Releases: juice-shop/juice-shop

v12.10.0

03 Oct 18:17

👨‍💻 Coding Challenges

  • Added cheat detection for coding challenges (based on solving speed in relation to code snippet length and selectable fix options)
  • Added accuracy calculation for coding challenges (based on number of failed solving attempts)
  • Added Prometheus metrics juiceshop_coding_challenges_progress and juiceshop_coding_challenges_accuracy
  • Added panels for new coding challenge metrics to Grafana dashboard template

⚙️ DevOps Automation

  • #1685: Refactored CI/CD to work on repository forks without guaranteed failures or unnecessary credit consumption
    • Turned off GitHub action steps that would fail on forks such as Docker, CodeClimate, Heroku and Slack (kudos to @commjoen)
    • Limited the matrix build test stage to Node 14.x on Ubuntu only for forks
  • #1687: Pin GitHub action plugins to current commit hash to reduce risk for supply chain attacks (kudos to @commjoen)
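The two DevOps points above (skipping credential-dependent steps on forks, and pinning actions to a commit hash instead of a mutable tag) can be shown together in a single workflow. The following is an added example, not the project's own CI configuration; the job and step names, the fork check, and the all-zero SHA values are constructed placeholders (a real pin is the full 40-character commit SHA of the action release you reviewed):

```yaml
# .github/workflows/ci.yml (added example, not the project's own workflow)
name: ci
on: [push, pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Weak form: a mutable tag. Whoever can move the "v2" tag in the action's
      # repository decides what code runs inside this job.
      #   - uses: actions/checkout@v2
      #
      # Hardened form: pin to the full commit SHA. The trailing comment records
      # the human-readable version and lets Dependabot bump SHA and comment together.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v2 (placeholder SHA)
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v2 (placeholder SHA)
        with:
          node-version: 14.x
      - run: npm ci
      - run: npm test

      # Steps that need repository secrets are skipped on forks, so a fork's CI
      # neither fails on missing credentials nor burns its minutes on them.
      - name: Publish Docker image
        if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push'
        run: echo "image build and push would run here (placeholder)"

---
# .github/dependabot.yml (added example): keeps the SHA pins above current,
# so pinning does not silently freeze the actions on an old, unpatched commit.
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```

The `github.repository` condition is what makes the fork behaviour predictable: it is evaluated from the repository the workflow actually runs in, so a fork never reaches the publishing step. The Dependabot entry is the usual companion to SHA pinning; without it, pinned actions tend to drift behind security fixes in the action itself.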

🛍️ Product Inventory

  • The product 20th Anniversary Celebration Ticket is no longer available

🐛 Bugfixes

  • #1691: Improved fix options for "NoSQL Manipulation" coding challenge (kudos to @denkerszaf)

v12.9.3

26 Sep 19:04
caa7a43

🐛 Bugfixes

  • Show "Loading code snippet..." placeholder again when snippet is retrieved for a coding challenge
  • Fixed accidental lockouts from "Fix It" tab after false submissions during a coding challenge
  • Fixed accidental blowup of JSON response with each subsequent call to the /snippets endpoint
  • Calls to /snippets endpoint now return a cached result after the first retrieval

v12.9.2

22 Sep 16:48

🐛 Bugfixes

  • Fix It tab in coding challenges dialog no longer uses Find It label in title

v12.9.1

21 Sep 21:28

📘 Documentation

👨‍⚖️ Copyright

  • Included OWASP Juice Shop contributors into all copyright notices

Download OWASP Juice Shop

v12.9.0

17 Sep 04:08

👨‍💻 Coding Challenges

  • Extended Code Snippets into Coding Challenges (kudos to our Google Summer of Code 2021 student @the-pro)
    • Vulnerable code snippets have been redesigned to allow selecting and submitting a vulnerable line and receiving a verdict
    • An additional tab, shown after successful selection of the vulnerable line, allows selecting the assumed fix from a provided list of options
    • Solution status of coding challenges is persisted to the database and displayed on the Score Board
  • Switched default availability of coding challenges from "always" to "only after the corresponding hacking challenge was solved"

🎊 UI Enhancements

  • Added confetti shooter animation when a hacking or coding challenge is solved (kudos to @the-pro)

⚙️ DevOps Automation

🔐 Security

  • 524f3be: Increase maximum password length from 20 to 40 in user registration and password change UI

🐛 Bugfixes

  • #1666: Fixed occasional server crash when tampering with user feedback HTTP requests

🗺️ I18N

  • Added 🇱🇰 language
  • Extended translations in 🇦🇿, 🇨🇳, 🇩🇰, 🇫🇷, 🇳🇴, 🇹🇭 and 🇩🇪

v12.8.1

30 Jun 19:39

🛍️ Products

🐛 Bugfixes

  • 04b6393: Fixed issues with URL encoding recognition for "Missing Encoding" challenge
  • #1638: Fixed unnecessary extra path traversal step being required to get "Cross-Site Imaging" challenge solved although payload works without it

v12.8.0

24 May 20:58

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!

🎯 Challenges

🛍️ Products

  • Added "OWASP Juice Shop Card (non-foil)" to product inventory

🐛 Bugfixes

  • #1628: Fixed server crashes when accessing data export or order history endpoints without an authorization token

🗺️ I18N

  • Extended 🇹🇭 and 🇩🇰 translations significantly

v12.7.2

04 May 16:48

🐛 Bugfixes

  • #1625: Fixed unhandled promise rejection to instead bubble up into default error handler (kudos to @omerlh)

v12.7.1

13 Apr 05:20

🐛 Bugfixes

  • #1620: Prevent crashes from too many open file handles when retrieving vulnerable code snippets (kudos to @the-pro)

v12.7.0

11 Apr 19:38

This release contains experimental or prototype features (🔬) which are not guaranteed to work and are subject to breaking changes (or removal) within a subsequent minor release. Feedback on these features is particularly welcome via Gitter, Slack or by opening a GitHub issue.

👟 Runtime

  • 4201a98: Added support for Node.js 15.x

👨‍💻 Code Snippets (🔬)

  • Introduced Vulnerable Code Snippets which show the actual underlying source code for many hacking challenges
    • Added new Code Snippet button to all challenges on Score Board that opens the snippet in a modal dialog
    • Introduced code comment markers under vuln-code-snippet namespace to assign actual source code to challenges
    • Added spoiler section to code snippet where the ultimately vulnerable/responsible line(s) of code for a challenge can be revealed

🎯 Challenges

  • #1576: Converted deletion request form for data subject from Angular to HBS frontend for future use in hacking challenge (kudos to @cigar-galaxy82)
  • #1592: CSRF challenge no longer requires a seriously outdated browser (like Firefox from 2017) to be exploitable (kudos to @dnull & @chinggg)

👨‍🏫 Hacking Instructor

  • #1600: Added button to cancel an ongoing tutorial script without a Browser refresh (kudos to @the-pro)

☑️ Pre-start Validations

  • #1613: Added (optional) config property exifForBlueprintChallenge and corresponding checks during server startup for existence of EXIF data for "Retrieve Blueprint" challenge (kudos to @chinggg and @the-pro)

🐛 Bugfixes

  • Fixed race condition during node-i18n initialization and copying of locale files that caused server startup failure (kudos to @adityaofficial10)
  • #1597: Added back lost EXIF data to image needed for "Retrieve Blueprint" challenge
  • Fixed outdated Slack invite link on About Us page to new https://owasp.org/slack/invite self registration page

🟦 Codebase

  • #1573: Backend code base has been converted from JavaScript into TypeScript (kudos to @paseaf)
    • Backend code checks with eslint are now based on standard-with-typescript
  • #1612: Replaced cookie module in frontend with ngx-cookie to make CSRF easier to exploit (kudos to @chinggg)