This release brings significant changes to existing challenges (⚡️) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.
🎨 User Interface
- Migrated application frontend to Angular 9
- #1276: Harmonized and refactored UI for many existing Angular components
  - `address`, `address-select`, `address-create` and `saved-address`
  - `delivery-method`, `basket` and `purchased-basket`
  - `wallet`, `payment`, `payment-method` and `saved-payment-methods`
  - `product-details` and `product-review-edit`
  - `forgot-password` and `photo-wall`
- #1276: More system messages above forms have been replaced by 5-second notifications at the bottom of the screen
- Improved overall responsiveness of Score Board, Payment and Welcome Banner screens
- Removed Track Orders screen as the order tracking is already reachable via Order Summary and Order History
- Tutorial button on Welcome Banner now clearly says "Help getting started"
- Added icons to several buttons which previously only had text
- #1290: Added an "Already a customer?"-link back from Registration to Log In screen (kudos to @ridhishjain)
🎭 Customization
- Extended schema validation of YAML configuration upon server startup
- Offer manual config schema validation via `npm run validate -- -f <path to config>`
- #1281: Add new `application.googleOAuth` section to allow custom GCP apps to handle OAuth
- #1301: Add new `application.customMetricsPrefix` property to customize prefix and `app` label in Prometheus endpoint
- Add new `application.social.questionnaireUrl` property for a user questionnaire link
- Refactored several properties of the `application` section (⚠️)
  - `planetName` now is `application.easterEggPlanet.name`
  - `planetOverlayMap` now is `application.easterEggPlanet.overlayMap`
  - `showChallengeSolvedNotifications` now is `challenges.showSolvedNotifications`
  - `showChallengeHints` now is `challenges.showHints`
  - `twitterUrl`, `facebookUrl`, `slackUrl`, `redditUrl` and `pressKitUrl` moved into `application.social`
- Removed deprecated fallback option `application.showHackingInstructor` (⚠️)
- Use `key` instead of `email` from `data/static/users.yml` as `reviews.author` reference (⚠️)
- Set `challenges.safetyOverride: true` by default in `ctf.yml` configuration
- #1304: Legacy User Profile screen now shows custom logo instead of static Juice Shop logo (kudos to @Scar26)
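For anyone carrying an existing customization file across this release, the following is an added example (not part of this release and not Juice Shop's own code) that applies the renames and the removal listed above to a config that has already been parsed into a plain object. Loading and writing the YAML itself is assumed to be done with a separate parser, and the `LEGACY_CONFIG` object is constructed here for illustration only.

```javascript
// Added example, not Juice Shop's own code: apply the property renames and the
// removal listed in this release to a pre-v10 customization config that has
// already been parsed into a plain object (e.g. with a YAML library; loading
// and writing YAML is out of scope here). LEGACY_CONFIG is constructed for this
// example; its values are illustrative, not a real shipped config.

const LEGACY_CONFIG = {
  application: {
    name: "Example Shop",
    planetName: "Orangeuze",
    planetOverlayMap: "orangemap2k.jpg",
    showChallengeSolvedNotifications: true,
    showChallengeHints: false,
    showHackingInstructor: true,
    twitterUrl: "https://twitter.com/example",
    slackUrl: "https://example.slack.com",
  },
  challenges: { safetyOverride: false },
};

// Old dotted path -> new dotted path, as listed under Customization above.
const RENAMES = [
  ["application.planetName", "application.easterEggPlanet.name"],
  ["application.planetOverlayMap", "application.easterEggPlanet.overlayMap"],
  ["application.showChallengeSolvedNotifications", "challenges.showSolvedNotifications"],
  ["application.showChallengeHints", "challenges.showHints"],
  ["application.twitterUrl", "application.social.twitterUrl"],
  ["application.facebookUrl", "application.social.facebookUrl"],
  ["application.slackUrl", "application.social.slackUrl"],
  ["application.redditUrl", "application.social.redditUrl"],
  ["application.pressKitUrl", "application.social.pressKitUrl"],
];
// Options dropped in this release: migrated configs should not carry them.
const REMOVED = ["application.showHackingInstructor"];

function getPath(obj, path) {
  return path.split(".").reduce(
    (cur, key) => (cur !== null && typeof cur === "object" ? cur[key] : undefined),
    obj
  );
}

function setPath(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (cur[key] === null || typeof cur[key] !== "object") cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
}

function deletePath(obj, path) {
  const keys = path.split(".");
  const parent = keys.length === 1 ? obj : getPath(obj, keys.slice(0, -1).join("."));
  if (parent !== null && typeof parent === "object") delete parent[keys[keys.length - 1]];
}

// Returns a migrated deep copy plus human-readable warnings; the input is not mutated.
function migrateConfig(legacy) {
  const config = JSON.parse(JSON.stringify(legacy)); // configs are plain data
  const warnings = [];
  for (const [from, to] of RENAMES) {
    const value = getPath(config, from);
    if (value === undefined) continue; // property not used in this config
    if (getPath(config, to) !== undefined) {
      warnings.push(`${to} is already set; keeping it and dropping legacy ${from}`);
    } else {
      setPath(config, to, value);
    }
    deletePath(config, from);
  }
  for (const path of REMOVED) {
    if (getPath(config, path) !== undefined) {
      deletePath(config, path);
      warnings.push(`${path} was removed in this release and has been dropped`);
    }
  }
  return { config, warnings };
}

const result = migrateConfig(LEGACY_CONFIG);
console.log(JSON.stringify(result.config, null, 2));
for (const w of result.warnings) console.warn("warning:", w);
```

After writing the migrated object back out as YAML, run `npm run validate -- -f <path to config>` against it so the extended start-up schema validation is exercised before the server is started.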
🚔 Start-up validations
- Check for supported OS will now actually be performed (⚠️)
- Check for supported CPU will now actually be performed (⚠️)
🎯 Challenges
- Added challenge Exposed Metrics (⭐) to find an exposed Prometheus endpoint (kudos to @Scar26)
- Increased difficulty of Reflected XSS from ⭐ to ⭐⭐ due to slightly less obvious attack path
- Disabled challenges potentially harmful for innocent visitors on Docker and Heroku (⚡️)
  - "Server-side XSS Protection"
  - "Classic Stored XSS"
  - "Client-side XSS Protection"
  - "Video XSS"
  - "HTTP-Header XSS"
  - "API-only XSS"
  - "Arbitrary File Write"
- Extended accepted solutions for "Supply Chain Attack" challenge
- #1274: Added encrypted announcement as additional "Blockchain Hype" attack vector (kudos to @jainendra)
- #1288: Unavailable challenges can now be hidden on the Score Board (kudos to @Scar26)
🤖 Hacking Instructor
- #1277: Added tutorials for Privacy Policy, Password Strength, Login Jim and Login Bender challenges as well as View Basket and Forged Feedback (kudos to @cldrn for the last two)
🛍 Products
- Added the Tabletop Simulator version of OWASP Snakes and Ladders - Web Applications
- Added the Tabletop Simulator version of OWASP Snakes and Ladders - Mobile Apps
- Added the OWASP Juice Shop Holographic Sticker
⚙️ DevOps Automation
- Added GitHub Action to automatically fix minor code style errors when possible by running `npm run lint:fix` (kudos to @JuiceShopBot)
- #1275: Added endpoint to provide functional, hacking progress and application health metrics to a Prometheus monitor
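The metrics endpoint from #1275 is also what the new Exposed Metrics challenge asks players to discover, and `application.customMetricsPrefix` controls the prefix and `app` label those metrics carry. The following is an added example (not Juice Shop's own code) that parses a Prometheus text-exposition body, as a scraper or a player probing the endpoint would receive it, and separates the application's own metrics from the process defaults. The `SAMPLE_BODY`, the metric names and the `juiceshop` prefix / `juice-shop` label are constructed assumptions for this example, not the project's real metric names.

```javascript
// Added example, not Juice Shop's own code: parse a Prometheus text-exposition
// body as returned by an exposed metrics endpoint and separate the
// application's custom metrics (prefix and "app" label) from the process
// defaults a monitor would also scrape. SAMPLE_BODY is constructed for this
// example; the metric names and the "juiceshop" prefix are assumptions, not
// the project's real metric names.

const SAMPLE_BODY = [
  "# HELP juiceshop_challenges_solved Number of solved challenges",
  "# TYPE juiceshop_challenges_solved gauge",
  'juiceshop_challenges_solved{app="juice-shop",difficulty="1"} 3',
  'juiceshop_challenges_solved{app="juice-shop",difficulty="2"} 1',
  "# HELP juiceshop_users_registered_total Registered users",
  "# TYPE juiceshop_users_registered_total counter",
  'juiceshop_users_registered_total{app="juice-shop"} 17',
  "# HELP process_cpu_seconds_total Total user and system CPU time spent in seconds",
  "# TYPE process_cpu_seconds_total counter",
  "process_cpu_seconds_total 4.2",
  "",
].join("\n");

// One sample line: metric name, optional {labels}, value, optional timestamp.
const SAMPLE_RE =
  /^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([^}]*)\})?\s+(-?[0-9.eE+-]+|NaN|[+-]Inf)(?:\s+-?\d+)?$/;
const LABEL_RE = /([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"/g;

function parseValue(text) {
  if (text === "+Inf") return Infinity;
  if (text === "-Inf") return -Infinity;
  return Number(text); // "NaN" becomes NaN, as intended
}

function parseLabels(raw) {
  const labels = {};
  for (const m of (raw || "").matchAll(LABEL_RE)) {
    // Undo the exposition-format escapes \" \\ and \n inside label values.
    labels[m[1]] = m[2].replace(/\\(["\\n])/g, (_, c) => (c === "n" ? "\n" : c));
  }
  return labels;
}

// Returns one record per sample line; preceding # HELP / # TYPE comments are
// attached by metric name. Unparseable lines are skipped rather than fatal.
function parsePrometheusText(body) {
  const help = {};
  const type = {};
  const samples = [];
  for (const rawLine of body.split("\n")) {
    const line = rawLine.trim();
    if (line === "") continue;
    if (line.startsWith("#")) {
      const m = /^#\s+(HELP|TYPE)\s+(\S+)\s+(.*)$/.exec(line);
      if (m) (m[1] === "HELP" ? help : type)[m[2]] = m[3];
      continue;
    }
    const m = SAMPLE_RE.exec(line);
    if (!m) continue;
    samples.push({
      name: m[1],
      labels: parseLabels(m[2]),
      value: parseValue(m[3]),
      type: type[m[1]] || "untyped",
      help: help[m[1]] || "",
    });
  }
  return samples;
}

// Probe heuristic for a candidate endpoint: treat the body as an exposition
// when it has at least one TYPE comment and at least one parseable sample.
function looksLikePrometheusExposition(body) {
  return /^#\s+TYPE\s/m.test(body) && parsePrometheusText(body).length > 0;
}

// The application's own metrics: those whose name starts with the configured
// prefix or that carry the configured app label.
function applicationMetrics(samples, prefix, appLabel) {
  return samples.filter(
    (s) => s.name.startsWith(prefix + "_") || s.labels.app === appLabel
  );
}

function summarize(body, prefix, appLabel) {
  const samples = parsePrometheusText(body);
  const custom = applicationMetrics(samples, prefix, appLabel);
  return {
    total: samples.length,
    custom: custom.length,
    names: [...new Set(custom.map((s) => s.name))].sort(),
  };
}

console.log(summarize(SAMPLE_BODY, "juiceshop", "juice-shop"));
```

The same two functions double as a quick check for the unauthenticated exposure the challenge is about: fetch a candidate path (Prometheus's convention is `/metrics`), pass the body to `looksLikePrometheusExposition`, and if it matches, `summarize` tells you how much application-specific state is readable without credentials.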
🌐 I18N
- Bonus points messages on Track Order screen are now translatable
- Server-side error messages on multiple screens are now translatable
- Extended 🇷🇺, 🇨🇳, 🇪🇪, 🇳🇱, 🇪🇸, 🇦🇪 and 🇨🇭 translations
🛅 Miscellaneous
- Refactored APIs for `Memory`, `Wallet` and deluxe memberships into proper endpoints under `/rest`
- Feedback comments now get the (anonymized) author's email appended
- Added Google login on `http://penguin.termina.linux.test:3000` for Chromebooks
- Switched back to official `i18n-node` version after merge of fix for mashpie/i18n-node#419
- #1314: Wrapped all router navigation into `NgZone.run()` to keep unit test suite from spamming warnings