This release contains major incompatible technical changes (⚠️) and makes significant incompatible changes to existing challenges (⚡️). The latter might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!
User Interface
- Rewrite of AngularJS 1.6 frontend in Angular 7.0
- Rewrite of Bootstrap UI in Material Design
- Added filter toggles for solved challenges and challenge categories to Score Board
Challenges
- Added new Forged Review challenge (:star::star::star:)
- Added new NoSQL Injection Tier 3 challenge (:star::star::star::star:)
- Added new Arbitrary File Write challenge (:star::star::star::star::star::star:)
- Added new Basket Access Tier 2 challenge (:star::star::star:)
- Added new Admin Registration challenge (:star::star::star:)
- Added new Login Amy challenge (:star::star::star:)
- Added new XSS Tier 5 challenge (:star::star::star::star:)
- Added new Email Leak challenge (:star::star::star::star::star:)
- Added new Multiple Likes challenge (:star::star::star::star::star::star:)
- Added new Server Side Template Injection challenge (:star::star::star::star::star::star:)
- Added new Server Side Request Forgery challenge (:star::star::star::star::star::star:)
- Increased difficulty of Christmas Special challenge from ⭐⭐⭐ to ⭐⭐⭐⭐ (⚡️)
- Slightly changed solution for Login Bjoern challenge to outpace online Rainbow Tables (⚡️)
- Removed Eye Candy challenge (⚡️)
- Disabled XXE Tier 1 and Tier 2 challenges in Docker and Heroku environments (⚡️)
- Replaced
<script>
payloads for XSS Tier 0 to Tier 5 challenges with<iframe>
payloads (⚡️) - Several challenges have now slightly (a few even significantly) different solution paths (⚡️)
Configuration
- Added
challenges.safetyOverride
option to enable potentially dangerous challenges (e.g. XXE) regardless of runtime environment (defaults tofalse
) - Added
application.slackUrl
property to define a Slack server or invite URL (defaults tohttp://owaspslack.com
) - Allowed properties for
application.theme
are nowbluegrey-lightgreen
,blue-lightblue
,deeppurple-amber
,indigo-pink
,pink-bluegrey
,purple-green
anddeeporange-indigo
(⚠️) - Changed
application.gitHubRibbon
property intotrue
/false
flag (⚠️) - Generic error page now displayed
application.name
property instead of hardcodedJuice Shop
as headline
I18N
- Added Georgian translation (🇬🇪)
Miscellaneous
- Improved and extended validation of configuration and precondition during appliation start
The majority of changes in this release were developed by @Aashish683 and @CaptainFreak under mentorship of @J12934, @wurstbrot and @bkimminich during 🌞 Google Summer of Code 2018.