Release Notes v12.0.0


Bjoern Kimminich

Sep 9, 2020, 10:12:09 AM
to Juice Shop Project

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files. This release also contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release.

🎨 User Interface
  • Performed upgrade to Angular 10 and Angular Material 10 (⚠️)
  • Added Support Chat page where a smart bot will answer all important customer questions (kudos to our GSoC student @Scar26)
  • #1413: Replace BarRating component with MatSlider for feedback rating on Customer Feedback screen
  • #1413: Replace all read-only instances of BarRating component with MatIcons on Score Board and admin dashboard
🏪 Convenience
  • #1423: Added local backup save/restore support to the Score Board for challenge progress and client-side application settings (🔬)
🎯 Challenges
  • Added Bully Chatbot (⭐) challenge
  • Added Kill Chatbot (⭐⭐⭐⭐⭐) challenge (kudos to our GSoC student @Scar26)
  • #1347: Added Meta Geo Stalking (⭐⭐) challenge
  • #1347: Added Visual Geo Stalking (⭐⭐) challenge
  • Added Poison Null Byte (⭐⭐⭐⭐) challenge
  • #1413: Swapped ng2-bar-rating with another typosquatted frontend component due to removal of BarRating from all screens (⚡)
  • Where applicable a Vulnerability Mitigation link is now shown on the Score Board after solving the corresponding hacking challenge
    • Links currently point to the best matching OWASP Cheat Sheet for each challenge (🔬)
  • For solved challenges the Hacking Instructor button on the Score Board will now be removed instead of disabled
  • Added a Tags column to the Score Board to mark special challenges (🔬)
    • "Shenanigans" marks challenges which are not considered serious and/or realistic but exist more for entertainment
    • "Contraption" indicates that a challenge is not exactly part of a realistic scenario but might be a bit forced or crafted
    • "OSINT" marks challenges which require some Internet research or "social stalking" activity outside the application
    • "Good Practice" highlights challenges which are less about vulnerabilities and more about promoting good (security) practices
    • "Danger Zone" marks potentially dangerous challenges which are disabled on Docker/Heroku by default due to RCE or other risks
    • "Good for Demos" highlights challenges which are suitable for live demos or awareness trainings
    • "Prerequisite" marks challenges which need to be solved before one or more other challenges can be (realistically) solved
    • "Brute Force" marks challenges where automation of some security tool or custom script is an option or even prerequisite
    • "Tutorial" marks challenges for which a Hacking Instructor script exists to assist newcomers
    • "Code Analysis" marks challenges where it can be helpful to rummage through some source code of the application or a third party
  • Added a tooltip describing each challenge category to their corresponding filter button on the Score Board
  • #1452: Accept an additional possible solution for Manipulate Basket challenge
🎭 Customization
  • Added geoStalkingMetaSecurityQuestion and geoStalkingMetaSecurityAnswer as mandatory properties of one memories entry (⚠️)
  • Added geoStalkingVisualSecurityQuestion and geoStalkingVisualSecurityAnswer as mandatory properties of one memories entry (⚠️)
  • Enforce minimum number of two memories entries (⚠️)
  • Added challenges.showMitigations property (defaults to true) to show or hide Vulnerability Mitigation links from the Score Board
  • Added new application.chatbot subsection to configure name, greeting, trainingData, defaultResponse and avatar (kudos to our GSoC student @Scar26)
🎣 Solution Webhook
  • Added ctfFlag property to webhook payload containing the flag code of the solved challenge (based on the CTF_KEY of the server instance)
🛍️ Products
  • Added Juice Shop "Permafrost" 2020 Edition product
🗺️ I18N
  • Challenge categories can now be translated and are shown in the selected language on the Score Board
  • Added support for 🇹🇼 language