This release brings significant changes to existing challenges (:zap:) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files. This release also contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release.
🎨 User Interface
- Performed upgrade to Angular 10 and Angular Material 10 (⚠️)
- Added Support Chat page where a smart bot will answer all important customer questions (kudos to our GSoC student @Scar26)
- #1413: Replace `BarRating` component with `MatSlider` for feedback rating on Customer Feedback screen
- #1413: Replace all read-only instances of `BarRating` component with `MatIcon`s on Score Board and admin dashboard
🏪 Convenience
- #1423: Added local backup save/restore support to the Score Board for challenge progress and client-side application settings (🔬)
🎯 Challenges
- Added Bully Chatbot (:star:) challenge
- Added Kill Chatbot (:star::star::star::star::star:) challenge (kudos to our GSoC student @Scar26)
- #1347: Added Meta Geo Stalking (:star::star:) challenge
- #1347: Added Visual Geo Stalking (:star::star:) challenge
- Added Poison Null Byte (:star::star::star::star:) challenge
- #1413: Swapped `ng2-bar-rating` with another typosquatted frontend component due to removal of `BarRating` from all screens (⚡)
- Where applicable a Vulnerability Mitigation link is now shown on the Score Board after solving the corresponding hacking challenge
- Links currently point to the best matching OWASP Cheat Sheet for each challenge (🔬)
- For solved challenges the Hacking Instructor button on the Score Board will now be removed instead of disabled
- Added a Tags column to the Score Board to mark special challenges (🔬)
- "Shenanigans" marks challenges which are not considered serious and/or realistic but exist more for entertainment
- "Contraption" indicates that a challenge is not exactly part of a realistic scenario but might be a bit forced or crafted
- "OSINT" marks challenges which require some Internet research or "social stalking" activity outside the application
- "Good Practice" highlights challenges which are less about vulnerabilities but promoting good (security) practices
- "Danger Zone" marks potentially dangerous challenges which are disabled on Docker/Heroku by default due to RCE or other risks
- "Good for Demos" highlights challenges which are suitable for live demos or awareness trainings
- "Prerequisite" marks challenges which need to be solved before one or more other challenges can be (realistically) solved
- "Brute Force" marks challenges where automation of some security tool or custom script is an option or even prerequisite
- "Tutorial" marks challenges for which a Hacking Instructor script exists to assist newcomers
- "Code Analysis" marks challenges where it can be helpful to rummage through some source code of the application or a third party
- Added a tooltip describing each challenge category to their corresponding filter button on the Score Board
- #1452: Accept an additional possible solution for Manipulate Basket challenge
🎭 Customization
- Added `geoStalkingMetaSecurityQuestion` and `geoStalkingMetaSecurityAnswer` as mandatory properties of one `memories` entry (⚠️)
- Added `geoStalkingVisualSecurityQuestion` and `geoStalkingVisualSecurityAnswer` as mandatory properties of one `memories` entry (⚠️)
- Enforce minimum number of two `memories` entries (⚠️)
- Added `challenges.showMitigations` property (defaults to `true`) to show or hide Vulnerability Mitigation links from the Score Board
- Added new `application.chatbot` subsection to configure `name`, `greeting`, `trainingData`, `defaultResponse` and `avatar` (kudos to our GSoC student @Scar26)
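Because the ⚠️ items above can break an existing customization file, a small pre-migration check is useful. The script below is an added example, not part of Juice Shop itself: it walks an already-parsed customization configuration and reports every item in this section that is not satisfied. The key paths (a top-level `memories` list, `challenges.showMitigations`, `application.chatbot`) are taken from the notes above; "one `memories` entry" is read as exactly one entry per geo-stalking pair, and the two sample configurations are constructed for illustration.

```python
"""Pre-migration check for a Juice Shop customization file against the
mandatory settings introduced in this release.

Added example, not Juice Shop's own code. Key paths are assumed from the
release notes: top-level `memories`, `challenges.showMitigations` (default
true) and `application.chatbot`. Sample configurations are constructed.
"""

META_KEYS = ("geoStalkingMetaSecurityQuestion", "geoStalkingMetaSecurityAnswer")
VISUAL_KEYS = ("geoStalkingVisualSecurityQuestion", "geoStalkingVisualSecurityAnswer")
CHATBOT_KEYS = ("name", "greeting", "trainingData", "defaultResponse", "avatar")


def _entries_with(memories, keys):
    """Memories entries that define every key in `keys`."""
    return [m for m in memories if all(k in m for k in keys)]


def check_customization(config):
    """Return a list of problems; an empty list means the file is ready for this release."""
    problems = []
    memories = config.get("memories") or []

    # Minimum of two memories entries is now enforced.
    if len(memories) < 2:
        problems.append(f"memories: at least 2 entries are required, found {len(memories)}")

    # Each geo-stalking pair must live complete on exactly one entry; a question
    # without its answer (or vice versa) is the typical half-done migration.
    for label, keys in (("meta", META_KEYS), ("visual", VISUAL_KEYS)):
        for i, entry in enumerate(memories):
            present = [k for k in keys if k in entry]
            if 0 < len(present) < len(keys):
                missing = [k for k in keys if k not in entry]
                problems.append(f"memories[{i}]: {label} geo-stalking entry has {present} but lacks {missing}")
        complete = _entries_with(memories, keys)
        if len(complete) != 1:
            problems.append(f"memories: exactly one entry must define {list(keys)}, found {len(complete)}")

    # showMitigations is optional (defaults to true) but must be a boolean when set.
    show = (config.get("challenges") or {}).get("showMitigations", True)
    if not isinstance(show, bool):
        problems.append(f"challenges.showMitigations: expected true/false, got {show!r}")

    # The chatbot subsection is optional; flag keys outside the documented set (catches typos).
    chatbot = (config.get("application") or {}).get("chatbot")
    if chatbot is not None:
        unknown = sorted(set(chatbot) - set(CHATBOT_KEYS))
        if unknown:
            problems.append(f"application.chatbot: unknown keys {unknown} (known: {list(CHATBOT_KEYS)})")

    return problems


# Constructed sample: a configuration updated for this release.
GOOD_CONFIG = {
    "application": {
        "chatbot": {
            "name": "Juicy",
            "greeting": "Nice to meet you, I'm Juicy",
            "trainingData": "botTrainingData.json",  # placeholder path
            "defaultResponse": "Sorry, I did not understand that.",
            "avatar": "assets/chatbot.png",  # placeholder path
        }
    },
    "challenges": {"showMitigations": True},
    "memories": [
        {"image": "one.jpg", "caption": "First memory",
         "geoStalkingMetaSecurityQuestion": 1, "geoStalkingMetaSecurityAnswer": "answer-meta"},
        {"image": "two.jpg", "caption": "Second memory",
         "geoStalkingVisualSecurityQuestion": 2, "geoStalkingVisualSecurityAnswer": "answer-visual"},
    ],
}

# Constructed sample: a pre-release file with a half-migrated memories entry.
LEGACY_CONFIG = {
    "challenges": {"showMitigations": "yes"},
    "memories": [
        {"image": "old.jpg", "caption": "Old memory", "geoStalkingMetaSecurityQuestion": 1},
    ],
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("legacy", LEGACY_CONFIG)):
        print(f"{name}: {check_customization(cfg) or 'ok'}")
```

To check a real file, parse it first (for example with PyYAML's `safe_load`) and pass the resulting dictionary to `check_customization`; the checker deliberately reports every problem at once rather than stopping at the first, so one run lists the whole migration to-do.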
🎣 Solution Webhook
- Added `ctfFlag` property to webhook payload containing the flag code of the solved challenge (based on the `CTF_KEY` of the server instance)
🛍️ Products
- Added Juice Shop "Permafrost" 2020 Edition product
🗺️ I18N
- Challenge categories can now be translated and are shown in the selected language on the Score Board
- Added support for 🇹🇼 language