Release Notes v9.0.0

Bjoern Kimminich

Aug 26, 2019, 8:31:41 AM8/26/19
to Juice Shop Project

This release brings significant changes to existing challenges (⚡️) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

🧩 Compatibility

  • Dropped support for Node.js 8.x and 9.x (⚠️)
  • Building client-side JavaScript for current and legacy browsers separately now (⚠️)

🎨 User Interface

  • Major refactoring of UI to Material Design standards and UX best practices (kudos to @MarcRler)
  • Migrated frontend to Angular 8
  • Introduced additional accessibility and usability features on all facelifted dialogs
  • Fixed icon for challenges that are disabled when run on Heroku
  • #1140: Fixed favicon not being displayed or customized any longer
  • Generic currency symbol (¤) is now shown on prices in UI and order confirmation PDFs
  • Order tracking screen now highlights actual delivery status in green color
  • Application name in navigation bar now works as home button like the logo does

🛒 GSoC Feature Pack 2019 by @agrawalarpit14

  • Extended realism by adding delivery addresses, payment options and delivery methods during Checkout
  • Products can now go out of stock and indicate so in the UI
  • Added Order Summary and Order Confirmation screens
  • Added accountant user role which is permitted to maintain inventory stock
  • Users can now add their juiciest memories to new Photo Wall
  • Added Deluxe Membership option for premium customers and corresponding special offers

🎯 Challenges

  • #1093: Refactored challenge names, descriptions and hints for better consistency and solvability (⚡️)
  • Added Database Schema challenge (⭐️⭐️⭐️) asking to exfiltrate the DB schema via SQLi
  • #1194: Added Ephemeral Accountant challenge (⭐️⭐️⭐️⭐️) demanding to log in a non-existing user
  • Both Blocked RCE DoS and Successful RCE DoS are disabled in containerized environments now (⚡️)
  • Renamed account email required for Login Bjoern challenge to match primary account email (⚡️)
  • Fixed HTTP-Header XSS challenge which could be solved but payload was not actually executed
  • Added tutorial button to welcome banner to help beginners find the Score Board

🎭 Customization

  • Renamed application.gitHubRibbon into application.showGitHubLinks (⚠️)
  • Replaced application.hideWelcomeBanner with subsection application.welcomeBanner (⚠️)
    • application.welcomeBanner.showOnFirstStart configures visibility of the banner
    • application.welcomeBanner.title and .message define the content of the banner
  • Now uses custom application name in TOTP name for 2FA

🎛 API

  • Renamed endpoint rest/data-export into rest/user/data-export to improve API consistency (⚡️)

🛅 Miscellaneous

  • #1188: Reduced Docker image size by optimizing layers
  • #1173: Safeguard intended NoSQL vuln against malicious exploits by allowing only 40 char payload
  • #535: Expiration of cookie-submitted auth tokens is now validated by /rest/whoami endpoint
  • #822: Fixed issue with cookie removal on logout