
@bkimminich released this Nov 6, 2019

👟 Runtime

  • Added support for Node.js 13.x while remaining on 12.x LTS for recommended version

🎯 Challenges

  • Added Missing Encoding challenge (⭐️) asking to retrieve a photo of @bkimminich's cat

🎨 User Interface

  • Added password strength indicator and advice on screens User Registration and Forgot Password

🎭 Customization

  • Added memories section to define initial Photo Wall entries
  • Added new demo theme addo.yml to run Juice Shop in an All Day DevOps conference look & feel
  • Improved auto-download of files to ignore URL query (?) parameters

🐛 Bugfixes

  • #1241: Fixed incident-support.kdbx to be impossible to unlock (kudos to @jamiemcgregor)
  • Fixed wrong port being displayed upon startup when PORT environment variable was set
  • Harmonized texts about bonus points on #/track-result and in order confirmation PDF
  • Changed links in Pwning OWASP Juice Shop product description into https://pwning.owasp-juice.shop

🛅 Miscellaneous

  • Added new user demo (Password: demo) with an address, credit card and wallet balance for speeding up shopping demos

Download OWASP Juice Shop


@bkimminich released this Oct 18, 2019

🐛 Bugfixes

  • Disabled Reflected XSS challenge on Docker/Heroku as it became unsolvable along with #1229

🌐 I18N

  • Completed translation of all backend strings for 🇩🇪 language

🛅 Miscellaneous

Download OWASP Juice Shop


@bkimminich released this Oct 14, 2019

🐛 Bugfixes

  • #1233: Added permission to allow copying language files to i18n/ folder within Docker containers
  • Fixed issue with i18n backend strings sometimes being loaded before the resource files had been copied

🎭 Customization

  • 9a0eee8: Added config/unsafe.yml which enables safety override for potentially dangerous challenges

Download OWASP Juice Shop


@bkimminich released this Oct 12, 2019

🎨 User Interface

  • User drop-down menu in navbar on big screens now shows same menus as sidenav on small screens
  • Improved tweet text templates offered during checkout on order completion
  • #1196: Fixed responsiveness of Accounting screen
  • #1197: Fixed redirect issues between Wallet payments and prefilling it from other payment sources

🎯 Challenges

  • #1216, #1229: Challenges NoSQL DoS and NoSQL Extraction are now disabled on Docker/Heroku

🌐 I18N

  • Added i18n to backend to provide translations (in default.yml configuration only) of
    • Product names and descriptions
    • Challenge descriptions and hints
    • Security questions

🏰 Security

  • Pre-packaged archives are now accompanied by a .md checksum file to verify them against

🛅 Miscellaneous

Download OWASP Juice Shop


@bkimminich released this Aug 29, 2019

🌶 Hotfix

  • #1199: Fixed /log folder ownership in Docker which crashed containers

🛅 Miscellaneous

🚭 Test Automation

  • Added smoke test for Docker images (runs during image auto-build on DockerHub)
  • Added smoke test for packaged distributions (runs as distinct build stage on Travis CI)

Download OWASP Juice Shop


@bkimminich released this Aug 26, 2019

This release brings significant changes to existing challenges (⚡️) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

🧩 Compatibility

  • Dropped support for Node.js 8.x and 9.x (⚠️)
  • Building client-side JavaScript for current and legacy browsers separately now (⚠️)

🎨 User Interface

  • Major refactoring of UI to Material Design standards and UX best practices (kudos to @MarcRler)
  • Migrated frontend to Angular 8
  • Introduced additional accessibility and usability features on all facelifted dialogs
  • Fixed icon for challenges that are disabled when run on Heroku
  • #1140: Fixed favicon not being displayed or customized any longer
  • Generic currency symbol (¤) is now shown on prices in UI and order confirmation PDFs
  • Order tracking screen now highlights actual delivery status in green color
  • Application name in navigation bar now works as home button like the logo does

🛒 GSoC Feature Pack 2019 by @agrawalarpit14

  • Extended realism by adding delivery addresses, payment options and delivery methods during Checkout
  • Products can now go out of stock and indicate so in the UI
  • Added Order Summary and Order Confirmation screens
  • Added accountant user role which is permitted to maintain inventory stock
  • Users can now add their juiciest memories to new Photo Wall
  • Added Deluxe Membership option for premium customers and corresponding special offers

🎯 Challenges

  • #1093: Refactored challenge names, descriptions and hints for better consistency and solvability (⚡️)
  • Added Database Schema challenge (⭐️⭐️⭐️) asking to exfiltrate the DB schema via SQLi
  • #1194: Added Ephemeral Accountant challenge (⭐️⭐️⭐️⭐️) demanding to log in a non-existing user
  • Both Blocked RCE DoS and Successful RCE DoS are disabled in containerized environments now (⚡️)
  • Renamed account email required for Login Bjoern challenge to match primary account email (⚡️)
  • Fixed HTTP-Header XSS challenge which could be solved but payload was not actually executed
  • Added tutorial button to welcome banner to help beginners find the Score Board

🎭 Customization

  • Renamed application.gitHubRibbon into application.showGitHubLinks (⚠️)
  • Replaced application.hideWelcomeBanner with subsection application.welcomeBanner (⚠️)
    • application.welcomeBanner.showOnFirstStart configures visibility of the banner
    • application.welcomeBanner.title and .message define the content of the banner
  • Now uses custom application name in TOTP name for 2FA

🎛 API

  • Renamed endpoint rest/data-export into rest/user/data-export to improve API consistency (⚡️)

🛅 Miscellaneous

  • #1188: Reduced Docker image size by optimizing layers
  • #1173: Safeguarded intended NoSQL vulnerability against malicious exploits by allowing only 40-character payloads
  • #535: Expiration of cookie-submitted auth tokens is now validated by /rest/whoami endpoint
  • #822: Fixed issue with cookie removal on logout

Download OWASP Juice Shop


@bkimminich released this Aug 5, 2019

🐌 Performance

  • #789: Fixed Score Board rendering performance by replacing FontAwesome with Angular Material icons

Download OWASP Juice Shop


@bkimminich released this Jun 7, 2019

🐛 Bugfixes

  • Fixed waiting animation on Score Board not appearing due to issue in ngx-spinner dependency chain

Download OWASP Juice Shop
