Releases: juice-shop/juice-shop

v18.0.0

17 Jun 05:08

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

👟 Runtime

  • Removed support for Node.js 18.x and no longer provide packaged distributions for this version (⚠️)
  • Removed unofficial support for Node.js 19.x
  • Switched XML parser from libxmljs to libxmljs2, for which binaries are available up to at least Node.js 24

🐳 Docker

  • Official Docker image now uses Node.js 22.x base images
  • Removed pre-build step specific to libxmljs

🎭 Customization

  • Added full-conversion DEF CON 33 theme that can be used with NODE_ENV=defcon33 npm start
  • #2625: Added a metricsIgnoredUserAgents config option to configure uncommon metric collector user-agents for challenge tracking. Support for more common metric collectors has been added too, see Bugfixes. (kudos to @SvenKirschbaum)

🎯 Challenges

  • Added new Leaked API Key ⭐⭐⭐⭐⭐-challenge
  • #2602: Added accompanying ftp/package-lock.json to make several Vulnerable Components category challenges more accessible
  • Cross-Site Imaging challenge now uses https://cataas.com/ instead of frequently unavailable http://placecats.com/ service (⚡)

🐛 Bugfixes

  • #2631: Fixed discount validation for "Forged Coupon" challenge to only trigger for 80%+ as intended
  • #2625: Fixed metric challenge getting solved by non-Prometheus monitoring agents, e.g. the OpenTelemetry collector (kudos to @SvenKirschbaum)

v17.3.0

22 Apr 22:13

🅰️ Frontend

  • Updated frontend to Angular 19.x and Angular Material 19.x (kudos to @logz254)

🎨 User Interface

  • #2541: Language selection dropdown is now searchable to make finding your preferred language even faster! (kudos to @AnvitaPrasad)

🐛 Bug Fixes

  • Fixed issue causing colors from themes not getting displayed correctly

🧹 Technical Debt Reduction

  • Migrated all server code to use ESM syntax for imports and exports
  • Replaced node-fetch and request with the new built-in fetch HTTP client in Node.js

🐳 Docker

  • Updated base image from Debian 11 to Debian 12

v17.2.0

14 Mar 21:04

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!

🅰️ Frontend

🎯 Challenges

🔧 Configuration

  • Added blueSkyUrl and mastodonUrl to social section of configuration

🎨 User Interface

  • Added BlueSky and Mastodon links to About Us screen

🐛 Bugfixes

  • #2341: Fixed "Product Tampering" challenge verification to work in any selected language
  • #2365: Restored prevention of unintentional RCE in NoSQL challenges (kudos to @KapilSareen)
  • #2384: Now checking challenge continue code for invalid characters before processing (kudos to @drwtsn95)
  • #2404: Fixed "Upload Size" challenge verification to trigger properly in all situations (kudos to @criticic)
  • #2317: Hacking Instructor script is now again lazy-loaded into the browser (kudos to @alekszivko)

v17.1.1

09 Sep 16:06

🛒 Product Inventory

v17.1.0

05 Aug 15:07

👟 Runtime

  • Added support for Node.js 22.x

🎨 User Interface

  • #2261: Improved visuals of scrollbars on Score Board challenge panels with longer description text (kudos to @ThReinecke)

👨‍🏫 Tutorials

  • #2273: Added tutorial script for "Admin Section" ⭐⭐-challenge (kudos to @ThReinecke)
  • #2278: Added tutorial script for "Reflected XSS" ⭐⭐-challenge (kudos to @ThReinecke)
  • #2286: Helper function now better recognizes when DevTools have been opened during a tutorial (kudos to @ThReinecke)

🐛 Bugfixes

  • #2303: Reverted dependency optimization resulting in build/ artifacts missing for production builds
  • #2266: Fixed long name of OWASP in Welcome Banner text (kudos to @stuebingerb)
  • #2279: Hiding button to launch hacking instructor from Score Board when hackingInstructor.isEnabled is false
  • #2279: Hiding or disabling button to launch coding challenge from Score Board according to challenges.codingChallengesEnabled being never, always or solved

v17.0.0

24 May 21:08

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

🎯 Challenges

  • #2198: Added new Security Advisory ⭐⭐⭐-challenge

🎨 UI

  • Removed legacy Score Board and all related settings and services (⚠️)
  • Removed re-routing of legacy challenge=<name> parameter obsoleted by OWASP/OpenCRE#467 (⚠️)

🧹 Housekeeping

  • Changed back to libxmljs because libxmljs2 is no longer maintained
    • Installation from source on Node.js 18-20 will download pre-built binaries for the underlying C++ library as in libxmljs2
    • Installation from source code on Node.js >20 currently requires C++ binaries to be built during installation (⚠️)

💾 Local Backup

  • Removed scoreBoard subsection from backup format along with removal of legacy Score Board (compatible with the version: 1 backup format as the subsection from older exports would now simply be ignored during import)

🕵️ Cheat Detection

  • Further pre-solve interactions after the first with the same expected URL will no longer be counted
  • Cheat score is increased by half the percentage of missing expected pre-solve interactions with the server

🎭 Custom Theming

  • Adjusted image URLs in 7ms theme and extended with photo wall entries and new products

🐳 Docker

  • #2447: Significantly reduce Docker image size by omitting unneeded dependencies

v16.0.1

22 Apr 13:36

🐛 Bugfixes

  • #2236: Updated links to Authorization Cheat Sheet as successor of deprecated Access Control Cheat Sheet (kudos to @bceylan)
  • 992780c: Fixed null-unsafe property access during JWT decoding

v16.0.0

19 Dec 15:35

This release brings technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

👟 Runtime

  • Added support for Node.js 21.x
  • Removed support for Node.js 16.x and no longer provide packaged distributions for this version (⚠️)
  • Removed unofficial support for Node.js 17.x

🎨 UI

  • 1946f2e: The new Score Board introduced with v15.1.0 is now the default
  • Inverted banners and option to switch layouts to allow setting the legacy Score Board as default
  • #2152: Enhanced scrolling behavior in Coding Challenge modal to keep buttons always visible (kudos to @bogminic)

🕵️ Cheat Detection

  • #2150: Switched to median instead of average to calculate total cheat score
  • Monitor and report on expected URL interactions to happen before related challenges are solved (no score impact yet)

🔙 Backward compatibility

  • #2149: Links to /#/score-board?challenge=<name> will now be rewritten into /#/score-board?searchQuery= to keep existing OpenCRE links working

⚙️ DevOps Automation

  • Update default Node.js version for non-matrix build jobs to 20.x
  • Update Node.js version in base Docker images to 20.x

v15.3.0

03 Nov 20:11

🎨 User Interface

  • #2116: Introduced full responsiveness to Digital Wallet, Crypto Wallet, Token Sale, Juicy Chatbot SBT, Web3 Code Sandbox, and Bee Haven screens (kudos to @rishabhkeshan)

👮 Startup Validations

  • 98c1941: Added warning-only startup check for domains (on Internet) being reachable from the server
    • https://www.alchemy.com/ is needed for the "Mint the Honeypot" and "Wallet Depletion" challenges

💾 Local Backup

  • Added optional scoreBoard.scoreBoardVersion property to persist/restore score-board-version property from/to browser local storage

🐛 Bugfixes

  • #2120: Replaced all references to github.com/bkimminich/juice-shop with github.com/juice-shop/juice-shop

⚙️ DevOps Automation

  • #2115: Unstuck Angular installation in configuration for GitHub Codespaces (kudos to @MatteoGheza)

🌐 I18N

  • #2105: Add translation support for Crypto Wallet screen
  • Add translation support for Web3 Code Sandbox screen
  • Add translation support for Bee Haven and Juicy Chatbot SBT screen (kudos to @MatteoGheza)
  • Extended 🇨🇳, 🇹🇷 and 🇩🇪 translations
  • Added 🇧🇩 to language dropdown

v15.2.1

03 Oct 21:17

🐛 Bugfixes