Geo Stalking challenges [⭐] #1347
Comments
If there are enough good ones to choose from, the two selected winners will receive a free Juice Shop t-shirt! https://twitter.com/owasp_juiceshop/status/1240213624704118784 (Disclaimer: While GitHub comment up-/downvotes might be considered, the final decision is made by the Project Core Team)
Hey, we're a group of 6 IT students who would like to work on implementing this challenge in the Juice Shop for a school project. Would it be an issue to forego the competition you set out and start working on it with our own pictures?
Sure, go ahead! Bonus task: Make both challenges configurable, i.e. so that you can configure the photos and ZIP / Dentist name.
There are some privacy/copyright issues with the dentist option. I don't think we're going to find a real dentist who wants their name to be used for this challenge. A fictional dentist would be hard; the only way to do that is to have the photo be doxxable without geodata, and it's likely to be copyrighted material.
We could change the Dentist bit in the question also to something else if that makes it less problematic from a privacy perspective. Like asking for a school or a store or something less personal. Ideas are welcome!
Hey, I'm one of the members of the team that is working on this. We were wondering how you would like to be able to configure the challenge. Currently, the photos on the photo wall can be changed in the default.yml file in the config folder and the security question/answer can be changed in the users.yml file in data/static. Is this fine as it is?
The security question/answer would have to be in the default.yml for this challenge because users.yml is not part of the customization (on purpose).
@justinsmid I've moved the configuration of the geo stalking challenges into
Also the users John/Emma now use the configured email domain and not a static one. See https://github.com/bkimminich/juice-shop/tree/pull/1409 if you're interested in what was changed to get that.
I'm not entirely sure if the Hacking Instructor scripts are a good idea, though. Researching the answers takes a bit of time, and there is not really much help coming from these tutorials other than what the hints on the Score Board already say. Essentially the user must figure it out and it's not really easy, so it is likely they are just getting stuck and can never solve the tutorial. That'd be bad for the new tutorial mode then, because they'd be blocked from getting the entire Score Board unlocked.
This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.
⭐ Challenge idea
Description
This could actually become two challenges with two different user accounts and individual pictures on the Photo Wall. One with geo tags in the image, one without but enough hints in the photo itself to deduce the location. The secret questions with which these challenges could work are:
💡 Should be two out of these three, preferably the dentist story (because there is no challenge with that question yet) plus one of the other two.
❓ Which one is better for the geo-tag and which for the visual hints?
Underlying vulnerability/ies
Expected difficulty
Possible attack flow
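The geo-tag variant of the challenge rests on Exif GPS metadata surviving in a published photo. As an added example (not Juice Shop's own code), the following walks a JPEG's segments, follows the Exif GPSInfo pointer (tag 0x8825) to report which GPS tags a photo carries, and applies the mitigation a photo wall would want before publishing: dropping the APP1 Exif segment. The sample JPEG is constructed in the code and is not a real photo; the tag numbers and segment layout follow the Exif/JPEG specifications.

```python
import struct

def _segments(jpeg):
    """Yield (marker, start, end) for each length-bearing JPEG segment up to SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def _exif_tiff(jpeg, marker, start, end):
    """Return the TIFF block of an APP1 Exif segment, or None for any other segment."""
    body = jpeg[start + 4:end]
    return body[6:] if marker == 0xE1 and body.startswith(b"Exif\0\0") else None

def _ifd_entries(tiff, offset, endian):
    """List (tag, type, count, value_or_offset) for one IFD; truncated data raises struct.error."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    return [struct.unpack_from(endian + "HHII", tiff, offset + 2 + 12 * i) for i in range(n)]

def exif_gps_tags(jpeg):
    """Return the GPS sub-IFD tag ids present in the image (empty set means no GPS metadata)."""
    for seg in _segments(jpeg):
        tiff = _exif_tiff(jpeg, *seg)
        if tiff and tiff[:2] in (b"II", b"MM"):      # TIFF byte-order mark
            endian = "<" if tiff[:2] == b"II" else ">"
            (ifd0,) = struct.unpack_from(endian + "I", tiff, 4)
            for tag, _type, _count, value in _ifd_entries(tiff, ifd0, endian):
                if tag == 0x8825:                       # GPSInfo IFD pointer
                    return {e[0] for e in _ifd_entries(tiff, value, endian)}
    return set()

def strip_exif(jpeg):
    """Mitigation: drop every APP1 Exif segment before the image is published."""
    out, keep_from = bytearray(), 0
    for seg in _segments(jpeg):
        if _exif_tiff(jpeg, *seg) is not None:
            out += jpeg[keep_from:seg[1]]
            keep_from = seg[2]
    return bytes(out + jpeg[keep_from:])

def build_sample_jpeg(with_gps):
    """Constructed test image (not a real photo): SOI, APP1 Exif with big-endian TIFF, EOI."""
    ifd0 = struct.pack(">HHHII", 1, 0x8825, 4, 1, 26) if with_gps else struct.pack(">H", 0)
    tiff = b"MM\x00\x2a\x00\x00\x00\x08" + ifd0 + b"\0\0\0\0"       # IFD0 at offset 8
    if with_gps:   # GPS IFD at 26: GPSLatitudeRef "N", GPSLatitude 51 deg 30' 0" (rationals at 56)
        tiff += struct.pack(">HHHI4sHHII", 2, 1, 2, 2, b"N\0\0\0", 2, 5, 3, 56) + b"\0\0\0\0"
        tiff += struct.pack(">6I", 51, 1, 30, 1, 0, 1)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

On a real upload path the check would run on the stored file, and `strip_exif` would be applied to every image regardless of the result, since the Exif block also carries other identifying fields.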