Merge branch 'juice-shop:master' into master

.github/workflows/ci.yml

@@ -25,7 +25,7 @@ jobs:
     steps:
       - name: "Check out Git repository"
         uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
-      - name: "Use Node.js 16"
+      - name: "Use Node.js 18"
         uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available
         with:
           node-version: 18
@@ -57,7 +57,7 @@ jobs:
     steps:
       - name: "Check out Git repository"
         uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
-      - name: "Use Node.js 16"
+      - name: "Use Node.js 18"
         uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available
         with:
           node-version: 18
@@ -72,7 +72,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
-        node-version: [14, 16, 18, 19]
+        node-version: [16, 18, 20]
     steps:
       - name: "Check out Git repository"
         if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16'
@@ -112,7 +112,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
-        node-version: [14, 16, 18, 19]
+        node-version: [16, 18, 20]
     steps:
       - name: "Check out Git repository"
         if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16'
@@ -184,7 +184,7 @@ jobs:
     steps:
       - name: "Check out Git repository"
         uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
-      - name: "Use Node.js 16"
+      - name: "Use Node.js 18"
         uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available
         with:
           node-version: 18
@@ -220,7 +220,7 @@ jobs:
     steps:
       - name: "Check out Git repository"
         uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
-      - name: "Use Node.js 16"
+      - name: "Use Node.js 18"
         uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available
         with:
           node-version: 18
@@ -261,7 +261,7 @@ jobs:
     steps:
       - name: "Check out Git repository"
         uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available
-      - name: "Use Node.js 16"
+      - name: "Use Node.js 18"
         uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available
         with:
           node-version: 18

.github/workflows/release.yml

@@ -9,7 +9,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
-        node-version: [14, 16, 18]
+        node-version: [16, 18, 20]
     steps:
       - name: "Check out Git repository"
         uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available

Dockerfile

@@ -25,7 +25,7 @@ LABEL maintainer="Bjoern Kimminich <[email protected]>" \
     org.opencontainers.image.vendor="Open Web Application Security Project" \
     org.opencontainers.image.documentation="https://help.owasp-juice.shop" \
     org.opencontainers.image.licenses="MIT" \
-    org.opencontainers.image.version="14.5.1" \
+    org.opencontainers.image.version="15.0.0" \
     org.opencontainers.image.url="https://owasp-juice.shop" \
     org.opencontainers.image.source="https://github.com/juice-shop/juice-shop" \
     org.opencontainers.image.revision=$VCS_REF \

HALL_OF_FAME.md

@@ -11,7 +11,7 @@
 
 ## GitHub Contributors
 
-As reported by [`git-stats -a -s '2014'`](https://www.npmjs.com/package/git-stats) analysis of `master` as of Tue, 14 Feb
+As reported by [`git-stats -a -s '2014'`](https://www.npmjs.com/package/git-stats) analysis of `master` as of Fri, 19 May
 2023 after deduplication with `.mailmap`.
 
 ![Top git contributors](screenshots/git-stats.png)
@@ -63,12 +63,6 @@ Giovanni (cruzgio), Alexander Nissen (Nissen96), fabrizio1979, OrNol (TRNSRL), J
   of [@SecureState](https://github.com/SecureState))
 * Wallpaper artworks by Mike Branscum (courtesy of
   [@daylightstudio](https://github.com/daylightstudio))
-* [Pwning OWASP Juice Shop](https://leanpub.com/juice-shop) cover artwork
-  by [Patch Kroll](https://99designs.de/profiles/3099878)
-* [Banner](https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop/banners)
-  and
-  [flyer](https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop/flyers)
-  artwork by [logicainfo](https://99designs.de/profiles/logicainfo)
 * Official
   [OWASP Juice Shop Jingle](https://soundcloud.com/braimee/owasp-juice-shop-jingle)
   written and performed by [Brian Johnson](https://github.com/braimee)
@@ -77,6 +71,15 @@ Giovanni (cruzgio), Alexander Nissen (Nissen96), fabrizio1979, OrNol (TRNSRL), J
 * Admin profile picture artworks by Kharisma Mulyana (courtesy of
   [Timo Pagel](https://github.com/wurstbrot/))
 
+Additional thanks goes to the contractors we were able to hire for specific work packages over the years with OWASP funding:
+
+* [Pwning OWASP Juice Shop](https://leanpub.com/juice-shop) cover artwork
+  by [Patch Kroll](https://99designs.de/profiles/3099878)
+* [Banner](https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop/banners)
+  and
+  [flyer](https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop/flyers)
+  artwork by [logicainfo](https://99designs.de/profiles/logicainfo)
+
 ## Stargazers (over time)
 
 [![Stargazers over time](https://starchart.cc/juice-shop/juice-shop.svg)](https://starchart.cc/juice-shop/juice-shop)

README.md

@@ -216,9 +216,7 @@ offered accordingly.
 | 18.x    | :heavy_check_mark:   | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`)     | `latest` (`linux/amd64`, `linux/arm64`)          | `snapshot` (`linux/amd64`, `linux/arm64`)         |
 | 17.x    | (:heavy_check_mark:) | :x:                |                                                   |                                                  |                                                   |
 | 16.x    | :heavy_check_mark:   | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`)     |                                                  |                                                   |
-| 15.x    | (:heavy_check_mark:) | :x:                |                                                   |                                                  |                                                   |
-| 14.x    | :heavy_check_mark:   | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`)     |                                                  | `                                                 |
-| <14.x   | :x:                  | :x:                |                                                   |                                                  |                                                   |
+| <16.x   | :x:                  | :x:                |                                                   |                                                  |                                                   |
 
 Juice Shop is automatically tested _only on the latest `.x` minor version_ of each node.js version mentioned above!
 There is no guarantee that older minor node.js releases will always work with Juice Shop!

REFERENCES.md

@@ -11,6 +11,26 @@ mentioned or used!
 > tackling these challenges yourself! :mega: marks short friendly shout
 > outs. Finally, the :dollar: bill marks commercial resources.
 
+## Table of contents
+
+* [Awards](#awards--trophy-)
+* [Web Links](#web-links)
+  + [Pod- & Webcasts](#pod---webcasts)
+  + [Blogs & Articles](#blogs--articles)
+* [Lectures and Trainings](#lectures-and-trainings)
+* [Summits & Open Source Events](#summits--open-source-events)
+  + [Google Summer of Code](#googlesummerofcode)
+* [Conference and Meetup Appearances](#conference-and-meetup-appearances)
+  - [2023](#2023)
+  - [2022](#2022)
+  - [2021](#2021)
+  - [2020](#2020)
+  - [2019](#2019)
+  - [2018](#2018)
+  - [2017](#2017)
+  - [2016](#2016)
+  - [2015](#2015)
+
 ## Awards :trophy:
 
 * [Heroku Button of the Month](https://hello.heroku.com/webmail/36622/679286305/8049a634b1a01b0aa75c0966325856dc9a463b7f1beeb6a2f32cbb30248b5bc6)
@@ -280,11 +300,16 @@ mentioned or used!
 
 ## Conference and Meetup Appearances
 
+> Upcoming events are marked with :date:. The availability of link destinations for past events cannot be guaranteed. 
+
 #### 2023
 
-* [Squeezing the last drop out of OWASP Juice Shop](https://owasp2023globalappsecdublin.sched.com/event/1FWfq/squeezing-the-last-drop-out-of-owasp-juice-shop) by Björn Kimminich, [OWASP 2023 Global AppSec Dublin](https://dublin.globalappsec.org/), 15.02.2023 [YouTube](https://youtu.be/m1f2fPC8hLU)
+* :date: [Track keynote: OWASP Juice Shop](https://sikkerhetsfestivalen.no/program-2023) by Björn Kimminich, [Sikkerhetsfestivalen 2023](https://sikkerhetsfestivalen.no/). 29.08.2023
+* :date: [Juice Shop Update³](https://god.owasp.de/2023/schedule/index.html) by Björn Kimminich, [German OWASP Day 2023](https://god.owasp.de/2023). 31.05.2023
+* :date: [Juice Shop Training: Train the Trainer Edition](https://god.owasp.de/2023/schedule/index.html) with Björn Kimminich, [German OWASP Day 2023](https://god.owasp.de/2023). 30.05.2023
 * [OWASP Juice Shop](https://www.meetup.com/owasp-chapter-netherlands-meetup/events/292323208)
-  by Björn Kimminich, [April 2023 OWASP Chapter Netherlands Meetup](https://www.meetup.com/owasp-chapter-netherlands-meetup/), 20.04.2023
+  by Björn Kimminich, [April 2023 OWASP Chapter Netherlands Meetup](https://www.meetup.com/owasp-chapter-netherlands-meetup/), 20.04.2023 [YouTube](https://www.youtube.com/live/Bhp3LpgtNZ4?feature=share&t=3856)
+* [Squeezing the last drop out of OWASP Juice Shop](https://owasp2023globalappsecdublin.sched.com/event/1FWfq/squeezing-the-last-drop-out-of-owasp-juice-shop) by Björn Kimminich, [OWASP 2023 Global AppSec Dublin](https://dublin.globalappsec.org/), 15.02.2023  [YouTube](https://youtu.be/m1f2fPC8hLU)
 
 #### 2022
 
@@ -553,3 +578,6 @@ mentioned or used!
   by Björn Kimminich,
   [17. OWASP Stammtisch Hamburg](http://lanyrd.com/2015/owasp-de/), 27.01.2015
 
+## Usage in Tools & Products
+
+* [How to try GitHub Advanced Security with your team](https://resources.github.com/security/tools/ghas-trial/) uses Juice Shop as an example for CI/CD integration in [Code scanning in action with Juice Shop](https://resources.github.com/security/tools/ghas-trial/#code-scanning-in-action-with-juice-shop) 

SECURITY.md

@@ -12,8 +12,8 @@ We provide security patches for the latest released minor version.
 
 | Version | Supported          |
 |:--------|:-------------------|
-| 14.5.x  | :white_check_mark: |
-| <14.5   | :x:                |
+| 15.0.x  | :white_check_mark: |
+| <15.0   | :x:                |
 
 ## Reporting a Vulnerability
 

SOLUTIONS.md

@@ -15,6 +15,12 @@ file and open a PR! The same goes for any scripts or automated tools you made fo
 > that a solution/script/tool is supposedly working with or that a video
 > guide/solution was recorded for.
 
+## Table of contents
+
+* [Hacking Videos](#hacking-videos)
+* [Walkthroughs](#walkthroughs)
+* [Scripts & Tools](#scripts--tools)
+
 ## Hacking Videos
 
 * [How to Solve Juiceshop Challenges - Intern Talks](https://www.youtube.com/watch?v=dqxdbIWFD5c) by [Indian Servers University](https://www.youtube.com/c/IndianServersUniversity) (🧃`v11.x`)
@@ -140,7 +146,7 @@ file and open a PR! The same goes for any scripts or automated tools you made fo
       [7MS #229: Intro to Docker for Pentesters](https://7ms.us/7ms-229-intro-to-docker-for-pentesters/)
       ([Youtube](https://youtu.be/WIpxvBpnylI?t=407))
 
-### Walkthroughs
+## Walkthroughs
 
 * Blog post (:myanmar:) on [LOL Security](http://location-href.com/):
   [Juice Shop Walkthrough](http://location-href.com/owasp-juice-shop-walkthroughs/)
@@ -149,7 +155,7 @@ file and open a PR! The same goes for any scripts or automated tools you made fo
   [Hacking(and automating!) the OWASP Juice Shop](https://incognitjoe.github.io/hacking-the-juice-shop.html)
   (🧃`v2.x`)
 
-### Scripts & Tools
+## Scripts & Tools
 
 * [Session management script for OWASP Juice Shop](https://github.com/zaproxy/zaproxy/blob/master/zap/src/main/dist/scripts/templates/session/Juice%20Shop%20Session%20Management.js)
   distributed as a scripting template with

config.schema.yml

@@ -106,8 +106,7 @@ application:
     clientId:
       type: string
     authorizedRedirects:
-      -
-        uri:
+      - uri:
           type: string
         proxy:
           type: string
@@ -138,8 +137,7 @@ hackingInstructor:
   hintPlaybackSpeed:
     type: string
 products:
-  -
-    name:
+  - name:
       type: string
     price:
       type: number
@@ -164,17 +162,14 @@ products:
     fileForRetrieveBlueprintChallenge:
       type: string
     exifForBlueprintChallenge:
-      -
-        type: string
+      - type: string
     reviews:
-      -
-        text:
+      - text:
           type: string
         author:
           type: string
 memories:
-  -
-    image:
+  - image:
       type: string
     caption:
       type: string
@@ -699,3 +694,8 @@ ctf:
         type: string
       code:
         type: string
+    emptyUserRegistration:
+      name:
+        type: string
+      code:
+        type: string

config/fbctf.yml

@@ -318,3 +318,6 @@ ctf:
     closeNotificationsChallenge:
       name: Zambia
       code: ZM
+    emptyUserRegistration:
+      name: Kenya
+      code: KE

data/datacreator.ts

@@ -21,15 +21,15 @@ import { SecurityQuestionModel } from '../models/securityQuestion'
 import { UserModel } from '../models/user'
 import { WalletModel } from '../models/wallet'
 import { Address, Card, Challenge, Delivery, Memory, Product, SecurityQuestion, User } from './types'
+import logger from '../lib/logger'
+import config from 'config'
+import path from 'path'
+import * as utils from '../lib/utils'
 const datacache = require('./datacache')
-const config = require('config')
-const utils = require('../lib/utils')
 const mongodb = require('./mongodb')
 const security = require('../lib/insecurity')
-const logger = require('../lib/logger')
 
 const fs = require('fs')
-const path = require('path')
 const util = require('util')
 const { safeLoad } = require('js-yaml')
 const Entities = require('html-entities').AllHtmlEntities
@@ -93,7 +93,7 @@ async function createChallenges () {
           hint: showHints ? hint : null,
           hintUrl: showHints ? hintUrl : null,
           mitigationUrl: showMitigations ? mitigationUrl : null,
-          disabledEnv: config.get('challenges.safetyOverride') ? null : effectiveDisabledEnv,
+          disabledEnv: config.get<boolean>('challenges.safetyOverride') ? null : effectiveDisabledEnv,
           tutorialOrder: tutorial ? tutorial.order : null,
           codingChallengeStatus: 0
         })
@@ -236,7 +236,7 @@ async function createRandomFakeUsers () {
 
 async function createQuantity () {
   return await Promise.all(
-    config.get('products').map(async (product: Product, index: number) => {
+    config.get<Product[]>('products').map(async (product: Product, index: number) => {
       return await QuantityModel.create({
         ProductId: index + 1,
         quantity: product.quantity !== undefined ? product.quantity : Math.floor(Math.random() * 70 + 30),
@@ -262,7 +262,7 @@ async function createMemories () {
       if (utils.isUrl(memory.image)) {
         const imageUrl = memory.image
         tmpImageFileName = utils.extractFilename(memory.image)
-        utils.downloadToFile(imageUrl, 'frontend/dist/frontend/assets/public/images/uploads/' + tmpImageFileName)
+        void utils.downloadToFile(imageUrl, 'frontend/dist/frontend/assets/public/images/uploads/' + tmpImageFileName)
       }
       if (memory.geoStalkingMetaSecurityQuestion && memory.geoStalkingMetaSecurityAnswer) {
         await createSecurityAnswer(datacache.users.john.id, memory.geoStalkingMetaSecurityQuestion, memory.geoStalkingMetaSecurityAnswer)
@@ -296,7 +296,7 @@ async function createProducts () {
     if (utils.isUrl(product.image)) {
       const imageUrl = product.image
       product.image = utils.extractFilename(product.image)
-      utils.downloadToFile(imageUrl, 'frontend/dist/frontend/assets/public/images/products/' + product.image)
+      void utils.downloadToFile(imageUrl, 'frontend/dist/frontend/assets/public/images/products/' + product.image)
     }
     return product
   })
@@ -607,7 +607,7 @@ async function createSecurityAnswer (UserId: number, SecurityQuestionId: number,
 }
 
 async function createOrders () {
-  const products = config.get('products')
+  const products = config.get<Product[]>('products')
   const basket1Products = [
     {
       quantity: 3,

data/static/challenges.yml

@@ -223,6 +223,15 @@
   hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#perform-an-unwanted-information-disclosure-by-accessing-data-cross-domain'
   mitigationUrl: ~
   key: emailLeakChallenge
+-
+  name: 'Empty User Registration'
+  category: 'Improper Input Validation'
+  description: 'Register a user with an empty email and password.'
+  difficulty: 2
+  hint: 'Consider intercepting and playing with the request payload.'
+  hintUrl: https://pwning.owasp-juice.shop/part2/improper-input-validation.html#register-a-user-account-with-an-empty-email-and-password
+  mitigationUrl: ~
+  key: emptyUserRegistration
 -
   name: 'Ephemeral Accountant'
   category: 'Injection'

data/static/codefixes/exposedMetricsChallenge_1.ts

@@ -18,10 +18,10 @@ export async function start (readyCallback: Function) {
   metricsUpdateLoop = Metrics.updateLoop()
 
   server.listen(port, () => {
-    logger.info(colors.cyan(`Server listening on port ${colors.bold(port)}`))
+    logger.info(colors.cyan(`Server listening on port ${colors.bold(`${port}`)}`))
     startupGauge.set({ task: 'ready' }, (Date.now() - startTime) / 1000)
     if (process.env.BASE_PATH !== '') {
-      logger.info(colors.cyan(`Server using proxy base path ${colors.bold(process.env.BASE_PATH)} for redirects`))
+      logger.info(colors.cyan(`Server using proxy base path ${colors.bold(`${process.env.BASE_PATH}`)} for redirects`))
     }
     registerWebsocketEvents(server)
     if (readyCallback) {

data/static/codefixes/exposedMetricsChallenge_2.ts

@@ -15,10 +15,10 @@ export async function start (readyCallback: Function) {
   process.env.BASE_PATH = process.env.BASE_PATH ?? config.get('server.basePath')
 
   server.listen(port, () => {
-    logger.info(colors.cyan(`Server listening on port ${colors.bold(port)}`))
+    logger.info(colors.cyan(`Server listening on port ${colors.bold(`${port}`)}`))
     startupGauge.set({ task: 'ready' }, (Date.now() - startTime) / 1000)
     if (process.env.BASE_PATH !== '') {
-      logger.info(colors.cyan(`Server using proxy base path ${colors.bold(process.env.BASE_PATH)} for redirects`))
+      logger.info(colors.cyan(`Server using proxy base path ${colors.bold(`${process.env.BASE_PATH}`)} for redirects`))
     }
     registerWebsocketEvents(server)
     if (readyCallback) {