This release contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release. Feeback on these features is particularly welcome via Gitter, Slack or by opening a GitHub issue.
👟 Runtime
- 4201a98: Added support for Node.js 15.x
👨💻 Code Snippets (🔬)
- Introduced Vulnerable Code Snippets which show the actual underlying source code for many hacking challenges
- Added new Code Snippet button to all challenges on Score Board that opens snippet in modular dialog
- Introduced code comment markers under
vuln-code-snippetnamespace to assign actual source code to challenges - Added spoiler section to code snippet where the ultimately vulnerable/responsible line(s) of code for a challenge can be revealed
🎯 Challenges
- #1576: Converted deletion request form for data subject from Angular to HBS frontend for future use in hacking challenge (kudos to @cigar-galaxy82)
- #1592: CSRF challenge no longer requires a seriously outdated browser (like Firefox from 2017) to be exploitable (kudos to @dnull & @chinggg)
👨🏫 Hacking Instructor
- #1600: Added button to cancel an ongoing tutorial script without a Browser refresh (kudos to @the-pro)
☑️ Pre-start Validations
- #1613: Added (optional) config property
exifForBlueprintChallengeand corresponding checks during server startup for existence of EXIF data for "Retrieve Blueprint" challenge (kudos to @chinggg and @the-pro)
🐛 Bugfixes
- Fixed race condition during
node-i18ninitialization and copying of locale files that caused server startup failure (kudos to @adityaofficial10) - #1597: Added back lost EXIF data to image needed for "Retrieve Blueprint" challenge
- Fixed outdated Slack invite link on About Us page to new https://owasp.org/slack/invite self registration page
🟦 Codebase
- #1573: Backend code base has been converted from JavaScript into TypeScript (kudos to @paseaf)
- Backend code checks with
eslintare now based onstandard-with-typescript
- Backend code checks with
- #1612: Replaced cookie module in frontend with
ngx-cookieto make CSRF easier to exploit (kudos to @chinggg)