v18.0.0

Compare Source

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

👟 Runtime

• Removed support for Node.js 18.x and no longer provide packaged distributions for this version (⚠️)
• Removed inofficial support for Node.js 19.x
• Switched from libxmljs to libxmljs2 as XML parser where binaries are available for up to at least Node.js 24

🐳 Docker

• Official Docker image now uses Node.js 22.x base images
• Removed pre-build step specific to libxmljs

🎭 Customization

• Added full-conversion DEF CON 33 theme that can be used with NODE_ENV=defcon33 npm start
• #​2625: Added a metricsIgnoredUserAgents config option to configure uncommon metric collector user-agents for challenge tracking. Support for more common metric collectors have been added too, see bugfixes. (kudos to @​SvenKirschbaum)

🎯 Challenges

• Added new Leaked API Key ⭐⭐⭐⭐⭐-challenge
• #​2602: Added accompanying ftp/package-lock.json to make several Vulnerable Components category challenges more accessible
• Cross-Site Imaging challenge now uses https://cataas.com/ instead of frequently unavailable http://placecats.com/ service (⚡)

🐛 Bugfixes

• #​2631: Fixed discount validation for "Forged Coupon" challenge to only trigger for 80%+ as intended
• #​2625: Fixed metric challenge getting solved by non-prometheus monitoring agents. e.g. OpenTelemetry collector. (kudos to @​SvenKirschbaum)

v17.3.0

Compare Source

🅰️ Frontend

• Updated frontend to Angular 19.x and Angular Material 19.x (kudos to @​logz254)

🎨 User Interface

• #​2541: Language selection dropdown is now searchable to make finding your preferred language even faster! (kudos to @​AnvitaPrasad)

🐛 Bug Fixes

• Fixed issue causing colors from themes not getting displayed correctly

🧹 Technical Debt Reduction

• Migrated all server code to use ESM syntax for imports and exports
• Replaced node-fetch and request with the new built-in fetch HTTP client in Node.js

🐳 Docker

• Update base image from debian 11 to debian 12

v17.2.0

Compare Source

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop!

🅰️ Frontend

• Updated frontend to Angular 17.x and Angular Material 17.x (kudos to @​martinakraus, @​thomasbreland, @​hxrshxz, @​ayushrajparihar and @​alekszivko for the help and hard work on this 🙌)

🎯 Challenges

• Added new Memory Bomb ⭐⭐⭐⭐⭐ -challenge
• Cross-Site Imaging challenge now uses http://placecats.com instead of abandoned http://placekitten.com service (⚡)

🔧 Configuration

• Added blueSkyUrl and mastodonUrl to social section of configuration

🎨 User Interface

• Added BlueSky and Mastodon links to About Us screen

🐛 Bugfixes

• #​2341: Fixed "Product Tampering" challenge verification to work in any selected language
• #​2365: Restored prevention of unintentional RCE in NoSQL challenges (kudos to @​KapilSareen)
• #​2384: Now checking challenge continue code for invalid characters before processing (kudos to @​drwtsn95)
• #​2404: Fixed "Upload Size" challenge verification to trigger properly in all situations (kudos to @​criticic)
• #​2317: Hacking Instructor script is now again lazy-loaded into the browser (kudos to @​alekszivko)

v17.1.1

Compare Source

🛒 Product Inventory

• Added DSOMM & Juice Shop User Day Ticket as in-app advertisement for the corresponding real-world event

v17.1.0

Compare Source

👟 Runtime

• Added support for Node.js 22.x

🎨 User Interface

• #​2261: Improved visuals of scrollbars on Score Board challenge panels with longer description text (kudos to @​ThReinecke)

👨‍🏫 Tutorials

• #​2273: Added tutorial script for "Admin Section" ⭐⭐-challenge (kudos to @​ThReinecke)
• #​2278: Added tutorial script for "Reflected XSS" ⭐⭐-challenge (kudos to @​ThReinecke)
• #​2286: Helper function now better recognizes when DevTools have been opened during a tutorial (kudos to @​ThReinecke)

🐛 Bugfixes

• #​2303: Reverted dependency optimization resulting in build/ artifacts missing for production builds
• #​2266: Fixed long name of OWASP in Welcome Banner text (kudos to @​stuebingerb)
• #​2279: Hiding button to launch hacking instructor from Score Board when hackingInstructor.isEnabled is false
• #​2279: Hiding or disabling button to launch coding challenge from Score Board according to challenges.codingChallengesEnabled being never, always or solved

v17.0.0

Compare Source

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

🎯 Challenges

• #​2198: Added new Security Advisory ⭐⭐⭐-challenge

🎨 UI

• Removed legacy Score Board and all related settings and services (⚠️)
• Removed re-routing of legacy challenge=<name> parameter obsoleted by https://github.com/OWASP/OpenCRE/pull/467 (⚠️)

🧹 Housekeeping

• Changed back to libxmljs because libxmljs2 is no longer maintained
  • Installation from source on Node.js 18-20 will download pre-built binaries for the underlying C++ library as in libxmljs2
  • Installation from source code on Node.js >20 currently requires C++ binaries to be built during installation (⚠️)

💾 Local Backup

• Removed scoreBoard subsection from backup format along with removal of legacy Score Board (compatible with the version: 1 backup format as the subsection from older exports would now simply be ignored during import)

🕵️ Cheat Detection

• Further pre-solve interactions after the first with the same expected URL will no longer be counted
• Cheat score is increased by half the percentage of missing expected pre-solve interactions with the server

🎭 Custom Theming

• Adjusted image URLs in 7ms theme and extended with photo wall entries and new products

🐳 Docker

• #​2447: Significantly reduce Docker image size by omitting unneeded dependencies

v16.0.1

Compare Source

🐛 Bugfixes

• #​2236: Updated links to Authorization Cheat Sheet as successor of deprecated Access Control Cheat Sheet (kudos to @​bceylan)
• 992780c: Fixed null-unsafe property access during JWT decoding

v16.0.0

Compare Source

This release brings technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

👟 Runtime

• Added support for Node.js 21.x
• Removed support for Node.js 16.x and no longer provide packaged distributions for this version (⚠️)
• Removed inofficial support for Node.js 17.x

🎨 UI

• 1946f2e: The new Score Board introduced with v15.1.0 is now the default
• Inverted banners and option to switch layouts to allow setting the legacy Score Board as default
• #​2152: Enchanced scrolling behavior in Coding Challenge modal to keep buttons always visible (kudos to @​bogminic)

🕵️ Cheat Detection

• #​2150: Switched to median instead of average to calculate total cheat score
• Monitor and report on expected URL interactions to happen before related challenges are solved (no score impact yet)

🔙 Backward compatibility

• #​2149: Links to /#/score-board?challenge=<name> will now be rewritten into /#/score-board?searchQuery= to keep existing OpenCRE links working

⚙️ DevOps Automation

• Update default Node.js version for non-matrix build jobs to 20.x
• Update Node.js version in base Docker images to 20.x

v15.3.0

Compare Source

🎨 User Interface

• #​2116: Introduced full responsiveness to Digital Wallet, Crypto Wallet, Token Sale, Juicy Chatbot SBT, Web3 Code Sandbox, and Bee Haven screens (kudos to @​rishabhkeshan)

👮 Startup Validations

• 98c1941: Added warning-only startup check for domains (on Internet) being reachable from the server
  • https://www.alchemy.com/ is needed for the "Mint the Honeypot" and "Wallet Depletion" challenges

💾 Local Backup

• Added optional scoreBoard.scoreBoardVersion property to persist/restore score-board-version property from/to browser local storage

🐛 Bugfixes

• #​2120: Replaced all references github.com/bkimminich/juice-shop with github.com/juice-shop/juice-shop

⚙️ DevOps Automation

• #​2115: Unstuck Angular installation in configuration for GitHub Codespaces (kudos to @​MatteoGheza)

🌐 I18N

• #​2105: Add translation support for Crypto Wallet screen
• Add translation support for Web3 Code Sandbox screen
• Add translation support for Bee Haven and Juicy Chatbot SBT screen (kudos to @​MatteoGheza)
• Extended 🇨🇳, 🇹🇷 and 🇩🇪 translations
• Added 🇧🇩 to language dropdown

v15.2.1

Compare Source

🐛 Bugfixes

• Added pinned dependency on "zustand": "4.4.1" to avoid build error due to subdependency issue https://github.com/pmndrs/zustand/discussions/2095

v15.2.0

Compare Source

🎯 Challenges

• #​2091: Added accompanying coding challenge for "Web3 Sandbox" challenge
• Added related OWASP Cheat Sheets as mitigation links to several challenges
• #​2100: Added tag "Internet Traffic" to mark challenges which require the Juice Shop server to call hosts on the Internet

🎨 User Interface

• Added tag description as tooltip on new Score Board

🐛 Bugfixes

• #​2100: Failing to connect with Smart Contracts on infura.io will no longer crash the server on startup but trigger non-blocking retry loop
  • Challenges "Mint the Honeypot" and "Wallet Depletion" are unsolvable if connection to infura.io cannot be established
• Non-.ts codefix files are now protected via the RSN

⚙️ DevOps Automation

• Updated and pinned all GitHub Actions (except CodeQL) to latest compatible versions

v15.1.0

Compare Source

🚨 This release accidentally introduced a technical breaking change in a minor release! 🚨 The application server now requires Internet access (📡) and must be able to reach https://sepolia.infura.io where Smart Contracts for some of the Web3 challenges are deployed!

🎨 UI

• #​2043: Added fully re-designed Score Board with option pick preferred and switch between old and new version
• #​2027: Reduced load time of old Score Board significantly by pre-fetching FontAwesome icons only once

🎯 Challenges

• Added Web3 challenge suite (kudos to our GSoC 2023 student @​rishabhkeshan)
  • #​2066: Added "Web3 Sandbox" ⭐-challenge
  • #​2029: Added "NFT Takeover" ⭐⭐-challenge
  • #​2050: Added "Mint the Honey Pot" ⭐⭐⭐-challenge (📡)
  • #​2064: Added "Wallet Depletion" ⭐⭐⭐⭐⭐⭐-challenge (📡)
• Added new "Web3" tag for challenges
• Changed hint URLs for all challenges to match new site structure in companion guide

🛡️Security

• #​2028: Added OWASP CycloneDX SBOMs for backend and frontend (kudos to @​jkowalleck)

🧪 Testing

• #​2077: Migrated end-to-end test suite from Cypress 9.x to 11.x
• Upgraded to v0.9.0 of ZAP Baseline Scan GitHub Action

🐛 Bugfixes

• #​2081: Fixed issues with libxml4js in Docker images for ARM processors
• #​2015: Fixed auto-scrolling issue in chatbot window to keep submit button visible (kudos to @​parthn2)
• #​2049: Fixed issue with newst release of flag-icons module by switching from SASS to CSS inclusion (kudos to @​RobertoBorges)
• #​2060: Fixed issue where "Local File Read" challenge was solved without actual success and success notifications could be spammed
• 1fb0f12: Treat "Mass Dispel" as a trivial challenge during cheat detection

🌐 I18N

• Extended and corrected 🇳🇱 translation (kudos to @​eric-nieuwland)
• Extended 🇧🇷, 🇷🇴, 🇮🇹 and 🇹🇷 translations

v15.0.0

Compare Source

This release brings technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

👟 Runtime

• Added support for Node.js 20.x
• Removed support for Node.js 14.x (and 19.x) and no longer provide packaged distributions for these versions (⚠️)
• Removed inofficial support for Node.js 15.x

🎯 Challenges

• #​1958: Added "Empty User Registration" challenge (⭐⭐) to Improper Input Validation category (kudos to @​Freedisch)

🎮 Cheat Detection

• #​1996: Coding challenges with overlapping code snippets are less likely to count as cheating when solved in quick succession (kudos to @​sohamparate)

🏰 Security

• Updated juicy-chat-bot library to fix CVE-2023-29017 vulnerability

🐛 Bugfixes

• Confetti cannon no longer fires for solved hacking challenges when challenges.showSolvedNotifications: false is configured

🗺️ I18N

• Extend 🇧🇩, 🇷🇺, 🇹🇷 and 🇲🇲 translations

v14.5.1

Compare Source

🐛 Bugfixes

• Disabled pagination for all finale-rest API endpoints to make challenges >100 show up on the Score Board
• Code diff component in Coding Challenge Fix it screen now remembers Side-by-Side vs. Line-by-Line UI settings (kudos to @​Coder-Manan)

🗺️ I18N

• Added support for 🇮🇪 language
• Extended 🇨🇭 translation

v14.5.0

Compare Source

This release brings technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

🐳 Docker

• Removed dedicated Docker image for 32bit ARM processors due to compatibility issues and Node.js 14.x approaching end-of-life (⚠️)

👨‍💻 Coding Challenges

• #​1913: Added coding challenge to Weak Password challenge

🐛 Bugfixes

• #​1948: Fixed alignment of checkboxes with code lines in Find It tab of Coding Challenges

🗺️ I18N

• Extendend 🇯🇵 and 🇮🇱 translations

v14.4.0

Compare Source

🎨 Angular

• #​1925 Migrated frontend to Angular 15 (kudos to @​Freedisch)

🐳 Docker

• ce7a3c5: Build Docker images for linux/amd64 and linux/arm64 on Node.js 18.x instead of 16.x

💡 Features

• #​1935: Continue codes for local backup are now retrieved from server using cookie value as fallback (kudos to @​nitishdewan)
• Added customizable NFT URL to "About Us" page
• Added static NFT URL to "Merchandise" section of "My Payment Options" page

🎭 Customization

• Added application.social.nftUrl configuration property to define NFT URL (by default https://opensea.io/collection/juice-shop)

🐛 Bugfixes

• #​1928: Now checking presence of JWT token before attempting verification
• #​1927: Fixed issues with sizing and placement of icons on Deluxe Membership screen
• Loading spinner on Score Board screen is now showing its timer animation again

⚙️ DevOps Automation

• Switched default Node.js version for non-matrix jobs of CI/CD pipeline from 16.x to 18.x

🌐 I18N

• Extended 🇷🇴, 🇫🇷 and 🇨🇳 translations

v14.3.1

Compare Source

🐛 Bugfixes

• #​1918: Updated file upload library to fix vulnerability against CVE-2022-24434 (kudos to @​JanStorm)
• #​1909: Fixed occassional application server crash when working on Kill Chatbot challenge

🌐 I18N

• Extended 🇸🇪 translation

v14.3.0

Compare Source

🎯 Challenges

• Added Mass Dispel challenge to teach the use of closing multiple "Challenge solved"-notifications in one go
• #​1891: Correctly distinguish XXE Data Access challenge success conditions for Windows, Linux and MacOS systems (kudos to @​StephanPillhofer)

🐛 Bugfixes

• #​1892: Fixed race condition between initializations of SQLite DB and Prometheus metrics (kudos to @​matt-moses)
• #​1868: Extended hint with recommendation to use older browser version for CSRF challenge
• #​1885: Add safeguard against null pointer while checking Database Schema solution

🌐 I18N

• Extended 🇩🇪 and 🇨🇳 translations

v14.2.1

Compare Source

🔥 Hotfixes

#​1876: Bypass isGitpod() check to prevent unintended disabling of dangerous challenges in any environment (workaround until https://github.com/dword-design/is-gitpod/issues/94 is resolved)

v14.2.0

Compare Source

🏃‍♂️Runtime

• #​1849: Added Gitpod installation instructions (kudos to @​knut-erik)

🎯 Challenges

• Timespan for CAPTCHA Bypass challenge has been increased from 10sec to 20sec
• Reduced requirements for XXE Data Access challenge success check on Windows and Linux

🐳 Docker

• #​1850: latest-arm, snapshot-arm and vX.Y.Z-arm images are no longer built for linux/arm64 (⚠️)

🌐 I18N

• Extended 🇯🇵, 🇨🇳, 🇩🇪 and 🇮🇱 translations

v14.1.1

Compare Source

🐳 Docker

• Docker images for linux/arm are now also built under Node 16.x as vX.Y.Z tags

v14.1.0

Compare Source

🎨 Frontend

• Migrated frontend to Angular 14 and Angular Material 14

🎭 Theming

• Added application.securityTxt.hiring property as hiring field in security.txt and as X-Recruiting HTTP header

🐳 Docker

• #​1810: Switched from alpine to distroless runtime image
• #​1810: Reduced size of compressed image from 276.02 MiB → 175.59 MiB (uncompressed: 762MB → 509MiB)

🐛 Bugfixes

• #​1755: Now waiting for all entity models to be defined before attempting to create database tables
• #​1755: Now safeguarding against race condition leading to missing tables inside Prometheus metrics update loop

🧪 Testing

• Introduced Cypress end-to-end test framework as future full replacement for (end-of-life) Protractor
• Partially replaced Protractor-based e2e tests with Cypress tests

v14.0.1

Compare Source

🔥 Hotfix

• #​1815: Fixed path to a core-js subcomponent in polyfills.ts

v14.0.0

Compare Source

This release brings technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

👟 Runtime

• Added support for Node.js 18.x
• Removed support for Node.js 12.x and 17.x and no longer provide packaged distributions for these versions (⚠️)
• Removed inofficial support for Node.js 13.x

🎭 Customization

• 89fd86b: Playback speed of tutorial hints can be adjusted by setting hackingInstructor.hintPlaybackSpeed property to faster/slower (±50%), fast/slow (±25%) or leaving it normal

👨‍🏫 Hacking Instructor

• #​1785: Skippable hints will now by skipped on double-click instead of single-click to avoid accidental skipping
• Skippable hints will now show a tooltip "Double-click to skip" when hovered over

⚙️ DevOps Automation

• Split CI/CD job test into test (for unit tests), api-test (for Frisby.js) and coverage-report (for Codeclimate merge and upload)

🧹 Technical Debt Reduction

• #​1757: All sequelize ORM models have been migrated to TypeScript (kudos to @​ShubhamPalriwala)
• b7a2edb: Cache of Refactoring Safety Net (RSN) is now stored in pretty-printed format
• #​1798: Converted insecurity.js into TypeScript (kudos to @​ShubhamPalriwala)

🐛 Bugfixes

• #​1793: Fixed base path to video from frontend/src/ to frontend/dist/frontend/ as the source folder should never be referenced
• #​1786: Errors from tampering with Deluxe Membership payment are now more gracefully handled
• #​1797: Preventing likes of non-existing product reviews which previously caused a server crash
• #​1801: Vagrant box now exposes application under http://192.168.56.110 to avoid issues on MacOS and Linux with IPs not in 192.168.56.0/21 network (⚠️)

🌐 I18N

• Extended 🇫🇷 and 🇷🇺 translations