@bkimminich bkimminich released this Jan 16, 2021 · 2 commits to master since this release

This release brings significant changes to existing challenges () which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! This release also contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release.

🎨 Frontend

  • #1276: Applied facelifted design to Accounting screen
  • #1276: Harmonized design of Challenge Solved and Server Restarted notifications with MatSnackBar toasts

🎯 Challenges

  • Changed default promotion video used in the Video XSS challenge to OWASP Membership ad video made by @nanzggits ()

⚙️ DevOps Automation

  • CI/CD pipeline now uses timeouts and retries for some test steps to compensate for flakiness of tests, race conditions or other occasional irregularities
    • Unit tests step (in test job) times out after 10 minutes and is retried twice
    • Integration tests step (in test job) times out after 5 minutes and is retried twice
    • End-to-end step (in e2e job) times out after 20 minutes and is retried once
    • No timeouts or retries are configured for the smoke and docker-smoke jobs
  • Added WebAppDefn specification .config/webapp.yml as proposed by the OSSF Security Tooling working group (🔬)

🐛 Bugfixes

  • #1562: Charging of digital wallet without or with another user's credit card is now prevented on server side

🧹 Code Style/Linting

  • Included stylelint module for linting and auto-fixing frontend SCSS files

🌐 I18N

  • Extended 🇫🇮, 🇷🇴, 🇹🇷 and 🇨🇳 translations

🛄 Miscellaneous

  • Marked both Juice Shop Adversary Trading Card products as deleted due to discontinuation of the "Adversary Trading Cards" CCG

Download OWASP Juice Shop

@bkimminich bkimminich released this Dec 30, 2020 · 64 commits to master since this release

🎨 Frontend

  • #1542: Migrated Angular frontend from version 10 to 11

🧹 Code Style/Linting

  • Migrated frontend code linter from TSLint to ESLint based on standard-with-typescript configuration
  • Migrated backend code linter from Standard to ESLint based on standard configuration
  • Refactored code to comply with additional ESLint rules not present in previous TSLint/Standard linters

🐛 Bugfixes

  • #1527: Fixed race condition between creation of PDF confirmation and wallet payment during checkout process
  • #1525: Fixed memory leak in Score Board tutorial when waiting for DevTools

🛄 Miscellaneous

  • #1547: Added distinct default user profile image for all admin accounts to set them apart from regular user accounts
  • Rotated Juice Shop Artwork out of the available product inventory replacing it with Best Juice Shop Salesman Artwork
  • Added new user stan@juice-sh.op to userbase prepopulated on startup
  • #1440: Updated file-types dependency to latest major version (kudos to @cigar-galaxy82)

Download OWASP Juice Shop

@bkimminich bkimminich released this Dec 19, 2020 · 134 commits to master since this release

🚀 Features

  • The security.txt is now accessible from both URLs officially defined in the corresponding RFC draft
  • The security.txt now also contains the Preferred-Languages and Expires properties

🎒 Tutorials

  • #1524: Added option to helper functions allowing case insensitive input checks (kudos to @cnotin)
  • #1524: Fixed skipped steps in Login Bender and Login Jim tutorials (kudos to @cnotin)
  • #1526: Hint speech bubbles can now be placed after the fixture element with fixtureAfter: true (kudos to @cnotin)
  • #1526: Reduced frequency of hint speech bubbles blocking input elements or menu items by using fixtureAfter (kudos to @cnotin)

🐛 Bugfixes

  • #1516, #1517: User session residue is now cleaned up properly (kudos to @cnotin)
  • #1519: Fix items counter being displayed as zero after login even when basket contained items (kudos to @cnotin)
  • #1533: Product quantity limit is now applied on a per-order basis instead of a per-user basis (kudos to @cnotin)
  • #1538: Delay search for security question by 1sec after last keystroke in Forgot Password screen
  • #1536: Fixed visual glitch with horizontal dividers on My Payment Options screen (kudos to @MarcRler)

Download OWASP Juice Shop

@bkimminich bkimminich released this Dec 10, 2020 · 196 commits to master since this release

⚙️ DevOps Automation

  • #1530: Replaced Travis-CI with GitHub Actions based CI/CD pipeline
  • Docker latest, snapshot and v*.*.* images are now published for platforms linux/amd64, linux/arm/v7 and linux/arm64
  • Automatic mirroring of release artifacts to SourceForge (https://sourceforge.net/projects/juice-shop) is no longer available (⚠️)
  • Packaged .tgz archives for linux/arm64 are no longer provided (⚠️) in favor of linux/arm64 Docker images

🗣️ Chatbot

  • Added new chatbot utterances (e.g. for the official theme song of the shop)
  • Reduced threshold for fuzzy matching of product price requests to produce hits earlier and make multi-match results occur at all

🐛 Bugfixes

  • #1514: Fixed server crash upon notifying an unreachable SOLUTIONS_WEBHOOK URL
  • #1512: Avoid accidental solve of View Basket challenge for Basket IDs that became NaN (kudos to @cnotin)

🛅 Miscellaneous

  • Reduced RAM and disk usage by updating to optimized juicy-chat-bot version
  • #1515: Pre-existing orders now have a bonus point value corresponding with their total order amount (kudos to @cnotin)
@bkimminich bkimminich released this Nov 5, 2020

🎯 Challenges

  • a0feeb8: Rephrased White-/Blacklist into Allow-/Blocklist in all affected challenges, corresponding hints as well as in entire code base

🔒 Security

  • #1471: Payments from wallets with insufficient funds for purchase are now rejected on client- and server-side (kudos to @grijul)
  • #1498: Credit card numbers are now returned in masked form by the API instead of masking on the client (kudos to @PranjalAgni)
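The three server-side fixes above (#1562 card ownership, #1471 insufficient funds, #1498 masking in the API) share one principle: the server enforces the rule from session state, never from client-supplied data. The following is an added example written for this page, not Juice Shop's own code; the in-memory cards and wallets are constructed sample data and the function names are hypothetical.

```javascript
// Constructed sample data: two users, each with one stored card and a wallet.
const cards = [
  { id: 1, userId: 7, number: '4111111111111111' },
  { id: 2, userId: 9, number: '5555444433332222' }
]
const wallets = { 7: { balance: 50 }, 9: { balance: 5 } }

// #1498: mask on the server so the full card number never reaches the client.
function maskCardNumber (number) {
  return '*'.repeat(number.length - 4) + number.slice(-4)
}

// Cards listed for the authenticated user are already masked in the response.
function listCards (sessionUserId) {
  return cards
    .filter(c => c.userId === sessionUserId)
    .map(c => ({ id: c.id, number: maskCardNumber(c.number) }))
}

// #1562: a wallet charge must reference a card, and that card must belong to
// the user identified by the session, not by anything in the request body.
function chargeWallet (sessionUserId, body) {
  if (!Number.isInteger(body.paymentId)) return { status: 400, error: 'Payment card required' }
  const card = cards.find(c => c.id === body.paymentId)
  if (!card || card.userId !== sessionUserId) return { status: 403, error: 'Card does not belong to user' }
  // Type check on purpose: a string "10" or a negative amount is rejected, not coerced.
  if (!Number.isFinite(body.amount) || body.amount <= 0) return { status: 400, error: 'Invalid amount' }
  wallets[sessionUserId].balance += body.amount
  return { status: 200, balance: wallets[sessionUserId].balance }
}

// #1471: paying from the wallet is refused server-side when funds are short,
// regardless of whether the client already disabled the button.
function payFromWallet (sessionUserId, total) {
  const wallet = wallets[sessionUserId]
  if (!Number.isFinite(total) || total <= 0) return { status: 400, error: 'Invalid total' }
  if (wallet.balance < total) return { status: 402, error: 'Insufficient funds' }
  wallet.balance -= total
  return { status: 200, balance: wallet.balance }
}
```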

🎨 User Interface

  • #1496: Slightly improved responsiveness of Score Board to have less off-screen elements and not hide columns prematurely

Download OWASP Juice Shop

@bkimminich bkimminich released this Oct 3, 2020

⚙️ DevOps Automation

  • #1470: Added startup time metrics to Prometheus endpoint and Grafana dashboard template in monitoring/grafana-dashboard.json
  • #1478: Added customization time metrics to Prometheus endpoint
  • Failing Arm64-based build jobs will now break the CI/CD build again

🎯 Challenges

  • Sealed accidental leakage of the 2FA secret via an administrative API endpoint (now handled identically to the password)
  • #1469: Close loophole that allowed a too easy solve of the "Deluxe Fraud" challenge

🐛 Bugfixes

  • #1466: Fix typo in DB property preventing retrieval of existing shopping baskets
  • f95cb15: Hide "Show tutorials only" button on Score Board if Hacking Instructor is not even enabled
  • #1478: Refactored various startup preparations into async/await code and parallelize as much as possible
  • #1474: Fixed contrast issues for captions on Photo Wall in all light-background themes
  • Fixed issue with sold-out/quantity-left ribbon preventing clicks to open Product Details dialogs

🐳 Docker

  • #1467: Update Docker container user to work properly with the runAsNonRoot flag in Kubernetes

🌐 I18N

  • Removed languages with no translations at all: 🇵🇰, 🇱🇹 and 🇦🇲

Download OWASP Juice Shop

@bkimminich bkimminich released this Sep 14, 2020

🐛 Bugfixes

  • Changed order of startup validations so that failed frontend compilation becomes obvious earlier
  • Fixed file downloads for custom themes causing potential Error: ENOENT: no such file or directory, copyfile issues

Download OWASP Juice Shop

@bkimminich bkimminich released this Sep 10, 2020

🐛 Bugfixes

  • f5bfd10: Fixed assertion of configurable security answer for Meta Geo Stalking challenge
  • f5bfd10: Fixed assertion of configurable security answer for Visual Geo Stalking challenge

Download OWASP Juice Shop

@bkimminich bkimminich released this Sep 9, 2020

This release brings significant changes to existing challenges () which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files. This release also contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release.

🎨 User Interface

  • Performed upgrade to Angular 10 and Angular Material 10 (⚠️)
  • Added Support Chat page where a smart bot will answer all important customer questions (kudos to our GSoC student @Scar26)
  • #1413: Replace BarRating component with MatSlider for feedback rating on Customer Feedback screen
  • #1413: Replace all read-only instances of BarRating component with MatIcons on Score Board and admin dashboard

🏪 Convenience

  • #1423: Added local backup save/restore support to the Score Board for challenge progress and client-side application settings (🔬)

🎯 Challenges

  • Added Bully Chatbot () challenge
  • Added Kill Chatbot () challenge (kudos to our GSoC student @Scar26)
  • #1347: Added Meta Geo Stalking () challenge
  • #1347: Added Visual Geo Stalking () challenge
  • Added Poison Null Byte () challenge
  • #1413: Swapped ng2-bar-rating with another typosquatted frontend component due to removal of BarRating from all screens ()
  • Where applicable a Vulnerability Mitigation link is now shown on the Score Board after solving the corresponding hacking challenge
    • Links currently point to the best matching OWASP Cheat Sheet for each challenge (🔬)
  • For solved challenges the Hacking Instructor button on the Score Board will now be removed instead of disabled
  • Added a Tags column to the Score Board to mark special challenges (🔬)
    • "Shenanigans" marks challenges which are not considered serious and/or realistic but exist more for entertainment
    • "Contraption" indicates that a challenge is not exactly part of a realistic scenario but might be a bit forced or crafted
    • "OSINT" marks challenges which require some Internet research or "social stalking" activity outside the application
    • "Good Practice" highlights challenges which are less about vulnerabilities but promoting good (security) practices
    • "Danger Zone" marks potentially dangerous challenges which are disabled on Docker/Heroku by default due to RCE or other risks
    • "Good for Demos" highlights challenges which are suitable for live demos or awareness trainings
    • "Prerequisite" marks challenges which need to be solved before one or more other challenges can be (realistically) solved
    • "Brute Force" marks challenges where automation of some security tool or custom script is an option or even prerequisite
    • "Tutorial" marks challenges for which a Hacking Instructor script exists to assist newcomers
    • "Code Analysis" marks challenges where it can be helpful to rummage through some source code of the application or a third party
  • Added a tooltip describing each challenge category to their corresponding filter button on the Score Board
  • #1452: Accept an additional possible solution for Manipulate Basket challenge

🎭 Customization

  • Added geoStalkingMetaSecurityQuestion and geoStalkingMetaSecurityAnswer as mandatory properties of one memories entry (⚠️)
  • Added geoStalkingVisualSecurityQuestion and geoStalkingVisualSecurityAnswer as mandatory properties of one memories entry (⚠️)
  • Enforce minimum number of two memories entries (⚠️)
  • Added challenges.showMitigations property (defaults to true) to show or hide Vulnerability Mitigation links from the Score Board
  • Added new application.chatbot subsection to configure name, greeting, trainingData, defaultResponse and avatar (kudos to our GSoC student @Scar26)

🎣 Solution Webhook

  • Added ctfFlag property to webhook payload containing the flag code of the solved challenge (based on the CTF_KEY of the server instance)

🛍️ Products

  • Added Juice Shop "Permafrost" 2020 Edition product

🗺️ I18N

  • Challenge categories can now be translated and are shown in the selected language on the Score Board
  • Added support for 🇹🇼 language

Download OWASP Juice Shop
