Skip to content

@bkimminich bkimminich released this Nov 10, 2018 · 4776 commits to master since this release

This release contains major incompatible technical changes (⚠️) and makes significant incompatible changes to existing challenges (⚡️). The latter might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!

User Interface

  • Rewrite of AngularJS 1.6 frontend in Angular 7.0
  • Rewrite of Bootstrap UI in Material Design
  • Added filter toggles for solved challenges and challenge categories to Score Board



  • Added new Forged Review challenge (⭐️⭐️⭐️)
  • Added new NoSQL Injection Tier 3 challenge (⭐️⭐️⭐️⭐️)
  • Added new Arbitrary File Write challenge (⭐️⭐️⭐️⭐️⭐️⭐️)
  • Added new Basket Access Tier 2 challenge (⭐️⭐️⭐️)
  • Added new Admin Registration challenge (⭐️⭐️⭐️)
  • Added new Login Amy challenge (⭐️⭐️⭐️)
  • Added new XSS Tier 5 challenge (⭐️⭐️⭐️⭐️)
  • Added new Email Leak challenge (⭐️⭐️⭐️⭐️⭐️)
  • Added new Multiple Likes challenge (⭐️⭐️⭐️⭐️⭐️⭐️)
  • Added new Server Side Template Injection challenge (⭐️⭐️⭐️⭐️⭐️⭐️)
  • Added new Server Side Request Forgery challenge (⭐️⭐️⭐️⭐️⭐️⭐️)
  • Increased difficulty of Christmas Special challenge from ⭐️⭐️⭐️ to ⭐️⭐️⭐️⭐️ (⚡️)
  • Slightly changed solution for Login Bjoern challenge to outpace online Rainbow Tables (⚡️)
  • Removed Eye Candy challenge (⚡️)
  • Disabled XXE Tier 1 and Tier 2 challenges in Docker and Heroku environments (⚡️)
  • Replaced <script> payloads for XSS Tier 0 to Tier 5 challenges with <iframe> payloads (⚡️)
  • Several challenges have now slightly (a few even significantly) different solution paths (⚡️)


  • Added challenges.safetyOverride option to enable potentially dangerous challenges (e.g. XXE) regardless of runtime environment (defaults to false)
  • Added application.slackUrl property to define a Slack server or invite URL (defaults to
  • Allowed properties for application.theme are now bluegrey-lightgreen, blue-lightblue, deeppurple-amber, indigo-pink, pink-bluegrey, purple-green and deeporange-indigo (⚠️)
  • Changed application.gitHubRibbon property into true/false flag (⚠️)
  • Generic error page now displayed property instead of hardcoded Juice Shop as headline


  • Added Georgian translation (🇬🇪)


  • Improved and extended validation of configuration and precondition during appliation start


The majority of changes in this release were developed by @Aashish683 and @CaptainFreak under mentorship of @J12934, @wurstbrot and @bkimminich during 🌞 Google Summer of Code 2018.

Download OWASP Juice Shop

Assets 8
You can’t perform that action at this time.