) to be able to support node.js 10.x.

Changes

  • The impressive XSS Demo with music & keylogging has been moved out of the Vagrant VM into https://github.com/wurstbrot/shake-logger, from where it can be launched more easily using docker compose (kudos to @wurstbrot)
  • #603: Docker image now runs under a less privileged user juicer instead of root

I18N

  • Marked 🇮🇹, 🇯🇵, 🇧🇷 and 🇦🇪 translations as complete (>80%) in the UI
  • Improved 🇮🇹, 🇳🇱 and 🇦🇪 translations

Download OWASP Juice Shop

bkimminich released this Jun 6, 2018 · 1490 commits to master since this release

🐛 Fixes

  • Pinned libxmljs 0.18.7 dependency due to pre-built download / build errors with the latest 0.18.8 and the previous 0.18.6, at least on Windows 10 under node.js 8.x and 9.x

Download OWASP Juice Shop

bkimminich released this Jun 5, 2018

Fixes

  • Pinned libxmljs 0.18.6 dependency due to pre-built download / build errors with the latest 0.18.8
  • Removed CI pipelines for node.js 10.x from Travis-CI and Appveyor due to incompatibility with libxmljs 0.18.6

🔬 The engines version range specified in package.json still allows node.js 10.x for local development or experiments! Please note that no troubleshooting will be provided at the moment for failing Juice Shop installations on node.js 10.x.

Download OWASP Juice Shop