github juice-shop/juice-shop v10.0.0

4 years ago

This release brings significant changes to existing challenges (⚡️) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

🎨 User Interface

  • Migrated application frontend to Angular 9
  • #1276: Harmonized and refactored UI for many existing Angular components
    • address, address-select, address-create and saved-address
    • delivery-method, basket and purchased-basket
    • wallet, payment, payment-method and saved-payment-methods
    • product-details and product-review-edit
    • forgot-password and photo-wall
  • #1276: More system messages above forms have been replaced by 5sec notifications at the bottom of the screen
  • Improved overall responsiveness of Score Board, Payment and Welcome Banner screens
  • Removed Track Orders screen as the order tracking is already reachable via Order Summary and Order History
  • Tutorial button on Welcome Banner now clearly says "Help getting started"
  • Added icons to several buttons which previously only had text
  • #1290: Added an "Already a customer?"-link back from Registration to Log In screen (kudos to @ridhishjain)

🎭 Customization

  • Extended schema validation of YAML configuration upon server startup
  • Offer manual config schema validation via npm run validate -- -f <path to config>
  • #1281: Add new application.googleOAuth section to allow custom GCP apps to handle OAuth
  • #1301: Add new application.customMetricsPrefix property to customize prefix and app label in Prometheus endpoint
  • Add new application.social.questionnaireUrl property for a user questionnaire link
  • Refactored several properties of the application section (⚠️)
    • planetName now is application.easterEggPlanet.name
    • planetOverlayMap now is application.easterEggPlanet.overlayMap
    • showChallengeSolvedNotifications now is challenges.showSolvedNotifications
    • showChallengeHints now is challenges.showHints
    • twitterUrl, facebookUrl, slackUrl, redditUrl and pressKitUrl moved into application.social
  • Removed deprecated fallback option application.showHackingInstructor (⚠️)
  • Use key instead of email from data/static/users.yml as reviews.author reference (⚠️)
  • Set challenges.safetyOverride: true by default in ctf.yml configuration
  • #1304: Legacy User Profile screen now shows custom logo instead of static Juice Shop logo (kudos to @Scar26)
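The key renames marked ⚠️ above are mechanical, so the following Node.js snippet, added here as an example and not part of the Juice Shop code base, rewrites a pre-v10.0.0 customization config to the v10.0.0 layout: it moves each renamed key, drops the removed application.showHackingInstructor fallback with a warning, and maps products[].reviews[].author from an e-mail address to the matching users.yml key. It works on the plain object a YAML loader (e.g. js-yaml) hands back, so reading and writing the file is left to the caller. The shape of the users.yml entries (an email field holding only the local part, plus a key field) and the sample values are assumptions.

```javascript
// Added example: migrate a pre-v10.0.0 Juice Shop customization config
// object to the v10.0.0 key layout. Not part of the Juice Shop code base.
// Operates on the plain object returned by a YAML loader.

// [old dotted path, new dotted path] for every rename in the release notes
const RENAMED_KEYS = [
  ['application.planetName', 'application.easterEggPlanet.name'],
  ['application.planetOverlayMap', 'application.easterEggPlanet.overlayMap'],
  ['application.showChallengeSolvedNotifications', 'challenges.showSolvedNotifications'],
  ['application.showChallengeHints', 'challenges.showHints'],
  ['application.twitterUrl', 'application.social.twitterUrl'],
  ['application.facebookUrl', 'application.social.facebookUrl'],
  ['application.slackUrl', 'application.social.slackUrl'],
  ['application.redditUrl', 'application.social.redditUrl'],
  ['application.pressKitUrl', 'application.social.pressKitUrl']
]

// Removed without replacement: dropped with a warning so nobody keeps relying on it
const REMOVED_KEYS = ['application.showHackingInstructor']

function getPath (obj, path) {
  return path.split('.').reduce((node, key) => (node == null ? undefined : node[key]), obj)
}

function setPath (obj, path, value) {
  const keys = path.split('.')
  const last = keys.pop()
  const parent = keys.reduce((node, key) => {
    if (node[key] === undefined) node[key] = {}
    return node[key]
  }, obj)
  parent[last] = value
}

function deletePath (obj, path) {
  const keys = path.split('.')
  const last = keys.pop()
  const parent = keys.length ? getPath(obj, keys.join('.')) : obj
  if (parent && typeof parent === 'object') delete parent[last]
}

// users: entries from data/static/users.yml; assumed to carry `email`
// (local part only) and `key`. Returns a new config plus migration warnings.
function migrateConfig (oldConfig, users = []) {
  const config = JSON.parse(JSON.stringify(oldConfig)) // never mutate the input
  const warnings = []

  for (const [from, to] of RENAMED_KEYS) {
    const value = getPath(config, from)
    if (value === undefined) continue // already migrated or never set
    if (getPath(config, to) !== undefined) {
      warnings.push(`${to} is already set; dropping legacy ${from}`)
    } else {
      setPath(config, to, value) // falsy values (false, '') are moved too
    }
    deletePath(config, from)
  }

  for (const key of REMOVED_KEYS) {
    if (getPath(config, key) !== undefined) {
      warnings.push(`${key} was removed in v10.0.0 and has been dropped`)
      deletePath(config, key)
    }
  }

  // reviews.author: "admin@juice-sh.op" -> "admin" (the users.yml key).
  // Authors without an "@" are assumed to be keys already and left alone.
  const keyByEmail = new Map(users.map(u => [u.email, u.key]))
  for (const product of config.products || []) {
    for (const review of product.reviews || []) {
      if (typeof review.author !== 'string' || !review.author.includes('@')) continue
      const key = keyByEmail.get(review.author) || keyByEmail.get(review.author.split('@')[0])
      if (key) review.author = key
      else warnings.push(`no users.yml key found for review author ${review.author}`)
    }
  }

  return { config, warnings }
}
```

Running the result through npm run validate -- -f <path to config> afterwards is still worthwhile: the migration only knows about the renames listed in these notes, and the schema validation catches anything else the custom file got wrong.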

🚔 Start-up validations

  • Check for supported OS will now actually be performed (⚠️)
  • Check for supported CPU will now actually be performed (⚠️)

🎯 Challenges

  • Added challenge Exposed Metrics (⭐) to find an exposed Prometheus endpoint (kudos to @Scar26)
  • Increased difficulty of Reflected XSS from ⭐ to ⭐⭐ due to slightly less obvious attack path
  • Disabled challenges potentially harmful for innocent visitors on Docker and Heroku (⚡️)
    • "Server-side XSS Protection"
    • "Classic Stored XSS"
    • "Client-side XSS Protection"
    • "Video XSS"
    • "HTTP-Header XSS"
    • "API-only XSS"
    • "Arbitrary File Write"
  • Extended accepted solutions for "Supply Chain Attack" challenge
  • #1274: Added encrypted announcement as additional "Blockchain Hype" attack vector (kudos to @jainendra)
  • #1288: Unavailable challenges can now be hidden on the Score Board (kudos to @Scar26)

🤖 Hacking Instructor

  • #1277: Added tutorials for Privacy Policy, Password Strength, Login Jim and Login Bender challenges as well as View Basket and Forged Feedback (kudos to @cldrn for the last two)

⚙️ DevOps Automation

  • Added GitHub Action to automatically fix minor code style errors when possible by running npm run lint:fix (kudos to @JuiceShopBot)
  • #1275: Added endpoint to provide functional, hacking progress and application health metrics to a Prometheus monitor
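The metrics endpoint is the target of the new Exposed Metrics challenge, so it is worth knowing what someone who reaches it without authentication can read off it. The following Node.js snippet is an added example, not Juice Shop code: a parser for the Prometheus text exposition format applied to a constructed scrape, plus helpers that pick out the app-prefixed metric families and derive hacking progress from them. The sample metric and label names, and the default prefix juiceshop, are assumptions; the real endpoint's names may differ, and the prefix is whatever application.customMetricsPrefix is set to.

```javascript
// Added example: parse a Prometheus text-format scrape and summarise what it
// leaks. Not part of Juice Shop; the scrape below is constructed and its
// metric/label names are assumptions.

const SAMPLE_SCRAPE = `
# HELP juiceshop_challenges_solved Number of solved challenges grouped by difficulty.
# TYPE juiceshop_challenges_solved gauge
juiceshop_challenges_solved{difficulty="1",app="juiceshop"} 3
juiceshop_challenges_solved{difficulty="2",app="juiceshop"} 1
juiceshop_challenges_solved{difficulty="3",app="juiceshop"} 0
# HELP juiceshop_user_logins_total Number of user logins grouped by login type.
# TYPE juiceshop_user_logins_total counter
juiceshop_user_logins_total{type="password",app="juiceshop"} 7
juiceshop_user_logins_total{type="oauth",app="juiceshop"} 2
# HELP process_cpu_seconds_total Total user and system CPU time spent in seconds.
# TYPE process_cpu_seconds_total counter
process_cpu_seconds_total 4.2 1588000000000
`

// name, optional {labels}, value, optional millisecond timestamp
const SAMPLE_RE = /^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{(.*)\})?\s+(\S+)(?:\s+(-?\d+))?$/
const LABEL_RE = /([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"/g

// Undo the three escapes the exposition format defines for label values
function unescapeLabel (raw) {
  return raw.replace(/\\(["\\n])/g, (_, c) => (c === 'n' ? '\n' : c))
}

// The format spells infinities and NaN differently from JavaScript
function parseValue (s) {
  if (s === '+Inf') return Infinity
  if (s === '-Inf') return -Infinity
  if (s === 'NaN') return NaN
  return Number(s)
}

// Returns { meta: { name: { help, type } }, samples: [{ name, labels, value, timestamp }] }
function parsePrometheusText (text) {
  const meta = {}
  const samples = []
  for (const raw of text.split('\n')) {
    const line = raw.trim()
    if (line === '') continue
    if (line.startsWith('#')) {
      const m = /^#\s+(HELP|TYPE)\s+(\S+)\s+(.*)$/.exec(line)
      if (m) {
        meta[m[2]] = meta[m[2]] || {}
        meta[m[2]][m[1].toLowerCase()] = m[3]
      }
      continue // any other "#" line is a plain comment
    }
    const m = SAMPLE_RE.exec(line)
    if (!m) throw new Error(`unparseable sample line: ${line}`)
    const labels = {}
    for (const [, key, value] of (m[2] || '').matchAll(LABEL_RE)) labels[key] = unescapeLabel(value)
    samples.push({
      name: m[1],
      labels,
      value: parseValue(m[3]),
      timestamp: m[4] === undefined ? null : Number(m[4])
    })
  }
  return { meta, samples }
}

// Metric families that carry the app prefix, i.e. the ones specific to the
// shop rather than the default Node.js process metrics
function appMetricFamilies (samples, prefix = 'juiceshop') {
  const names = new Set(samples.map(s => s.name).filter(n => n.startsWith(`${prefix}_`)))
  return [...names].sort()
}

// Solved challenges per difficulty label; the prefix follows
// application.customMetricsPrefix (assumed default: juiceshop)
function challengeProgress (samples, prefix = 'juiceshop') {
  const metric = `${prefix}_challenges_solved`
  const byDifficulty = {}
  let total = 0
  for (const s of samples) {
    if (s.name !== metric) continue
    const d = s.labels.difficulty || 'unknown'
    byDifficulty[d] = (byDifficulty[d] || 0) + s.value
    total += s.value
  }
  return { total, byDifficulty }
}
```

For a CTF that should not reveal how far other players have got, this is the check to run against your own deployment: if challengeProgress returns anything for an unauthenticated scrape, the endpoint is exposed, and changing the prefix only renames the leak rather than closing it.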

🌐 I18N

  • Bonus points messages on Track Order screen are now translatable
  • Server-side error messages on multiple screens are now translatable
  • Extended 🇷🇺, 🇨🇳, 🇪🇪, 🇳🇱, 🇪🇸, 🇦🇪 and 🇨🇭 translations

🛅 Miscellaneous

  • Refactored APIs for Memory, Wallet and deluxe memberships into proper endpoints under /rest
  • Feedback comments now get the (anonymized) author's email appended
  • Added Google login on http://penguin.termina.linux.test:3000 for Chromebooks
  • Switched back to official i18n-node version after merge of fix for mashpie/i18n-node#419
  • #1314: Wrapped all router navigation into NgZone.run() to keep unit test suite from spamming warnings
