bkimminich / juice-shop

🎨 Frontend

• #1542: Migrated Angular frontend from version 10 to 11

🧹 Code Style/Linting

• Migrated frontend code linter from TSLint to ESLint based on standard-with-typescript configuration
• Migrated backend code linter from Standard to ESLint based on standard configuration
• Refactored code to comply with additional ESLint rules not present in previous TSLint/Standard linters

🐛 Bugfixes

• #1527: Fixed race condition between creation of PDF confirmation and wallet payment during checkout process
• #1525: Fixed memory leak in Score Board tutorial when waiting for DevTools

🛄 Miscellaneous

• #1547: Added distinct default user profile image for all admin accounts to set them apart from regular user accounts
• Rotated Juice Shop Artwork out of the available product inventory replacing it with Best Juice Shop Salesman Artwork
• Added new user stan@juice-sh.op to userbase prepopulated on startup
• #1440: Updated file-types dependency to latest major version (kudos to @cigar-galaxy82)

🚀 Features

• The security.txt is now accessible from both URLs officially defined in the corresponding RFC draft
• The security.txt now also contains the Preferred-Languages and Expires properties

🎒 Tutorials

• #1524: Added option to helper functions allowing case insensitive input checks (kudos to @cnotin)
• #1524: Fixed skipped steps in Login Bender and Login Jim tutorials (kudos to @cnotin)
• #1526: Hint speech bubbles can now be placed after the fixture element with fixtureAfter: true (kudos to @cnotin)
• #1526: Reduce frequency of hint speech bubbles blocking input elements or menu items by using fixtureAfter (kudos to @cnotin)

🐛 Bugfixes

• #1516, #1517: User session residue is now cleaned up properly (kudos to @cnotin)
• #1519: Fix items counter being displayed as zero after login even when basket contained items (kudos to @cnotin)
• #1533: Product quantity limit is now applied on a per-order basis instead of a per-user basis (kudos to @cnotin)
• #1538: Delay search for security question by 1sec after last keystroke in Forgot Password screen
• #1536: Fixed visual glitch with horizontal dividers on My Payment Options screen (kudos to @MarcRler)

⚙️ DevOps Automation

• Swap out GitHub Action for uploading release assets with one that works with existing draft releases in matrix builds
• Automatic mirroring of release artifacts to SourceForge (https://sourceforge.net/projects/juice-shop) has been restored

⚙️ DevOps Automation

• #1530: Replaced Travis-CI with GitHub Actions based CI/CD pipeline
• Docker latest, snapshot and v*.*.* images are now published for platforms linux/amd64, linux/arm/v7 and linux/arm64
• Automatic mirroring of release artifacts to SourceForge (https://sourceforge.net/projects/juice-shop) is no longer available (⚠️)
• Packaged .tgz archives for linux/arm64 are no longer provided (⚠️) in favor of linux/arm64 Docker images

🗣️ Chatbot

• Added new chatbot utterances (e.g. for the official theme song of the shop)
• Reduced threshold for fuzzy matching of product price requests to produce hits earlier and make multi-match results occur at all

🐛 Bugfixes

• #1514: Fixed server crash upon notifying an unreachable SOLUTIONS_WEBHOOK URL
• #1512: Avoid accidental solve of View Basket challenge for Basket IDs that became NaN (kudos to @cnotin)

🛅 Miscellaneous

• Reduced RAM and disk usage by updating to optimized juicy-chat-bot version
• #1515: Pre-existing orders now have a bonus point value corresponding with their total order amount (kudos to @cnotin)

🎯 Challenges

• a0feeb8: Rephrased White-/Blacklist into Allow-/Blocklist in all affected challenges, corresponding hints as well as in entire code base

🔒 Security

• #1471: Payments from wallets with insufficient funds for purchase are now rejected on client- and server-side (kudos to @grijul)
• #1498: Credit card numbers are now returned in masked form by the API instead of masking on the client (kudos to @PranjalAgni)

🎨 User Interface

• #1496: Slightly improved responsiveness of Score Board to have less off-screen elements and not hide columns prematurely

⚙️ DevOps Automation

• #1470: Added startup time metrics to Prometheus endpoint and Grafana dashboard template in monitoring/grafana-dashboard.json
• #1478: Added customization time metrics to Prometheus endpoint
• Failing Arm64-based build jobs will now break the CI/CD build again

🎯 Challenges

• Seal accidental leakage of 2FA secret via some admininstrative API endpoint (now handled identical to password)
• #1469: Close loophole that allowed a too easy solve of the "Deluxe Fraud" challenge

🐛 Bugfixes

• #1466: Fix typo in DB property preventing retrieval of existing shopping baskets
• f95cb15: Hide "Show tutorials only" button on Score Board if Hacking Instructor is not even enabled
• #1478: Refactored various startup preparations into async/await code and parallelize as much as possible
• #1474: Fixed contrast issues for captions on Photo Wall in all light-background themes
• Fixed issue with sold-out/quantity-left ribbon preventing clicks to open Product Details dialogs

🐳 Docker

• #1467: Update Docker container user to work properly with the runAsNonRoot flag in Kubernetes

🌐 I18N

• Removed languages with no translations at all: 🇵🇰, 🇱🇹 and 🇦🇲

🐛 Bugfixes

• Changed order of startup validations so that failed frontend compilation becomes obvious earlier
• Fixed file downloads for custom themes causing potential Error: ENOENT: no such file or directory, copyfile issues

🐛 Bugfixes

• f5bfd10: Fixed assertion of configurable security answer for Meta Geo Stalking challenge
• f5bfd10: Fixed assertion of configurable security answer for Visual Geo Stalking challenge

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files. This release also contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release.

🎨 User Interface

• Performed upgrade to Angular 10 and Angular Material 10 (⚠️)
• Added Support Chat page where a smart bot will answer all important customer questions (kudos to our GSoC student @Scar26)
• #1413: Replace BarRating component with MatSlider for feedback rating on Customer Feedback screen
• #1413: Replace all read-only instances of BarRating component with MatIcons on Score Board and admin dashboard

🏪 Convenience

• #1423: Added local backup save/restore support to the Score Board for challenge progress and client-side application settings (🔬)

🎯 Challenges

• Added Bully Chatbot (⭐) challenge
• Added Kill Chatbot (⭐⭐⭐⭐⭐) challenge (kudos to our GSoC student @Scar26)
• #1347: Added Meta Geo Stalking (⭐⭐) challenge
• #1347: Added Visual Geo Stalking (⭐⭐) challenge
• Added Poison Null Byte (⭐⭐⭐⭐) challenge
• #1413: Swapped ng2-bar-rating with another typosquatted frontend component due to removal of BarRating from all screens (⚡)
• Where applicable a Vulnerability Mitigation link is now shown on the Score Board after solving the corresponding hacking challenge
  • Links currently point to the best matching OWASP Cheat Sheet for each challenge (🔬)
• For solved challenges the Hacking Instructor button on the Score Board will now be removed instead of disabled
• Added a Tags column to the Score Board to mark special challenges (🔬)
  • "Shenanigans" marks challenges which are not considered serious and/or realistic but exist more for entertainment
  • "Contraption" indicates that a challenge is not exactly part of a realistic scenario but might be a bit forced or crafted
  • "OSINT" marks challenges which require some Internet research or "social stalking" actvitiy outside the application
  • "Good Practice" highlights challenges which are less about vulnerabilities but promoting good (security) practices
  • "Danger Zone" marks potentially dangerous challenges which are disabled on Docker/Heroku by default due to RCE or other risks
  • "Good for Demos" highlights challenges which are suitable for live demos or awareness trainings
  • "Prerequisite" marks challenges which need to be solved before one or more other challenges can be (realistically) solved
  • "Brute Force" marks challenges where automation of some security tool or custom script is an option or even prerequisite
  • "Tutorial" marks challenges for which a Hacking Instructor script exists to assist newcomers
  • "Code Analysis" marks challenges where it can be helpful to rummage through some source code of the application or a third party
• Added a tooltip describing each challenge category to their corresponding filter button on the Score Board
• #1452: Accept an additional possible solution for Manipulate Basket challenge

🎭 Customization

• Added geoStalkingMetaSecurityQuestion and geoStalkingMetaSecurityAnswer as mandatory properties of one memories entry (⚠️)
• Added geoStalkingVisualSecurityQuestion and geoStalkingVisualSecurityAnswer as mandatory properties of one memories entry (⚠️)
• Enforce minimum number of two memories entries (⚠️)
• Added challenges.showMitigations property (defaults to true) to show or hide Vulnerability Mitigation links from the Score Board
• Added new application.chatbot subsection to configure name, greeting, trainingData, defaultResponse and avatar (kudos to our GSoC student @Scar26)

🎣 Solution Webhook

• Added ctfFlag property to webhook payload containing the flag code of the solved challenge (based on the CTF_KEY of the server instance)

🛍️ Products

• Added Juice Shop "Permafrost" 2020 Edition product

🗺️ I18N

• Challenge categories can now be translated and are shown in the selected language on the Score Board
• Added support for 🇹🇼 language