This release brings significant changes to existing challenges (:zap:) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!
🎯 Challenges
- #1245: (:zap:) Refactored Classic Stored XSS (:star::star:) challenge into CSP Bypass (:star::star::star::star:) challenge (kudos to @Scar26)
- #1325: Added Deluxe Fraud challenge (:star::star::star:) where a Deluxe Membership must be obtained surreptitiously (kudos to @Scar26)
- #902: Added CSRF challenge (:star::star::star:) where a username change must be triggered via an online HTML editor (kudos to @dnull)
- Added Bonus Payload challenge (:star:) which (by default) makes you listen to the OWASP Juice Shop Jingle
- Doubled the length of data leaked during XXE Data Access attacks before truncating
- #1295: (⚡️) The Forged JWT challenge is now always disabled on Windows - see #1310 (comment)
🤖 Hacking Instructor
- #1331: Any tutorial can now be launched via direct link to
/#/hacking-instructor?challenge=<challenge name>(kudos to @Scar26)- e.g. http://demo.owasp-juice.shop/#/hacking-instructor?challenge=Score%20Board
- Added
waitForDevTools()helper function for Score Board, View Basket and Forged Feedback tutorials
🎭 Customization
- Added
challenges.xssBonusPayloadproperty to define a custom payload for the Bonus Payload challenge
🚔 Start-up validations
- An inventory of at least 4 products is now explicitly expected (instead of implicitly via unique/unambiguous special products checks)
📟 Operations
- #1353: Replaced all absolute with relative links to allow serving Juice Shop from a sub directory (kudos to @JamesCullum)
- When running in a sub directory its name must be passed in via the
BASE_PATHenvironment variable
- When running in a sub directory its name must be passed in via the
⚙️ DevOps Automation
- Added Automatic Rebase action triggering on
/rebasecomments in PRs - #1355: Added workflow for automatic update of
challenges.ymlin https://github.com/OWASP/www-project-juice-shop - Added workflow to automatically add release notes to
tab_news.mdin https://github.com/OWASP/www-project-juice-shop
🐛 Fixes
- #1295: Repaired the JWT behavior so that the related challenges actually produce working tokens (kudos to @Scar26)
- #1343: Fixed Vagrant provisioning by switching to official Docker CE and APT repository (kudos to @adamczi)
- #1351: Fixed issues with customization of Photo Wall memories (kudos to @nickmurison)
- a082f62: Added missing
idfields and populated fromproduct.idin pre-defined orders - XSS end-to-end tests are now less likely to fail from alerts showing up at the wrong time (kudos to @JamesCullum)
🌐 I18N
- Added translation strings for new or changed challenges