This release contains incompatible technical changes (⚠️) and/or makes incompatible changes to existing challenges (⚡️). The latter might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!
Changes
Challenges
- #401: Added ⭐⭐⭐ challenge to access a misplaced SIEM signature file
- #364: Added two new JWT challenges worth ⭐⭐⭐⭐ and ⭐⭐⭐⭐⭐ (kudos to @tghosth)
- #364: Removed JWT challenge that required reporting the ill-chosen HMAC secret (⚡️)
- Replaced `sequelize-restful` with a different library as possible solution for Vulnerable Component challenge (⚡️)
- #397: Added `showVersionNumber` as configuration option. Defaults to `true`. Is overwritten with `false` in `ctf.yml` configuration (thanks to @J12934)
- #383: Challenges solved by submitting feedback via Contact Us can now equally be solved via the File Complaint form
Product Inventory
- Added Pwning OWASP Juice Shop eBook as a product
- Marked OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition) product as unavailable
- Fixed link in Apple Pomace description to now lead to the `#/recycle` page
- Removed fallback default value in case `fileForRetrieveBlueprintChallenge` property was missing in a custom YML configuration (⚠️)
- #414: Juice Shop server will now refuse to start if any of `useForProductTamperingChallenge`, `useForChristmasSpecialChallenge` and `fileForRetrieveBlueprintChallenge` are configured on more than one product (⚠️) (credits to @g-k)
Miscellaneous
- 9357e48: Added Credit Card payment option to Your Basket screen
Bugfixes
- 75999e9: Replace hard-coded application name on order confirmation PDFs with configured `application.name` values
- #413: Fixed hard-coded reference to Juice Shop in NoSQL challenge test which failed for customizations (kudos to @g-k)
I18N
- achieved or restored 100% translation into 🇩🇪 , 🇸🇪, 🇳🇴, 🇹🇷 and 🇷🇴
- added Urdu (🇵🇰) language (You can help to translate here!)
Non-functional Changes
- Default and recommended Node.js version is now 8.x (since this version went into LTS on 31.10.2017), including Docker and Heroku instances
- #167: Updated to `sequelize` v4.x
- #167: Replaced `sequelize-restful` with `epilogue-js` as RESTful API generator (kudos to @J12934)
- Express now logs requests into file `access.log` instead of using `console.log()`
- Disabled SQL query logging completely
- Replaced `<div>` tags with semantic HTML5 tags where appropriate
- Replaced `<input type="text">` form elements with HTML5 form elements where appropriate
- #404: Download size of the Docker image was further reduced from 126.8 MB to 64.8 MB (kudos to @battletux)
- Various function and test decomposition refactorings