diff --git a/.devcontainer.json b/.devcontainer.json index d7ae27d0081..a81e1e9d0ba 100644 --- a/.devcontainer.json +++ b/.devcontainer.json @@ -10,5 +10,5 @@ { "mode": "auto" } ] }, - "postCreateCommand": "export NG_CLI_ANALYTICS=ci && npm i -g @angular/cli && npm install" + "postCreateCommand": "export NG_CLI_ANALYTICS=ci && export NG_FORCE_TTY=false && npm i -g @angular/cli && npm install && unset NG_FORCE_TTY" } \ No newline at end of file diff --git a/.dockerignore b/.dockerignore index 5f114213be6..4fcadbb6509 100644 --- a/.dockerignore +++ b/.dockerignore @@ -9,6 +9,8 @@ vagrant/ logs/ Dockerfile .npmrc +/bom.json +/bom.xml # Pattern is *not covered* by node_modules/ above no matter what IntelliJ says! frontend/node_modules/ diff --git a/.eslintrc.js b/.eslintrc.js index 53256ad96ce..29131f75e72 100644 --- a/.eslintrc.js +++ b/.eslintrc.js @@ -33,13 +33,13 @@ module.exports = { parser: '@typescript-eslint/parser', rules: { 'no-void': 'off', // conflicting with recommendation from @typescript-eslint/no-floating-promises - // FIXME warnings below this line need to be checked and fixed. Line end comments below are number of findings per rule on 02.05.2022 - '@typescript-eslint/no-misused-promises': 'off', // 1 - '@typescript-eslint/explicit-function-return-type': 'off', // 197 - '@typescript-eslint/restrict-plus-operands': 'off', // 250 - '@typescript-eslint/strict-boolean-expressions': 'off', // 337 - '@typescript-eslint/restrict-template-expressions': 'off', // 395 - '@typescript-eslint/no-var-requires': 'off' // 509 + // FIXME warnings below this line need to be checked and fixed. + '@typescript-eslint/no-misused-promises': 'off', + '@typescript-eslint/explicit-function-return-type': 'off', + '@typescript-eslint/restrict-plus-operands': 'off', + '@typescript-eslint/strict-boolean-expressions': 'off', + '@typescript-eslint/restrict-template-expressions': 'off', + '@typescript-eslint/no-var-requires': 'off' } } ] 
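Review bot: The rewritten `postCreateCommand` still installs `@angular/cli` without a version, while ci.yml in this same commit pins it to `@angular/cli@$ANGULAR_CLI_VERSION` (15), so a freshly built devcontainer can land on a different CLI major than CI; `npm i -g @angular/cli@15` keeps the two aligned. The trailing `unset NG_FORCE_TTY` is harmless but buys nothing: the export and the unset run in the same one-shot shell, which exits right after, so the variable never outlives the command either way.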
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index a27a89de4b5..2aab30e2e14 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,2 +1,3 @@ /vagrant/ @wurstbrot /test/cypress/ @ShubhamPalriwala +/frontend/src/app/score-board-preview @J12934 diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index a9e46ed8cd7..1339029b272 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -4,7 +4,9 @@ You can expedite processing of your PR by using this template to provide context and additional information. Before actually opening a PR please make sure that it does NOT fall into any of the following categories -🚫 Spam PRs (accidental or intentional) - see https://pwning.owasp-juice.shop/part3/contribution.html#handling-of-spam-prs for more information +🚫 Spam PRs (accidental or intentional) - these will result in a 7 / 30 / ∞ days ban from +interacting with the project depending on reoccurrence and severity. You can find more +information [here](https://pwning.owasp-juice.shop/companion-guide/latest/part3/contribution.html#_handling_of_spam_prs). 🚫 Lazy typo fixing PRs - if you fix a typo in a file, your PR will only be merged if all other typos in the same file are also fixed with the same PR diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 24e29c16786..064fc484cd1 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -18,15 +18,16 @@ on: - 'data/static/i18n/*.json' - 'frontend/src/assets/i18n/*.json' env: - ANGULAR_CLI_VERSION: 13 + ANGULAR_CLI_VERSION: 15 + CYCLONEDX_NPM_VERSION: '^1.12.0' jobs: lint: runs-on: ubuntu-latest steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Use Node.js 18" - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1 with: node-version: 18 - name: "Install CLI tools" @@ -56,9 +57,9 @@ jobs: runs-on: windows-latest steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Use Node.js 18" - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1 with: node-version: 18 - name: "Install CLI tools" 
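Review bot: `CYCLONEDX_NPM_VERSION: '^1.12.0'` is a semver range, so the later `npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION` resolves to whichever 1.x is newest at run time; the tool that produces the SBOM floats while every action in this commit is being moved to a commit SHA. An exact value, `CYCLONEDX_NPM_VERSION: '1.12.0'`, makes the generated bom reproducible and lets the bump be reviewed like the action pins. The same variable is forwarded as a Docker build-arg further down this file, so the image build inherits the drift too.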
@@ -71,26 +72,26 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [ubuntu-latest, windows-latest, macos-latest] + os: [ubuntu-latest, macos-latest] # FIXME: Removed "windows-latest" due to 'Error: ENOENT: no such file or directory, open' error breaking at least on Node 20.0 constantly node-version: [16, 18, 20] steps: - name: "Check out Git repository" - if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Use Node.js ${{ matrix.node-version }}" - if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1 with: node-version: ${{ matrix.node-version }} - name: "Install CLI tools" - if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION - name: "Install application" - if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 
'ubuntu-latest' && matrix.node-version == '16' + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') run: npm install - name: "Execute unit tests" - if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' - uses: nick-invision/retry@45ba062d357edb3b29c4a94b456b188716f61020 #v2: 2.4.1 available + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') + uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd #v2.8.3 with: timeout_minutes: 15 max_attempts: 3 @@ -100,8 +101,8 @@ jobs: cp build/reports/coverage/frontend-tests/lcov.info frontend-lcov.info cp build/reports/coverage/server-tests/lcov.info server-lcov.info - name: "Upload unit test coverage data" - if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 #v3: v3.0.0 available + if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18' + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 #v3.1.3 with: name: unit-test-lcov path: | 
@@ -115,38 +116,33 @@ jobs: node-version: [16, 18, 20] steps: - name: "Check out Git repository" - if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Use Node.js ${{ matrix.node-version }}" - if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1 with: node-version: ${{ matrix.node-version }} - name: "Install CLI tools" - if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION - name: "Install application" - if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') run: npm install - name: "Execute integration tests" - if: 
github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' - uses: nick-invision/retry@45ba062d357edb3b29c4a94b456b188716f61020 #v2: 2.4.1 available + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') + uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd #v2.8.3 + env: + NODE_ENV: test with: timeout_minutes: 5 max_attempts: 3 - command: | - if [ "$RUNNER_OS" == "Windows" ]; then - set NODE_ENV=test - else - export NODE_ENV=test - fi - npm run frisby - shell: bash + command: npm run frisby - name: "Copy API test coverage data" run: cp build/reports/coverage/api-tests/lcov.info api-lcov.info - name: "Upload API test coverage data" - if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 #v3: v3.0.0 available + if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18' + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 #v3.1.3 with: name: api-test-lcov path: | 
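Review bot: The `Copy API test coverage data` step in this hunk carries no `if:` guard, unlike every other step around it, so on a fork any matrix cell other than ubuntu-latest/Node 18 skips checkout, install and the frisby run but still executes `cp build/reports/coverage/api-tests/lcov.info api-lcov.info` against a missing file and fails the job. Guarding it with the same expression as the upload step that consumes the file, `if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18'`, avoids the spurious failure; I cannot see a job-level `if:` above the hunk that would already prevent this. Moving `NODE_ENV: test` into the step's `env:` is the right replacement for the removed shell branch.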
@@ -157,13 +153,13 @@ jobs: if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Download unit test coverage data" - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 #v3: v3.0.0 available + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a #v3.0.2 with: name: unit-test-lcov - name: "Download API test coverage data" - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 #v3: v3.0.0 available + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a #v3.0.2 with: name: api-test-lcov - name: "Publish coverage to Codeclimate" 
@@ -183,18 +179,18 @@ jobs: runs-on: ubuntu-latest steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Use Node.js 18" - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1 with: node-version: 18 - name: "Install CLI tools" run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION - name: "Install application" - if: github.repository == 'juice-shop/juice-shop' || github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '16' + if: github.repository == 'juice-shop/juice-shop' || (github.repository != 'juice-shop/juice-shop' && matrix.os == 'ubuntu-latest' && matrix.node-version == '18') run: npm install - name: "Execute server tests for each custom configuration" - uses: nick-invision/retry@45ba062d357edb3b29c4a94b456b188716f61020 #v2: 2.4.1 available + uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd #v2.8.3 with: timeout_minutes: 10 max_attempts: 3 @@ -219,9 +215,9 @@ jobs: fail-fast: false steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Use Node.js 18" - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1 with: node-version: 18 - name: "Install CLI tools" 
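Review bot: The `Install application` step in this hunk keeps `matrix.os == 'ubuntu-latest' && matrix.node-version == '18'` in its condition, yet the job as shown has `runs-on: ubuntu-latest` and no `strategy.matrix` (the neighbouring steps hard-code Node 18), so on a fork both `matrix.*` references are empty, the right-hand side of the `||` is false, `npm install` is skipped, and the custom-configuration server tests run without `node_modules`. Unless a matrix is defined above the hunk, the `if:` should be dropped entirely, like the other steps in this job which carry no condition. This looks like a copy of the guard from the matrix jobs rather than an intentional restriction.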
@@ -230,7 +226,7 @@ jobs: run: npm install - name: "Execute end-to-end tests on Ubuntu" if: ${{ matrix.os == 'ubuntu-latest' }} - uses: cypress-io/github-action@c662a784116e1a26360c4e1fc0a90feedb4b5ed3 #v3.1.0 + uses: cypress-io/github-action@59810ebfa5a5ac6fcfdcfdf036d1cd4d083a88f2 #v6.5.0 with: install: false browser: ${{ matrix.browser }} @@ -244,7 +240,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: "Execute end-to-end tests on Mac" if: ${{ matrix.os == 'macos-latest' }} - uses: cypress-io/github-action@c662a784116e1a26360c4e1fc0a90feedb4b5ed3 #v3.1.0 + uses: cypress-io/github-action@59810ebfa5a5ac6fcfdcfdf036d1cd4d083a88f2 #v6.5.0 with: install: false browser: ${{ matrix.browser }} @@ -260,24 +256,24 @@ jobs: runs-on: ubuntu-latest steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Use Node.js 18" - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1 with: node-version: 18 - name: "Install CLI tools" run: | npm install -g @angular/cli@$ANGULAR_CLI_VERSION + npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION npm install -g grunt-cli - name: "Set packaging options for Grunt" run: | echo "PCKG_OS_NAME=linux" >> $GITHUB_ENV - echo "PCKG_NODE_VERSION=14" >> $GITHUB_ENV + echo "PCKG_NODE_VERSION=18" >> $GITHUB_ENV echo "PCKG_CPU_ARCH=x64" >> $GITHUB_ENV - name: "Package application" run: | npm install --production - npm install -g grunt-cli npm run package:ci - name: "Unpack application archive" run: | 
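Review bot: The `Package application` step builds the release archive with `npm install --production`, which may rewrite `package-lock.json` rather than enforce it; for a packaging job that now also ships `bom.json` (per the Gruntfile change in this commit) the lockfile-enforcing form `npm ci --omit=dev` is the reproducible choice, provided the committed lockfile is in sync, which I cannot verify from here. The SBOM generator is installed from the `^1.12.0` range declared in `env:`, so the bom inside the archive is produced by whichever 1.x npm resolves on that day; an exact version there makes the artifact reproducible. Dropping the duplicate `npm install -g grunt-cli` and bumping `PCKG_NODE_VERSION` to 18 both look correct.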
@@ -294,7 +290,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Execute smoke test on Docker" run: docker-compose -f docker-compose.test.yml up --exit-code-from sut docker: @@ -303,13 +299,13 @@ jobs: runs-on: ubuntu-latest steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Set up QEMU" - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 #v1: V1.2.0 available + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 #v3.0.0 - name: "Set up Docker Buildx" - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 #v1 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 #v3.0.0 - name: "Login to DockerHub" - uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 #v1.10 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d #v3.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -323,7 +319,7 @@ jobs: echo "VCS_REF=`git rev-parse --short HEAD`" >> $GITHUB_ENV echo "BUILD_DATE=`date -u +”%Y-%m-%dT%H:%M:%SZ”`" >> $GITHUB_ENV - name: "Build and push for AMD64 and ARM64 processors" - uses: docker/build-push-action@a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229 #note: newer is available + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 #v5.0.0 with: context: . file: ./Dockerfile 
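Review bot: The `BUILD_DATE` line in the build-and-push hunk uses typographic quotes, `date -u +”%Y-%m-%dT%H:%M:%SZ”`; if those are literal U+201D characters in the file rather than an artifact of how this page was rendered, bash passes them through and the `org.opencontainers.image.created` label on the pushed image becomes `”2023-…Z”` instead of an RFC 3339 timestamp. Straight quotes, `date -u +"%Y-%m-%dT%H:%M:%SZ"`, fix the label. With `docker/build-push-action` now on v5, the step could also set `provenance: true` and `sbom: true` so the registry-side attestation accompanies the CycloneDX bom the Dockerfile now bakes into the image.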
@@ -334,13 +330,14 @@ jobs: build-args: | VCS_REF=${{ env.VCS_REF }} BUILD_DATE=${{ env.BUILD_DATE }} + CYCLONEDX_NPM_VERSION=${{ env.CYCLONEDX_NPM_VERSION }} heroku: if: github.repository == 'juice-shop/juice-shop' && github.event_name == 'push' && (github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/master') needs: [test, api-test, e2e, custom-config-test] runs-on: ubuntu-latest steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Set Heroku app & branch for ${{ github.ref }}" run: | if [ "$GITHUB_REF" == "refs/heads/master" ]; then @@ -351,7 +348,7 @@ jobs: echo "HEROKU_BRANCH=develop" >> $GITHUB_ENV fi - name: "Deploy ${{ github.ref }} to Heroku" - uses: akhileshns/heroku-deploy@79ef2ae4ff9b897010907016b268fd0f88561820 #v3.12.12 + uses: akhileshns/heroku-deploy@9fd0f9faae4aa93a38d6f5e25b9128589f1371b0 #v3.12.14 with: heroku_api_key: ${{ secrets.HEROKU_API_KEY }} heroku_app_name: ${{ env.HEROKU_APP }} @@ -369,7 +366,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Slack workflow notification" - uses: Gamesight/slack-workflow-status@master + uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 #v1.2.0 with: repo_token: ${{ secrets.GITHUB_TOKEN }} slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 27990cf833b..ece9c151e45 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -18,13 +18,13 @@ jobs: language: [ 'javascript' ] steps: - name: Checkout repository - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} queries: security-extended - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/lint-fixer.yml b/.github/workflows/lint-fixer.yml index 04d7fe760a9..49cce0cdcf7 100644 --- a/.github/workflows/lint-fixer.yml +++ b/.github/workflows/lint-fixer.yml @@ -7,11 +7,11 @@ jobs: runs-on: ubuntu-latest steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available - - name: "Use Node.js 14" - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 + - name: "Use Node.js 18" + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1 with: - node-version: 16 + node-version: 18 - name: "Install CLI tools" run: npm install -g @angular/cli - name: "Install application" 
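Review bot: `github/codeql-action/init@v2`, `autobuild@v2` and `analyze@v2` are the only `uses:` references in this commit still resolved through a mutable tag; everything else is moved to a full commit SHA with a version comment, so the CodeQL workflow remains the one place where a moved tag silently changes what runs. Pinning all three the same way, `uses: github/codeql-action/init@<sha> #v2.x.y`, keeps the policy uniform; I have not looked up the current SHA, so take it from the release the team wants to track.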
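Review bot: The `Install CLI tools` step of lint-fixer.yml still runs `npm install -g @angular/cli` with no version, whereas ci.yml now pins `@angular/cli@$ANGULAR_CLI_VERSION`; this workflow declares no such `env:`, so the auto-fix commits are produced with whichever Angular CLI major npm serves that day. Adding `env: ANGULAR_CLI_VERSION: 15` at the workflow level and `run: npm install -g @angular/cli@$ANGULAR_CLI_VERSION` keeps it consistent with the other workflows touched here.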
@@ -21,11 +21,11 @@ jobs: npm install --ignore-scripts --legacy-peer-deps - name: "Fix everything which can be fixed" run: 'npm run lint:fix' - - uses: stefanzweifel/git-auto-commit-action@v4.0.0 + - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a #v4.16.0 with: commit_message: "Auto-fix linting issues" branch: ${{ github.head_ref }} commit_options: '--signoff' commit_user_name: JuiceShopBot commit_user_email: 61591748+JuiceShopBot@users.noreply.github.com - commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> \ No newline at end of file + commit_author: JuiceShopBot <61591748+JuiceShopBot@users.noreply.github.com> diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index 9d10e79c2f7..a2334efdb25 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -12,11 +12,11 @@ jobs: action: runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@f1a42f0f44eb83361d617a014663e1a76cf282d2 #note newer is available + - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 #v4.0.1 with: issue-lock-comment: > This thread has been automatically locked because it has not had recent activity after it was closed. :lock: Please open a new issue for regressions or related bugs. issue-lock-reason: '' - pr-lock-reason: '' \ No newline at end of file + pr-lock-reason: '' diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml index 06880289535..1e812602115 100644 --- a/.github/workflows/rebase.yml +++ b/.github/workflows/rebase.yml 
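Review bot: This job runs `npm run lint:fix` from the checked-out ref and then commits back to `${{ github.head_ref }}`, so it executes a repository-controlled package script and writes with whatever token `git-auto-commit-action` receives; the trigger and any `permissions:` block sit above the hunk and I cannot see them. If the trigger is `pull_request_target` (the usual reason `head_ref` is writable), a contributor can change the `lint:fix` script in their PR and have it run with write access — either trigger on `pull_request`, or add an explicit `permissions: contents: write` block and restrict the job with `if: github.event.pull_request.head.repo.full_name == github.repository`. The `--ignore-scripts` on install only covers lifecycle scripts, not `npm run`, so it does not close this. Pinning the commit action to a SHA is the right direction.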
@@ -10,11 +10,11 @@ jobs: if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 with: fetch-depth: 0 - name: Automatic Rebase - uses: cirrus-actions/rebase@1.2 + uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 #v1.8 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # https://github.community/t5/GitHub-Actions/Workflow-is-failing-if-no-job-can-be-ran-due-to-condition/m-p/38186#M3250 @@ -23,4 +23,4 @@ jobs: runs-on: ubuntu-latest steps: - name: Always run - run: echo "This job is used to prevent the workflow to fail when all other jobs are skipped." \ No newline at end of file + run: echo "This job is used to prevent the workflow to fail when all other jobs are skipped." diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7e79dd9a7b6..101d65fcc89 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,9 @@ on: push: tags: - v* +env: + ANGULAR_CLI_VERSION: 15 + CYCLONEDX_NPM_VERSION: '^1.12.0' jobs: package: runs-on: ${{ matrix.os }} @@ -12,14 +15,15 @@ jobs: node-version: [16, 18, 20] steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Use Node.js ${{ matrix.node-version }}" - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e #v1: v2.x available + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d #v3.8.1 with: node-version: ${{ matrix.node-version }} - name: "Install CLI tools" run: | - npm install -g @angular/cli + npm install -g @angular/cli@$ANGULAR_CLI_VERSION + npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION npm install -g grunt-cli - name: "Set packaging options for Grunt" run: | 
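Review bot: The job condition `contains(github.event.comment.body, '/rebase')` shown in this hunk's context checks only the comment text, so anyone who can comment on a PR can have `cirrus-actions/rebase` rewrite that PR branch with the `GITHUB_TOKEN`; nothing checks who commented. Appending `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` limits the trigger to maintainers. The `fetch-depth: 0` checkout is required for the rebase and is fine; pinning both actions to SHAs is an improvement.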
@@ -36,10 +40,9 @@ jobs: - name: "Package application" run: | npm install --production - npm install -g grunt-cli npm run package:ci - name: 'Attach packaged archive to tag release' - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 #v0.1.15 with: draft: true files: dist/* @@ -49,25 +52,25 @@ jobs: runs-on: ubuntu-latest steps: - name: "Check out Git repository" - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 - name: "Set up QEMU" - uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 #v1: V1.2.0 available + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 #v3.0.0 - name: "Set up Docker Buildx" - uses: docker/setup-buildx-action@94ab11c41e45d028884a99163086648e898eed25 #v1 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 #v3.0.0 - name: "Login to DockerHub" - uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 #v1.10 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d #v3.0.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: "Get tag name" id: tag - uses: dawidd6/action-get-tag@v1 + uses: dawidd6/action-get-tag@727a6f0a561be04e09013531e73a3983a65e3479 #v1.1.0 TODO Action is archived and should be replaced eventually - name: "Set labels for ${{ github.ref }}" run: | echo "VCS_REF=`git rev-parse --short HEAD`" >> $GITHUB_ENV echo "BUILD_DATE=`date -u +”%Y-%m-%dT%H:%M:%SZ”`" >> $GITHUB_ENV - name: "Build and push for AMD64 and ARM64 processors" - uses: docker/build-push-action@a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229 #note: newer is available + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 #v5.0.0 with: context: . file: ./Dockerfile 
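Review bot: The `Get tag name` step keeps `dawidd6/action-get-tag` and the new comment itself notes the action is archived; for a `push: tags` workflow the runner exposes the tag directly as `${{ github.ref_name }}` (and `$GITHUB_REF_NAME`), so the step can be removed and its consumer switched to that context rather than carrying an unmaintained third-party action in the release path. The `BUILD_DATE` line here uses typographic quotes, `date -u +”%Y-%m-%dT%H:%M:%SZ”`; if those are literal U+201D characters in the file, the `created` label on the release image gets them verbatim, and `date -u +"%Y-%m-%dT%H:%M:%SZ"` is what was meant.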
@@ -78,6 +81,7 @@ jobs: build-args: | VCS_REF=${{ env.VCS_REF }} BUILD_DATE=${{ env.BUILD_DATE }} + CYCLONEDX_NPM_VERSION=${{ env.CYCLONEDX_NPM_VERSION }} notify-slack: if: always() needs: @@ -86,7 +90,7 @@ jobs: runs-on: ubuntu-latest steps: - name: "Slack workflow notification" - uses: Gamesight/slack-workflow-status@master + uses: Gamesight/slack-workflow-status@26a36836c887f260477432e4314ec3490a84f309 #v1.2.0 with: repo_token: ${{ secrets.GITHUB_TOKEN }} slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 41e4ce06c26..8d1151fa6fd 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -7,7 +7,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v6 + - uses: actions/stale@5ebf00ea0e4c1561e9b43a292ed34424fb1d4578 #v6.0.1 TODO Upgrade to v8.0.0 or later with: stale-issue-message: > This issue has been automatically marked as `stale` because it has not had diff --git a/.github/workflows/update-challenges-www.yml b/.github/workflows/update-challenges-www.yml index eb901c0ab1c..8e0e6084a2f 100644 --- a/.github/workflows/update-challenges-www.yml +++ b/.github/workflows/update-challenges-www.yml @@ -3,7 +3,7 @@ name: "Update challenges on owasp-juice.shop" on: push: branches: [ master ] - paths: + paths: - 'data/static/challenges.yml' jobs: 
@@ -12,17 +12,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out Git repository - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 with: token: ${{ secrets.BOT_TOKEN }} repository: OWASP/www-project-juice-shop - branch: master + ref: master - name: Update challenges.yml run: | cd _data/ rm challenges.yml wget https://raw.githubusercontent.com/juice-shop/juice-shop/master/data/static/challenges.yml - - uses: stefanzweifel/git-auto-commit-action@v4.0.0 + - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a #v4.16.0 with: commit_message: "Auto-update challenges.yml from ${{ github.sha }}" branch: master diff --git a/.github/workflows/update-news-www.yml b/.github/workflows/update-news-www.yml index 37741cdfc14..2077a9807e8 100644 --- a/.github/workflows/update-news-www.yml +++ b/.github/workflows/update-news-www.yml @@ -9,7 +9,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out Git repository - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 with: token: ${{ secrets.BOT_TOKEN }} repository: OWASP/www-project-juice-shop @@ -17,7 +17,7 @@ jobs: - name: Update tab_news.md run: | sed -i 's//\n* ${{ github.event.release.published_at }}: juice-shop [`${{ github.event.release.tag_name }}`](https:\/\/github.com\/juice-shop\/juice-shop\/releases\/tag\/${{ github.event.release.tag_name }})/' tab_news.md - - uses: stefanzweifel/git-auto-commit-action@v4.0.0 + - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a #v4.16.0 with: commit_message: "Add juice-shop ${{ github.event.release.tag_name }} release notes to tab_news.md" branch: master diff --git a/.github/workflows/zap_scan.yml b/.github/workflows/zap_scan.yml index a9c122c47c4..e18fd174a0b 100644 
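Review bot: The `Update challenges.yml` step downloads `https://raw.githubusercontent.com/juice-shop/juice-shop/master/data/static/challenges.yml`, i.e. whatever `master` holds when the job runs, while the commit message below states the content is `from ${{ github.sha }}`; two pushes in quick succession make the second run overwrite with a file newer than its message claims, and raw.githubusercontent.com is known to cache branch URLs for minutes, so the copy can even lag behind. Fetching by the triggering commit, `wget https://raw.githubusercontent.com/juice-shop/juice-shop/${{ github.sha }}/data/static/challenges.yml`, makes the downloaded bytes match the message and is immutable. The `branch:` → `ref:` correction is right; `actions/checkout` never had a `branch` input, so the old line was silently ignored.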
--- a/.github/workflows/zap_scan.yml +++ b/.github/workflows/zap_scan.yml @@ -10,11 +10,11 @@ jobs: name: Scan Juice Shop preview instance on Heroku steps: - name: Check out Git repository - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f #v2: v2.3.4 available + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4.0.0 with: ref: develop - name: ZAP Scan - uses: zaproxy/action-baseline@v0.3.0 + uses: zaproxy/action-baseline@41aee98ebc7cf2802c3beae4e7d4336413a21e43 # v0.9.0 with: token: ${{ secrets.GITHUB_TOKEN }} target: 'https://preview.owasp-juice.shop' diff --git a/.gitignore b/.gitignore index d633d59fa3b..1ffe2970762 100644 --- a/.gitignore +++ b/.gitignore @@ -30,6 +30,8 @@ vagrant/.vagrant/ JSON JSON.map frontend/src/**/*.js +/bom.json +/bom.xml # IDEs .idea/ @@ -59,3 +61,6 @@ config/*.yml !config/unsafe.yml !config/tutorial.yml !config/oss.yml + +# System Files +.DS_Store \ No newline at end of file diff --git a/.imgbotconfig b/.imgbotconfig deleted file mode 100644 index 91a2f4fe002..00000000000 --- a/.imgbotconfig +++ /dev/null @@ -1,7 +0,0 @@ -{ - "ignoredFiles": [ - "frontend/src/assets/public/images/carousel/5.png", - "frontend/src/assets/public/images/products/3d_keychain.jpg", - "frontend/src/assets/public/images/uploads/favorite-hiking-place.png" - ] -} diff --git a/.zap/rules.tsv b/.zap/rules.tsv index 1007ceaf7e3..007cfe35d21 100644 --- a/.zap/rules.tsv +++ b/.zap/rules.tsv @@ -13,3 +13,7 @@ 10049 IGNORE (Non-Storable Content) 10110 IGNORE (Dangerous JS Functions) 90004 IGNORE (Insufficient Site Isolation Against Spectre Vulnerability) +90005 IGNORE (Sec-Fetch-Dest Header is Missing) +90005 IGNORE (Sec-Fetch-Mode Header is Missing) +90005 IGNORE (Sec-Fetch-Site Header is Missing) +90005 IGNORE (Sec-Fetch-User Header is Missing) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 91f0f4872f9..5062f140741 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
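Review bot: The four new `90005 IGNORE` rows in `.zap/rules.tsv` repeat a single plugin id; the baseline scan keys this file on the id in the first column and, as far as I know, treats the parenthesised name as a comment, so one row suffices and the duplicates may surface as configuration warnings. A single `90005	IGNORE	(Sec-Fetch-* Headers are Missing)` line covers the Dest/Mode/Site/User sub-alerts of that passive rule. Since the file now also ignores 90004 (Spectre site isolation), a short comment at the top saying these are accepted because the target is a deliberately vulnerable app would keep the suppressions from being copied into a real project's baseline unread.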
@@ -23,9 +23,9 @@ The minimum requirements for code contributions are: You can find our detailed contribution guidelines over here: - + ## I18N Contributions Learn all about our crowd-sourced [translation project on Crowdin](https://crowdin.com/project/owasp-juice-shop) -here: +here: diff --git a/Dockerfile b/Dockerfile index 69c555827b1..54ebc290df8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:18 as installer +FROM node:18-buster as installer COPY . /juice-shop WORKDIR /juice-shop RUN npm i -g typescript ts-node @@ -15,7 +15,20 @@ RUN rm data/chatbot/botDefaultTrainingData.json || true RUN rm ftp/legal.md || true RUN rm i18n/*.json || true -FROM gcr.io/distroless/nodejs:18 +ARG CYCLONEDX_NPM_VERSION=latest +RUN npm install -g @cyclonedx/cyclonedx-npm@$CYCLONEDX_NPM_VERSION +RUN npm run sbom + +# workaround for libxmljs startup error +FROM node:18-buster as libxmljs-builder +WORKDIR /juice-shop +RUN apt-get update && apt-get install -y build-essential python3 +COPY --from=installer /juice-shop/node_modules ./node_modules +RUN rm -rf node_modules/libxmljs2/build && \ + cd node_modules/libxmljs2 && \ + npm run build + +FROM gcr.io/distroless/nodejs18-debian11 ARG BUILD_DATE ARG VCS_REF LABEL maintainer="Bjoern Kimminich " \ 
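Review bot: `ARG CYCLONEDX_NPM_VERSION=latest` means any build that does not pass `--build-arg` (a plain local `docker build`) installs an unpinned SBOM generator, and the new final stage `FROM gcr.io/distroless/nodejs18-debian11` is selected by tag only, so the runtime base can change underneath a rebuild while every GitHub action in this commit was moved to a SHA. Default the ARG to the exact version CI passes, `ARG CYCLONEDX_NPM_VERSION=1.12.0`, and pin the base by digest, `FROM gcr.io/distroless/nodejs18-debian11@sha256:<digest>`. In the new `libxmljs-builder` stage, `apt-get install -y build-essential python3` could take `--no-install-recommends` and a trailing `rm -rf /var/lib/apt/lists/*`; that stage never ships, so this is build size rather than exposure, but compiling the native module on `node:18-buster` (Debian 10) for a Debian 11 runtime is cross-release — it works in this direction, and `node:18-bullseye` for both builders would remove the mismatch.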
@@ -25,13 +38,14 @@ LABEL maintainer="Bjoern Kimminich " \ org.opencontainers.image.vendor="Open Web Application Security Project" \ org.opencontainers.image.documentation="https://help.owasp-juice.shop" \ org.opencontainers.image.licenses="MIT" \ - org.opencontainers.image.version="15.0.0" \ + org.opencontainers.image.version="15.3.0" \ org.opencontainers.image.url="https://owasp-juice.shop" \ org.opencontainers.image.source="https://github.com/juice-shop/juice-shop" \ org.opencontainers.image.revision=$VCS_REF \ org.opencontainers.image.created=$BUILD_DATE WORKDIR /juice-shop COPY --from=installer --chown=65532:0 /juice-shop . +COPY --chown=65532:0 --from=libxmljs-builder /juice-shop/node_modules/libxmljs2 ./node_modules/libxmljs2 USER 65532 EXPOSE 3000 CMD ["/juice-shop/build/app.js"] diff --git a/Gruntfile.js b/Gruntfile.js index a6b6bcac0ce..2abb7cbc269 100644 --- a/Gruntfile.js +++ b/Gruntfile.js @@ -42,12 +42,15 @@ module.exports = function (grunt) { 'config.schema.yml', 'build/**', '!build/reports/**', + 'bom.json', + 'bom.xml', 'config/*.yml', 'data/*.ts', 'data/static/**', 'data/chatbot/.gitkeep', 'encryptionkeys/**', 'frontend/dist/frontend/**', + 'frontend/dist/bom/**', 'frontend/src/**/*.ts', 'ftp/**', 'i18n/.gitkeep', diff --git a/HALL_OF_FAME.md b/HALL_OF_FAME.md index 94669264fca..d6ddebc4fd6 100644 --- a/HALL_OF_FAME.md +++ b/HALL_OF_FAME.md @@ -11,7 +11,7 @@ ## GitHub Contributors -As reported by [`git-stats -a -s '2014'`](https://www.npmjs.com/package/git-stats) analysis of `master` as of Fri, 19 May +As reported by [`git-stats -a -s '2014'`](https://www.npmjs.com/package/git-stats) analysis of `master` as of Fri, 08 Sep 2023 after deduplication with `.mailmap`. ![Top git contributors](screenshots/git-stats.png) 
@@ -79,6 +79,7 @@ Additional thanks goes to the contractors we were able to hire for specific work and [flyer](https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop/flyers) artwork by [logicainfo](https://99designs.de/profiles/logicainfo) +* [Score Board redesign](https://www.figma.com/file/DwC5ErhRz6gb3eTZEYYriS/Juiceshop-Scoreboard?type=design&node-id=0-1&mode=design) by Vibhuti Arora ## Stargazers (over time) diff --git a/README.md b/README.md index 408174dd00d..ef0fdfc554f 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ [![Maintainability](https://api.codeclimate.com/v1/badges/6206c8f3972bcc97a033/maintainability)](https://codeclimate.com/github/juice-shop/juice-shop/maintainability) [![Code Climate technical debt](https://img.shields.io/codeclimate/tech-debt/juice-shop/juice-shop)](https://codeclimate.com/github/juice-shop/juice-shop/trends/technical_debt) [![Cypress tests](https://img.shields.io/endpoint?url=https://dashboard.cypress.io/badge/simple/3hrkhu/master&style=flat&logo=cypress)](https://dashboard.cypress.io/projects/3hrkhu/runs) -[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/223/badge)](https://bestpractices.coreinfrastructure.org/projects/223) +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/223/badge)](https://www.bestpractices.dev/projects/223) ![GitHub stars](https://img.shields.io/github/stars/juice-shop/juice-shop.svg?label=GitHub%20%E2%98%85&style=flat) [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](CODE_OF_CONDUCT.md) 
@@ -63,7 +63,7 @@ For a detailed introduction, full list of features and architecture overview ple ## Setup > You can find some less common installation variations in -> [the _Running OWASP Juice Shop_ documentation](https://pwning.owasp-juice.shop/part1/running.html). +> [the _Running OWASP Juice Shop_ documentation](https://pwning.owasp-juice.shop/companion-guide/latest/part1/running.html). ### From Sources @@ -180,14 +180,6 @@ gcloud compute firewall-rules create juice-rule --allow tcp:3000 If you have forked the Juice Shop repository on GitHub, the _Deploy to Heroku_ button will deploy your forked version of the application. -### Gitpod - -1. Login to [gitpod.io](https://gitpod.io) and use to start a new workspace. If you want to spin up a forked repository, your URL needs to be adjusted accordingly. - -2. After the Gitpod workspace is loaded, Gitpod tasks is still running to install `npm install` and launch the website. Despite Gitpod showing your workspace state already as _Running_, you need to wait until the installation process is done, before the website becomes accessable. The _Open Preview Window (Internal Browser)_, will open automatically and refresh itself automatically when the server has started. - -3. Your Juice Shop instance is now also available at `https://3000-..gitpod.io`. - ## Demo Feel free to have a look at the latest version of OWASP Juice Shop: 
@@ -209,14 +201,16 @@ OWASP Juice Shop officially supports the following versions of [node.js LTS schedule](https://github.com/nodejs/LTS) as close as possible. Docker images and packaged distributions are offered accordingly. -| node.js | Supported | Tested | [Packaged Distributions](#packaged-distributions) | [Docker images](#docker-container) from `master` | [Docker images](#docker-container) from `develop` | -|:--------|:---------------------|:-------------------|:--------------------------------------------------|:-------------------------------------------------|:--------------------------------------------------| -| 20.x | :x: | :x: | | | | -| 19.x | (:heavy_check_mark:) | :heavy_check_mark: | | | | -| 18.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | `latest` (`linux/amd64`, `linux/arm64`) | `snapshot` (`linux/amd64`, `linux/arm64`) | -| 17.x | (:heavy_check_mark:) | :x: | | | | -| 16.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | | | -| <16.x | :x: | :x: | | | | +| node.js | Supported | Tested | [Packaged Distributions](#packaged-distributions) | [Docker images](#docker-container) from `master` | [Docker images](#docker-container) from `develop` | +|:--------|:---------------------|:-------------------------------------------------------------|:--------------------------------------------------|:-------------------------------------------------|:--------------------------------------------------| +| 21.x | :x: | :x: | | | | +| 20.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | | | +| 20.6.0 | :x: | :bug: https://github.com/angular/angular-cli/issues/25782 | | | | +| 19.x | (:heavy_check_mark:) | :x: | | | | +| 18.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | `latest` (`linux/amd64`, `linux/arm64`) | `snapshot` (`linux/amd64`, `linux/arm64`) | +| 17.x | 
(:heavy_check_mark:) | :x: | | | | +| 16.x | :heavy_check_mark: | :heavy_check_mark: | Windows (`x64`), MacOS (`x64`), Linux (`x64`) | | | +| <16.x | :x: | :x: | | | | Juice Shop is automatically tested _only on the latest `.x` minor version_ of each node.js version mentioned above! There is no guarantee that older minor node.js releases will always work with Juice Shop! @@ -250,11 +244,12 @@ and much more is also included. and is available **for free** in PDF, Kindle and ePub format on LeanPub. You can also [browse the full content online](https://pwning.owasp-juice.shop)! -[![Pwning OWASP Juice Shop Cover](https://raw.githubusercontent.com/bkimminich/pwning-juice-shop/master/cover_small.jpg)](https://leanpub.com/juice-shop) +[Pwning OWASP Juice Shop cover](https://leanpub.com/juice-shop) +[Pwning OWASP Juice Shop back cover](https://leanpub.com/juice-shop) ## Contributing -[![GitHub contributors](https://img.shields.io/github/contributors/bkimminich/juice-shop.svg)](https://github.com/bkimminich/juice-shop/graphs/contributors) +[![GitHub contributors](https://img.shields.io/github/contributors/bkimminich/juice-shop.svg)](https://github.com/juice-shop/juice-shop/graphs/contributors) [![JavaScript Style Guide](https://img.shields.io/badge/code%20style-standard-brightgreen.svg)](http://standardjs.com/) [![Crowdin](https://d322cqt584bo4o.cloudfront.net/owasp-juice-shop/localized.svg)](https://crowdin.com/project/owasp-juice-shop) ![GitHub issues by-label](https://img.shields.io/github/issues/bkimminich/juice-shop/help%20wanted.svg) diff --git a/REFERENCES.md b/REFERENCES.md index f4716eaeb62..471fb59a2bf 100644 --- a/REFERENCES.md +++ b/REFERENCES.md 
@@ -44,6 +44,7 @@ mentioned or used! ### Pod- & Webcasts +* [ZAP Chat 05 Modern Apps Part 1](https://www.youtube.com/watch?v=Rq_d7OLmMfw) on [ZAP](https://www.youtube.com/@psiinon) with Simon Bennetts * [OWASP Spotlight - Project 25 - OWASP Juice Shop](https://www.youtube.com/watch?v=--50rE76EeA) by Vandana Verma with Björn Kimminich * [Visual application security testing with ZAP and Simon Bennetts #DemoDays](https://youtu.be/4xBJsRNV9ds) by [GitHub](https://www.youtube.com/channel/UC7c3Kb6jYCRj4JOHHZTxKsQ) with Simon Bennetts :mega: @@ -131,8 +132,9 @@ mentioned or used! ### Blogs & Articles -* Article on [Cobalt.io Developer Best Practices](https://developer.cobalt.io/bestpractices/): [Validate User Input](https://developer.cobalt.io/bestpractices/input-validation/) -* Blog post (:de:) on [Dev-Insider](https://www.dev-insider.de/): [OWASP Juice Shop lädt zum Hacken ein](https://www.dev-insider.de/owasp-juice-shop-laedt-zum-hacken-ein-a-968485/) :godmode: +* Blog post on [OWASP.org](https://owasp.org) by Björn Kimminich: [OWASP Juice Shop 2023 achievements and beyond](https://owasp.org/blog/2023/10/10/juice-shop-2023.html) +* Article on [Cobalt.io Developer Best Practices](https://developer.cobalt.io/bestpractices/): [Validate User Input](https://developer.cobalt.io/bestpractices/input-validation/) +* Blog post (:de:) on [Dev-Insider](https://www.dev-insider.de/): [OWASP Juice Shop lädt zum Hacken ein](https://www.dev-insider.de/owasp-juice-shop-laedt-zum-hacken-ein-a-968485/) :godmode: * Blog post on [OWASP.org](https://owasp.org) by Björn Kimminich: [OWASP Juice Shop v10.0.0 released](https://owasp.org/2020/03/17/juice-shop-v10.html) * [20+ Free Resources To Legally Practice Your Ethical Hacking Skills](https://blog.elearnsecurity.com/free-resources-to-legally-practice-ethical-hacking.html?utm_source=twitter&utm_medium=social&utm_campaign=eh_resources_blogpost) 
@@ -203,6 +205,7 @@ mentioned or used! ## Lectures and Trainings +* [Introduction to OWASP Top 10 Security Risks](https://www.pluralsight.com/cloud-guru/courses/introduction-to-owasp-top-10-security-risks) course by Chris Jackson :dollar: * Courses on the [freeCodeCamp.org](https://www.YouTube.com/channel/UC8butISFwT-Wl7EV0hUK0BQ) YouTube channel * [Ethical Hacking 101: Web App Penetration Testing - a full course for beginners](https://youtu.be/2_lswM1S264) :godmode: by HackerSploit @@ -275,6 +278,12 @@ mentioned or used! ### [Google Summer of Code](http://owasp.org/gsoc) +* Student projects from + [Google Summer of Code 2023](https://summerofcode.withgoogle.com/archive/2023/projects) + * [Companion Guide Tech Stack](https://summerofcode.withgoogle.com/organizations/owasp-foundation/projects/details/h2der3Mf) + by Parth Nanda (mentored by Jannik Hollenbach, Björn Kimminich and Shubham Palriwala) + * [Hacking the Blockchain: Building Web3 Challenges for OWASP Juice Shop](https://summerofcode.withgoogle.com/organizations/owasp-foundation/projects/details/yabiWLkF) + by Rishabh Keshan (mentored by Shubham Palriwala and Björn Kimminich) * Student project from [Google Summer of Code 2022](https://summerofcode.withgoogle.com/archive/2022/projects) * [Replacement for Protractor end-to-end & Frisby API test suite to Cypress](https://summerofcode.withgoogle.com/organizations/owasp-foundation/projects/details/2J1Xedwf) 
@@ -302,11 +311,18 @@ mentioned or used! > Upcoming events are marked with :date:. The availability of link destinations for past events cannot be guaranteed. +#### 2024 + +* :date: [OWASP Juice Shop - An Open Source Software and security Fairytale](https://ndc-security.com/agenda/owasp-juice-shop-an-open-source-software-and-security-fairytale-09mg/09ko186cud8) by Björn Kimminich, [NDC Security 2024](https://ndc-security.com/), 11.01.2024 + #### 2023 -* :date: [Track keynote: OWASP Juice Shop](https://sikkerhetsfestivalen.no/program-2023) by Björn Kimminich, [Sikkerhetsfestivalen 2023](https://sikkerhetsfestivalen.no/). 29.08.2023 -* :date: [Juice Shop Update³](https://god.owasp.de/2023/schedule/index.html) by Björn Kimminich, [German OWASP Day 2023](https://god.owasp.de/2023). 31.05.2023 -* :date: [Juice Shop Training: Train the Trainer Edition](https://god.owasp.de/2023/schedule/index.html) with Björn Kimminich, [German OWASP Day 2023](https://god.owasp.de/2023). 30.05.2023 +* :date: [Juice Shop Training: Train the Trainer Edition](http://www.owaspbenelux.eu/program/training#Bj%C3%B6rn-Kimminich) with Björn Kimminich, [OWASP BeNeLux Days 2023](http://www.owaspbenelux.eu/). 24.11.2023 +* :date: [OWASP Juice Shop - An Open Source Software (and security) Fairytale](http://www.owaspbenelux.eu/program/talks#Bj%C3%B6rn-Kimminich) by Björn Kimminich, [OWASP BeNeLux Days 2023](http://www.owaspbenelux.eu/). 23.11.2023 +* [How Vulnerable is Juice Shop? A Secure Code Review of Insecure Code](https://www.nationalcybersummit.com/Program/2023-Agenda) by Joshua Beck, [National Cyber Summit 2023](https://www.nationalcybersummit.com/Home). 20.09.2023 +* [Track keynote: OWASP Juice Shop](https://sikkerhetsfestivalen.no/program-2023) by Björn Kimminich, [Sikkerhetsfestivalen 2023](https://sikkerhetsfestivalen.no/). 29.08.2023 +* [Juice Shop Update³](https://god.owasp.de/2023/schedule/index.html) by Björn Kimminich, [German OWASP Day 2023](https://god.owasp.de/2023). 
31.05.2023 [YouTube](https://youtu.be/87DuRYwXtxk) +* [Juice Shop Training: Train the Trainer Edition](https://god.owasp.de/2023/schedule/index.html) with Björn Kimminich, [German OWASP Day 2023](https://god.owasp.de/2023). 30.05.2023 * [OWASP Juice Shop](https://www.meetup.com/owasp-chapter-netherlands-meetup/events/292323208) by Björn Kimminich, [April 2023 OWASP Chapter Netherlands Meetup](https://www.meetup.com/owasp-chapter-netherlands-meetup/), 20.04.2023 [YouTube](https://www.youtube.com/live/Bhp3LpgtNZ4?feature=share&t=3856) * [Squeezing the last drop out of OWASP Juice Shop](https://owasp2023globalappsecdublin.sched.com/event/1FWfq/squeezing-the-last-drop-out-of-owasp-juice-shop) by Björn Kimminich, [OWASP 2023 Global AppSec Dublin](https://dublin.globalappsec.org/), 15.02.2023 [YouTube](https://youtu.be/m1f2fPC8hLU) diff --git a/SECURITY.md b/SECURITY.md index 93728b40890..235b918a048 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,8 +12,8 @@ We provide security patches for the latest released minor version. | Version | Supported | |:--------|:-------------------| -| 15.0.x | :white_check_mark: | -| <15.0 | :x: | +| 15.3.x | :white_check_mark: | +| <15.3 | :x: | ## Reporting a Vulnerability diff --git a/config.schema.yml b/config.schema.yml index 3e6e50c2dc5..52707c4fe80 100644 --- a/config.schema.yml +++ b/config.schema.yml @@ -67,14 +67,6 @@ application: message: type: string cookieConsent: - backgroundColor: - type: string - textColor: - type: string - buttonColor: - type: string - buttonTextColor: - type: string message: type: string dismissText: @@ -499,6 +491,26 @@ ctf: type: string code: type: string + nftUnlockChallenge: + name: + type: string + code: + type: string + nftMintChallenge: + name: + type: string + code: + type: string + web3WalletChallenge: + name: + type: string + code: + type: string + web3SandboxChallenge: + name: + type: string + code: + type: string securityPolicyChallenge: name: type: string 
diff --git a/config/7ms.yml b/config/7ms.yml index a97e85f3a2d..891409b23a6 100644 --- a/config/7ms.yml +++ b/config/7ms.yml @@ -28,10 +28,6 @@ application: welcomeBanner: showOnFirstStart: false cookieConsent: - backgroundColor: '#0395d5' - textColor: '#ffffff' - buttonColor: '#b3b3b3' - buttonTextColor: '#000000' message: 'If you stay on this website for more than 7 minutes our cookies will start tracking you.' dismissText: 'I`ll be long gone by then!' linkText: 'But I want to stay an arbitrary number of minutes!' diff --git a/config/addo.yml b/config/addo.yml index 096b8efb69b..223bc1196e8 100644 --- a/config/addo.yml +++ b/config/addo.yml @@ -25,10 +25,6 @@ application: welcomeBanner: showOnFirstStart: false cookieConsent: - backgroundColor: '#c2185b' - textColor: '#ffffff' - buttonColor: '#b0bec5' - buttonTextColor: '#000000' message: 'Taste our 150 practitioner-baked cookies with 5 tracking flavors!' dismissText: 'Register for 24/7 cookies!' linkText: 'Yum, tell me more!' diff --git a/config/bodgeit.yml b/config/bodgeit.yml index 04bb3e119e2..cece8b30dda 100644 --- a/config/bodgeit.yml +++ b/config/bodgeit.yml @@ -25,10 +25,6 @@ application: welcomeBanner: showOnFirstStart: false cookieConsent: - backgroundColor: '#000000' - textColor: '#ffffff' - buttonColor: '#ffffff' - buttonTextColor: '#000000' message: 'This website is so legacy, it might even run without cookies.' dismissText: 'Bodge it!' linkText: 'Lega-what?' diff --git a/config/default.yml b/config/default.yml index 86038cb3dba..e12a16ad5b7 100644 --- a/config/default.yml +++ b/config/default.yml @@ -36,10 +36,6 @@ application: title: 'Welcome to OWASP Juice Shop!' message: "

Being a web application with a vast number of intended security vulnerabilities, the OWASP Juice Shop is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. The OWASP Juice Shop is an open-source project hosted by the non-profit Open Web Application Security Project (OWASP) and is developed and maintained by volunteers. Check out the link below for more information and documentation on the project.

https://owasp-juice.shop

" cookieConsent: - backgroundColor: '#546e7a' - textColor: '#ffffff' - buttonColor: '#558b2f' - buttonTextColor: '#ffffff' message: 'This website uses fruit cookies to ensure you get the juiciest tracking experience.' dismissText: 'Me want it!' linkText: 'But me wait!' @@ -412,6 +408,10 @@ memories: caption: 'My old workplace...' geoStalkingVisualSecurityQuestion: 10 geoStalkingVisualSecurityAnswer: 'ITsec' + - + image: 'BeeHaven.png' + caption: 'Welcome to the Bee Haven (/#/bee-haven)🐝' + user: evm ctf: showFlagsInNotifications: false showCountryDetailsInNotifications: none # Options: none name flag both diff --git a/config/fbctf.yml b/config/fbctf.yml index 304a2a06726..debcedc9c22 100644 --- a/config/fbctf.yml +++ b/config/fbctf.yml @@ -320,4 +320,16 @@ ctf: code: ZM emptyUserRegistration: name: Kenya - code: KE \ No newline at end of file + code: KE + nftUnlockChallenge: + name: Afghanistan + code: AF + nftMintChallenge: + name: United Arab Emirates + code: UAE + web3WalletChallenge: + name: Mexico + code: MEX + web3SandboxChallenge: + name: France + code: FR diff --git a/config/mozilla.yml b/config/mozilla.yml index 740a72d0d3f..ad68be38b4e 100644 --- a/config/mozilla.yml +++ b/config/mozilla.yml @@ -26,10 +26,6 @@ application: welcomeBanner: showOnFirstStart: false cookieConsent: - backgroundColor: '#e95420' - textColor: '#ffffff' - buttonColor: '#2778c5' - buttonTextColor: '#ffffff' message: 'This website uses a myriad of 3rd-party cookies for your convenience and tracking pleasure.' dismissText: 'Never mind!' linkText: 'How can I turn this off?' diff --git a/config/oss.yml b/config/oss.yml index 9240bb1ebec..c64e1fb8645 100644 --- a/config/oss.yml +++ b/config/oss.yml 
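Review bot: In `config/fbctf.yml` the new `nftMintChallenge` and `web3WalletChallenge` entries use `code: UAE` and `code: MEX`, while every neighbouring entry (`KE`, `ZM`, `AF`, `FR`) is a two-letter ISO 3166-1 alpha-2 code; if the FBCTF import resolves countries by alpha-2 code, as the existing entries suggest, these should be `code: AE` and `code: MX`, otherwise the two challenges would not map to a country. The hunk also repairs the missing trailing newline after `code: KE`, which is fine.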
@@ -5,8 +5,6 @@ application: showOnFirstStart: false theme: blue-lightblue cookieConsent: - backgroundColor: '#23527c' - textColor: '#ffffff' message: 'We are not only using cookies but also recorded this session on YouTube!' dismissText: "I've been there live, so thanks!" linkText: 'I want to watch that!' diff --git a/cypress.config.ts b/cypress.config.ts new file mode 100644 index 00000000000..04031dae887 --- /dev/null +++ b/cypress.config.ts 
@@ -0,0 +1,99 @@
+import { defineConfig } from 'cypress'
+import * as security from './lib/insecurity'
+import config from 'config'
+import { type Memory, type Product } from './data/types'
+import * as utils from './lib/utils'
+import * as otplib from 'otplib'
+
+export default defineConfig({
+ projectId: '3hrkhu',
+ defaultCommandTimeout: 10000,
+ e2e: {
+ baseUrl: 'http://localhost:3000',
+ specPattern: 'test/cypress/e2e/**.spec.ts',
+ downloadsFolder: 'test/cypress/downloads',
+ fixturesFolder: false,
+ supportFile: 'test/cypress/support/e2e.ts',
+ setupNodeEvents (on: any) {
+ on('before:browser:launch', (browser: any = {}, launchOptions: any) => { // TODO Remove after upgrade to Cypress >=12.5.0 Chrome 119 become available on GitHub Workflows, see https://github.com/cypress-io/cypress-documentation/issues/5479
+ if (browser.name === 'chrome' && browser.isHeadless) {
+ launchOptions.args = launchOptions.args.map((arg: any) => {
+ if (arg === '--headless') {
+ return '--headless=new'
+ }
+
+ return arg
+ })
+ }
+ return launchOptions
+ })
+
+ on('task', {
+ GenerateCoupon (discount: number) {
+ return security.generateCoupon(discount)
+ },
+ GetBlueprint () {
+ for (const product of config.get('products')) {
+ if (product.fileForRetrieveBlueprintChallenge) {
+ const blueprint = product.fileForRetrieveBlueprintChallenge
+ return blueprint
+ }
+ }
+ },
+ GetChristmasProduct () {
+ return config.get('products').filter(
+ (product: Product) => product.useForChristmasSpecialChallenge
+ )[0]
+ },
+ GetCouponIntent () {
+ const trainingData = require(`data/chatbot/${utils.extractFilename(
+ config.get('application.chatBot.trainingData')
+ )}`)
+ const couponIntent = trainingData.data.filter(
+ (data: { intent: string }) => data.intent === 'queries.couponCode'
+ )[0]
+ return couponIntent
+ },
+ GetFromMemories (property: string) {
+ for (const memory of config.get('memories') as any) {
+ if (memory[property]) {
+ return memory[property]
+ }
+ }
+ },
+ GetFromConfig
(variable: string) {
+ return config.get(variable)
+ },
+ GetOverwriteUrl () {
+ return config.get('challenges.overwriteUrlForProductTamperingChallenge')
+ },
+ GetPastebinLeakProduct () {
+ return config.get('products').filter(
+ (product: Product) => product.keywordsForPastebinDataLeakChallenge
+ )[0]
+ },
+ GetTamperingProductId () {
+ const products: Product[] = config.get('products')
+ for (let i = 0; i < products.length; i++) {
+ if (products[i].urlForProductTamperingChallenge) {
+ return i + 1
+ }
+ }
+ },
+ GenerateAuthenticator (inputString: string) {
+ return otplib.authenticator.generate(inputString)
+ },
+ toISO8601 () {
+ const date = new Date()
+ return utils.toISO8601(date)
+ },
+ disableOnContainerEnv () {
+ return utils.disableOnContainerEnv()
+ },
+ disableOnWindowsEnv () {
+ return utils.disableOnWindowsEnv()
+ }
+ })
+ }
+ }
+})
diff --git a/cypress.json b/cypress.json
deleted file mode 100644
index 04101101250..00000000000
--- a/cypress.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "projectId": "3hrkhu",
- "baseUrl": "http://localhost:3000",
- "defaultCommandTimeout": 10000,
- "env": {
- "baseUrl": "http://localhost:3000"
- },
- "downloadsFolder": "test/cypress/downloads",
- "fixturesFolder": "test/cypress/fixtures",
- "integrationFolder": "test/cypress/integration",
- "pluginsFile": "test/cypress/plugins/index.ts",
- "supportFile": "test/cypress/support/index.ts"
-}
\ No newline at end of file
diff --git a/data/datacreator.ts b/data/datacreator.ts
index aaa84c4b14c..ddf03e6a798 100644
--- a/data/datacreator.ts
+++ b/data/datacreator.ts
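Review bot: `GetBlueprint`, `GetFromMemories` and `GetTamperingProductId` fall off the end of their loops with no return when nothing matches, so the task resolves to `undefined`; Cypress treats a task that returns `undefined` as unhandled and fails it, which turns a misconfigured `products`/`memories` entry into a confusing task error instead of a readable assertion failure. An explicit `return null` after each loop makes the miss deliberate, and `GetChristmasProduct`/`GetPastebinLeakProduct` could use `.find(...) ?? null` instead of `.filter(...)[0]` for the same reason. `setupNodeEvents (on: any)` and the `browser: any`/`launchOptions: any` parameters discard the types Cypress ships (`Cypress.PluginEvents`, `Cypress.PluginConfigOptions`), which would have caught a wrong event name at compile time. `GetCouponIntent` builds a `require()` path from `config.get('application.chatBot.trainingData')`; this runs only in the Cypress Node process, but a one-line comment saying the path is taken from the app config on purpose would stop the dynamic require from being flagged in later reviews.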
@@ -20,7 +20,7 @@ import { SecurityAnswerModel } from '../models/securityAnswer' import { SecurityQuestionModel } from '../models/securityQuestion' import { UserModel } from '../models/user' import { WalletModel } from '../models/wallet' -import { Address, Card, Challenge, Delivery, Memory, Product, SecurityQuestion, User } from './types' +import { type Address, type Card, type Challenge, type Delivery, type Memory, type Product, type SecurityQuestion, type User } from './types' import logger from '../lib/logger' import config from 'config' import path from 'path' @@ -86,7 +86,7 @@ async function createChallenges () { key, name, category, - tags: tags ? tags.join(',') : undefined, + tags: (tags != null) ? tags.join(',') : undefined, description: effectiveDisabledEnv ? (description + ' (This challenge is ' + (config.get('challenges.safetyOverride') ? 'potentially harmful' : 'not available') + ' on ' + effectiveDisabledEnv + '!)') : description, difficulty, solved: false, @@ -94,7 +94,7 @@ async function createChallenges () { hintUrl: showHints ? hintUrl : null, mitigationUrl: showMitigations ? mitigationUrl : null, disabledEnv: config.get('challenges.safetyOverride') ? null : effectiveDisabledEnv, - tutorialOrder: tutorial ? tutorial.order : null, + tutorialOrder: (tutorial != null) ? tutorial.order : null, codingChallengeStatus: 0 }) } catch (err) { 
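Review bot: `tags: (tags != null) ? tags.join(',') : undefined` in `createChallenges` is exactly `tags?.join(',')` — optional chaining yields `undefined` for both `null` and `undefined` — and reads as the lint-driven intent more directly than the parenthesised ternary. The same applies to `tutorialOrder: (tutorial != null) ? tutorial.order : null`, which could become `tutorial?.order ?? null`, though that form also maps an `order` that is itself undefined to `null`, so keep the ternary if that distinction matters to the tutorial ordering. The enclosing `createChallenges` starts and ends outside the hunks.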
@@ -122,11 +122,11 @@ async function createUsers () { lastLoginIp }) datacache.users[key] = user - if (securityQuestion) await createSecurityAnswer(user.id, securityQuestion.id, securityQuestion.answer) - if (feedback) await createFeedback(user.id, feedback.comment, feedback.rating, user.email) + if (securityQuestion != null) await createSecurityAnswer(user.id, securityQuestion.id, securityQuestion.answer) + if (feedback != null) await createFeedback(user.id, feedback.comment, feedback.rating, user.email) if (deletedFlag) await deleteUser(user.id) - if (address) await createAddresses(user.id, address) - if (card) await createCards(user.id, card) + if (address != null) await createAddresses(user.id, address) + if (card != null) await createCards(user.id, card) } catch (err) { logger.error(`Could not insert User ${key}: ${utils.getErrorMessage(err)}`) } @@ -140,7 +140,7 @@ async function createWallet () { users.map(async (user: User, index: number) => { return await WalletModel.create({ UserId: index + 1, - balance: user.walletBalance !== undefined ? user.walletBalance : 0 + balance: user.walletBalance ?? 0 }).catch((err: unknown) => { logger.error(`Could not create wallet: ${utils.getErrorMessage(err)}`) }) 
@@ -168,27 +168,29 @@ async function createDeliveryMethods () {
)
}
-function createAddresses (UserId: number, addresses: Address[]) {
- addresses.map(async (address) => {
- return await AddressModel.create({
- UserId: UserId,
- country: address.country,
- fullName: address.fullName,
- mobileNum: address.mobileNum,
- zipCode: address.zipCode,
- streetAddress: address.streetAddress,
- city: address.city,
- state: address.state ? address.state : null
- }).catch((err: unknown) => {
- logger.error(`Could not create address: ${utils.getErrorMessage(err)}`)
+async function createAddresses (UserId: number, addresses: Address[]) {
+ return await Promise.all(
+ addresses.map(async (address) => {
+ return await AddressModel.create({
+ UserId,
+ country: address.country,
+ fullName: address.fullName,
+ mobileNum: address.mobileNum,
+ zipCode: address.zipCode,
+ streetAddress: address.streetAddress,
+ city: address.city,
+ state: address.state ? address.state : null
+ }).catch((err: unknown) => {
+ logger.error(`Could not create address: ${utils.getErrorMessage(err)}`)
+ })
})
- })
+ )
}
async function createCards (UserId: number, cards: Card[]) {
return await Promise.all(cards.map(async (card) => {
return await CardModel.create({
- UserId: UserId,
+ UserId,
fullName: card.fullName,
cardNum: Number(card.cardNum),
expMonth: card.expMonth,
@@ -239,7 +241,7 @@ async function createQuantity () {
config.get('products').map(async (product: Product, index: number) => {
return await QuantityModel.create({
ProductId: index + 1,
- quantity: product.quantity !== undefined ? product.quantity : Math.floor(Math.random() * 70 + 30),
+ quantity: product.quantity ?? Math.floor(Math.random() * 70 + 30),
limitPerUser: product.limitPerUser ?? null
}).catch((err: unknown) => {
logger.error(`Could not create quantity: ${utils.getErrorMessage(err)}`)
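Review bot: `state: address.state ? address.state : null` is the one truthiness check carried over unchanged into the rewritten `createAddresses`, while the `createChallenges` and `createUsers` hunks above convert the same pattern to `!= null`/`??`; `state: address.state ?? null` would match them, but it keeps an empty-string state as `''` instead of mapping it to `null`, so only switch if no seed data relies on that. Making the function `async` and returning the `Promise.all` is the real fix here — the old void-returning version meant `await createAddresses(...)` in `createUsers` resolved immediately — and it is worth a short doc comment saying so, e.g. `// Resolves once every address row has been attempted; individual failures are logged, not thrown.` That last part matters because the per-row `.catch` still swallows errors, so a caller must not read the resolved array as "all rows created".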
@@ -336,7 +338,7 @@ async function createProducts () { logger.error(`Could not insert Product ${product.name}: ${utils.getErrorMessage(err)}`) } ).then((persistedProduct) => { - if (persistedProduct) { + if (persistedProduct != null) { if (useForChristmasSpecialChallenge) { datacache.products.christmasSpecial = persistedProduct } if (urlForProductTamperingChallenge) { datacache.products.osaft = persistedProduct @@ -691,13 +693,13 @@ async function createOrders () { return await Promise.all( orders.map(({ orderId, email, totalPrice, bonus, products, eta, delivered }) => mongodb.orders.insert({ - orderId: orderId, - email: email, - totalPrice: totalPrice, - bonus: bonus, - products: products, - eta: eta, - delivered: delivered + orderId, + email, + totalPrice, + bonus, + products, + eta, + delivered }).catch((err: unknown) => { logger.error(`Could not insert Order ${orderId}: ${utils.getErrorMessage(err)}`) }) diff --git a/data/mongodb.ts b/data/mongodb.ts index a572583ba61..2300e458e1c 100644 --- a/data/mongodb.ts +++ b/data/mongodb.ts @@ -3,7 +3,7 @@ * SPDX-License-Identifier: MIT */ -// @ts-expect-error due to non-existing type definitions for MarsDB +// @ts-expect-error FIXME due to non-existing type definitions for MarsDB import MarsDB = require('marsdb') const reviews = new MarsDB.Collection('posts') diff --git a/data/static/botDefaultTrainingData.json b/data/static/botDefaultTrainingData.json index 46929df04c6..f48c057a9ec 100644 --- a/data/static/botDefaultTrainingData.json +++ b/data/static/botDefaultTrainingData.json 
@@ -97,6 +97,29 @@ } ] }, + { + "intent": "queries.nft", + "utterances": [ + "Do you know anything about NFTs", + "Can you tell me anything about NFTs", + "Do you sell NFTs", + "where can I buy NFTs" + ], + "answers": [ + { + "action": "response", + "body": "I'm not sure if we have any actual NFTs listed right now, but you can check if there's a link on our \"About Us\" page!" + }, + { + "action": "response", + "body": "Our developers are currently learning Web3, and they published a (literal) NFT honey pot for you to mint on /#/bee-haven." + }, + { + "action": "response", + "body": "Our developers are currently learning Web3, and they published our official Soul-Bound-Token over on /#/juicy-nft for you to marvel at." + } + ] + }, { "intent": "queries.productPrice", "utterances": [ @@ -184,6 +207,18 @@ } ] }, + { + "intent": "queries.swallow", + "utterances": [ + "What is the airspeed velocity of an unladen swallow" + ], + "answers": [ + { + "action": "response", + "body": "What do you mean? African or European swallow?" + } + ] + }, { "intent": "queries.functionTest", "utterances": [ diff --git a/data/static/challenges.yml b/data/static/challenges.yml index 9f1b4a5228f..7095f1141bc 100644 --- a/data/static/challenges.yml +++ b/data/static/challenges.yml 
@@ -6,7 +6,7 @@ description: 'Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> without using the frontend application at all.' difficulty: 3 hint: 'You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-persisted-xss-attack-without-using-the-frontend-application-at-all' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_without_using_the_frontend_application_at_all' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html' key: restfulXssChallenge disabledEnv: @@ -19,7 +19,7 @@ description: 'Gain access to any access log file of the server.' difficulty: 4 hint: 'Who would want a server access log to be accessible through a web application?' - hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#gain-access-to-any-access-log-file-of-the-server' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_gain_access_to_any_access_log_file_of_the_server' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html' key: accessLogDisclosureChallenge - @@ -28,7 +28,7 @@ description: 'Register as a user with administrator privileges.' difficulty: 3 hint: 'You have to assign the unassignable.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#register-as-a-user-with-administrator-privileges' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_register_as_a_user_with_administrator_privileges' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html' key: registerAdminChallenge - 
@@ -39,7 +39,7 @@
description: 'Access the administration section of the store.'
difficulty: 2
hint: 'It is just slightly harder to find than the score board link.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#access-the-administration-section-of-the-store'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_access_the_administration_section_of_the_store'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
key: adminSectionChallenge
-
@@ -51,7 +51,7 @@
description: 'Overwrite the Legal Information file.'
difficulty: 6
hint: 'Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#overwrite-the-legal-information-file'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_overwrite_the_legal_information_file'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
key: fileWriteChallenge
disabledEnv:
@@ -65,8 +65,8 @@
- OSINT
description: 'Reset the password of Bjoern''s OWASP account via the Forgot Password mechanism with the original answer to his security question.'
difficulty: 3
- hint: 'He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#reset-the-password-of-bjoerns-owasp-account-via-the-forgot-password-mechanism'
+ hint: 'He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_the_password_of_bjoerns_owasp_account_via_the_forgot_password_mechanism'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html'
key: resetPasswordBjoernOwaspChallenge
-
@@ -75,12 +75,61 @@
tags:
- Contraption
- Code Analysis
+ - Web3
description: 'Learn about the Token Sale before its official announcement.'
difficulty: 5
hint: 'The developers truly believe in "Security through Obscurity" over actual access restrictions.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/security-through-obscurity.html#learn-about-the-token-sale-before-its-official-announcement'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_learn_about_the_token_sale_before_its_official_announcement'
mitigationUrl: ~
key: tokenSaleChallenge
+- name: 'NFT Takeover'
+ category: 'Sensitive Data Exposure'
+ tags:
+ - Contraption
+ - Good for Demos
+ - Web3
+ description: 'Take over the wallet containing our official Soul Bound Token (NFT).'
+ difficulty: 2
+ hint: 'Find the seed phrase posted accidentally.'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_take_over_the_wallet_containing_our_official_soul_bound_token'
+ mitigationUrl: ~
+ key: nftUnlockChallenge
+- name: 'Mint the Honey Pot'
+ category: 'Improper Input Validation'
+ tags:
+ - Web3
+ - Internet Traffic
+ description: 'Mint the Honey Pot NFT by gathering BEEs from the bee haven.'
+ difficulty: 3
+ hint: 'Discover NFT wonders among the captivating visual memories.'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_mint_the_honey_pot_nft_by_gathering_bees_from_the_bee_haven'
+ mitigationUrl: ~
+ key: nftMintChallenge
+- name: 'Wallet Depletion'
+ category: 'Miscellaneous'
+ tags:
+ - Web3
+ - Internet Traffic
+ description: 'Withdraw more ETH from the new wallet than you deposited.'
+ difficulty: 6
+ hint: 'Try to exploit the contract of the wallet.'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_withdraw_more_eth_from_the_new_wallet_than_you_deposited'
+ mitigationUrl: ~
+ key: web3WalletChallenge
+- name: 'Web3 Sandbox'
+ category: 'Broken Access Control'
+ tags:
+ - Web3
+ description: 'Find an accidentally deployed code sandbox for writing smart contracts on the fly.'
+ difficulty: 1
+ hint: 'It is just as easy as finding the Score Board.'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_find_an_accidentally_deployed_code_sandbox'
+ mitigationUrl: ~
+ key: web3SandboxChallenge
-
name: 'Blocked RCE DoS'
category: 'Insecure Deserialization'
@@ -89,7 +138,7 @@
description: 'Perform a Remote Code Execution that would keep a less hardened application busy forever.'
difficulty: 5
hint: 'The feature you need to exploit for this challenge is not directly advertised anywhere.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/insecure-deserialization.html#perform-a-remote-code-execution-that-would-keep-a-less-hardened-application-busy-forever'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/insecure-deserialization.html#_perform_a_remote_code_execution_that_would_keep_a_less_hardened_application_busy_forever'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html'
key: rceChallenge
disabledEnv:
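Review bot: All four new entries (`nftUnlockChallenge`, `nftMintChallenge`, `web3WalletChallenge`, `web3SandboxChallenge`) are added with `mitigationUrl: ~`, while this same commit fills that field in for `changePasswordBenderChallenge`, `emailLeakChallenge` and `emptyUserRegistration`, and the existing `Broken Access Control` entries in this file already point at `https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html`. `Web3 Sandbox` is categorised `Broken Access Control`, so `mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'` would keep it consistent with its siblings, and `NFT Takeover` (a leaked seed phrase under `Sensitive Data Exposure`) maps to the OWASP Secrets Management cheat sheet at `https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html`. The other two may genuinely have no matching cheat sheet; a short YAML comment next to their `mitigationUrl: ~` saying so would stop the next reader from treating the tilde as an omission. The leading `tags:` context belongs to `tokenSaleChallenge`, whose `name`/`category` lines sit above this hunk.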
@@ -104,7 +153,7 @@
description: 'Submit 10 or more customer feedbacks within 20 seconds.'
difficulty: 3
hint: 'After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-anti-automation.html#submit-10-or-more-customer-feedbacks-within-20-seconds'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_submit_10_or_more_customer_feedbacks_within_20_seconds'
mitigationUrl: ~
key: captchaBypassChallenge
-
@@ -113,8 +162,8 @@
description: 'Change Bender''s password into slurmCl4ssic without using SQL Injection or Forgot Password.'
difficulty: 5
hint: 'In previous releases this challenge was wrongly accused of being based on CSRF.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#change-benders-password-into-slurmcl4ssic-without-using-sql-injection-or-forgot-password'
- mitigationUrl: ~
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_change_benders_password_into_slurmcl4ssic_without_using_sql_injection_or_forgot_password'
+ mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
key: changePasswordBenderChallenge
-
name: 'Christmas Special'
@@ -122,7 +171,7 @@
description: 'Order the Christmas special offer of 2014.'
difficulty: 4
hint: 'Find out how the application handles unavailable products and try to find a loophole.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#order-the-christmas-special-offer-of-2014'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_order_the_christmas_special_offer_of_2014'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
key: christmasSpecialChallenge
-
@@ -133,7 +182,7 @@
description: 'Bypass the Content Security Policy and perform an XSS attack with <script>alert(`xss`)</script> on a legacy page within the application.'
difficulty: 4
hint: 'What is even "better" than a legacy page with a homegrown RegEx sanitizer? Having CSP injection issues on the exact same page as well!'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#bypass-the-content-security-policy-and-perform-an-xss-attack-on-a-legacy-page'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_bypass_the_content_security_policy_and_perform_an_xss_attack_on_a_legacy_page'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
key: usernameXssChallenge
disabledEnv:
@@ -148,7 +197,7 @@
description: 'Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> bypassing a client-side security mechanism.'
difficulty: 3
hint: 'Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-persisted-xss-attack-bypassing-a-client-side-security-mechanism'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_bypassing_a_client_side_security_mechanism'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
key: persistedXssUserChallenge
disabledEnv:
@@ -163,7 +212,7 @@
description: 'Access a confidential document.'
difficulty: 1
hint: 'Analyze and tamper with links in the application that deliver a file directly.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#access-a-confidential-document'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_confidential_document'
mitigationUrl: ~
key: directoryListingChallenge
-
@@ -175,7 +224,7 @@
description: 'Perform a DOM XSS attack with <iframe src="javascript:alert(`xss`)">.'
difficulty: 1
hint: 'Look for an input field where its content appears in the HTML when its form is submitted.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-dom-xss-attack'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_dom_xss_attack'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html'
key: localXssChallenge
tutorial:
@@ -186,7 +235,7 @@
description: 'Exfiltrate the entire DB schema definition via SQL Injection.'
difficulty: 3
hint: 'Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#exfiltrate-the-entire-db-schema-definition-via-sql-injection'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_exfiltrate_the_entire_db_schema_definition_via_sql_injection'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
key: dbSchemaChallenge
-
@@ -198,7 +247,7 @@
description: 'Use a deprecated B2B interface that was not properly shut down.'
difficulty: 2
hint: 'The developers who disabled the interface think they could go invisible by just closing their eyes.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/security-misconfiguration.html#use-a-deprecated-b2b-interface-that-was-not-properly-shut-down'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_use_a_deprecated_b2b_interface_that_was_not_properly_shut_down'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Web_Service_Security_Cheat_Sheet.html'
key: deprecatedInterfaceChallenge
-
@@ -208,10 +257,10 @@
- Shenanigans
- Contraption
- Good for Demos
- description: 'Find the hidden easter egg.'
+ description: 'Find the hidden easter egg.'
difficulty: 4
hint: 'If you solved one of the three file access challenges, you already know where to find the easter egg.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#find-the-hidden-easter-egg'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_find_the_hidden_easter_egg'
mitigationUrl: ~
key: easterEggLevelOneChallenge
-
@@ -220,8 +269,8 @@
description: 'Perform an unwanted information disclosure by accessing data cross-domain.'
difficulty: 5
hint: 'Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#perform-an-unwanted-information-disclosure-by-accessing-data-cross-domain'
- mitigationUrl: ~
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_perform_an_unwanted_information_disclosure_by_accessing_data_cross_domain'
+ mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XS_Leaks_Cheat_Sheet.html'
key: emailLeakChallenge
-
name: 'Empty User Registration'
@@ -229,8 +278,8 @@
description: 'Register a user with an empty email and password.'
difficulty: 2
hint: 'Consider intercepting and playing with the request payload.'
- hintUrl: https://pwning.owasp-juice.shop/part2/improper-input-validation.html#register-a-user-account-with-an-empty-email-and-password
- mitigationUrl: ~
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_register_a_user_account_with_an_empty_email_and_password'
+ mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html'
key: emptyUserRegistration
-
name: 'Ephemeral Accountant'
@@ -238,7 +287,7 @@
description: 'Log in with the (non-existing) accountant acc0unt4nt@juice-sh.op without ever registering that user.'
difficulty: 4
hint: 'Try to create the needed user "out of thin air".'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#log-in-with-the-non-existing-accountant-without-ever-registering-that-user'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_the_non_existing_accountant_without_ever_registering_that_user'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
key: ephemeralAccountantChallenge
-
@@ -249,7 +298,7 @@
description: 'Provoke an error that is neither very gracefully nor consistently handled.'
difficulty: 1
hint: 'Try to submit bad input to forms. Alternatively tamper with URL paths or parameters.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/security-misconfiguration.html#provoke-an-error-that-is-neither-very-gracefully-nor-consistently-handled'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_provoke_an_error_that_is_neither_very_gracefully_nor_consistently_handled'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html'
key: errorHandlingChallenge
-
@@ -258,7 +307,7 @@
description: 'Successfully redeem an expired campaign coupon code.'
difficulty: 4
hint: 'Try to identify past special event or holiday campaigns of the shop first.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#successfully-redeem-an-expired-campaign-coupon-code'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_successfully_redeem_an_expired_campaign_coupon_code'
mitigationUrl: ~
key: manipulateClockChallenge
-
@@ -269,7 +318,7 @@
description: 'Retrieve the language file that never made it into production.'
difficulty: 5
hint: 'Brute force is not the only option for this challenge, but a perfectly viable one.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-anti-automation.html#retrieve-the-language-file-that-never-made-it-into-production'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_retrieve_the_language_file_that_never_made_it_into_production'
mitigationUrl: ~
key: extraLanguageChallenge
-
@@ -278,7 +327,7 @@
description: 'Get rid of all 5-star customer feedback.'
difficulty: 2
hint: 'Once you found admin section of the application, this challenge is almost trivial.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#get-rid-of-all-5-star-customer-feedback'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_get_rid_of_all_5_star_customer_feedback'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
key: feedbackChallenge
-
@@ -289,8 +338,8 @@
- Code Analysis
description: 'Forge a coupon code that gives you a discount of at least 80%.'
difficulty: 6
- hint: 'Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/cryptographic-issues.html#forge-a-coupon-code-that-gives-you-a-discount-of-at-least-80'
+ hint: 'Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_forge_a_coupon_code_that_gives_you_a_discount_of_at_least_80'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html'
key: forgedCouponChallenge
-
@@ -301,7 +350,7 @@
description: "Post some feedback in another user's name."
difficulty: 3
hint: 'You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#post-some-feedback-in-another-users-name'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_post_some_feedback_in_another_users_name'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
key: forgedFeedbackChallenge
tutorial:
@@ -312,7 +361,7 @@
description: 'Post a product review as another user or edit any user''s existing review.'
difficulty: 3
hint: 'Observe the flow of product review posting and editing and see if you can exploit it.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#post-a-product-review-as-another-user-or-edit-any-users-existing-review'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_post_a_product_review_as_another_user_or_edit_any_users_existing_review'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
key: forgedReviewChallenge
-
@@ -321,7 +370,7 @@
description: 'Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op.'
difficulty: 6
hint: 'This challenge is explicitly not about acquiring the RSA private key used for JWT signing.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#forge-an-almost-properly-rsa-signed-jwt-token'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_forge_an_almost_properly_rsa_signed_jwt_token'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html'
key: jwtForgedChallenge
disabledEnv:
@@ -336,7 +385,7 @@
description: 'Access a developer''s forgotten backup file.'
difficulty: 4
hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#access-a-developers-forgotten-backup-file'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_developers_forgotten_backup_file'
mitigationUrl: ~
key: forgottenDevBackupChallenge
-
@@ -347,7 +396,7 @@
description: 'Access a salesman''s forgotten backup file.'
difficulty: 4
hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#access-a-salesmans-forgotten-backup-file'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_salesmans_forgotten_backup_file'
mitigationUrl: ~
key: forgottenBackupChallenge
-
@@ -356,7 +405,7 @@
description: 'Inform the shop about a typosquatting imposter that dug itself deep into the frontend. (Mention the exact name of the culprit)'
difficulty: 5
hint: 'This challenge has nothing to do with mistyping web domains. There is no conveniently misplaced file helping you with this one either. Or is there?'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#inform-the-shop-about-a-typosquatting-imposter-that-dug-itself-deep-into-the-frontend'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_typosquatting_imposter_that_dug_itself_deep_into_the_frontend'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
key: typosquattingAngularChallenge
-
@@ -365,7 +414,7 @@
description: 'Log in with Chris'' erased user account.'
difficulty: 3
hint: 'Turns out that something is technically and legally wrong with the implementation of the "right to be forgotten" for users.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#log-in-with-chris-erased-user-account'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_chris_erased_user_account'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html'
key: ghostLoginChallenge
-
@@ -374,7 +423,7 @@
description: 'Steal someone else''s personal data without using Injection.'
difficulty: 4
hint: 'Trick the regular Data Export to give you more than actually belongs to you.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#steal-someone-elses-personal-data-without-using-injection'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_steal_someone_elses_personal_data_without_using_injection'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html'
key: dataExportChallenge
-
@@ -385,7 +434,7 @@
description: 'Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> through an HTTP header.'
difficulty: 4
hint: 'Finding a piece of displayed information that could originate from an HTTP header is part of this challenge.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-persisted-xss-attack-through-an-http-header'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_through_an_http_header'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html'
key: httpHeaderXssChallenge
disabledEnv:
@@ -401,7 +450,7 @@
description: 'Solve challenge #999. Unfortunately, this challenge does not exist.'
difficulty: 6
hint: 'You need to trick the hacking progress persistence feature into thinking you solved challenge #999.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/cryptographic-issues.html#solve-challenge-999'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_solve_challenge_999'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html'
key: continueCodeChallenge
-
@@ -412,7 +461,7 @@
description: 'Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)'
difficulty: 5
hint: 'Once you have it, a technique called "Password Spraying" might prove useful.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#dumpster-dive-the-internet-for-a-leaked-password-and-log-in-to-the-original-user-account-it-belongs-to'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_dumpster_dive_the_internet_for_a_leaked_password_and_log_in_to_the_original_user_account_it_belongs_to'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Credential_Stuffing_Prevention_Cheat_Sheet.html'
key: dlpPasswordSprayingChallenge
-
@@ -424,7 +473,7 @@
description: 'Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous.'
difficulty: 4
hint: 'Your own SQLi and someone else''s Ctrl-V will be your accomplices in this challenge!'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#identify-an-unsafe-product-that-was-removed-from-the-shop-and-inform-the-shop-which-ingredients-are-dangerous'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_identify_an_unsafe_product_that_was_removed_from_the_shop_and_inform_the_shop_which_ingredients_are_dangerous'
mitigationUrl: ~
key: dlpPastebinDataLeakChallenge
-
@@ -433,7 +482,7 @@
description: 'Inform the shop about a typosquatting trick it has been a victim of at least in v6.2.0-SNAPSHOT. (Mention the exact name of the culprit)'
difficulty: 4
hint: 'This challenge has nothing to do with mistyping web domains. Investigate the forgotten developer''s backup file instead.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#inform-the-shop-about-a-typosquatting-trick-it-has-been-a-victim-of'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_typosquatting_trick_it_has_been_a_victim_of'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
key: typosquattingNpmChallenge
-
@@ -445,7 +494,7 @@
description: 'Log in with the administrator''s user account.'
difficulty: 2
hint: 'Try different SQL Injection attack patterns depending whether you know the admin''s email address or not.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#log-in-with-the-administrators-user-account'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_the_administrators_user_account'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
key: loginAdminChallenge
tutorial:
@@ -458,7 +507,7 @@
description: 'Log in with Amy''s original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the "One Important Final Note")'
difficulty: 3
hint: 'This challenge will make you go after a needle in a haystack.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#log-in-with-amys-original-user-credentials'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_log_in_with_amys_original_user_credentials'
mitigationUrl: ~
key: loginAmyChallenge
-
@@ -469,7 +518,7 @@
description: 'Log in with Bender''s user account.'
difficulty: 3
hint: 'If you know Bender''s email address, try SQL Injection. Bender''s password hash might not help you very much.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#log-in-with-benders-user-account'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_benders_user_account'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
key: loginBenderChallenge
tutorial:
@@ -482,7 +531,7 @@
description: 'Log in with Bjoern''s Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account.'
difficulty: 4
hint: 'The security flaw behind this challenge is 100% OWASP Juice Shop''s fault and 0% Google''s.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#log-in-with-bjoerns-gmail-account'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_bjoerns_gmail_account'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
key: oauthUserPasswordChallenge
-
@@ -493,7 +542,7 @@
description: 'Log in with Jim''s user account.'
difficulty: 3
hint: 'Try cracking Jim''s password hash if you harvested it already. Alternatively, if you know Jim''s email address, try SQL Injection.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#log-in-with-jims-user-account'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_log_in_with_jims_user_account'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
key: loginJimChallenge
tutorial:
@@ -507,7 +556,7 @@
description: 'Log in with MC SafeSearch''s original user credentials without applying SQL Injection or any other bypass.'
difficulty: 2
hint: 'You should listen to MC''s hit song "Protect Ya Passwordz".'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#log-in-with-mc-safesearchs-original-user-credentials'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_log_in_with_mc_safesearchs_original_user_credentials'
mitigationUrl: ~
key: loginRapperChallenge
-
@@ -519,7 +568,7 @@
description: 'Log in with the support team''s original user credentials without applying SQL Injection or any other bypass.'
difficulty: 6
hint: 'The underlying flaw of this challenge is a lot more human error than technical weakness.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/security-misconfiguration.html#log-in-with-the-support-teams-original-user-credentials'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-misconfiguration.html#_log_in_with_the_support_teams_original_user_credentials'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html'
key: loginSupportChallenge
-
@@ -528,7 +577,7 @@
description: 'Put an additional product into another user''s shopping basket.'
difficulty: 3
hint: 'Have an eye on the HTTP traffic while placing products in the shopping basket. Changing the quantity of products already in the basket doesn''t count.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#put-an-additional-product-into-another-users-shopping-basket'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_put_an_additional_product_into_another_users_shopping_basket'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html'
key: basketManipulateChallenge
-
@@ -540,7 +589,7 @@
description: 'Access a misplaced SIEM signature file.'
difficulty: 4
hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#access-a-misplaced-siem-signature-file'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_access_a_misplaced_siem_signature_file'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html'
key: misplacedSignatureFileChallenge
-
@@ -549,7 +598,7 @@
description: 'Like any review at least three times as the same user.'
difficulty: 6
hint: 'Punctuality is the politeness of kings.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-anti-automation.html#like-any-review-at-least-three-times-as-the-same-user'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_like_any_review_at_least_three_times_as_the_same_user'
mitigationUrl: ~
key: timingAttackChallenge
-
@@ -561,7 +610,7 @@
description: 'Apply some advanced cryptanalysis to find the real easter egg.'
difficulty: 4
hint: 'You might have to peel through several layers of tough-as-nails encryption for this challenge.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/cryptographic-issues.html#apply-some-advanced-cryptanalysis-to-find-the-real-easter-egg'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_apply_some_advanced_cryptanalysis_to_find_the_real_easter_egg'
mitigationUrl: ~
key: easterEggLevelTwoChallenge
-
@@ -572,7 +621,7 @@ description: 'Let the server sleep for some time. (It has done more than enough hard work for you)' difficulty: 4 hint: 'This challenge is essentially a stripped-down Denial of Service (DoS) attack.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#let-the-server-sleep-for-some-time' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_let_the_server_sleep_for_some_time' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html' key: noSqlCommandChallenge disabledEnv: @@ -587,7 +636,7 @@ description: 'All your orders are belong to us! Even the ones which don''t.' difficulty: 5 hint: 'Take a close look on how the $where query operator works in MongoDB.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#all-your-orders-are-belong-to-us' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_all_your_orders_are_belong_to_us' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html' key: noSqlOrdersChallenge disabledEnv: @@ -600,7 +649,7 @@ description: 'Update multiple product reviews at the same time.' difficulty: 4 hint: 'Take a close look on how the equivalent of UPDATE-statements in MongoDB work.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#update-multiple-product-reviews-at-the-same-time' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_update_multiple_product_reviews_at_the_same_time' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html' key: noSqlReviewsChallenge - 
@@ -611,7 +660,7 @@ description: 'Let us redirect you to one of our crypto currency addresses which are not promoted any longer.' difficulty: 1 hint: 'We might have failed to take this out of our code properly.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/unvalidated-redirects.html#let-us-redirect-you-to-one-of-our-crypto-currency-addresses' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/unvalidated-redirects.html#_let_us_redirect_you_to_one_of_our_crypto_currency_addresses' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html' key: redirectCryptoCurrencyChallenge - @@ -623,7 +672,7 @@ description: 'Log in with the administrator''s user credentials without previously changing them or applying SQL Injection.' difficulty: 2 hint: 'This one should be equally easy to a) brute force, b) crack the password hash or c) simply guess.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#log-in-with-the-administrators-user-credentials-without-previously-changing-them-or-applying-sql-injection' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_log_in_with_the_administrators_user_credentials_without_previously_changing_them_or_applying_sql_injection' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html' key: weakPasswordChallenge tutorial: 
@@ -634,7 +683,7 @@ description: 'Place an order that makes you rich.' difficulty: 3 hint: 'You literally need to make the shop owe you any amount of money.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#place-an-order-that-makes-you-rich' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_place_an_order_that_makes_you_rich' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html' key: negativeOrderChallenge - @@ -645,7 +694,7 @@ description: ' Unlock Premium Challenge to access exclusive content.' difficulty: 6 hint: 'You do not have to pay anything to unlock this challenge! Nonetheless, donations are very much appreciated.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/cryptographic-issues.html#unlock-premium-challenge-to-access-exclusive-content' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_unlock_premium_challenge_to_access_exclusive_content' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html' key: premiumPaywallChallenge - @@ -658,7 +707,7 @@ description: 'Read our privacy policy.' difficulty: 1 hint: 'We won''t even ask you to confirm that you did. Just read it. Please. Pretty please.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/miscellaneous.html#read-our-privacy-policy' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_read_our_privacy_policy' mitigationUrl: ~ key: privacyPolicyChallenge tutorial: 
@@ -672,7 +721,7 @@ description: 'Prove that you actually read our privacy policy.' difficulty: 3 hint: 'Only by visiting a special URL you can confirm that you read it carefully.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/security-through-obscurity.html#prove-that-you-actually-read-our-privacy-policy' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_prove_that_you_actually_read_our_privacy_policy' mitigationUrl: ~ key: privacyPolicyProofChallenge - @@ -681,7 +730,7 @@ description: 'Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com.' difficulty: 3 hint: 'Look for one of the following: a) broken admin functionality, b) holes in RESTful API or c) possibility for SQL Injection.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#change-the-href-of-the-link-within-the-o-saft-product-description' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_change_the_href_of_the_link_within_the_o_saft_product_description' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html' key: changeProductChallenge - @@ -693,7 +742,7 @@ description: 'Perform a reflected XSS attack with <iframe src="javascript:alert(`xss`)">.' difficulty: 2 hint: 'Look for a url parameter where its value appears in the page it is leading to.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-reflected-xss-attack' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_reflected_xss_attack' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html' key: reflectedXssChallenge disabledEnv: 
@@ -706,7 +755,7 @@ description: 'Follow the DRY principle while registering a user.' difficulty: 1 hint: 'You can solve this by cleverly interacting with the UI or bypassing it altogether.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#follow-the-dry-principle-while-registering-a-user' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_follow_the_dry_principle_while_registering_a_user' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html' key: passwordRepeatChallenge - @@ -717,7 +766,7 @@ description: 'Reset Bender''s password via the Forgot Password mechanism with the original answer to his security question.' difficulty: 4 hint: 'Not as trivial as Jim''s but still not too difficult with some "Futurama" background knowledge.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#reset-benders-password-via-the-forgot-password-mechanism' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_benders_password_via_the_forgot_password_mechanism' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html' key: resetPasswordBenderChallenge - 
@@ -728,7 +777,7 @@ description: 'Reset the password of Bjoern''s internal account via the Forgot Password mechanism with the original answer to his security question.' difficulty: 5 hint: 'Nothing a little bit of Facebook stalking couldn''t reveal. Might involve a historical twist.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#reset-the-password-of-bjoerns-internal-account-via-the-forgot-password-mechanism' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_the_password_of_bjoerns_internal_account_via_the_forgot_password_mechanism' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html' key: resetPasswordBjoernChallenge - @@ -739,7 +788,7 @@ description: 'Reset Jim''s password via the Forgot Password mechanism with the original answer to his security question.' difficulty: 3 hint: 'It''s hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly exposed.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#reset-jims-password-via-the-forgot-password-mechanism' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_reset_jims_password_via_the_forgot_password_mechanism' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html' key: resetPasswordJimChallenge - 
@@ -751,7 +800,7 @@ description: 'Reset Morty''s password via the Forgot Password mechanism with his obfuscated answer to his security question.' difficulty: 5 hint: 'Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty''s security question.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-anti-automation.html#reset-mortys-password-via-the-forgot-password-mechanism' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-anti-automation.html#_reset_mortys_password_via_the_forgot_password_mechanism' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html' key: resetPasswordMortyChallenge - @@ -760,7 +809,7 @@ description: 'Deprive the shop of earnings by downloading the blueprint for one of its products.' difficulty: 5 hint: 'The product you might want to give a closer look is the OWASP Juice Shop Logo (3D-printed).' - hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#deprive-the-shop-of-earnings-by-downloading-the-blueprint-for-one-of-its-products' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_deprive_the_shop_of_earnings_by_downloading_the_blueprint_for_one_of_its_products' mitigationUrl: ~ key: retrieveBlueprintChallenge - @@ -771,7 +820,7 @@ description: 'Request a hidden resource on server through server.' difficulty: 6 hint: 'Reverse engineering something bad can make good things happen.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#request-a-hidden-resource-on-server-through-server' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_request_a_hidden_resource_on_server_through_server' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html' key: ssrfChallenge - 
@@ -784,7 +833,7 @@ description: 'Infect the server with juicy malware by abusing arbitrary command execution.' difficulty: 6 hint: '"SSTi" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#infect-the-server-with-juicy-malware-by-abusing-arbitrary-command-execution' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_infect_the_server_with_juicy_malware_by_abusing_arbitrary_command_execution' mitigationUrl: ~ key: sstiChallenge disabledEnv: @@ -800,7 +849,7 @@ description: 'Find the carefully hidden ''Score Board'' page.' difficulty: 1 hint: 'Try to find a reference or clue behind the scenes. Or simply guess what URL the Score Board might have.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/score-board.html#find-the-carefully-hidden-score-board-page' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/score-board.html#_find_the_carefully_hidden_score_board_page' mitigationUrl: ~ key: scoreBoardChallenge tutorial: @@ -812,8 +861,8 @@ - Good Practice description: 'Behave like any "white-hat" should before getting into the action.' difficulty: 2 - hint: 'Undoubtably you want to read our security policy before conducting any research on our application.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/miscellaneous.html#behave-like-any-white-hat-should-before-getting-into-the-action' + hint: 'Undoubtedly you want to read our security policy before conducting any research on our application.' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_behave_like_any_white_hat_should_before_getting_into_the_action' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html' key: securityPolicyChallenge - 
@@ -824,7 +873,7 @@ description: 'Perform a persisted XSS attack with <iframe src="javascript:alert(`xss`)"> bypassing a server-side security mechanism.' difficulty: 4 hint: 'The "Comment" field in the "Customer Feedback" screen is where you want to put your focus on.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#perform-a-persisted-xss-attack-bypassing-a-server-side-security-mechanism' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_perform_a_persisted_xss_attack_bypassing_a_server_side_security_mechanism' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html' key: persistedXssFeedbackChallenge disabledEnv: @@ -839,7 +888,7 @@ description: 'Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)' difficulty: 4 hint: 'No matter how good your eyes are, you will need tool assistance for this challenge.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/security-through-obscurity.html#rat-out-a-notorious-character-hiding-in-plain-sight-in-the-shop' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/security-through-obscurity.html#_rat_out_a_notorious_character_hiding_in_plain_sight_in_the_shop' mitigationUrl: ~ key: hiddenImageChallenge - 
@@ -850,7 +899,7 @@ description: 'Perform a Remote Code Execution that occupies the server for a while without using infinite loops.' difficulty: 6 hint: 'Your attack payload must not trigger the protection against too many iterations.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/insecure-deserialization.html#perform-a-remote-code-execution-that-occupies-the-server-for-a-while-without-using-infinite-loops' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/insecure-deserialization.html#_perform_a_remote_code_execution_that_occupies_the_server_for_a_while_without_using_infinite_loops' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html' key: rceOccupyChallenge disabledEnv: @@ -865,7 +914,7 @@ description: 'Inform the development team about a danger to some of their credentials. (Send them the URL of the original report or an assigned CVE or another identifier of this vulnerability)' difficulty: 5 hint: 'This vulnerability will not affect any customer of the shop. It is aimed exclusively at its developers.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#inform-the-development-team-about-a-danger-to-some-of-their-credentials' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_development_team_about_a_danger_to_some_of_their_credentials' mitigationUrl: ~ key: supplyChainAttackChallenge - 
@@ -874,7 +923,7 @@ description: 'Solve the 2FA challenge for user "wurstbrot". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)' difficulty: 5 hint: 'The 2FA implementation requires to store a secret for every user. You will need to find a way to access this secret in order to solve this challenge.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-authentication.html#solve-the-2fa-challenge-for-user-wurstbrot' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-authentication.html#_solve_the_2fa_challenge_for_user_wurstbrot' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html' key: twoFactorAuthUnsafeSecretStorageChallenge - @@ -883,7 +932,7 @@ description: 'Forge an essentially unsigned JWT token that impersonates the (non-existing) user jwtn3d@juice-sh.op.' difficulty: 5 hint: 'This challenge exploits a weird option that is supported when signing tokens with JWT.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#forge-an-essentially-unsigned-jwt-token' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_forge_an_essentially_unsigned_jwt_token' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html' key: jwtUnsignedChallenge - @@ -892,7 +941,7 @@ description: 'Upload a file larger than 100 kB.' difficulty: 3 hint: 'You can attach a small file to the "Complaint" form. Investigate how this upload actually works.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#upload-a-file-larger-than-100-kb' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_upload_a_file_larger_than_100_kb' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html' key: uploadSizeChallenge - 
@@ -901,7 +950,7 @@ description: 'Upload a file that has no .pdf or .zip extension.' difficulty: 3 hint: 'You can attach a PDF or ZIP file to the "Complaint" form. Investigate how this upload actually works.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#upload-a-file-that-has-no-pdf-or-zip-extension' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_upload_a_file_that_has_no_pdf_or_zip_extension' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html' key: uploadTypeChallenge - @@ -910,7 +959,7 @@ description: 'Retrieve a list of all user credentials via SQL Injection.' difficulty: 4 hint: 'Gather information on where user data is stored and how it is addressed. Then craft a corresponding UNION SELECT attack.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#retrieve-a-list-of-all-user-credentials-via-sql-injection' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_retrieve_a_list_of_all_user_credentials_via_sql_injection' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html' key: unionSqlInjectionChallenge - @@ -921,7 +970,7 @@ description: 'Embed an XSS payload </script><script>alert(`xss`)</script> into our promo video.' difficulty: 6 hint: 'You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#embed-an-xss-payload-into-our-promo-video' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_embed_an_xss_payload_into_our_promo_video' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html' key: videoXssChallenge disabledEnv: 
@@ -937,7 +986,7 @@ description: 'View another user''s shopping basket.' difficulty: 2 hint: 'Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#view-another-users-shopping-basket' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_view_another_users_shopping_basket' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html' key: basketAccessChallenge tutorial: @@ -950,7 +999,7 @@ description: 'Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment)' difficulty: 4 hint: 'Report one of two possible answers via the "Customer Feedback" form. Do not forget to submit the library''s version as well.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/vulnerable-components.html#inform-the-shop-about-a-vulnerable-library-it-is-using' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_inform_the_shop_about_a_vulnerable_library_it_is_using' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html' key: knownVulnerableComponentChallenge - 
@@ -959,7 +1008,7 @@ description: 'Inform the shop about an algorithm or library it should definitely not use the way it does.' difficulty: 2 hint: 'Report one of four possible answers via the "Customer Feedback" form.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/cryptographic-issues.html#inform-the-shop-about-an-algorithm-or-library-it-should-definitely-not-use-the-way-it-does' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/cryptographic-issues.html#_inform_the_shop_about_an_algorithm_or_library_it_should_definitely_not_use_the_way_it_does' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html' key: weirdCryptoChallenge - @@ -970,7 +1019,7 @@ description: 'Enforce a redirect to a page you are not supposed to redirect to.' difficulty: 4 hint: 'You have to find a way to beat the allowlist of allowed redirect URLs.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/unvalidated-redirects.html#enforce-a-redirect-to-a-page-you-are-not-supposed-to-redirect-to' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/unvalidated-redirects.html#_enforce_a_redirect_to_a_page_you_are_not_supposed_to_redirect_to' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html' key: redirectChallenge - 
@@ -981,7 +1030,7 @@ description: 'Retrieve the content of C:\Windows\system.ini or /etc/passwd from the server.' difficulty: 3 hint: 'The leverage point for this challenge is the deprecated B2B interface.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/xxe.html#retrieve-the-content-of-cwindowssystemini-or-etcpasswd-from-the-server' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xxe.html#_retrieve_the_content_of_cwindowssystemini_or_etcpasswd_from_the_server' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html' key: xxeFileDisclosureChallenge disabledEnv: @@ -996,7 +1045,7 @@ description: 'Give the server something to chew on for quite a while.' difficulty: 5 hint: 'It is not as easy as sending a large amount of data directly to the deprecated B2B interface.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/xxe.html#give-the-server-something-to-chew-on-for-quite-a-while' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xxe.html#_give_the_server_something_to_chew_on_for_quite_a_while' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html' key: xxeDosChallenge disabledEnv: @@ -1009,7 +1058,7 @@ description: 'Give a devastating zero-star feedback to the store.' difficulty: 1 hint: 'Before you invest time bypassing the API, you might want to play around with the UI a bit.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#give-a-devastating-zero-star-feedback-to-the-store' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_give_a_devastating_zero_star_feedback_to_the_store' mitigationUrl: ~ key: zeroStarsChallenge - 
@@ -1020,7 +1069,7 @@ description: 'Retrieve the photo of Bjoern''s cat in "melee combat-mode".' difficulty: 1 hint: 'Check the Photo Wall for an image that could not be loaded correctly.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#retrieve-the-photo-of-bjoerns-cat-in-melee-combat-mode' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_retrieve_the_photo_of_bjoerns_cat_in_melee_combat_mode' mitigationUrl: ~ key: missingEncodingChallenge - @@ -1031,7 +1080,7 @@ description: 'Stick cute cross-domain kittens all over our delivery boxes.' difficulty: 5 hint: 'This challenge would formally have to be in several categories as the developers made multiple gaffes for this to be possible.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/injection.html#stick-cute-cross-domain-kittens-all-over-our-delivery-boxes' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/injection.html#_stick_cute_cross_domain_kittens_all_over_our_delivery_boxes' mitigationUrl: ~ key: svgInjectionChallenge - @@ -1042,7 +1091,7 @@ description: 'Find the endpoint that serves usage data to be scraped by a popular monitoring system.' difficulty: 1 hint: 'Try to guess what URL the endpoint might have.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#find-the-endpoint-that-serves-usage-data-to-be-scraped-by-a-popular-monitoring-system' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_find_the_endpoint_that_serves_usage_data_to_be_scraped_by_a_popular_monitoring_system' mitigationUrl: ~ key: exposedMetricsChallenge - 
@@ -1051,7 +1100,7 @@ description: 'Obtain a Deluxe Membership without paying for it.' difficulty: 3 hint: 'Look closely at what happens when you attempt to upgrade your account.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#obtain-a-deluxe-membership-without-paying-for-it' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_obtain_a_deluxe_membership_without_paying_for_it' mitigationUrl: ~ key: freeDeluxeChallenge - @@ -1060,7 +1109,7 @@ description: 'Change the name of a user by performing Cross-Site Request Forgery from another origin.' difficulty: 3 hint: 'Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#change-the-name-of-a-user-by-performing-cross-site-request-forgery-from-another-origin' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/broken-access-control.html#_change_the_name_of_a_user_by_performing_cross_site_request_forgery_from_another_origin' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html' key: csrfChallenge - 
@@ -1072,7 +1121,7 @@ description: 'Use the bonus payload <iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe> in the DOM XSS challenge.' difficulty: 1 hint: 'Copy + Paste = Solved!' - hintUrl: 'https://pwning.owasp-juice.shop/part2/xss.html#use-the-bonus-payload-in-the-dom-xss-challenge' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/xss.html#_use_the_bonus_payload_in_the_dom_xss_challenge' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html' key: xssBonusChallenge tutorial: @@ -1085,7 +1134,7 @@ description: 'Reset Uvogin''s password via the Forgot Password mechanism with the original answer to his security question.' difficulty: 4 hint: 'You might have to do some OSINT on his social media personas to find out his honest answer to the security question.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#reset-uvogins-password-via-the-forgot-password-mechanism' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_reset_uvogins_password_via_the_forgot_password_mechanism' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html' key: resetPasswordUvoginChallenge - 
@@ -1096,7 +1145,7 @@ description: 'Determine the answer to John''s security question by looking at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism.' difficulty: 2 hint: 'Take a look at the meta data of the corresponding photo.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#determine-the-answer-to-johns-security-question' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_determine_the_answer_to_johns_security_question' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html' key: geoStalkingMetaChallenge - @@ -1107,7 +1156,7 @@ description: 'Determine the answer to Emma''s security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.' difficulty: 2 hint: 'Take a look at the details in the photo to determine the location of where it was taken.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/sensitive-data-exposure.html#determine-the-answer-to-emmas-security-question' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/sensitive-data-exposure.html#_determine_the_answer_to_emmas_security_question' mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Choosing_and_Using_Security_Questions_Cheat_Sheet.html' key: geoStalkingVisualChallenge - 
@@ -1118,7 +1167,7 @@
 description: 'Permanently disable the support chatbot so that it can no longer answer customer queries.'
 difficulty: 5
 hint: 'Think of a way to get a hold of the internal workings on the chatbot API.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#permanently-disable-the-support-chatbot'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_permanently_disable_the_support_chatbot'
 mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Vulnerable_Dependency_Management_Cheat_Sheet.html'
 key: killChatbotChallenge
 -
@@ -1126,10 +1175,10 @@
 category: 'Improper Input Validation'
 tags:
 - Prerequisite
- description: 'Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.'
+ description: 'Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.'
 difficulty: 4
 hint: 'Take a look at the details in the photo to determine the location of where it was taken.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/improper-input-validation.html#bypass-a-security-control-with-a-poison-null-byte'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/improper-input-validation.html#_bypass_a_security_control_with_a_poison_null_byte'
 mitigationUrl: ~
 key: nullByteChallenge
 -
@@ -1141,7 +1190,7 @@
 description: 'Receive a coupon code from the support chatbot.'
 difficulty: 1
 hint: 'Just keep asking.'
- hintUrl: 'https://pwning.owasp-juice.shop/part2/miscellaneous.html#receive-a-coupon-code-from-the-support-chatbot'
+ hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/miscellaneous.html#_receive_a_coupon_code_from_the_support_chatbot'
 mitigationUrl: ~
 key: bullyChatbotChallenge
 -
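Review bot: The `hint` of the nullByteChallenge entry in the second hunk (`'Take a look at the details in the photo to determine the location of where it was taken.'`) is the geoStalkingVisualChallenge hint copied verbatim and has nothing to do with the Poison Null Byte challenge the description names; the commit touches this entry's description and hintUrl but leaves the wrong hint in place. Since the new `hintUrl` now points at the companion-guide chapter, a minimal fix that does not give anything away is `hint: 'The description already names the technique; the linked companion guide chapter explains its background.'`. The `- description` / `+ description` pair shows no visible difference in this view, so the change is presumably whitespace only — worth a glance that it was intentional.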
@@ -1152,6 +1201,7 @@ - Danger Zone difficulty: 5 hint: 'You should read up on vulnerabilities in popular NodeJs template engines.' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/vulnerable-components.html#_gain_read_access_to_an_arbitrary_local_file_on_the_web_server' description: 'Gain read access to an arbitrary local file on the web server.' key: 'lfrChallenge' disabledEnv: @@ -1164,6 +1214,6 @@ description: 'Close multiple "Challenge solved"-notifications in one go.' difficulty: 1 hint: 'Either check the official documentation or inspect a notification UI element directly.' - hintUrl: 'https://pwning.owasp-juice.shop/part2/score-board.html#close-multiple-challenge-solved-notifications-in-one-go' + hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/score-board.html#_close_multiple_challenge_solved_notifications_in_one_go' mitigationUrl: ~ key: closeNotificationsChallenge diff --git a/data/static/codefixes/adminSectionChallenge_1_correct.ts b/data/static/codefixes/adminSectionChallenge_1_correct.ts index 5273237b97d..845bf5eba6c 100644 --- a/data/static/codefixes/adminSectionChallenge_1_correct.ts +++ b/data/static/codefixes/adminSectionChallenge_1_correct.ts @@ -157,6 +157,22 @@ const routes: Routes = [ component: LastLoginIpComponent } ] + }, + { + path: 'juicy-nft', + component: NFTUnlockComponent + }, + { + path: 'wallet-web3', + loadChildren: async () => await loadWeb3WalletModule() + }, + { + path: 'web3-sandbox', + loadChildren: async () => await loadWeb3SandboxtModule() + }, + { + path: 'bee-haven', + loadChildren: async () => await loadFaucetModule() }, { matcher: oauthMatcher, diff --git a/data/static/codefixes/adminSectionChallenge_2.ts b/data/static/codefixes/adminSectionChallenge_2.ts index 6576d14deb4..076541089ad 100644 --- a/data/static/codefixes/adminSectionChallenge_2.ts +++ b/data/static/codefixes/adminSectionChallenge_2.ts 
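Review bot: `loadWeb3SandboxtModule` in the new `web3-sandbox` route reads like a typo of `loadWeb3SandboxModule`; if it mirrors the symbol the frontend routing module actually exports, a short comment such as `// spelling matches the exported loader` would stop the next reader from "fixing" it, otherwise the snippet references a function that does not exist. The same four-route block is added verbatim to adminSectionChallenge_2/3/4.ts (L86), scoreBoardChallenge_1_correct/2.ts (L100), scoreBoardChallenge_3.ts (L101) and the new web3SandboxChallenge files (L103, L105), so whichever spelling is right should be applied to all of them. None of the four routes carries a `canActivate` guard, which is the condition web3SandboxChallenge_1_correct.ts (L103) resolves by dropping the route entirely; that is expected for snapshot snippets of other challenges, but it does mean the `_correct` variants for adminSection/scoreBoard intentionally retain it. The enclosing `routes` array starts and ends outside the hunk.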
@@ -154,6 +154,22 @@ const routes: Routes = [ component: LastLoginIpComponent } ] + }, + { + path: 'juicy-nft', + component: NFTUnlockComponent + }, + { + path: 'wallet-web3', + loadChildren: async () => await loadWeb3WalletModule() + }, + { + path: 'web3-sandbox', + loadChildren: async () => await loadWeb3SandboxtModule() + }, + { + path: 'bee-haven', + loadChildren: async () => await loadFaucetModule() }, { matcher: oauthMatcher, diff --git a/data/static/codefixes/adminSectionChallenge_3.ts b/data/static/codefixes/adminSectionChallenge_3.ts index 08c8f4b826b..5f0595bdda8 100644 --- a/data/static/codefixes/adminSectionChallenge_3.ts +++ b/data/static/codefixes/adminSectionChallenge_3.ts @@ -154,6 +154,22 @@ const routes: Routes = [ component: LastLoginIpComponent } ] + }, + { + path: 'juicy-nft', + component: NFTUnlockComponent + }, + { + path: 'wallet-web3', + loadChildren: async () => await loadWeb3WalletModule() + }, + { + path: 'web3-sandbox', + loadChildren: async () => await loadWeb3SandboxtModule() + }, + { + path: 'bee-haven', + loadChildren: async () => await loadFaucetModule() }, { matcher: oauthMatcher, diff --git a/data/static/codefixes/adminSectionChallenge_4.ts b/data/static/codefixes/adminSectionChallenge_4.ts index 779539a2dee..bc2c3ffc853 100644 --- a/data/static/codefixes/adminSectionChallenge_4.ts +++ b/data/static/codefixes/adminSectionChallenge_4.ts @@ -154,6 +154,22 @@ const routes: Routes = [ component: LastLoginIpComponent } ] + }, + { + path: 'juicy-nft', + component: NFTUnlockComponent + }, + { + path: 'wallet-web3', + loadChildren: async () => await loadWeb3WalletModule() + }, + { + path: 'web3-sandbox', + loadChildren: async () => await loadWeb3SandboxtModule() + }, + { + path: 'bee-haven', + loadChildren: async () => await loadFaucetModule() }, { matcher: oauthMatcher, diff --git a/data/static/codefixes/exposedMetricsChallenge_1.ts b/data/static/codefixes/exposedMetricsChallenge_1.ts index 9b825c485a3..f33f657f421 100644 
--- a/data/static/codefixes/exposedMetricsChallenge_1.ts +++ b/data/static/codefixes/exposedMetricsChallenge_1.ts @@ -7,7 +7,7 @@ errorhandler.title = `${config.get('application.name')} (Express ${utils.version const registerWebsocketEvents = require('./lib/startup/registerWebsocketEvents') const customizeApplication = require('./lib/startup/customizeApplication') -export async function start (readyCallback: Function) { +export async function start (readyCallback: any) { const datacreatorEnd = startupGauge.startTimer({ task: 'datacreator' }) await sequelize.sync({ force: true }) await datacreator() diff --git a/data/static/codefixes/exposedMetricsChallenge_2.ts b/data/static/codefixes/exposedMetricsChallenge_2.ts index 2cb4fa2ee21..28799426bb8 100644 --- a/data/static/codefixes/exposedMetricsChallenge_2.ts +++ b/data/static/codefixes/exposedMetricsChallenge_2.ts @@ -6,7 +6,7 @@ errorhandler.title = `${config.get('application.name')} (Express ${utils.version const registerWebsocketEvents = require('./lib/startup/registerWebsocketEvents') const customizeApplication = require('./lib/startup/customizeApplication') -export async function start (readyCallback: Function) { +export async function start (readyCallback: any) { const datacreatorEnd = startupGauge.startTimer({ task: 'datacreator' }) await sequelize.sync({ force: true }) await datacreator() diff --git a/data/static/codefixes/exposedMetricsChallenge_3_correct.ts b/data/static/codefixes/exposedMetricsChallenge_3_correct.ts index e7ed765b18e..3685502b4d2 100644 --- a/data/static/codefixes/exposedMetricsChallenge_3_correct.ts +++ b/data/static/codefixes/exposedMetricsChallenge_3_correct.ts 
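Review bot: Replacing `Function` with `any` for `readyCallback` removes the parameter's type information rather than tightening it; `readyCallback: () => void` (with the real argument list if the callback takes any) satisfies a lint rule that bans the `Function` type, which I take to be the motivation, without opting the parameter out of type checking altogether. The same one-line change is made in exposedMetricsChallenge_2.ts later on this line and in exposedMetricsChallenge_3_correct.ts (L88). The body of `start` continues outside the hunk.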
@@ -7,7 +7,7 @@ errorhandler.title = `${config.get('application.name')} (Express ${utils.version const registerWebsocketEvents = require('./lib/startup/registerWebsocketEvents') const customizeApplication = require('./lib/startup/customizeApplication') -export async function start (readyCallback: Function) { +export async function start (readyCallback: any) { const datacreatorEnd = startupGauge.startTimer({ task: 'datacreator' }) await sequelize.sync({ force: true }) await datacreator() diff --git a/data/static/codefixes/nftMintChallenge.info.yml b/data/static/codefixes/nftMintChallenge.info.yml new file mode 100644 index 00000000000..e8ad882cf8b --- /dev/null +++ b/data/static/codefixes/nftMintChallenge.info.yml @@ -0,0 +1,13 @@ +fixes: + - id: 1 + explanation: 'Wrong!' + - id: 2 + explanation: 'Wrong!' + - id: 3 + explanation: 'Wrong!' + - id: 4 + explanation: 'Correct!' +hints: + - 'Hint1' + - 'Hint2' + - 'Hint3' diff --git a/data/static/codefixes/nftMintChallenge_1.sol b/data/static/codefixes/nftMintChallenge_1.sol new file mode 100644 index 00000000000..27fa0def98d --- /dev/null +++ b/data/static/codefixes/nftMintChallenge_1.sol 
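Review bot: The explanations and hints in the new nftMintChallenge.info.yml are placeholders — `explanation: 'Wrong!'` / `'Correct!'` and `'Hint1'` … `'Hint3'` tell a player nothing about why fix 4 is the right one. Per the `index` lines that follow, nftMintChallenge_1.sol through nftMintChallenge_4_correct.sol all carry blob id `27fa0def98d`, so the four candidates are byte-identical and there is currently no difference for the explanations to describe. The same holds for nftUnlockChallenge.info.yml and its four candidates (L92–L96, all blob `2b52a5e16d9`). Either the differentiated candidate files or a `# TODO: placeholder content, candidates not yet differentiated` marker at the top of both info files should land before these challenges are exposed.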
@@ -0,0 +1,31 @@
+pragma solidity ^0.8.0;
+
+import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/math/SafeMath.sol";
+import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+
+contract HoneyPotNFT is ERC721, Ownable {
+ using SafeMath for uint256;
+
+ IERC20 public token = IERC20(0x36435796Ca9be2bf150CE0dECc2D8Fab5C4d6E13);
+ uint256 public constant mintPrice = 1000 * (10**18);
+ uint256 public totalSupply = 0;
+
+ string public constant fixedMetadataHash = "QmRad1vxT3soFMNx9j3bBmkABb4C86anY1f5XeonosHy3m";
+ event NFTMinted(address indexed owner, uint256 tokenId);
+
+ constructor() ERC721("The Enchanted Honey Pot", "EHP") {}
+
+ function mintNFT() external {
+ token.transferFrom(msg.sender, address(this), mintPrice);
+ _safeMint(msg.sender, totalSupply);
+ totalSupply = totalSupply.add(1);
+ emit NFTMinted(msg.sender, totalSupply - 1);
+ }
+
+ function tokenURI(uint256 tokenId) public view override returns (string memory) {
+ require(_exists(tokenId), "Token does not exist.");
+ return fixedMetadataHash;
+ }
+}
\ No newline at end of file
diff --git a/data/static/codefixes/nftMintChallenge_2.sol b/data/static/codefixes/nftMintChallenge_2.sol
new file mode 100644
index 00000000000..27fa0def98d
--- /dev/null
+++ b/data/static/codefixes/nftMintChallenge_2.sol
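Review bot: `mintNFT()` discards the return value of `token.transferFrom(msg.sender, address(this), mintPrice)`; for ERC-20 implementations that report failure by returning `false` instead of reverting, the `_safeMint` and the `NFTMinted` event still go through without any payment having moved. The usual mitigation is OpenZeppelin's `SafeERC20` wrapper — `using SafeERC20 for IERC20;` and `token.safeTransferFrom(msg.sender, address(this), mintPrice);` — which reverts on a `false` return or a missing return value. `SafeMath` is redundant under `pragma solidity ^0.8.0`, where `totalSupply += 1;` already traps on overflow, so the import and the `using` directive can go. The same contract is added unchanged as nftMintChallenge_2.sol, _3.sol and _4_correct.sol (L90–L92), so whatever is done here applies to all four.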
@@ -0,0 +1,31 @@
+pragma solidity ^0.8.0;
+
+import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/math/SafeMath.sol";
+import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+
+contract HoneyPotNFT is ERC721, Ownable {
+ using SafeMath for uint256;
+
+ IERC20 public token = IERC20(0x36435796Ca9be2bf150CE0dECc2D8Fab5C4d6E13);
+ uint256 public constant mintPrice = 1000 * (10**18);
+ uint256 public totalSupply = 0;
+
+ string public constant fixedMetadataHash = "QmRad1vxT3soFMNx9j3bBmkABb4C86anY1f5XeonosHy3m";
+ event NFTMinted(address indexed owner, uint256 tokenId);
+
+ constructor() ERC721("The Enchanted Honey Pot", "EHP") {}
+
+ function mintNFT() external {
+ token.transferFrom(msg.sender, address(this), mintPrice);
+ _safeMint(msg.sender, totalSupply);
+ totalSupply = totalSupply.add(1);
+ emit NFTMinted(msg.sender, totalSupply - 1);
+ }
+
+ function tokenURI(uint256 tokenId) public view override returns (string memory) {
+ require(_exists(tokenId), "Token does not exist.");
+ return fixedMetadataHash;
+ }
+}
\ No newline at end of file
diff --git a/data/static/codefixes/nftMintChallenge_3.sol b/data/static/codefixes/nftMintChallenge_3.sol
new file mode 100644
index 00000000000..27fa0def98d
--- /dev/null
+++ b/data/static/codefixes/nftMintChallenge_3.sol
@@ -0,0 +1,31 @@
+pragma solidity ^0.8.0;
+
+import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/math/SafeMath.sol";
+import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+
+contract HoneyPotNFT is ERC721, Ownable {
+ using SafeMath for uint256;
+
+ IERC20 public token = IERC20(0x36435796Ca9be2bf150CE0dECc2D8Fab5C4d6E13);
+ uint256 public constant mintPrice = 1000 * (10**18);
+ uint256 public totalSupply = 0;
+
+ string public constant fixedMetadataHash = "QmRad1vxT3soFMNx9j3bBmkABb4C86anY1f5XeonosHy3m";
+ event NFTMinted(address indexed owner, uint256 tokenId);
+
+ constructor() ERC721("The Enchanted Honey Pot", "EHP") {}
+
+ function mintNFT() external {
+ token.transferFrom(msg.sender, address(this), mintPrice);
+ _safeMint(msg.sender, totalSupply);
+ totalSupply = totalSupply.add(1);
+ emit NFTMinted(msg.sender, totalSupply - 1);
+ }
+
+ function tokenURI(uint256 tokenId) public view override returns (string memory) {
+ require(_exists(tokenId), "Token does not exist.");
+ return fixedMetadataHash;
+ }
+}
\ No newline at end of file
diff --git a/data/static/codefixes/nftMintChallenge_4_correct.sol b/data/static/codefixes/nftMintChallenge_4_correct.sol
new file mode 100644
index 00000000000..27fa0def98d
--- /dev/null
+++ b/data/static/codefixes/nftMintChallenge_4_correct.sol
@@ -0,0 +1,31 @@
+pragma solidity ^0.8.0;
+
+import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/math/SafeMath.sol";
+import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+
+contract HoneyPotNFT is ERC721, Ownable {
+ using SafeMath for uint256;
+
+ IERC20 public token = IERC20(0x36435796Ca9be2bf150CE0dECc2D8Fab5C4d6E13);
+ uint256 public constant mintPrice = 1000 * (10**18);
+ uint256 public totalSupply = 0;
+
+ string public constant fixedMetadataHash = "QmRad1vxT3soFMNx9j3bBmkABb4C86anY1f5XeonosHy3m";
+ event NFTMinted(address indexed owner, uint256 tokenId);
+
+ constructor() ERC721("The Enchanted Honey Pot", "EHP") {}
+
+ function mintNFT() external {
+ token.transferFrom(msg.sender, address(this), mintPrice);
+ _safeMint(msg.sender, totalSupply);
+ totalSupply = totalSupply.add(1);
+ emit NFTMinted(msg.sender, totalSupply - 1);
+ }
+
+ function tokenURI(uint256 tokenId) public view override returns (string memory) {
+ require(_exists(tokenId), "Token does not exist.");
+ return fixedMetadataHash;
+ }
+}
\ No newline at end of file
diff --git a/data/static/codefixes/nftUnlockChallenge.info.yml b/data/static/codefixes/nftUnlockChallenge.info.yml
new file mode 100644
index 00000000000..d5b0c716beb
--- /dev/null
+++ b/data/static/codefixes/nftUnlockChallenge.info.yml
@@ -0,0 +1,13 @@ +fixes: + - id: 1 + explanation: 'Wrong!' + - id: 2 + explanation: 'Correct!' + - id: 3 + explanation: 'Wrong!' + - id: 4 + explanation: 'Wrong!' +hints: + - 'Hint1' + - 'Hint2' + - 'Hint3'
diff --git a/data/static/codefixes/nftUnlockChallenge_1.sol b/data/static/codefixes/nftUnlockChallenge_1.sol
new file mode 100644
index 00000000000..2b52a5e16d9
--- /dev/null
+++ b/data/static/codefixes/nftUnlockChallenge_1.sol
@@ -0,0 +1,43 @@
+pragma solidity ^0.8.4;
+
+import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
+import "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/Counters.sol";
+
+contract JuiceShopSBT is ERC721, ERC721URIStorage, Ownable {
+ using Counters for Counters.Counter;
+
+ Counters.Counter private _tokenIdCounter;
+
+ constructor() ERC721("JuiceShopSBT", "JS") {}
+
+ function safeMint(address to, string memory uri) public onlyOwner {
+ uint256 tokenId = _tokenIdCounter.current();
+ _tokenIdCounter.increment();
+ _safeMint(to, tokenId);
+ _setTokenURI(tokenId, uri);
+ }
+
+ function _beforeTokenTransfer(
+ address from,
+ address to,
+ uint256 tokenId
+ ) internal override virtual {
+ require(from == address(0), "Err: token transfer is BLOCKED");
+ super._beforeTokenTransfer(from, to, tokenId);
+ }
+
+ function _burn(uint256 tokenId) internal override(ERC721, ERC721URIStorage) {
+ super._burn(tokenId);
+ }
+
+ function tokenURI(uint256 tokenId)
+ public
+ view
+ override(ERC721, ERC721URIStorage)
+ returns (string memory)
+ {
+ return super.tokenURI(tokenId);
+ }
+}
\ No newline at end of file
diff --git a/data/static/codefixes/nftUnlockChallenge_2_correct.sol b/data/static/codefixes/nftUnlockChallenge_2_correct.sol
new file mode 100644
index 00000000000..2b52a5e16d9
--- /dev/null
+++ b/data/static/codefixes/nftUnlockChallenge_2_correct.sol
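Review bot: The `_beforeTokenTransfer` override requires `from == address(0)`, which blocks not only holder-to-holder transfers but also burns, where `to` is the zero address and `from` is the holder (OpenZeppelin's ERC721 `_burn` runs the same hook — verify against the pinned version), so the `_burn` override below is unreachable in practice. If burning a soulbound token is meant to stay possible, the check should read `require(from == address(0) || to == address(0), "Err: token transfer is BLOCKED");`; if not, a one-line comment on the override stating that burns are intentionally blocked would make that explicit. Whether this three-argument `_beforeTokenTransfer` signature compiles also depends on the OpenZeppelin release in use, since newer 4.x versions added a fourth `batchSize` parameter to the hook — worth a `// requires @openzeppelin/contracts <version>` note near the imports. The same contract is added unchanged as nftUnlockChallenge_2_correct.sol, _3.sol and _4.sol (L94–L96).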
@@ -0,0 +1,43 @@
+pragma solidity ^0.8.4;
+
+import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
+import "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/Counters.sol";
+
+contract JuiceShopSBT is ERC721, ERC721URIStorage, Ownable {
+ using Counters for Counters.Counter;
+
+ Counters.Counter private _tokenIdCounter;
+
+ constructor() ERC721("JuiceShopSBT", "JS") {}
+
+ function safeMint(address to, string memory uri) public onlyOwner {
+ uint256 tokenId = _tokenIdCounter.current();
+ _tokenIdCounter.increment();
+ _safeMint(to, tokenId);
+ _setTokenURI(tokenId, uri);
+ }
+
+ function _beforeTokenTransfer(
+ address from,
+ address to,
+ uint256 tokenId
+ ) internal override virtual {
+ require(from == address(0), "Err: token transfer is BLOCKED");
+ super._beforeTokenTransfer(from, to, tokenId);
+ }
+
+ function _burn(uint256 tokenId) internal override(ERC721, ERC721URIStorage) {
+ super._burn(tokenId);
+ }
+
+ function tokenURI(uint256 tokenId)
+ public
+ view
+ override(ERC721, ERC721URIStorage)
+ returns (string memory)
+ {
+ return super.tokenURI(tokenId);
+ }
+}
\ No newline at end of file
diff --git a/data/static/codefixes/nftUnlockChallenge_3.sol b/data/static/codefixes/nftUnlockChallenge_3.sol
new file mode 100644
index 00000000000..2b52a5e16d9
--- /dev/null
+++ b/data/static/codefixes/nftUnlockChallenge_3.sol
@@ -0,0 +1,43 @@
+pragma solidity ^0.8.4;
+
+import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
+import "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";
+import "@openzeppelin/contracts/access/Ownable.sol";
+import "@openzeppelin/contracts/utils/Counters.sol";
+
+contract JuiceShopSBT is ERC721, ERC721URIStorage, Ownable {
+ using Counters for Counters.Counter;
+
+ Counters.Counter private _tokenIdCounter;
+
+ constructor() ERC721("JuiceShopSBT", "JS") {}
+
+ function safeMint(address to, string memory uri) public onlyOwner {
+ uint256 tokenId = _tokenIdCounter.current();
+ _tokenIdCounter.increment();
+ _safeMint(to, tokenId);
+ _setTokenURI(tokenId, uri);
+ }
+
+ function _beforeTokenTransfer(
+ address from,
+ address to,
+ uint256 tokenId
+ ) internal override virtual {
+ require(from == address(0), "Err: token transfer is BLOCKED");
+ super._beforeTokenTransfer(from, to, tokenId);
+ }
+
+ function _burn(uint256 tokenId) internal override(ERC721, ERC721URIStorage) {
+ super._burn(tokenId);
+ }
+
+ function tokenURI(uint256 tokenId)
+ public
+ view
+ override(ERC721, ERC721URIStorage)
+ returns (string memory)
+ {
+ return super.tokenURI(tokenId);
+ }
+}
\ No newline at end of file
diff --git a/data/static/codefixes/nftUnlockChallenge_4.sol b/data/static/codefixes/nftUnlockChallenge_4.sol
new file mode 100644
index 00000000000..2b52a5e16d9
--- /dev/null
+++ b/data/static/codefixes/nftUnlockChallenge_4.sol
@@ -0,0 +1,43 @@ +pragma solidity ^0.8.4; + +import "@openzeppelin/contracts/token/ERC721/ERC721.sol"; +import "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol"; +import "@openzeppelin/contracts/access/Ownable.sol"; +import "@openzeppelin/contracts/utils/Counters.sol"; + +contract JuiceShopSBT is ERC721, ERC721URIStorage, Ownable { + using Counters for Counters.Counter; + + Counters.Counter private _tokenIdCounter; + + constructor() ERC721("JuiceShopSBT", "JS") {} + + function safeMint(address to, string memory uri) public onlyOwner { + uint256 tokenId = _tokenIdCounter.current(); + _tokenIdCounter.increment(); + _safeMint(to, tokenId); + _setTokenURI(tokenId, uri); + } + + function _beforeTokenTransfer( + address from, + address to, + uint256 tokenId + ) internal override virtual { + require(from == address(0), "Err: token transfer is BLOCKED"); + super._beforeTokenTransfer(from, to, tokenId); + } + + function _burn(uint256 tokenId) internal override(ERC721, ERC721URIStorage) { + super._burn(tokenId); + } + + function tokenURI(uint256 tokenId) + public + view + override(ERC721, ERC721URIStorage) + returns (string memory) + { + return super.tokenURI(tokenId); + } +} \ No newline at end of file diff --git a/data/static/codefixes/redirectChallenge_1.ts b/data/static/codefixes/redirectChallenge_1.ts index e9d83f4be08..53d81bd0496 100644 --- a/data/static/codefixes/redirectChallenge_1.ts +++ b/data/static/codefixes/redirectChallenge_1.ts @@ -1,5 +1,5 @@ export const redirectAllowlist = new Set([ - 'https://github.com/bkimminich/juice-shop', + 'https://github.com/juice-shop/juice-shop', 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm', 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW', 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6', diff --git a/data/static/codefixes/redirectChallenge_2.ts b/data/static/codefixes/redirectChallenge_2.ts index 6c8e0c82d91..677162e9c9e 100644 
--- a/data/static/codefixes/redirectChallenge_2.ts +++ b/data/static/codefixes/redirectChallenge_2.ts @@ -1,5 +1,5 @@ export const redirectAllowlist = new Set([ - 'https://github.com/bkimminich/juice-shop', + 'https://github.com/juice-shop/juice-shop', 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm', 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW', 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6', diff --git a/data/static/codefixes/redirectChallenge_3.ts b/data/static/codefixes/redirectChallenge_3.ts index d95aec73ab5..a3de65d7b7b 100644 --- a/data/static/codefixes/redirectChallenge_3.ts +++ b/data/static/codefixes/redirectChallenge_3.ts @@ -1,5 +1,5 @@ export const redirectAllowlist = new Set([ - 'https://github.com/bkimminich/juice-shop', + 'https://github.com/juice-shop/juice-shop', 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm', 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW', 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6', diff --git a/data/static/codefixes/redirectChallenge_4_correct.ts b/data/static/codefixes/redirectChallenge_4_correct.ts index 49a988a3c30..bb5a8597fba 100644 --- a/data/static/codefixes/redirectChallenge_4_correct.ts +++ b/data/static/codefixes/redirectChallenge_4_correct.ts @@ -1,5 +1,5 @@ export const redirectAllowlist = new Set([ - 'https://github.com/bkimminich/juice-shop', + 'https://github.com/juice-shop/juice-shop', 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm', 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW', 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6', diff --git a/data/static/codefixes/redirectCryptoCurrencyChallenge_1.ts b/data/static/codefixes/redirectCryptoCurrencyChallenge_1.ts index 0a013c95050..8f3647872ff 100644 --- a/data/static/codefixes/redirectCryptoCurrencyChallenge_1.ts 
+++ b/data/static/codefixes/redirectCryptoCurrencyChallenge_1.ts @@ -1,5 +1,5 @@ export const redirectAllowlist = new Set([ - 'https://github.com/bkimminich/juice-shop', + 'https://github.com/juice-shop/juice-shop', 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW', 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6', 'http://shop.spreadshirt.com/juiceshop', diff --git a/data/static/codefixes/redirectCryptoCurrencyChallenge_2.ts b/data/static/codefixes/redirectCryptoCurrencyChallenge_2.ts index 9f59837d5f0..2332e2390b8 100644 --- a/data/static/codefixes/redirectCryptoCurrencyChallenge_2.ts +++ b/data/static/codefixes/redirectCryptoCurrencyChallenge_2.ts @@ -1,5 +1,5 @@ export const redirectAllowlist = new Set([ - 'https://github.com/bkimminich/juice-shop', + 'https://github.com/juice-shop/juice-shop', 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm', 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6', 'http://shop.spreadshirt.com/juiceshop', diff --git a/data/static/codefixes/redirectCryptoCurrencyChallenge_3_correct.ts b/data/static/codefixes/redirectCryptoCurrencyChallenge_3_correct.ts index 71601c84694..06e19b583d6 100644 --- a/data/static/codefixes/redirectCryptoCurrencyChallenge_3_correct.ts +++ b/data/static/codefixes/redirectCryptoCurrencyChallenge_3_correct.ts @@ -1,5 +1,5 @@ export const redirectAllowlist = new Set([ - 'https://github.com/bkimminich/juice-shop', + 'https://github.com/juice-shop/juice-shop', 'http://shop.spreadshirt.com/juiceshop', 'http://shop.spreadshirt.de/juiceshop', 'https://www.stickeryou.com/products/owasp-juice-shop/794', diff --git a/data/static/codefixes/redirectCryptoCurrencyChallenge_4.ts b/data/static/codefixes/redirectCryptoCurrencyChallenge_4.ts index 19fec507661..86170ca3f02 100644 --- a/data/static/codefixes/redirectCryptoCurrencyChallenge_4.ts +++ b/data/static/codefixes/redirectCryptoCurrencyChallenge_4.ts 
@@ -1,5 +1,5 @@ export const redirectAllowlist = new Set([ - 'https://github.com/bkimminich/juice-shop', + 'https://github.com/juice-shop/juice-shop', 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm', 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW', 'http://shop.spreadshirt.com/juiceshop', diff --git a/data/static/codefixes/restfulXssChallenge_1_correct.ts b/data/static/codefixes/restfulXssChallenge_1_correct.ts index 0e211e4cd44..77020ead022 100644 --- a/data/static/codefixes/restfulXssChallenge_1_correct.ts +++ b/data/static/codefixes/restfulXssChallenge_1_correct.ts @@ -50,5 +50,5 @@ ngAfterViewInit () { this.breakpoint = 6 } this.cdRef.detectChanges() - }, (err) => console.log(err)) + }, (err) => { console.log(err) }) } \ No newline at end of file diff --git a/data/static/codefixes/restfulXssChallenge_2.ts b/data/static/codefixes/restfulXssChallenge_2.ts index 4f0a21b913a..fd72a47b988 100644 --- a/data/static/codefixes/restfulXssChallenge_2.ts +++ b/data/static/codefixes/restfulXssChallenge_2.ts @@ -51,7 +51,7 @@ ngAfterViewInit () { this.breakpoint = 6 } this.cdRef.detectChanges() - }, (err) => console.log(err)) + }, (err) => { console.log(err) }) } encodeProductDescription (tableData: any[]) { diff --git a/data/static/codefixes/restfulXssChallenge_3.ts b/data/static/codefixes/restfulXssChallenge_3.ts index b9a1c390b38..509aca7409a 100644 --- a/data/static/codefixes/restfulXssChallenge_3.ts +++ b/data/static/codefixes/restfulXssChallenge_3.ts @@ -37,7 +37,7 @@ ngAfterViewInit () { this.filterTable() }) this.cdRef.detectChanges() - }, (err) => console.log(err)) + }, (err) => { console.log(err) }) } trustProductDescription (tableData: any[]) { diff --git a/data/static/codefixes/restfulXssChallenge_4.ts b/data/static/codefixes/restfulXssChallenge_4.ts index d30e359987f..5e5b848528a 100644 --- a/data/static/codefixes/restfulXssChallenge_4.ts +++ b/data/static/codefixes/restfulXssChallenge_4.ts 
@@ -51,7 +51,7 @@ ngAfterViewInit () { this.breakpoint = 6 } this.cdRef.detectChanges() - }, (err) => console.log(err)) + }, (err) => { console.log(err) }) } trustProductDescription (tableData: any[]) { diff --git a/data/static/codefixes/scoreBoardChallenge_1_correct.ts b/data/static/codefixes/scoreBoardChallenge_1_correct.ts index 94364436667..59a8ab36830 100644 --- a/data/static/codefixes/scoreBoardChallenge_1_correct.ts +++ b/data/static/codefixes/scoreBoardChallenge_1_correct.ts @@ -154,6 +154,22 @@ const routes: Routes = [ component: LastLoginIpComponent } ] + }, + { + path: 'juicy-nft', + component: NFTUnlockComponent + }, + { + path: 'wallet-web3', + loadChildren: async () => await loadWeb3WalletModule() + }, + { + path: 'web3-sandbox', + loadChildren: async () => await loadWeb3SandboxtModule() + }, + { + path: 'bee-haven', + loadChildren: async () => await loadFaucetModule() }, { matcher: oauthMatcher, diff --git a/data/static/codefixes/scoreBoardChallenge_2.ts b/data/static/codefixes/scoreBoardChallenge_2.ts index 2183a1bcebc..7ff0860b5a2 100644 --- a/data/static/codefixes/scoreBoardChallenge_2.ts +++ b/data/static/codefixes/scoreBoardChallenge_2.ts @@ -154,6 +154,22 @@ const routes: Routes = [ component: LastLoginIpComponent } ] + }, + { + path: 'juicy-nft', + component: NFTUnlockComponent + }, + { + path: 'wallet-web3', + loadChildren: async () => await loadWeb3WalletModule() + }, + { + path: 'web3-sandbox', + loadChildren: async () => await loadWeb3SandboxtModule() + }, + { + path: 'bee-haven', + loadChildren: async () => await loadFaucetModule() }, { matcher: oauthMatcher, diff --git a/data/static/codefixes/scoreBoardChallenge_3.ts b/data/static/codefixes/scoreBoardChallenge_3.ts index 867f702ed1b..f2436585881 100644 --- a/data/static/codefixes/scoreBoardChallenge_3.ts +++ b/data/static/codefixes/scoreBoardChallenge_3.ts 
@@ -150,6 +150,22 @@ const routes: Routes = [ component: LastLoginIpComponent } ] + }, + { + path: 'juicy-nft', + component: NFTUnlockComponent + }, + { + path: 'wallet-web3', + loadChildren: async () => await loadWeb3WalletModule() + }, + { + path: 'web3-sandbox', + loadChildren: async () => await loadWeb3SandboxtModule() + }, + { + path: 'bee-haven', + loadChildren: async () => await loadFaucetModule() }, { matcher: oauthMatcher, diff --git a/data/static/codefixes/web3SandboxChallenge.info.yml b/data/static/codefixes/web3SandboxChallenge.info.yml new file mode 100644 index 00000000000..f0903d18ba2 --- /dev/null +++ b/data/static/codefixes/web3SandboxChallenge.info.yml @@ -0,0 +1,11 @@ +fixes: + - id: 1 + explanation: 'This sandbox is for the developers of the application and was added for easy testing and prototyping. Functionality like this does under no circumstances belong into an application when it goes into production!' + - id: 2 + explanation: 'This sandbox is for the developers of the application and was added for easy testing and prototyping. Should it really be accessible for any user - even the eCommerce customers - who logged into the shop?' + - id: 3 + explanation: 'This sandbox is for the developers of the application and was added for easy testing and prototyping. Are administrators of the web shop really the target audience for such a functionality?' +hints: + - "Among the long list of route mappings, can you spot any that relates to a web3 sandbox feature?" + - "If you accidentally scrolled over the relevant line, try using the text search in your browser." + - 'Searching for "web3" should bring up some interesting route mappings.' diff --git a/data/static/codefixes/web3SandboxChallenge_1_correct.ts b/data/static/codefixes/web3SandboxChallenge_1_correct.ts new file mode 100644 index 00000000000..6dac4593491 --- /dev/null +++ b/data/static/codefixes/web3SandboxChallenge_1_correct.ts 
@@ -0,0 +1,187 @@ +const routes: Routes = [ + { + path: 'administration', + component: AdministrationComponent, + canActivate: [AdminGuard] + }, + { + path: 'accounting', + component: AccountingComponent, + canActivate: [AccountingGuard] + }, + { + path: 'about', + component: AboutComponent + }, + { + path: 'address/select', + component: AddressSelectComponent, + canActivate: [LoginGuard] + }, + { + path: 'address/saved', + component: SavedAddressComponent, + canActivate: [LoginGuard] + }, + { + path: 'address/create', + component: AddressCreateComponent, + canActivate: [LoginGuard] + }, + { + path: 'address/edit/:addressId', + component: AddressCreateComponent, + canActivate: [LoginGuard] + }, + { + path: 'delivery-method', + component: DeliveryMethodComponent + }, + { + path: 'deluxe-membership', + component: DeluxeUserComponent, + canActivate: [LoginGuard] + }, + { + path: 'saved-payment-methods', + component: SavedPaymentMethodsComponent + }, + { + path: 'basket', + component: BasketComponent + }, + { + path: 'order-completion/:id', + component: OrderCompletionComponent + }, + { + path: 'contact', + component: ContactComponent + }, + { + path: 'photo-wall', + component: PhotoWallComponent + }, + { + path: 'complain', + component: ComplaintComponent + }, + { + path: 'chatbot', + component: ChatbotComponent + }, + { + path: 'order-summary', + component: OrderSummaryComponent + }, + { + path: 'order-history', + component: OrderHistoryComponent + }, + { + path: 'payment/:entity', + component: PaymentComponent + }, + { + path: 'wallet', + component: WalletComponent + }, + { + path: 'login', + component: LoginComponent + }, + { + path: 'forgot-password', + component: ForgotPasswordComponent + }, + { + path: 'recycle', + component: RecycleComponent + }, + { + path: 'register', + component: RegisterComponent + }, + { + path: 'search', + component: SearchResultComponent + }, + { + path: 'hacking-instructor', + component: SearchResultComponent + }, + { + path: 
'score-board', + component: ScoreBoardComponent + }, + { + path: 'track-result', + component: TrackResultComponent + }, + { + path: 'track-result/new', + component: TrackResultComponent, + data: { + type: 'new' + } + }, + { + path: '2fa/enter', + component: TwoFactorAuthEnterComponent + }, + { + path: 'privacy-security', + component: PrivacySecurityComponent, + children: [ + { + path: 'privacy-policy', + component: PrivacyPolicyComponent + }, + { + path: 'change-password', + component: ChangePasswordComponent + }, + { + path: 'two-factor-authentication', + component: TwoFactorAuthComponent + }, + { + path: 'data-export', + component: DataExportComponent + }, + { + path: 'last-login-ip', + component: LastLoginIpComponent + } + ] + }, + { + path: 'juicy-nft', + component: NFTUnlockComponent + }, + { + path: 'wallet-web3', + loadChildren: async () => await loadWeb3WalletModule() + }, + { + path: 'bee-haven', + loadChildren: async () => await loadFaucetModule() + }, + { + matcher: oauthMatcher, + data: { params: (window.location.href).substr(window.location.href.indexOf('#')) }, + component: OAuthComponent + }, + { + matcher: tokenMatcher, + component: TokenSaleComponent + }, + { + path: '403', + component: ErrorPageComponent + }, + { + path: '**', + component: SearchResultComponent + } +] \ No newline at end of file diff --git a/data/static/codefixes/web3SandboxChallenge_2.ts b/data/static/codefixes/web3SandboxChallenge_2.ts new file mode 100644 index 00000000000..c0febd5cf59 --- /dev/null +++ b/data/static/codefixes/web3SandboxChallenge_2.ts 
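Review bot: The `oauthMatcher` route in this new file computes `data: { params: (window.location.href).substr(window.location.href.indexOf('#')) }` once, when the `routes` array literal is evaluated at module load, so the fragment it captures is the one present at application start rather than at the time of the OAuth navigation; if that is the intended behaviour a comment saying so would help, and either way `substr` is deprecated and `slice` is the drop-in replacement: `data: { params: window.location.href.slice(window.location.href.indexOf('#')) }`. The `loadChildren: async () => await loadWeb3WalletModule()` wrappers (also on `bee-haven`) add nothing over `loadChildren: loadWeb3WalletModule` unless a lint rule requires the `async` form — worth confirming. The same two points apply to web3SandboxChallenge_2.ts (L104–L105), which additionally keeps the `web3-sandbox` route behind `canActivate: [LoginGuard]`; that variant is the documented wrong answer, so no change is expected there beyond the cosmetic ones.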
@@ -0,0 +1,192 @@
+const routes: Routes = [
+ {
+ path: 'administration',
+ component: AdministrationComponent,
+ canActivate: [AdminGuard]
+ },
+ {
+ path: 'accounting',
+ component: AccountingComponent,
+ canActivate: [AccountingGuard]
+ },
+ {
+ path: 'about',
+ component: AboutComponent
+ },
+ {
+ path: 'address/select',
+ component: AddressSelectComponent,
+ canActivate: [LoginGuard]
+ },
+ {
+ path: 'address/saved',
+ component: SavedAddressComponent,
+ canActivate: [LoginGuard]
+ },
+ {
+ path: 'address/create',
+ component: AddressCreateComponent,
+ canActivate: [LoginGuard]
+ },
+ {
+ path: 'address/edit/:addressId',
+ component: AddressCreateComponent,
+ canActivate: [LoginGuard]
+ },
+ {
+ path: 'delivery-method',
+ component: DeliveryMethodComponent
+ },
+ {
+ path: 'deluxe-membership',
+ component: DeluxeUserComponent,
+ canActivate: [LoginGuard]
+ },
+ {
+ path: 'saved-payment-methods',
+ component: SavedPaymentMethodsComponent
+ },
+ {
+ path: 'basket',
+ component: BasketComponent
+ },
+ {
+ path: 'order-completion/:id',
+ component: OrderCompletionComponent
+ },
+ {
+ path: 'contact',
+ component: ContactComponent
+ },
+ {
+ path: 'photo-wall',
+ component: PhotoWallComponent
+ },
+ {
+ path: 'complain',
+ component: ComplaintComponent
+ },
+ {
+ path: 'chatbot',
+ component: ChatbotComponent
+ },
+ {
+ path: 'order-summary',
+ component: OrderSummaryComponent
+ },
+ {
+ path: 'order-history',
+ component: OrderHistoryComponent
+ },
+ {
+ path: 'payment/:entity',
+ component: PaymentComponent
+ },
+ {
+ path: 'wallet',
+ component: WalletComponent
+ },
+ {
+ path: 'login',
+ component: LoginComponent
+ },
+ {
+ path: 'forgot-password',
+ component: ForgotPasswordComponent
+ },
+ {
+ path: 'recycle',
+ component: RecycleComponent
+ },
+ {
+ path: 'register',
+ component: RegisterComponent
+ },
+ {
+ path: 'search',
+ component: SearchResultComponent
+ },
+ {
+ path: 'hacking-instructor',
+ component: SearchResultComponent
+ },
+ {
+ path: 'score-board',
+ component: ScoreBoardComponent
+ },
+ {
+ path: 'track-result',
+ component: TrackResultComponent
+ },
+ {
+ path: 'track-result/new',
+ component: TrackResultComponent,
+ data: {
+ type: 'new'
+ }
+ },
+ {
+ path: '2fa/enter',
+ component: TwoFactorAuthEnterComponent
+ },
+ {
+ path: 'privacy-security',
+ component: PrivacySecurityComponent,
+ children: [
+ {
+ path: 'privacy-policy',
+ component: PrivacyPolicyComponent
+ },
+ {
+ path: 'change-password',
+ component: ChangePasswordComponent
+ },
+ {
+ path: 'two-factor-authentication',
+ component: TwoFactorAuthComponent
+ },
+ {
+ path: 'data-export',
+ component: DataExportComponent
+ },
+ {
+ path: 'last-login-ip',
+ component: LastLoginIpComponent
+ }
+ ]
+ },
+ {
+ path: 'juicy-nft',
+ component: NFTUnlockComponent
+ },
+ {
+ path: 'wallet-web3',
+ loadChildren: async () => await loadWeb3WalletModule()
+ },
+ {
+ path: 'web3-sandbox',
+ canActivate: [LoginGuard],
+ loadChildren: async () => await loadWeb3SandboxtModule()
+ },
+ {
+ path: 'bee-haven',
+ loadChildren: async () => await loadFaucetModule()
+ },
+ {
+ matcher: oauthMatcher,
+ data: { params: (window.location.href).substr(window.location.href.indexOf('#')) },
+ component: OAuthComponent
+ },
+ {
+ matcher: tokenMatcher,
+ component: TokenSaleComponent
+ },
+ {
+ path: '403',
+ component: ErrorPageComponent
+ },
+ {
+ path: '**',
+ component: SearchResultComponent
+ }
+]
\ No newline at end of file
diff --git a/data/static/codefixes/web3SandboxChallenge_3.ts b/data/static/codefixes/web3SandboxChallenge_3.ts
new file mode 100644
index 00000000000..5247f2f8f46
--- /dev/null
+++ b/data/static/codefixes/web3SandboxChallenge_3.ts
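Review bot: The `canActivate: [LoginGuard]` added to the new `web3-sandbox` route is a client-side navigation guard only: it does not stop the lazy chunk behind `loadWeb3SandboxtModule()` from being downloaded and executed by anyone who bypasses the Angular router, and it protects no backend the sandbox may call, so the "accidentally deployed" sandbox is still deployed. If this file is deliberately the insufficient fix for the challenge, the matching `web3SandboxChallenge.info.yml` (not visible in this chunk) should say exactly that, e.g. `explanation: 'A router guard only hides the link; the sandbox module is still shipped and loadable.'`. The helper name `loadWeb3SandboxtModule` (stray `t`) is presumably copied from the real routing module; if it is not, the snippet will not line up with the code the player sees.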
@@ -0,0 +1,192 @@
+const routes: Routes = [
+ {
+ path: 'administration',
+ component: AdministrationComponent,
+ canActivate: [AdminGuard]
+ },
+ {
+ path: 'accounting',
+ component: AccountingComponent,
+ canActivate: [AccountingGuard]
+ },
+ {
+ path: 'about',
+ component: AboutComponent
+ },
+ {
+ path: 'address/select',
+ component: AddressSelectComponent,
+ canActivate: [LoginGuard]
+ },
+ {
+ path: 'address/saved',
+ component: SavedAddressComponent,
+ canActivate: [LoginGuard]
+ },
+ {
+ path: 'address/create',
+ component: AddressCreateComponent,
+ canActivate: [LoginGuard]
+ },
+ {
+ path: 'address/edit/:addressId',
+ component: AddressCreateComponent,
+ canActivate: [LoginGuard]
+ },
+ {
+ path: 'delivery-method',
+ component: DeliveryMethodComponent
+ },
+ {
+ path: 'deluxe-membership',
+ component: DeluxeUserComponent,
+ canActivate: [LoginGuard]
+ },
+ {
+ path: 'saved-payment-methods',
+ component: SavedPaymentMethodsComponent
+ },
+ {
+ path: 'basket',
+ component: BasketComponent
+ },
+ {
+ path: 'order-completion/:id',
+ component: OrderCompletionComponent
+ },
+ {
+ path: 'contact',
+ component: ContactComponent
+ },
+ {
+ path: 'photo-wall',
+ component: PhotoWallComponent
+ },
+ {
+ path: 'complain',
+ component: ComplaintComponent
+ },
+ {
+ path: 'chatbot',
+ component: ChatbotComponent
+ },
+ {
+ path: 'order-summary',
+ component: OrderSummaryComponent
+ },
+ {
+ path: 'order-history',
+ component: OrderHistoryComponent
+ },
+ {
+ path: 'payment/:entity',
+ component: PaymentComponent
+ },
+ {
+ path: 'wallet',
+ component: WalletComponent
+ },
+ {
+ path: 'login',
+ component: LoginComponent
+ },
+ {
+ path: 'forgot-password',
+ component: ForgotPasswordComponent
+ },
+ {
+ path: 'recycle',
+ component: RecycleComponent
+ },
+ {
+ path: 'register',
+ component: RegisterComponent
+ },
+ {
+ path: 'search',
+ component: SearchResultComponent
+ },
+ {
+ path: 'hacking-instructor',
+ component: SearchResultComponent
+ },
+ {
+ path: 'score-board',
+ component: ScoreBoardComponent
+ },
+ {
+ path: 'track-result',
+ component: TrackResultComponent
+ },
+ {
+ path: 'track-result/new',
+ component: TrackResultComponent,
+ data: {
+ type: 'new'
+ }
+ },
+ {
+ path: '2fa/enter',
+ component: TwoFactorAuthEnterComponent
+ },
+ {
+ path: 'privacy-security',
+ component: PrivacySecurityComponent,
+ children: [
+ {
+ path: 'privacy-policy',
+ component: PrivacyPolicyComponent
+ },
+ {
+ path: 'change-password',
+ component: ChangePasswordComponent
+ },
+ {
+ path: 'two-factor-authentication',
+ component: TwoFactorAuthComponent
+ },
+ {
+ path: 'data-export',
+ component: DataExportComponent
+ },
+ {
+ path: 'last-login-ip',
+ component: LastLoginIpComponent
+ }
+ ]
+ },
+ {
+ path: 'juicy-nft',
+ component: NFTUnlockComponent
+ },
+ {
+ path: 'wallet-web3',
+ loadChildren: async () => await loadWeb3WalletModule()
+ },
+ {
+ path: 'web3-sandbox',
+ canActivate: [AdminGuard],
+ loadChildren: async () => await loadWeb3SandboxtModule()
+ },
+ {
+ path: 'bee-haven',
+ loadChildren: async () => await loadFaucetModule()
+ },
+ {
+ matcher: oauthMatcher,
+ data: { params: (window.location.href).substr(window.location.href.indexOf('#')) },
+ component: OAuthComponent
+ },
+ {
+ matcher: tokenMatcher,
+ component: TokenSaleComponent
+ },
+ {
+ path: '403',
+ component: ErrorPageComponent
+ },
+ {
+ path: '**',
+ component: SearchResultComponent
+ }
+]
\ No newline at end of file
diff --git a/data/static/codefixes/web3WalletChallenge.info.yml b/data/static/codefixes/web3WalletChallenge.info.yml
new file mode 100644
index 00000000000..e3b3df18f81
--- /dev/null
+++ b/data/static/codefixes/web3WalletChallenge.info.yml
@@ -0,0 +1,13 @@
+fixes:
+ - id: 1
+ explanation: 'Wrong!'
+ - id: 2
+ explanation: 'Wrong!'
+ - id: 3
+ explanation: 'Correct!'
+ - id: 4
+ explanation: 'Wrong!'
+hints:
+ - 'Hint1'
+ - 'Hint2'
+ - 'Hint3'
diff --git a/data/static/codefixes/web3WalletChallenge_1.sol b/data/static/codefixes/web3WalletChallenge_1.sol
new file mode 100644
index 00000000000..1eabd3d55e5
--- /dev/null
+++ b/data/static/codefixes/web3WalletChallenge_1.sol
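Review bot: The `explanation` values in `web3WalletChallenge.info.yml` are placeholders (`'Wrong!'` for ids 1, 2 and 4, `'Correct!'` for id 3) and the hints are `'Hint1'`, `'Hint2'`, `'Hint3'`, so a player who picks an option learns nothing about why it is wrong or right, which defeats the purpose of a code-fix challenge. Each explanation should name the reason, e.g. for a wrong option `explanation: 'Wrong! The balance is still reduced only after the external call, so a re-entering receiver can withdraw again.'`, and the hints should progressively point at the order of the `call` and the state update in `withdraw`. As written the file looks like scaffolding that was committed before the texts were filled in.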
diff --git a/data/static/codefixes/web3WalletChallenge_1.sol b/data/static/codefixes/web3WalletChallenge_1.sol
new file mode 100644
index 00000000000..1eabd3d55e5
--- /dev/null
+++ b/data/static/codefixes/web3WalletChallenge_1.sol
@@ -0,0 +1,36 @@
+pragma solidity ^0.6.12;
+import 'https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v3.3/contracts/math/SafeMath.sol';
+
+contract ETHWalletBank {
+ using SafeMath for uint256;
+
+ mapping(address => uint) public balances;
+ mapping(address => uint) public userWithdrawing;
+
+ event ContractExploited(address indexed culprit);
+
+ function ethdeposit(address _to) public payable {
+ balances[_to] = balances[_to].add(msg.value);
+ }
+
+ function balanceOf(address _who) public view returns (uint balance) {
+ return balances[_who];
+ }
+
+ function withdraw(uint _amount) public {
+ require(_amount <= 0.1 ether, "Withdrawal amount must be less than or equal to 0.1 ether");
+ require(balances[msg.sender] >= _amount, "Insufficient balance");
+ if (userWithdrawing[msg.sender] <= 1) {
+ userWithdrawing[msg.sender] = userWithdrawing[msg.sender] + 1;
+ } else {
+ userWithdrawing[msg.sender] = 0;
+ return;
+ }
+ (bool result, ) = msg.sender.call{ value: _amount }("");
+ require(result, "Withdrawal call failed");
+ balances[msg.sender] -= _amount;
+ userWithdrawing[msg.sender] = 0;
+ }
+
+ receive() external payable {}
+}
\ No newline at end of file
diff --git a/data/static/codefixes/web3WalletChallenge_2.sol b/data/static/codefixes/web3WalletChallenge_2.sol
new file mode 100644
index 00000000000..1eabd3d55e5
--- /dev/null
+++ b/data/static/codefixes/web3WalletChallenge_2.sol
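Review bot: The `import 'https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v3.3/contracts/math/SafeMath.sol';` pulls `SafeMath` over the network from a mutable branch ref, so whoever compiles this snippet gets whatever `release-v3.3` points at on that day, and the URL form only resolves in Remix-style compilers, not in hardhat or plain solc. If the snippet is meant to be compilable, `import '@openzeppelin/contracts/math/SafeMath.sol';` with the version pinned in `package.json`, or at least a commit-hash URL, is the supply-chain-safe form. Separately, `event ContractExploited(address indexed culprit);` is declared but never emitted anywhere in the contract, which is likely a leftover from the deployed version or an omission worth a comment.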
@@ -0,0 +1,36 @@
+pragma solidity ^0.6.12;
+import 'https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v3.3/contracts/math/SafeMath.sol';
+
+contract ETHWalletBank {
+ using SafeMath for uint256;
+
+ mapping(address => uint) public balances;
+ mapping(address => uint) public userWithdrawing;
+
+ event ContractExploited(address indexed culprit);
+
+ function ethdeposit(address _to) public payable {
+ balances[_to] = balances[_to].add(msg.value);
+ }
+
+ function balanceOf(address _who) public view returns (uint balance) {
+ return balances[_who];
+ }
+
+ function withdraw(uint _amount) public {
+ require(_amount <= 0.1 ether, "Withdrawal amount must be less than or equal to 0.1 ether");
+ require(balances[msg.sender] >= _amount, "Insufficient balance");
+ if (userWithdrawing[msg.sender] <= 1) {
+ userWithdrawing[msg.sender] = userWithdrawing[msg.sender] + 1;
+ } else {
+ userWithdrawing[msg.sender] = 0;
+ return;
+ }
+ (bool result, ) = msg.sender.call{ value: _amount }("");
+ require(result, "Withdrawal call failed");
+ balances[msg.sender] -= _amount;
+ userWithdrawing[msg.sender] = 0;
+ }
+
+ receive() external payable {}
+}
\ No newline at end of file
diff --git a/data/static/codefixes/web3WalletChallenge_3_correct.sol b/data/static/codefixes/web3WalletChallenge_3_correct.sol
new file mode 100644
index 00000000000..1eabd3d55e5
--- /dev/null
+++ b/data/static/codefixes/web3WalletChallenge_3_correct.sol
@@ -0,0 +1,36 @@
+pragma solidity ^0.6.12;
+import 'https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v3.3/contracts/math/SafeMath.sol';
+
+contract ETHWalletBank {
+ using SafeMath for uint256;
+
+ mapping(address => uint) public balances;
+ mapping(address => uint) public userWithdrawing;
+
+ event ContractExploited(address indexed culprit);
+
+ function ethdeposit(address _to) public payable {
+ balances[_to] = balances[_to].add(msg.value);
+ }
+
+ function balanceOf(address _who) public view returns (uint balance) {
+ return balances[_who];
+ }
+
+ function withdraw(uint _amount) public {
+ require(_amount <= 0.1 ether, "Withdrawal amount must be less than or equal to 0.1 ether");
+ require(balances[msg.sender] >= _amount, "Insufficient balance");
+ if (userWithdrawing[msg.sender] <= 1) {
+ userWithdrawing[msg.sender] = userWithdrawing[msg.sender] + 1;
+ } else {
+ userWithdrawing[msg.sender] = 0;
+ return;
+ }
+ (bool result, ) = msg.sender.call{ value: _amount }("");
+ require(result, "Withdrawal call failed");
+ balances[msg.sender] -= _amount;
+ userWithdrawing[msg.sender] = 0;
+ }
+
+ receive() external payable {}
+}
\ No newline at end of file
diff --git a/data/static/codefixes/web3WalletChallenge_4.sol b/data/static/codefixes/web3WalletChallenge_4.sol
new file mode 100644
index 00000000000..1eabd3d55e5
--- /dev/null
+++ b/data/static/codefixes/web3WalletChallenge_4.sol
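Review bot: `web3WalletChallenge_3_correct.sol` is marked as the correct fix, yet its `withdraw` still sends ether via `msg.sender.call{ value: _amount }("")` before `balances[msg.sender] -= _amount;`, and that subtraction bypasses `SafeMath`, so a re-entering receiver passes the `userWithdrawing[msg.sender] <= 1` check once more, is paid twice, and the second `-=` wraps the balance on 0.6.x — the exact behaviour the challenge asks players to exploit. All four candidate `.sol` files in this commit carry the blob hash `1eabd3d55e5`, which strongly suggests they are byte-identical, so the "correct" option is currently indistinguishable from the wrong ones. The correct variant should at minimum move the state update ahead of the interaction, `balances[msg.sender] = balances[msg.sender].sub(_amount);` placed before the `call`, with the trailing `balances[msg.sender] -= _amount;` removed (a `nonReentrant` modifier is the belt-and-braces alternative). The `userWithdrawing` counter is not a reentrancy guard: it deliberately admits one nested call and silently returns on the second, and each unwinding frame resets it to 0.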
@@ -0,0 +1,36 @@
+pragma solidity ^0.6.12;
+import 'https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v3.3/contracts/math/SafeMath.sol';
+
+contract ETHWalletBank {
+ using SafeMath for uint256;
+
+ mapping(address => uint) public balances;
+ mapping(address => uint) public userWithdrawing;
+
+ event ContractExploited(address indexed culprit);
+
+ function ethdeposit(address _to) public payable {
+ balances[_to] = balances[_to].add(msg.value);
+ }
+
+ function balanceOf(address _who) public view returns (uint balance) {
+ return balances[_who];
+ }
+
+ function withdraw(uint _amount) public {
+ require(_amount <= 0.1 ether, "Withdrawal amount must be less than or equal to 0.1 ether");
+ require(balances[msg.sender] >= _amount, "Insufficient balance");
+ if (userWithdrawing[msg.sender] <= 1) {
+ userWithdrawing[msg.sender] = userWithdrawing[msg.sender] + 1;
+ } else {
+ userWithdrawing[msg.sender] = 0;
+ return;
+ }
+ (bool result, ) = msg.sender.call{ value: _amount }("");
+ require(result, "Withdrawal call failed");
+ balances[msg.sender] -= _amount;
+ userWithdrawing[msg.sender] = 0;
+ }
+
+ receive() external payable {}
+}
\ No newline at end of file
diff --git a/data/static/contractABIs.ts b/data/static/contractABIs.ts
new file mode 100644
index 00000000000..0a16c138a5e
--- /dev/null
+++ b/data/static/contractABIs.ts
@@ -0,0 +1,569 @@ +export const nftABI = [ + { + inputs: [], + stateMutability: 'nonpayable', + type: 'constructor' + }, + { + anonymous: false, + inputs: [ + { + indexed: true, + internalType: 'address', + name: 'owner', + type: 'address' + }, + { + indexed: true, + internalType: 'address', + name: 'approved', + type: 'address' + }, + { + indexed: true, + internalType: 'uint256', + name: 'tokenId', + type: 'uint256' + } + ], + name: 'Approval', + type: 'event' + }, + { + anonymous: false, + inputs: [ + { + indexed: true, + internalType: 'address', + name: 'owner', + type: 'address' + }, + { + indexed: true, + internalType: 'address', + name: 'operator', + type: 'address' + }, + { + indexed: false, + internalType: 'bool', + name: 'approved', + type: 'bool' + } + ], + name: 'ApprovalForAll', + type: 'event' + }, + { + anonymous: false, + inputs: [ + { + indexed: true, + internalType: 'address', + name: 'owner', + type: 'address' + }, + { + indexed: false, + internalType: 'uint256', + name: 'tokenId', + type: 'uint256' + } + ], + name: 'NFTMinted', + type: 'event' + }, + { + anonymous: false, + inputs: [ + { + indexed: true, + internalType: 'address', + name: 'previousOwner', + type: 'address' + }, + { + indexed: true, + internalType: 'address', + name: 'newOwner', + type: 'address' + } + ], + name: 'OwnershipTransferred', + type: 'event' + }, + { + anonymous: false, + inputs: [ + { + indexed: true, + internalType: 'address', + name: 'from', + type: 'address' + }, + { + indexed: true, + internalType: 'address', + name: 'to', + type: 'address' + }, + { + indexed: true, + internalType: 'uint256', + name: 'tokenId', + type: 'uint256' + } + ], + name: 'Transfer', + type: 'event' + }, + { + inputs: [ + { + internalType: 'address', + name: 'to', + type: 'address' + }, + { + internalType: 'uint256', + name: 'tokenId', + type: 'uint256' + } + ], + name: 'approve', + outputs: [], + stateMutability: 'nonpayable', + type: 'function' + }, + { + inputs: [ + { + internalType: 
'address', + name: 'owner', + type: 'address' + } + ], + name: 'balanceOf', + outputs: [ + { + internalType: 'uint256', + name: '', + type: 'uint256' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [], + name: 'fixedMetadataHash', + outputs: [ + { + internalType: 'string', + name: '', + type: 'string' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [ + { + internalType: 'uint256', + name: 'tokenId', + type: 'uint256' + } + ], + name: 'getApproved', + outputs: [ + { + internalType: 'address', + name: '', + type: 'address' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [ + { + internalType: 'address', + name: 'owner', + type: 'address' + }, + { + internalType: 'address', + name: 'operator', + type: 'address' + } + ], + name: 'isApprovedForAll', + outputs: [ + { + internalType: 'bool', + name: '', + type: 'bool' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [], + name: 'mintNFT', + outputs: [], + stateMutability: 'nonpayable', + type: 'function' + }, + { + inputs: [], + name: 'mintPrice', + outputs: [ + { + internalType: 'uint256', + name: '', + type: 'uint256' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [], + name: 'name', + outputs: [ + { + internalType: 'string', + name: '', + type: 'string' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [], + name: 'owner', + outputs: [ + { + internalType: 'address', + name: '', + type: 'address' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [ + { + internalType: 'uint256', + name: 'tokenId', + type: 'uint256' + } + ], + name: 'ownerOf', + outputs: [ + { + internalType: 'address', + name: '', + type: 'address' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [], + name: 'renounceOwnership', + outputs: [], + stateMutability: 'nonpayable', + type: 'function' + }, + { + inputs: [ + { + internalType: 'address', + name: 
'from', + type: 'address' + }, + { + internalType: 'address', + name: 'to', + type: 'address' + }, + { + internalType: 'uint256', + name: 'tokenId', + type: 'uint256' + } + ], + name: 'safeTransferFrom', + outputs: [], + stateMutability: 'nonpayable', + type: 'function' + }, + { + inputs: [ + { + internalType: 'address', + name: 'from', + type: 'address' + }, + { + internalType: 'address', + name: 'to', + type: 'address' + }, + { + internalType: 'uint256', + name: 'tokenId', + type: 'uint256' + }, + { + internalType: 'bytes', + name: 'data', + type: 'bytes' + } + ], + name: 'safeTransferFrom', + outputs: [], + stateMutability: 'nonpayable', + type: 'function' + }, + { + inputs: [ + { + internalType: 'address', + name: 'operator', + type: 'address' + }, + { + internalType: 'bool', + name: 'approved', + type: 'bool' + } + ], + name: 'setApprovalForAll', + outputs: [], + stateMutability: 'nonpayable', + type: 'function' + }, + { + inputs: [ + { + internalType: 'bytes4', + name: 'interfaceId', + type: 'bytes4' + } + ], + name: 'supportsInterface', + outputs: [ + { + internalType: 'bool', + name: '', + type: 'bool' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [], + name: 'symbol', + outputs: [ + { + internalType: 'string', + name: '', + type: 'string' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [], + name: 'token', + outputs: [ + { + internalType: 'contract IERC20', + name: '', + type: 'address' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [ + { + internalType: 'uint256', + name: 'tokenId', + type: 'uint256' + } + ], + name: 'tokenURI', + outputs: [ + { + internalType: 'string', + name: '', + type: 'string' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [], + name: 'totalSupply', + outputs: [ + { + internalType: 'uint256', + name: '', + type: 'uint256' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [ + { + internalType: 'address', 
+ name: 'from', + type: 'address' + }, + { + internalType: 'address', + name: 'to', + type: 'address' + }, + { + internalType: 'uint256', + name: 'tokenId', + type: 'uint256' + } + ], + name: 'transferFrom', + outputs: [], + stateMutability: 'nonpayable', + type: 'function' + }, + { + inputs: [ + { + internalType: 'address', + name: 'newOwner', + type: 'address' + } + ], + name: 'transferOwnership', + outputs: [], + stateMutability: 'nonpayable', + type: 'function' + } +] +export const web3WalletABI = [ + { + anonymous: false, + inputs: [ + { + indexed: true, + internalType: 'address', + name: 'culprit', + type: 'address' + } + ], + name: 'ContractExploited', + type: 'event' + }, + { + inputs: [ + { + internalType: 'address', + name: '_who', + type: 'address' + } + ], + name: 'balanceOf', + outputs: [ + { + internalType: 'uint256', + name: 'balance', + type: 'uint256' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [ + { + internalType: 'address', + name: '', + type: 'address' + } + ], + name: 'balances', + outputs: [ + { + internalType: 'uint256', + name: '', + type: 'uint256' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [ + { + internalType: 'address', + name: '_to', + type: 'address' + } + ], + name: 'ethdeposit', + outputs: [], + stateMutability: 'payable', + type: 'function' + }, + { + inputs: [ + { + internalType: 'address', + name: '', + type: 'address' + } + ], + name: 'userWithdrawing', + outputs: [ + { + internalType: 'uint256', + name: '', + type: 'uint256' + } + ], + stateMutability: 'view', + type: 'function' + }, + { + inputs: [ + { + internalType: 'uint256', + name: '_amount', + type: 'uint256' + } + ], + name: 'withdraw', + outputs: [], + stateMutability: 'nonpayable', + type: 'function' + }, + { + stateMutability: 'payable', + type: 'receive' + } +] diff --git a/data/static/i18n/ar_SA.json b/data/static/i18n/ar_SA.json index 0f2f4f0a941..a6e0636be38 100644 --- a/data/static/i18n/ar_SA.json 
+++ b/data/static/i18n/ar_SA.json @@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Overwrite the Legal Information file.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.", "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.", 
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.", "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.", - "Find the hidden easter egg.": "Find the hidden easter egg.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.", "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.", "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.", "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.", "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/az_AZ.json b/data/static/i18n/az_AZ.json index 2678dc09cba..9cbe16c9f17 100644 --- a/data/static/i18n/az_AZ.json +++ b/data/static/i18n/az_AZ.json 
@@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Qanuni Məlumat faylının üzərinə yazın.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Veb dükanın yeni funksionallığını tərifləyən bir tweet-ə baxın. Daha sonra onunla əlaqəli üçüncü tərəf zəif nöqtəni tapın.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Təhlükəsizlik sualına verilən orijinal cavab ilə Şifrəni Unutdum mexanizmini istifadə edərək Bjoem-in OWASP hesabını şifrəsini sıfırlayın.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.", "Learn about the Token Sale before its official announcement.": "Rəsmi elandan əvvəl Token Satışı haqqında öyrənin.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "Tərtibatçılar, aktual müraciət məhdudiyyətləri əvəzinə \"Qeyri-müəyyənlik ilə təhlükəsizlik\"ə həqiqətən inanırlar.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Daha az çətinləşdirilmiş tətbiqi ömürlük məşğul edəcək Uzaqdan Kod İcrası həyatı keçirin.", 
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.", "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.", - "Find the hidden easter egg.": "Find the hidden easter egg.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.", "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.", "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.", "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.", "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/bg_BG.json b/data/static/i18n/bg_BG.json index 22dc6bf17a6..c6f3e555ccc 100644 --- a/data/static/i18n/bg_BG.json +++ b/data/static/i18n/bg_BG.json 
@@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Overwrite the Legal Information file.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.", "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.", 
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.", "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.", - "Find the hidden easter egg.": "Find the hidden easter egg.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.", "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.", "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.", "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.", "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/bn_BD.json b/data/static/i18n/bn_BD.json index 22dc6bf17a6..c6f3e555ccc 100644 --- a/data/static/i18n/bn_BD.json +++ b/data/static/i18n/bn_BD.json 
@@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Overwrite the Legal Information file.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.", "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.", 
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.", "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.", - "Find the hidden easter egg.": "Find the hidden easter egg.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.", "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.", "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.", "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.", "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/ca_ES.json b/data/static/i18n/ca_ES.json index 22dc6bf17a6..c6f3e555ccc 100644 --- a/data/static/i18n/ca_ES.json +++ b/data/static/i18n/ca_ES.json 
@@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Overwrite the Legal Information file.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.", "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.", 
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.", "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.", - "Find the hidden easter egg.": "Find the hidden easter egg.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.", "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.", "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.", "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.", "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/cs_CZ.json b/data/static/i18n/cs_CZ.json index 8149830c450..a85546089d7 100644 --- a/data/static/i18n/cs_CZ.json +++ b/data/static/i18n/cs_CZ.json 
@@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Přepište soubor Právní informace.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Podívejte se na tweet chválící nové funkce eshopu. Pak najděte třetí stranu, která je s ním spojena.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Obnovení hesla k Bjoernově účtu OWASP prostřednictvím mechanismu Zapomenuté heslo s původní odpovědí na jeho bezpečnostní otázku.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.", "Learn about the Token Sale before its official announcement.": "Zjistěte informaci o prodeji Tokenu před oficiálním oznámením.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "Vývojáři skutečně věří v \"Bezpečnost prostřednictvím obejití\" nad konkrétními omezeními přístupu.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.", 
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.", "Use a deprecated B2B interface that was not properly shut down.": "Použijte zastaralé rozhraní B2B, které nebylo řádně vypnuto.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.", - "Find the hidden easter egg.": "Najděte skrytý easter egg.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Zbavte se všech pětihvězdičkových zpětných vazeb zákazníků.", "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.", "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.", "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.", "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/da_DK.json b/data/static/i18n/da_DK.json index 5fa715d4c4f..b7650020fe3 100644 --- a/data/static/i18n/da_DK.json +++ b/data/static/i18n/da_DK.json 
@@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Overskriv filen Juridiske oplysninger.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Kig efter et tweet som roser en ny funktionalitet i webshoppen. Find derefter en tredjepartssårbarhed relateret til den.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Nulstil adgangskoden til Björns OWASP konto via Glemt Adgangskode-funktionen ved brug af det originale svar på hans sikkerhedsspørgsmål.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "Han kunne have kompromitteret den ved mindst én lejlighed, hvor et kamera kørte. Måske også andre steder.", "Learn about the Token Sale before its official announcement.": "Find ud af mere om Token-udsalget før dets officielle annoncering.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "Udviklerne tror virkelig på \"Security through Obscurity\" fremfor faktiske adgangsrestriktioner.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Udfør en Remote Code Execution, der ville holde en mindre hærdet applikation beskæftiget for evigt.", 
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find ud af, hvor disse oplysninger kan komme fra. Udform derefter en UNION SELECT-angrebsstreng mod et endepunkt, der tilbyder en unødvendig datafiltreringsmåde.", "Use a deprecated B2B interface that was not properly shut down.": "Brug en forældet B2B-grænseflade, der ikke blev korrekt lukket.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "De udviklere, som deaktiverede grænsefladen, tror, at de kunne blive usynlige ved blot at lukke deres øjne.", - "Find the hidden easter egg.": "Find det skjulte påskeæg.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "Har du løst en af de tre fil adgangsudfordringer, ved du allerede, hvor du finder påskeægget.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Udfør en uønsket informationsafsløring ved at tilgå datakrydsdomæne.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Forsøg at finde og angribe et endepunkt, der reagerer med brugeroplysninger. SQL Injection er ikke løsningen hér.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Slip af med alle 5-stjernede kundefeedbacks.", "Once you found admin section of the application, this challenge is almost trivial.": "Når først du har fundet applikationens adminsektion, er denne udfordring nærmest kedelig.", "Forge a coupon code that gives you a discount of at least 80%.": "Forfalsk en kuponkode, der giver dig en rabat på mindst 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Forsøg enten a) et kyndigt brute force-angreb eller b) reverse engineering eller c) nogle undersøgelser i skyen.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "Du kan løse dette ved at manipulere med brugergrænsefladen eller ved at opsnappe kommunikationen med RESTful backend'en.", "Post a product review as another user or edit any user's existing review.": "Indsend en produktanmeldelse som en anden bruger eller redigér en brugers eksisterende anmeldelse.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Inficér serveren med saftig malware ved at misbruge vilkårlig kommandoeksekvering.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" er en klar indikator på, at dette intet har at gøre med noget Angular-relateret. Sørg også for kun at bruge vores ikke-ondsindet malware.", "Behave like any \"white-hat\" should before getting into the action.": "Agér som enhver anden \"white-hat\" bør gøre, inden der skrides til handling.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Vores sikkerhedspolitik ønskes utvivlsomt læst, før en undersøgelse af vores applikation indledes.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Udfør et vedvarende XSS-angreb med<iframe src=\"javascript:alert(`xss`)\">, der omgår en serverbaseret sikkerhedsfunktion.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "\"Kommentar\"-feltet på \"Kundefeedback\"-skærmen er stedet, der ønskes fokuseret på.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Sladr om en berygtet tegnskjulning i al åbenlyshed i butikken (nævn det nøjagtige navn på tegnet).", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Fastslå svaret på Emmas sikkerhedsspørgsmål ved at se på en upload af hende til Photo Wall og bruge denne til at nulstille hendes adgangskode via Glemt adgangskode-funktionen.", "Take a look at the details in the photo to determine the location of where it was taken.": "Tag et kig på detaljerne i billedet for at afgøre, hvor det blev taget.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Udgave", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Omgå en sikkerhedskontrol med en Poison Null Byte for at få adgang til en fil, det ikke var meningen, du skulle se.", "Best Juice Shop Salesman Artwork": "Kunstværk: Juice Shops Bedste Sælger", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unikt digitalt maleri, der afbilder Stan, vores mest kvalificerede og næsten rentable sælger. Han opnåede en succesfuld karriere gennem salg af brugte skibe, kister, krypter, kors, ejendomme, livsforsikring, restaurantforsyninger, asbest forbedret med voodoo og souvenirs fra retssale, før han endelig føjede sin ekspertise til Juice Shops marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/de_CH.json b/data/static/i18n/de_CH.json index 6b7e75975f9..f3b7f3edec4 100644 --- a/data/static/i18n/de_CH.json +++ b/data/static/i18n/de_CH.json 
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Überschrib d'Datei wo di rächtleche Informatione drinne stöh.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Suech nachemene Tweet wo nöii Funktionalitäte vom Webshop bewirbt. När suech ä dermit verbundeni Dritabierter-Verwundbarkeit.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Setzt z'Passwort vo Björn's OWASP-Benutzerkonto via der Passwort vergässe-Funktion zrüg. Bruch derfür d'Originauantwort für sini Sicherheitsfrag.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "Är chönnt se bi mindestens eire Glägeheit vor loufender Kamera verrate ha - u vilech ono nöime angers.",
 "Learn about the Token Sale before its official announcement.": "Erfahr vor der offizieue Akündigun vom Token-Verchouf.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "D'Entwickler gloube tatsächlech, dass \"Security through Obscurity\" besser isch, aus tatsächlechi Zuegriffsbeschränkige.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Füer ä Remote Code Execution düre, wo ä weniger gherteti Awändig für immer würd beschäftige.",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Probier usezfinge wohär die Informatione chönnte cho. När ersteusch ä UNION SELECT-Agriffsstring gäge ne Ändpunkt, wo unnötigerwiis z'Fiutere vo Date ermüglecht.",
 "Use a deprecated B2B interface that was not properly shut down.": "Mach der ä B2B-Schnittsteu z'Nutze, wo nid richtig abgschautet worde isch.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "D'Entwickler, wo die Schnittsteu \"deaktiviert\" hei, gloube äue, sie chönnte rein dür z'schliesse vo ihre Ouge säuber unsichtbar wärde.",
- "Find the hidden easter egg.": "Mach di uf d'Suechi nach em versteckte Osterei.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "We de eini vo de drü Datezuegriffs-Useforderige glöst hesch, de sötisch eigentlech scho wüsse wo de das Osterei chasch finge.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Zügle Informazione ab, i däm de domäneübergrifend (cross-domain) uf Date zuegrifsch.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Versuech ä Ändpunkt z'finge u azgrife, wo mit Benutzerinformazione antwortet. SQL Injection isch i däm Fau nid der richtig Asatz.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Wird aui 5-Stärndli Chundefeedbacks los.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Sobau de der Adminbereich vor Awändig gfunge hesch, isch die Useforderig bau scho triviau.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Kreier der ä Guetschiincode wo der mindestens 80% Rabatt verschafft.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Versuechs mit a) ämene schlaue Brute-Force-Agriff oder b) mit Reverse Engineering oder c) mit Nachvorschide i der Cloud.",
 "Post some feedback in another user's name.": "Schreibe ein Feedback im Namen eines anderen Benutzers.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "Du chasch die Useforderig löse, i däm de mit em Benutzerinterface umeexperimentiersch oder d Kommunikation mit em RESTful Backend abfasch.",
 "Post a product review as another user or edit any user's existing review.": "Hingerla ä Produkbeurteilig im Name vomene angere Benutzer oder verändere ä bereits bestehendi vomene angere Benutzer.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infiziere den Server mit saftiger Malware, indem du dir Arbitrary Command Execution zunutze machst.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" ist ein eindeutiger Indikator, dass dies nichts mit irgendwas in Angular zu tun hat. Achte darauf, nur unsere nicht-bösartige Malware zu verwenden.",
 "Behave like any \"white-hat\" should before getting into the action.": "Verhalte dich wie ein \"White-Hat\" es sollte, bevor du loslegst.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Zweifellos möchtest du unsere Sicherheitsrichtlinie lesen, bevor Du irgendwelche Untersuchungen unserer Anwendung durchführst.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Führe einen persistenten XSS-Angriff mit <iframe src=\"javascript:alert(`xss`)\"> aus und umgehe dabei einen Server-seitigen Sicherheitsmechanismus.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "Du solltest deinen Fokus auf das Feld \"Kommentar\" im \"Kundenfeedback\"-Dialog setzen.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Verpetze einen berüchtigten Charakter, der sich im Laden unsichtbar gemacht hat. (Erwähne den exakten Namen des Charakters)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Bestimme die Antwort auf Emmas Sicherheitsfrage, indem du einen ihrer Uploads auf die Foto-Wand ansiehst und diese verwendest, um ihr Passwort über den Passwort vergessen-Mechanismus zurückzusetzen.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Wirf einen Blick auf die Details auf dem Foto, um zu bestimmen, wo es aufgenommen wurde.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020-Ausgabe",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Umgehe eine Sicherheitskontrolle mit einem Poison Null Byte, um auf eine Datei zuzugreifen, die nicht für deine Augen bestimmt ist.",
 "Best Juice Shop Salesman Artwork": "Bester Juice Shop-Verkäufer Kunstwerk",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Einzigartige digitale Zeichnung, die Stan, unseren qualifiziertesten und beinahe profitablen Verkäufer zeigt. Er machte erfolgreich Karriere als Verkäufer von gebrauchten Schiffen, Särgen, Krypten, Kreuzen, Immobilien, Lebensversicherungen, Restaurant-Zubehör, Voodoo-verbessertem Asbest und Gerichtssaal-Souvenirs, bevor er endlich seine Expertise dem Marketing-Team des Juice Shop hinzufügte.",
 "20th Anniversary Celebration Ticket": "20jährige Jubiläumsfeier-Ticket",
@@ -357,29 +352,29 @@
 "API routes need to specifically define a handler for a HTTP verb if they wish to override the \"allow everything to everyone\" default behavior.": "API Routen müssen explizit einen Handler für HTTP-Verben definieren, wenn sie das definierte Standardverhalten \"allen alles erlauben\" überschreiben wollen.",
 "There is one line that is commented out for no good reason among the product-related middleware.": "Unter der produktbezogenen Middleware gibt es eine Codezeile, die ohne guten Grund auskommentiert wurde.",
 "While removing the commented-out line made the code cleaner, it did not change the functionality in any way and thus cannot have improved security either.": "Auch wenn das Entfernen der auskommentierten Zeile den Code sauberer gemacht hat, änderte dies die Funktionalität jedoch in keiner Weise und konnte demzufolge auch nicht die Sicherheit verbessern.",
- "Removing all dedicated handling of the products API made things worse, as now the default permissions of the underlying API generator will be used: Allowing GET, POST, PUT and DELETE - without any restrictions.": "Removing all dedicated handling of the products API made things worse, as now the default permissions of the underlying API generator will be used: Allowing GET, POST, PUT and DELETE - without any restrictions.",
+ "Removing all dedicated handling of the products API made things worse, as now the default permissions of the underlying API generator will be used: Allowing GET, POST, PUT and DELETE - without any restrictions.": "Die dedizierte Behandlung der Produkt-API zu entfernen, hat die Sache verschlimmert, da jetzt die standardmäßigen Berechtigungen des zugrunde liegenden API-Generators verwendet werden: GET, POST, PUT und DELETE werden - ohne Einschränkungen - erlaubt.",
 "You improved security slightly by no longer accepting PUT requests from anonymous API callers. 
But does the shop even want to allow its authenticated customers to change products themselves?": "Sie haben die Sicherheit ein bisschen verbessert, indem Sie PUT-Anfragen von anonymen API-Anrufern nicht mehr annehmen. Aber will der Shop seinen authentifizierten Kunden überhaupt gestatten, die Produkte selbst zu wechseln?",
 "Disabling all HTTP verbs other than GET for the products API is indeed the only safe way to implement secure access control. Shop administrators should not use the customer facing web UI to manage the store's inventory anyway.": "Das Deaktivieren aller anderen HTTP-Verben außer GET für die Produkte-API ist in der Tat der einzige sichere Weg, um sichere Zugriffskontrolle zu implementieren. Shop-Administratoren sollten das Webinterface des Kunden nicht verwenden, um das Inventar des Shops zu verwalten.",
 "Try to identify any variables in the code that might contain arbitrary user input.": "Versuchen Sie, Variablen im Code zu identifizieren, die beliebige Benutzereingaben enthalten könnten.",
- "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.": "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.",
- "Can you spot a place where a SQL query is being cobbled together in an unsafe way?": "Can you spot a place where a SQL query is being cobbled together in an unsafe way?",
+ "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.": "Verfolge die Benutzereingabe durch den Funktionsaufruf und versuche die Stellen zu finden, an denen sie für böswillige Zwecke missbraucht werden kann.",
+ "Can you spot a place where a SQL query is being cobbled together in an unsafe way?": "Kannst du eine Stelle erspähen, an der eine SQL-Abfrage auf unsichere Weise zusammengeschustert wird?",
 "Trying to prevent any injection attacks with a custom-built blocklist 
mechanism is doomed to fail. It might work for some simpler attack payloads but an attacker with time and skills can likely bypass it at some point.": "Trying to prevent any injection attacks with a custom-built blocklist mechanism is doomed to fail. It might work for some simpler attack payloads but an attacker with time and skills can likely bypass it at some point.",
 "Replacing the template string (`...`) notation with plain string concatenation (\"...\"+\"...\") does not change the behavior of the code in any way. It only makes the code less readable.": "Replacing the template string (`...`) notation with plain string concatenation (\"...\"+\"...\") does not change the behavior of the code in any way. It only makes the code less readable.",
 "Using the built-in replacement (or binding) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.": "Using the built-in replacement (or binding) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.",
 "Can you find a HTTP route mapping that deals with metrics?": "Kannst du ein Routen-Mapping finden, das sich mit Metriken beschäftigt?",
 "Remember: The default behavior of route mappings is to allow access to everyone.": "Bedenke: Das Standardverhalten der Routen-Mappings ist es, Zugriff für jeden zu erlauben.",
- "The metrics route remains publicly accessible. This change only messes with functional settings of the measurement framework unnecessarily.": "The metrics route remains publicly accessible. This change only messes with functional settings of the measurement framework unnecessarily.",
+ "The metrics route remains publicly accessible. 
This change only messes with functional settings of the measurement framework unnecessarily.": "Die Metrik-Route bleibt öffentlich zugänglich. Diese Änderung pfuscht nur unnötig an den funktionalen Einstellungen des Messung-Frameworks herum.",
 "This fix prevents unauthorized access to the metrics route but overshoots the goal by locking out everyone - including administrators.": "Diese Korrektur verhindert unbefugten Zugriff auf die Metriken-Route, schießt aber über das Ziel hinaus, indem jeder - einschließlich der Administratoren - gesperrt wird.",
 "Access will now be restricted only to users with administrator permissions, which seems reasonable protection, assuming that it is not possible for a regular user to escalate admin priviliges. If that were a risk, the metrics should better be stored behind the scenes not be made accessible via the shop application at all.": "Access will now be restricted only to users with administrator permissions, which seems reasonable protection, assuming that it is not possible for a regular user to escalate admin priviliges. 
If that were a risk, the metrics should better be stored behind the scenes not be made accessible via the shop application at all.",
- "Do you remember the security question that Bender used for his account?": "Do you remember the security question that Bender used for his account?",
- "This question is the source of the security risk in this challenge.": "This question is the source of the security risk in this challenge.",
- "While not necessarily as trivial to research via a user's LinkedIn profile, the question is still easy to research or brute force when answered truthfully.": "While not necessarily as trivial to research via a user's LinkedIn profile, the question is still easy to research or brute force when answered truthfully.",
- "Exchanging \"company\" with \"organization\" is only a vocabulary change and has no effect on security.": "Exchanging \"company\" with \"organization\" is only a vocabulary change and has no effect on security.",
+ "Do you remember the security question that Bender used for his account?": "Erinnerst du dich an die Sicherheitsfrage, die Bender für sein Konto verwendet?",
+ "This question is the source of the security risk in this challenge.": "Diese Frage ist der Ursprung des Sicherheitsrisikos bei dieser Herausforderung.",
+ "While not necessarily as trivial to research via a user's LinkedIn profile, the question is still easy to research or brute force when answered truthfully.": "Obwohl nicht unbedingt so trivial über das LinkedIn-Profil eines Benutzers herauszufinden, ist diese Frage immer noch leicht zu recherchieren oder durch Brute Force herauszufinden, wenn sie wahrheitsgetreu beantwortet wurde.",
+ "Exchanging \"company\" with \"organization\" is only a vocabulary change and has no effect on security.": "Der Austausch von \"Unternehmen\" mit \"Organisation\" ist nur eine Vokabel-Änderung und hat keine Auswirkungen auf die Sicherheit.",
 "When answered truthfully, all security questions are susceptible to online research 
(on Facebook, LinkedIn etc.) and often even brute force. If at all, they should not be used as the only factor for a security-relevant function.": "When answered truthfully, all security questions are susceptible to online research (on Facebook, LinkedIn etc.) and often even brute force. If at all, they should not be used as the only factor for a security-relevant function.",
- "Can you identify the lines which have something to do with crypto currency addresses?": "Can you identify the lines which have something to do with crypto currency addresses?",
- "Did you notice there is a constant containing allowed redirect web addresses?": "Did you notice there is a constant containing allowed redirect web addresses?",
- "Make sure to select all three lines responsible for crypto currency addresses which are not promoted any longer.": "Make sure to select all three lines responsible for crypto currency addresses which are not promoted any longer.",
- "This fix removes one deprecated crypto currency address from the allow list but forgets to deal with two other ones.": "This fix removes one deprecated crypto currency address from the allow list but forgets to deal with two other ones.",
+ "Can you identify the lines which have something to do with crypto currency addresses?": "Kannst du die Zeilen identifizieren, die etwas mit Kryptowährungsadressen zu tun haben?",
+ "Did you notice there is a constant containing allowed redirect web addresses?": "Hast du bemerkt, dass es eine Konstante mit erlaubten Weiterleitungsadressen gibt?",
+ "Make sure to select all three lines responsible for crypto currency addresses which are not promoted any longer.": "Stelle sicher, dass du alle drei Zeilen auswählst, die für die nicht mehr beworbenen Krypto-Währungsadressen zuständig sind.",
+ "This fix removes one deprecated crypto currency address from the allow list but forgets to deal with two other ones.": "Diese Korrektur entfernt zwar eine veraltete Kryptowährungsadresse aus der 
Allowlist, vergisst aber, sich um zwei andere zu kümmern.",
 "When cleaning up any allow list of deprecated entries, it is crucial to be thorough and re-check the list regularly. Otherwise allow lists tend to become weaker over time.": "When cleaning up any allow list of deprecated entries, it is crucial to be thorough and re-check the list regularly. Otherwise allow lists tend to become weaker over time.",
 "This fix uses the binding mechanism of Sequelize to create the equivalent of a Prepared Statement, which is great. Unfortunately this fix also introduces a critical functional bug into the authentication process.": "This fix uses the binding mechanism of Sequelize to create the equivalent of a Prepared Statement, which is great. Unfortunately this fix also introduces a critical functional bug into the authentication process.",
 "This fix unfortunately goes only half the way to using the binding mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.": "This fix unfortunately goes only half the way to using the binding mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.",
@@ -391,13 +386,13 @@
 "Do you remember the security question that Jim used for his account?": "Do you remember the security question that Jim used for his account?",
 "Widening the scope from an \"eldest sibling\" to \"any family member\" still allows the question to be easily researched online (on Facebook etc.) or brute forced when answered truthfully.": "Widening the scope from an \"eldest sibling\" to \"any family member\" still allows the question to be easily researched online (on Facebook etc.) or brute forced when answered truthfully.",
 "Tightening the scope from an \"eldest sibling\" to \"eldest brother\" reduces any brute force effort to only male forenames, assuming the question is answered truthfully.": "Tightening the scope from an \"eldest sibling\" to \"eldest brother\" reduces any brute force effort to only male forenames, assuming the question is answered truthfully.",
- "Do you remember the security question that Bjoern used for his account?": "Do you remember the security question that Bjoern used for his account?",
- "Researching someone's current place of residence is probably even easier than a past one.": "Researching someone's current place of residence is probably even easier than a past one.",
- "When changing the scope of this question from \"teenager\" to \"toddler\", researching a past place of residence still is the only (low) hurdle for the attacker.": "When changing the scope of this question from \"teenager\" to \"toddler\", researching a past place of residence still is the only (low) hurdle for the attacker.",
- "Do you remember the security question that Bjoern used for his OWASP account?": "Do you remember the security question that Bjoern used for his OWASP account?",
+ "Do you remember the security question that Bjoern used for his account?": "Erinnerst du dich an die Sicherheitsfrage, die Bjoern für sein Konto verwendet?",
+ "Researching someone's current place of residence is probably even easier than a past one.": "Jemandes 
gegenwärtigen Wohnsitz herauszufinden, ist wahrscheinlich noch einfacher als einen früheren.",
+ "When changing the scope of this question from \"teenager\" to \"toddler\", researching a past place of residence still is the only (low) hurdle for the attacker.": "Beim Ändern der Aufgabenstellung dieser Frage von \"Teenager\" auf \"Kleinkind\", bleibt die Suche nach einem früheren Wohnort weiterhin die einzige (niedrige) Hürde für den Angreifer.",
+ "Do you remember the security question that Bjoern used for his OWASP account?": "Erinnerst du dich an die Sicherheitsfrage, die Bjoern für sein OWASP-Konto verwendet?",
 "There are even less car brands in the world than potential pet names. Therefore, changing the security questions has even a negative effect on overall security as it makes guessing and brute forcing much easier.": "There are even less car brands in the world than potential pet names. Therefore, changing the security questions has even a negative effect on overall security as it makes guessing and brute forcing much easier.",
- "This fix option is obviously (?) a joke. But it should still illustrate that narrowing the scope of a question reduces the solution space accordingly, thus making \"social stalking\" and brute force much easier.": "This fix option is obviously (?) a joke. But it should still illustrate that narrowing the scope of a question reduces the solution space accordingly, thus making \"social stalking\" and brute force much easier.",
- "Do you remember the security question that Uvogin used for his account?": "Do you remember the security question that Uvogin used for his account?",
+ "This fix option is obviously (?) a joke. But it should still illustrate that narrowing the scope of a question reduces the solution space accordingly, thus making \"social stalking\" and brute force much easier.": "Diese Fix-Option ist offensichtlich (?) ein Witz. 
Aber sie soll dennoch veranschaulichen, dass die Einschränkung des Geltungsbereichs einer Frage auch deren Lösungsraum entsprechend reduziert. Auf diese Weise wird \"Social Stalking\" und Brute Force viel einfacher.",
+ "Do you remember the security question that Uvogin used for his account?": "Erinnerst du dich an die Sicherheitsfrage, die Uvogin für sein Konto verwendet?",
 "When changing the scope of this question from \"movie\" to \"actor/actress\", researching and brute forcing is probably just as easy for the attacker.": "When changing the scope of this question from \"movie\" to \"actor/actress\", researching and brute forcing is probably just as easy for the attacker.",
 "Narrowing the scope of the question from \"movie\" to \"animé\" dramatically reduces the solution space, thus making guessing and brute force attacks a lot easier.": "Narrowing the scope of the question from \"movie\" to \"animé\" dramatically reduces the solution space, thus making guessing and brute force attacks a lot easier.",
 "Among the long list of route mappings, can you spot any that seem responsible for the Score Board screen?": "Among the long list of route mappings, can you spot any that seem responsible for the Score Board screen?",
@@ -422,7 +417,7 @@
 "The only viable way to prevent access to a soon-to-be-released Token Sale page is to not have it in the client-side code before its actual release. It then makes sense to not have any premature route mapping declarations either. This then makes the whole obfuscation code-madness unnecessary as well.": "The only viable way to prevent access to a soon-to-be-released Token Sale page is to not have it in the client-side code before its actual release. It then makes sense to not have any premature route mapping declarations either. This then makes the whole obfuscation code-madness unnecessary as well.",
 "You should take a close look at how this code checks for allowed vs. forbidded URLs to redirect to.": "You should take a close look at how this code checks for allowed vs. forbidded URLs to redirect to.",
 "Try to play through how the logical operators and used standard functions work in this situation.": "Try to play through how the logical operators and used standard functions work in this situation.",
- "Could you somehow make the code believe that it is dealing with an allow-listed URL while it actually isn't?": "Could you somehow make the code believe that it is dealing with an allow-listed URL while it actually isn't?",
+ "Could you somehow make the code believe that it is dealing with an allow-listed URL while it actually isn't?": "Könntest du den Code irgendwie glauben lassen, dass er es mit einer explizit erlaubten URL zu tun hat, obwohl es eigentlich keine ist?",
 "The open redirect flaw in this code cannot be fixed by applying URL encoding to the target URL. 
In fact, it would break the entire redirect mechanism for allow-listed URLs as they are not URL-encoded and would therefore never match.": "The open redirect flaw in this code cannot be fixed by applying URL encoding to the target URL. In fact, it would break the entire redirect mechanism for allow-listed URLs as they are not URL-encoded and would therefore never match.",
 "Changing from logical \"or\" to logical \"and\" here does not do anything for security but entirely breaks the redirect mechanism as \"allowed\" can never be true after the loop.": "Changing from logical \"or\" to logical \"and\" here does not do anything for security but entirely breaks the redirect mechanism as \"allowed\" can never be true after the loop.",
 "HTML-escaping is completely wrong in this situation because the code is dealing with URLs and not HTML input.": "HTML-escaping is completely wrong in this situation because the code is dealing with URLs and not HTML input.",
@@ -434,23 +429,39 @@ "Replacing the \"X-Forwarded-For\" header with its standardized alternative \"Forwarded\" does not close the security flaw of how this header is actually being used and can be abused by attackers.": "Replacing the \"X-Forwarded-For\" header with its standardized alternative \"Forwarded\" does not close the security flaw of how this header is actually being used and can be abused by attackers.", "Reducing the rate limit from 100 requests in 5min to 10 reqests in 3min could be seen as a security improvement, if there wasn't an entirely unrelated misconfiguration at play here.": "Reducing the rate limit from 100 requests in 5min to 10 reqests in 3min could be seen as a security improvement, if there wasn't an entirely unrelated misconfiguration at play here.", "Removing the custom key generator that lets an arbitrary HTTP header take precedence over the client IP is the best option here. Now an attacker at least needs to fake their actual IP to bypass the rate limiting, as this is the default key for the RateLimit module used here. There is a functional downside though, as now users behin e.g. corporate proxies might be rate limited as a group and not individually. But with 100 allowed password resets in 5min this should not occur too frequently.": "Removing the custom key generator that lets an arbitrary HTTP header take precedence over the client IP is the best option here. Now an attacker at least needs to fake their actual IP to bypass the rate limiting, as this is the default key for the RateLimit module used here. There is a functional downside though, as now users behin e.g. corporate proxies might be rate limited as a group and not individually. 
But with 100 allowed password resets in 5min this should not occur too frequently.", - "Find all places in the code which are handling the product descriptions.": "Find all places in the code which are handling the product descriptions.", + "Find all places in the code which are handling the product descriptions.": "Finde alle Stellen im Code, die die Produktbeschreibungen behandeln.", "Manually encoding the angular brackets of the HTML tags does not add any security. It is likely to break descriptions with legitimate HTML tags for styling or links, though.": "Manually encoding the angular brackets of the HTML tags does not add any security. It is likely to break descriptions with legitimate HTML tags for styling or links, though.", "The removed code block deals with handling of different screen sizes and is entirely unrelated to the given XSS vulnerability.": "The removed code block deals with handling of different screen sizes and is entirely unrelated to the given XSS vulnerability.", "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact.": "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact.", "Removing the bypass of sanitization entirely is the best way to fix the XSS vulnerability here. It should be noted, that XSS is only a consequence of broken autheorization in this case, as users should not be allowed to change product descriptions in the first place.": "Removing the bypass of sanitization entirely is the best way to fix the XSS vulnerability here. 
It should be noted, that XSS is only a consequence of broken autheorization in this case, as users should not be allowed to change product descriptions in the first place.", - "To find the culprit lines, you need to understand how MongoDB handles updating records.": "To find the culprit lines, you need to understand how MongoDB handles updating records.", + "To find the culprit lines, you need to understand how MongoDB handles updating records.": "Um die schuldigen Zeilen zu finden, musst du verstehen, wie MongoDB mit Datensatz-Aktualisierungen umgeht.", "Did you notice that the developers retrieved a reference to the user but never actually use it for anything? This might be part of the problem.": "Did you notice that the developers retrieved a reference to the user but never actually use it for anything? This might be part of the problem.", "Another problematic line you need to select, is actually missing something that ties the user to the review.": "Another problematic line you need to select, is actually missing something that ties the user to the review.", "This solution would reassign an updated review to the last editor, but it would not prevent to change other user's reviews in the first place.": "This solution would reassign an updated review to the last editor, but it would not prevent to change other user's reviews in the first place.", "Removing the option to update multiple documents at once is a good idea and might actually help against another flaw in this code. But it does not fix the problem of allowing users to update other user's reviews.": "Removing the option to update multiple documents at once is a good idea and might actually help against another flaw in this code. But it does not fix the problem of allowing users to update other user's reviews.", "Setting the author on server-side based on the user retrieved from the authentication token in the HTTP request is the right call. 
It prevents users from just passing any author email they like along with the request.": "Den Autor basierend auf dem Benutzer aus dem Authentifizierungstoken im HTTP Request auf Serverseite zu setzen, ist die richtige Entscheidung. Dies hindert Benutzer daran, einfach eine beliebige Autoren-E-Mail mit dem Request mitzuschicken.", - "Does this query really need to allow updating more than one review at once?": "Does this query really need to allow updating more than one review at once?", + "Does this query really need to allow updating more than one review at once?": "Muss diese Abfrage wirklich erlauben, mehrere Bewertungen gleichzeitig zu aktualisieren?", "Consider the query parameters under control of the attacker and try to find the one where they might inject some query-altering command.": "Consider the query parameters under control of the attacker and try to find the one where they might inject some query-altering command.", "Removing the option to update multiple documents at once combined with avoiding a \"not-equal\"-based injection is insufficient against any attacker with at least moderate MongoDB query knowledge.": "Removing the option to update multiple documents at once combined with avoiding a \"not-equal\"-based injection is insufficient against any attacker with at least moderate MongoDB query knowledge.", "Removing the option to update multiple documents at once is definitely necessary. But it is unfortunately not a sufficient fix, as an attacker might still be able to \"add back\" the multi-update behavior.": "Removing the option to update multiple documents at once is definitely necessary. But it is unfortunately not a sufficient fix, as an attacker might still be able to \"add back\" the multi-update behavior.", "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. 
This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exakte Version von OWASP Juice Shop, die am 02.02.2020 vom GitHub Archive Program archiviert wurde und am 8. Juli 2020 in den Arctic Code Vault ging, wo sie sicher für mindestens 1000 Jahre gelagert wird.", "Close multiple \"Challenge solved\"-notifications in one go.": "Schließe mehrere \"Challenge gelöst\"-Benachrichtigungen auf einmal.", - "Either check the official documentation or inspect a notification UI element directly.": "Schau entweder in die offizielle Dokumentation, oder inspiziere ein Benachrichtigungs-UI-Element direkt." + "Either check the official documentation or inspect a notification UI element directly.": "Schau entweder in die offizielle Dokumentation, oder inspiziere ein Benachrichtigungs-UI-Element direkt.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Registriere einen Benutzer mit leerer E-Mail und leerem Passwort.", + "Consider intercepting and playing with the request payload.": "Erwäge das Abfangen von und Herumspielen mit dem Request-Payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Präge das Honey-Pot-NFT indem du BEEs aus der Bienenzuflucht sammelst.", + "Discover NFT wonders among the captivating visual memories.": "Entdecke NFT-Wunder zwischen den faszinierenden visuellen Erinnerungen.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Nimm die Brieftasche mit unserem offiziellen Soul Bound Token (NFT) in Besitz.", + "Find the seed phrase posted accidentally.": "Finde die versehentlich gepostete Seed-Phrase.", + "Withdraw more ETH from the new wallet than you deposited.": "Hebe mehr ETH von der neuen Brieftasche ab, als du hinterlegt hast.", + "Try to exploit the contract of the wallet.": "Versuche, den Contract der Brieftasche auszunutzen.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Finde eine versehentlich ausgelieferte Programmier-Sandbox zum spontanen Schreiben von Smart Contracts.", + "It is just as easy as finding the Score Board.": "Es ist genauso einfach wie die Punkteübersicht zu finden.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "Er könnte ihn bei mindestens einer Gelegenheit vor laufender Kamera herausposaunt haben. 
Vielleicht auch noch anderswo.", + "Find the hidden easter egg.": "Finde das versteckte Ostereier.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Versuche entweder a) einen klugen Brute-Force-Angriff oder b) Reverse Engineering oder c) einige Nachforschungen in der Cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Umgehe eine Sicherheitskontrolle mit einem Poison Null Byte, um auf eine Datei zuzugreifen, die nicht für deine Augen bestimmt ist.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Zweifellos möchtest du unsere Sicherheitsrichtlinie lesen, bevor Du irgendwelche Untersuchungen unserer Anwendung durchführst." } diff --git a/data/static/i18n/de_DE.json b/data/static/i18n/de_DE.json index 6ad2d3b4952..63db8b76c4b 100644 --- a/data/static/i18n/de_DE.json +++ b/data/static/i18n/de_DE.json 
@@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Überschreibe die Datei mit den rechtlichen Informationen.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Halte Ausschau nach einem Tweet, der neue Funktionalität des Webshops bewirbt. Finde dann eine hiermit verbundene Drittanbieter-Verwundbarkeit.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Setze das Passwort von Björns OWASP-Benutzerkonto in der Passwort vergessen-Funktion mittels der Original-Antwort auf seine Sicherheitsfrage zurück.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "Er könnte ihn bei mindestens einer Gelegenheit vor laufender Kamera verraten haben. Vielleicht auch noch anderswo.", "Learn about the Token Sale before its official announcement.": "Erfahre vor der offiziellen Ankündigung von dem Token-Verkauf.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "Die Entwickler glauben wirklich mehr an \"Sicherheit durch Obskurität\" als an tatsächliche Zugriffsbeschränkungen.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Führe eine Remote Code Execution durch, die eine weniger gehärtete Anwendung für immer beschäftigen würde.", 
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Finde heraus, woher diese Information kommen könnten. Erstelle dann einen UNION SELECT-Angriffsstring gegen einen Endpunkt, der unnötigerweise das Filtern von Daten ermöglicht.", "Use a deprecated B2B interface that was not properly shut down.": "Benutze eine veraltete B2B-Schnittstelle, die nicht ordentlich abgeschaltet wurde.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "Die Entwickler, die diese Schnittstelle deaktiviert haben, glauben, sie könnten nur durch das Schließen ihrer Augen unsichtbar werden.", - "Find the hidden easter egg.": "Finde das versteckte Ostereier.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "Wenn du eine der drei Dateizugriffs-Herausforderungen gelöst hast, weißt du bereits, wo das Ostereier zu finden ist.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Führe Sie eine ungewollte Informationsoffenlegung mittels eines Cross-Domain-Datenzugriffs durch.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Versuche, einen Endpunkt zu finden und anzugreifen, der mit Benutzerinformationen antwortet. SQL Injection ist hier nicht die Lösung.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Werde alle 5-Sterne Kundenfeedbacks los.", "Once you found admin section of the application, this challenge is almost trivial.": "Sobald du den Admin-Bereich der Anwendung gefunden hast, ist diese Herausforderung fast trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Fäslche einen Gutscheincode, der dir mindestens 80% Rabatt gewährt.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Versuche entweder a) einen klugen Brute-Force-Angriff oder b) Reverse Engineering oder c) einige Nachforschungen in der Cloud.", "Post some feedback in another user's name.": "Schreibe ein Feedback im Namen eines anderen Benutzers.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "Du kannst diese lösen, indem du an der Benutzeroberfläche herumdokterst oder die Kommunikation mit dem RESTful Backend abfängst.", "Post a product review as another user or edit any user's existing review.": "Veröffentliche eine Produktrezension als ein anderer Benutzer oder bearbeite die bestehende Rezension eines anderen Benutzers.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infiziere den Server mit saftiger Malware, indem du dir Arbitrary Command Execution zunutze machst.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" ist ein eindeutiger Indikator, dass dies nichts mit irgendwas in Angular zu tun hat. Achte darauf, nur unsere nicht-bösartige Malware zu verwenden.", "Behave like any \"white-hat\" should before getting into the action.": "Verhalte dich wie ein \"White-Hat\" es sollte, bevor du loslegst.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Zweifellos möchtest du unsere Sicherheitsrichtlinie lesen, bevor Du irgendwelche Untersuchungen unserer Anwendung durchführst.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Führe einen persistenten XSS-Angriff mit <iframe src=\"javascript:alert(`xss`)\"> aus und umgehe dabei einen Server-seitigen Sicherheitsmechanismus.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "Du solltest deinen Fokus auf das Feld \"Kommentar\" im \"Kundenfeedback\"-Dialog setzen.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Verpetze einen berüchtigten Charakter, der sich im Laden unsichtbar gemacht hat. (Erwähne den exakten Namen des Charakters)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Bestimme die Antwort auf Emmas Sicherheitsfrage, indem du einen ihrer Uploads auf die Foto-Wand ansiehst und diese verwendest, um ihr Passwort über den Passwort vergessen-Mechanismus zurückzusetzen.", "Take a look at the details in the photo to determine the location of where it was taken.": "Wirf einen Blick auf die Details auf dem Foto, um zu bestimmen, wo es aufgenommen wurde.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020-Ausgabe", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Umgehe eine Sicherheitskontrolle mit einem Poison Null Byte, um auf eine Datei zuzugreifen, die nicht für deine Augen bestimmt ist.", "Best Juice Shop Salesman Artwork": "Bester Juice Shop-Verkäufer Kunstwerk", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Einzigartige digitale Zeichnung, die Stan, unseren qualifiziertesten und beinahe profitablen Verkäufer zeigt. Er machte erfolgreich Karriere als Verkäufer von gebrauchten Schiffen, Särgen, Krypten, Kreuzen, Immobilien, Lebensversicherungen, Restaurant-Zubehör, Voodoo-verbessertem Asbest und Gerichtssaal-Souvenirs, bevor er endlich seine Expertise dem Marketing-Team des Juice Shop hinzufügte.", "20th Anniversary Celebration Ticket": "20jährige Jubiläumsfeier-Ticket", 
@@ -357,29 +352,29 @@ "API routes need to specifically define a handler for a HTTP verb if they wish to override the \"allow everything to everyone\" default behavior.": "API Routen müssen explizit einen Handler für HTTP-Verben definieren, wenn sie das \"allen alles erlauben\"-Standardverhalten überschreiben wollen.", "There is one line that is commented out for no good reason among the product-related middleware.": "Unter der produktbezogenen Middleware gibt es eine Codezeile, die ohne guten Grund auskommentiert wurde.", "While removing the commented-out line made the code cleaner, it did not change the functionality in any way and thus cannot have improved security either.": "Auch wenn das Entfernen der auskommentierten Zeile den Code sauberer gemacht hat, änderte dies die Funktionalität jedoch in keiner Weise und konnte demzufolge auch nicht die Sicherheit verbessern.", - "Removing all dedicated handling of the products API made things worse, as now the default permissions of the underlying API generator will be used: Allowing GET, POST, PUT and DELETE - without any restrictions.": "J ", + "Removing all dedicated handling of the products API made things worse, as now the default permissions of the underlying API generator will be used: Allowing GET, POST, PUT and DELETE - without any restrictions.": "Die dedizierte Behandlung der Produkt-API zu entfernen, hat die Sache verschlimmert, da jetzt die standardmäßigen Berechtigungen des zugrunde liegenden API-Generators verwendet werden: GET, POST, PUT und DELETE werden - ohne Einschränkungen - erlaubt.", "You improved security slightly by no longer accepting PUT requests from anonymous API callers. But does the shop even want to allow its authenticated customers to change products themselves?": "Du hast die Sicherheit ein bisschen verbessert, indem PUT-Anfragen von anonymen API-Anrufern nicht mehr angenommen werden. 
Aber will der Shop seinen authentifizierten Kunden überhaupt gestatten, die Produkte selbst zu ändern?", "Disabling all HTTP verbs other than GET for the products API is indeed the only safe way to implement secure access control. Shop administrators should not use the customer facing web UI to manage the store's inventory anyway.": "Das Deaktivieren aller anderen HTTP-Verben außer GET für die Produkte-API ist in der Tat der einzige zuverlässige Weg, um sichere Zugriffskontrolle zu implementieren. Shop-Administratoren sollten sowieso nicht das Webinterface für Kunden verwenden, um das Inventar des Shops zu verwalten.", "Try to identify any variables in the code that might contain arbitrary user input.": "Versuche, Variablen im Code zu identifizieren, die beliebige Benutzereingaben enthalten könnten.", - "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.": "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.", - "Can you spot a place where a SQL query is being cobbled together in an unsafe way?": "Can you spot a place where a SQL query is being cobbled together in an unsafe way?", + "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.": "Verfolge die Benutzereingabe durch den Funktionsaufruf und versuche die Stellen zu finden, an denen sie für böswillige Zwecke missbraucht werden kann.", + "Can you spot a place where a SQL query is being cobbled together in an unsafe way?": "Kannst du eine Stelle erspähen, an der eine SQL-Abfrage auf unsichere Weise zusammengeschustert wird?", "Trying to prevent any injection attacks with a custom-built blocklist mechanism is doomed to fail. 
It might work for some simpler attack payloads but an attacker with time and skills can likely bypass it at some point.": "Trying to prevent any injection attacks with a custom-built blocklist mechanism is doomed to fail. It might work for some simpler attack payloads but an attacker with time and skills can likely bypass it at some point.", "Replacing the template string (`...`) notation with plain string concatenation (\"...\"+\"...\") does not change the behavior of the code in any way. It only makes the code less readable.": "Replacing the template string (`...`) notation with plain string concatenation (\"...\"+\"...\") does not change the behavior of the code in any way. It only makes the code less readable.", "Using the built-in replacement (or binding) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.": "Using the built-in replacement (or binding) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.", "Can you find a HTTP route mapping that deals with metrics?": "Kannst du ein Routen-Mapping finden, das sich mit Metriken beschäftigt?", "Remember: The default behavior of route mappings is to allow access to everyone.": "Bedenke: Das Standardverhalten der Routen-Mappings ist es, Zugriff für jeden zu erlauben.", - "The metrics route remains publicly accessible. This change only messes with functional settings of the measurement framework unnecessarily.": "The metrics route remains publicly accessible. This change only messes with functional settings of the measurement framework unnecessarily.", + "The metrics route remains publicly accessible. 
This change only messes with functional settings of the measurement framework unnecessarily.": "Die Metrik-Route bleibt öffentlich zugänglich. Diese Änderung pfuscht nur unnötig an den funktionalen Einstellungen des Messung-Frameworks herum.", "This fix prevents unauthorized access to the metrics route but overshoots the goal by locking out everyone - including administrators.": "Diese Korrektur verhindert unbefugten Zugriff auf die Metriken-Route, schießt aber über das Ziel hinaus, indem jeder - einschließlich der Administratoren - gesperrt wird.", "Access will now be restricted only to users with administrator permissions, which seems reasonable protection, assuming that it is not possible for a regular user to escalate admin priviliges. If that were a risk, the metrics should better be stored behind the scenes not be made accessible via the shop application at all.": "Access will now be restricted only to users with administrator permissions, which seems reasonable protection, assuming that it is not possible for a regular user to escalate admin priviliges. 
If that were a risk, the metrics should better be stored behind the scenes not be made accessible via the shop application at all.", - "Do you remember the security question that Bender used for his account?": "Do you remember the security question that Bender used for his account?", - "This question is the source of the security risk in this challenge.": "This question is the source of the security risk in this challenge.", - "While not necessarily as trivial to research via a user's LinkedIn profile, the question is still easy to research or brute force when answered truthfully.": "While not necessarily as trivial to research via a user's LinkedIn profile, the question is still easy to research or brute force when answered truthfully.", - "Exchanging \"company\" with \"organization\" is only a vocabulary change and has no effect on security.": "Exchanging \"company\" with \"organization\" is only a vocabulary change and has no effect on security.", + "Do you remember the security question that Bender used for his account?": "Erinnerst du dich an die Sicherheitsfrage, die Bender für sein Konto verwendet?", + "This question is the source of the security risk in this challenge.": "Diese Frage ist der Ursprung des Sicherheitsrisikos bei dieser Herausforderung.", + "While not necessarily as trivial to research via a user's LinkedIn profile, the question is still easy to research or brute force when answered truthfully.": "Obwohl nicht unbedingt so trivial über das LinkedIn-Profil eines Benutzers herauszufinden, ist diese Frage immer noch leicht zu recherchieren oder durch Brute Force herauszufinden, wenn sie wahrheitsgetreu beantwortet wurde.", + "Exchanging \"company\" with \"organization\" is only a vocabulary change and has no effect on security.": "Der Austausch von \"Unternehmen\" mit \"Organisation\" ist nur eine Vokabel-Änderung und hat keine Auswirkungen auf die Sicherheit.", "When answered truthfully, all security questions are susceptible to online research 
(on Facebook, LinkedIn etc.) and often even brute force. If at all, they should not be used as the only factor for a security-relevant function.": "When answered truthfully, all security questions are susceptible to online research (on Facebook, LinkedIn etc.) and often even brute force. If at all, they should not be used as the only factor for a security-relevant function.", - "Can you identify the lines which have something to do with crypto currency addresses?": "Can you identify the lines which have something to do with crypto currency addresses?", - "Did you notice there is a constant containing allowed redirect web addresses?": "Did you notice there is a constant containing allowed redirect web addresses?", - "Make sure to select all three lines responsible for crypto currency addresses which are not promoted any longer.": "Make sure to select all three lines responsible for crypto currency addresses which are not promoted any longer.", - "This fix removes one deprecated crypto currency address from the allow list but forgets to deal with two other ones.": "This fix removes one deprecated crypto currency address from the allow list but forgets to deal with two other ones.", + "Can you identify the lines which have something to do with crypto currency addresses?": "Kannst du die Zeilen identifizieren, die etwas mit Kryptowährungsadressen zu tun haben?", + "Did you notice there is a constant containing allowed redirect web addresses?": "Hast du bemerkt, dass es eine Konstante mit erlaubten Weiterleitungsadressen gibt?", + "Make sure to select all three lines responsible for crypto currency addresses which are not promoted any longer.": "Stelle sicher, dass du alle drei Zeilen auswählst, die für die nicht mehr beworbenen Krypto-Währungsadressen zuständig sind.", + "This fix removes one deprecated crypto currency address from the allow list but forgets to deal with two other ones.": "Diese Korrektur entfernt zwar eine veraltete Kryptowährungsadresse aus der 
Allowlist, vergisst aber, sich um zwei andere zu kümmern.", "When cleaning up any allow list of deprecated entries, it is crucial to be thorough and re-check the list regularly. Otherwise allow lists tend to become weaker over time.": "When cleaning up any allow list of deprecated entries, it is crucial to be thorough and re-check the list regularly. Otherwise allow lists tend to become weaker over time.", "This fix uses the binding mechanism of Sequelize to create the equivalent of a Prepared Statement, which is great. Unfortunately this fix also introduces a critical functional bug into the authentication process.": "This fix uses the binding mechanism of Sequelize to create the equivalent of a Prepared Statement, which is great. Unfortunately this fix also introduces a critical functional bug into the authentication process.", "This fix unfortunately goes only half the way to using the binding mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.": "This fix unfortunately goes only half the way to using the binding mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.", 
@@ -391,13 +386,13 @@ "Do you remember the security question that Jim used for his account?": "Do you remember the security question that Jim used for his account?", "Widening the scope from an \"eldest sibling\" to \"any family member\" still allows the question to be easily researched online (on Facebook etc.) or brute forced when answered truthfully.": "Widening the scope from an \"eldest sibling\" to \"any family member\" still allows the question to be easily researched online (on Facebook etc.) or brute forced when answered truthfully.", "Tightening the scope from an \"eldest sibling\" to \"eldest brother\" reduces any brute force effort to only male forenames, assuming the question is answered truthfully.": "Tightening the scope from an \"eldest sibling\" to \"eldest brother\" reduces any brute force effort to only male forenames, assuming the question is answered truthfully.", - "Do you remember the security question that Bjoern used for his account?": "Do you remember the security question that Bjoern used for his account?", - "Researching someone's current place of residence is probably even easier than a past one.": "Researching someone's current place of residence is probably even easier than a past one.", - "When changing the scope of this question from \"teenager\" to \"toddler\", researching a past place of residence still is the only (low) hurdle for the attacker.": "When changing the scope of this question from \"teenager\" to \"toddler\", researching a past place of residence still is the only (low) hurdle for the attacker.", - "Do you remember the security question that Bjoern used for his OWASP account?": "Do you remember the security question that Bjoern used for his OWASP account?", + "Do you remember the security question that Bjoern used for his account?": "Erinnerst du dich an die Sicherheitsfrage, die Bjoern für sein Konto verwendet?", + "Researching someone's current place of residence is probably even easier than a past one.": "Jemandes 
gegenwärtigen Wohnsitz herauszufinden, ist wahrscheinlich noch einfacher als einen früheren.", + "When changing the scope of this question from \"teenager\" to \"toddler\", researching a past place of residence still is the only (low) hurdle for the attacker.": "Beim Ändern der Aufgabenstellung dieser Frage von \"Teenager\" auf \"Kleinkind\", bleibt die Suche nach einem früheren Wohnort weiterhin die einzige (niedrige) Hürde für den Angreifer.", + "Do you remember the security question that Bjoern used for his OWASP account?": "Erinnerst du dich an die Sicherheitsfrage, die Bjoern für sein OWASP-Konto verwendet?", "There are even less car brands in the world than potential pet names. Therefore, changing the security questions has even a negative effect on overall security as it makes guessing and brute forcing much easier.": "There are even less car brands in the world than potential pet names. Therefore, changing the security questions has even a negative effect on overall security as it makes guessing and brute forcing much easier.", - "This fix option is obviously (?) a joke. But it should still illustrate that narrowing the scope of a question reduces the solution space accordingly, thus making \"social stalking\" and brute force much easier.": "This fix option is obviously (?) a joke. But it should still illustrate that narrowing the scope of a question reduces the solution space accordingly, thus making \"social stalking\" and brute force much easier.", - "Do you remember the security question that Uvogin used for his account?": "Do you remember the security question that Uvogin used for his account?", + "This fix option is obviously (?) a joke. But it should still illustrate that narrowing the scope of a question reduces the solution space accordingly, thus making \"social stalking\" and brute force much easier.": "Diese Fix-Option ist offensichtlich (?) ein Witz. 
Aber sie soll dennoch veranschaulichen, dass die Einschränkung des Geltungsbereichs einer Frage auch deren Lösungsraum entsprechend reduziert. Auf diese Weise wird \"Social Stalking\" und Brute Force viel einfacher.", + "Do you remember the security question that Uvogin used for his account?": "Erinnerst du dich an die Sicherheitsfrage, die Uvogin für sein Konto verwendet?", "When changing the scope of this question from \"movie\" to \"actor/actress\", researching and brute forcing is probably just as easy for the attacker.": "When changing the scope of this question from \"movie\" to \"actor/actress\", researching and brute forcing is probably just as easy for the attacker.", "Narrowing the scope of the question from \"movie\" to \"animé\" dramatically reduces the solution space, thus making guessing and brute force attacks a lot easier.": "Narrowing the scope of the question from \"movie\" to \"animé\" dramatically reduces the solution space, thus making guessing and brute force attacks a lot easier.", "Among the long list of route mappings, can you spot any that seem responsible for the Score Board screen?": "Among the long list of route mappings, can you spot any that seem responsible for the Score Board screen?", 
@@ -422,7 +417,7 @@ "The only viable way to prevent access to a soon-to-be-released Token Sale page is to not have it in the client-side code before its actual release. It then makes sense to not have any premature route mapping declarations either. This then makes the whole obfuscation code-madness unnecessary as well.": "The only viable way to prevent access to a soon-to-be-released Token Sale page is to not have it in the client-side code before its actual release. It then makes sense to not have any premature route mapping declarations either. This then makes the whole obfuscation code-madness unnecessary as well.", "You should take a close look at how this code checks for allowed vs. forbidded URLs to redirect to.": "You should take a close look at how this code checks for allowed vs. forbidded URLs to redirect to.", "Try to play through how the logical operators and used standard functions work in this situation.": "Try to play through how the logical operators and used standard functions work in this situation.", - "Could you somehow make the code believe that it is dealing with an allow-listed URL while it actually isn't?": "Could you somehow make the code believe that it is dealing with an allow-listed URL while it actually isn't?", + "Could you somehow make the code believe that it is dealing with an allow-listed URL while it actually isn't?": "Könntest du den Code irgendwie glauben lassen, dass er es mit einer explizit erlaubten URL zu tun hat, obwohl es eigentlich keine ist?", "The open redirect flaw in this code cannot be fixed by applying URL encoding to the target URL. In fact, it would break the entire redirect mechanism for allow-listed URLs as they are not URL-encoded and would therefore never match.": "The open redirect flaw in this code cannot be fixed by applying URL encoding to the target URL. 
In fact, it would break the entire redirect mechanism for allow-listed URLs as they are not URL-encoded and would therefore never match.", "Changing from logical \"or\" to logical \"and\" here does not do anything for security but entirely breaks the redirect mechanism as \"allowed\" can never be true after the loop.": "Changing from logical \"or\" to logical \"and\" here does not do anything for security but entirely breaks the redirect mechanism as \"allowed\" can never be true after the loop.", "HTML-escaping is completely wrong in this situation because the code is dealing with URLs and not HTML input.": "HTML-escaping is completely wrong in this situation because the code is dealing with URLs and not HTML input.", 
@@ -434,23 +429,39 @@ "Replacing the \"X-Forwarded-For\" header with its standardized alternative \"Forwarded\" does not close the security flaw of how this header is actually being used and can be abused by attackers.": "Replacing the \"X-Forwarded-For\" header with its standardized alternative \"Forwarded\" does not close the security flaw of how this header is actually being used and can be abused by attackers.", "Reducing the rate limit from 100 requests in 5min to 10 reqests in 3min could be seen as a security improvement, if there wasn't an entirely unrelated misconfiguration at play here.": "Reducing the rate limit from 100 requests in 5min to 10 reqests in 3min could be seen as a security improvement, if there wasn't an entirely unrelated misconfiguration at play here.", "Removing the custom key generator that lets an arbitrary HTTP header take precedence over the client IP is the best option here. Now an attacker at least needs to fake their actual IP to bypass the rate limiting, as this is the default key for the RateLimit module used here. There is a functional downside though, as now users behin e.g. corporate proxies might be rate limited as a group and not individually. But with 100 allowed password resets in 5min this should not occur too frequently.": "Removing the custom key generator that lets an arbitrary HTTP header take precedence over the client IP is the best option here. Now an attacker at least needs to fake their actual IP to bypass the rate limiting, as this is the default key for the RateLimit module used here. There is a functional downside though, as now users behin e.g. corporate proxies might be rate limited as a group and not individually. 
But with 100 allowed password resets in 5min this should not occur too frequently.", - "Find all places in the code which are handling the product descriptions.": "Find all places in the code which are handling the product descriptions.", + "Find all places in the code which are handling the product descriptions.": "Finde alle Stellen im Code, die die Produktbeschreibungen behandeln.", "Manually encoding the angular brackets of the HTML tags does not add any security. It is likely to break descriptions with legitimate HTML tags for styling or links, though.": "Manually encoding the angular brackets of the HTML tags does not add any security. It is likely to break descriptions with legitimate HTML tags for styling or links, though.", "The removed code block deals with handling of different screen sizes and is entirely unrelated to the given XSS vulnerability.": "The removed code block deals with handling of different screen sizes and is entirely unrelated to the given XSS vulnerability.", "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact.": "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact.", "Removing the bypass of sanitization entirely is the best way to fix the XSS vulnerability here. It should be noted, that XSS is only a consequence of broken autheorization in this case, as users should not be allowed to change product descriptions in the first place.": "Removing the bypass of sanitization entirely is the best way to fix the XSS vulnerability here. 
It should be noted, that XSS is only a consequence of broken autheorization in this case, as users should not be allowed to change product descriptions in the first place.", - "To find the culprit lines, you need to understand how MongoDB handles updating records.": "To find the culprit lines, you need to understand how MongoDB handles updating records.", + "To find the culprit lines, you need to understand how MongoDB handles updating records.": "Um die schuldigen Zeilen zu finden, musst du verstehen, wie MongoDB mit Datensatz-Aktualisierungen umgeht.", "Did you notice that the developers retrieved a reference to the user but never actually use it for anything? This might be part of the problem.": "Did you notice that the developers retrieved a reference to the user but never actually use it for anything? This might be part of the problem.", "Another problematic line you need to select, is actually missing something that ties the user to the review.": "Another problematic line you need to select, is actually missing something that ties the user to the review.", "This solution would reassign an updated review to the last editor, but it would not prevent to change other user's reviews in the first place.": "This solution would reassign an updated review to the last editor, but it would not prevent to change other user's reviews in the first place.", "Removing the option to update multiple documents at once is a good idea and might actually help against another flaw in this code. But it does not fix the problem of allowing users to update other user's reviews.": "Removing the option to update multiple documents at once is a good idea and might actually help against another flaw in this code. But it does not fix the problem of allowing users to update other user's reviews.", "Setting the author on server-side based on the user retrieved from the authentication token in the HTTP request is the right call. 
It prevents users from just passing any author email they like along with the request.": "Den Autor basierend auf dem Benutzer aus dem Authentifizierungstoken im HTTP Request auf Serverseite zu setzen, ist die richtige Entscheidung. Dies hindert Benutzer daran, einfach eine beliebige Autoren-E-Mail mit dem Request mitzuschicken.", - "Does this query really need to allow updating more than one review at once?": "Does this query really need to allow updating more than one review at once?", + "Does this query really need to allow updating more than one review at once?": "Muss diese Abfrage wirklich erlauben, mehrere Bewertungen gleichzeitig zu aktualisieren?", "Consider the query parameters under control of the attacker and try to find the one where they might inject some query-altering command.": "Consider the query parameters under control of the attacker and try to find the one where they might inject some query-altering command.", "Removing the option to update multiple documents at once combined with avoiding a \"not-equal\"-based injection is insufficient against any attacker with at least moderate MongoDB query knowledge.": "Removing the option to update multiple documents at once combined with avoiding a \"not-equal\"-based injection is insufficient against any attacker with at least moderate MongoDB query knowledge.", "Removing the option to update multiple documents at once is definitely necessary. But it is unfortunately not a sufficient fix, as an attacker might still be able to \"add back\" the multi-update behavior.": "Removing the option to update multiple documents at once is definitely necessary. But it is unfortunately not a sufficient fix, as an attacker might still be able to \"add back\" the multi-update behavior.", "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. 
This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exakte Version von OWASP Juice Shop, die am 02.02.2020 vom GitHub Archive Program archiviert wurde und am 8. Juli 2020 in den Arctic Code Vault ging, wo sie sicher für mindestens 1000 Jahre gelagert wird.", "Close multiple \"Challenge solved\"-notifications in one go.": "Schließe mehrere \"Challenge gelöst\"-Benachrichtigungen auf einmal.", - "Either check the official documentation or inspect a notification UI element directly.": "Schau entweder in die offizielle Dokumentation, oder inspiziere ein Benachrichtigungs-UI-Element direkt." + "Either check the official documentation or inspect a notification UI element directly.": "Schau entweder in die offizielle Dokumentation, oder inspiziere ein Benachrichtigungs-UI-Element direkt.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Registriere einen Benutzer mit leerer E-Mail und leerem Passwort.", + "Consider intercepting and playing with the request payload.": "Erwäge das Abfangen von und Herumspielen mit dem Request-Payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Präge das Honey-Pot-NFT indem du BEEs aus der Bienenzuflucht sammelst.", + "Discover NFT wonders among the captivating visual memories.": "Entdecke NFT-Wunder zwischen den faszinierenden visuellen Erinnerungen.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Nimm die Brieftasche mit unserem offiziellen Soul Bound Token (NFT) in Besitz.", + "Find the seed phrase posted accidentally.": "Finde die versehentlich gepostete Seed-Phrase.", + "Withdraw more ETH from the new wallet than you deposited.": "Hebe mehr ETH von der neuen Brieftasche ab, als du hinterlegt hast.", + "Try to exploit the contract of the wallet.": "Versuche, den Contract der Brieftasche auszunutzen.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Finde eine versehentlich ausgelieferte Programmier-Sandbox zum spontanen Schreiben von Smart Contracts.", + "It is just as easy as finding the Score Board.": "Es ist genauso einfach wie die Punkteübersicht zu finden.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "Er könnte ihn bei mindestens einer Gelegenheit vor laufender Kamera herausposaunt haben. 
Vielleicht auch noch anderswo.", + "Find the hidden easter egg.": "Finde das versteckte Ostereier.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Versuche entweder a) einen klugen Brute-Force-Angriff oder b) Reverse Engineering oder c) einige Nachforschungen in der Cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Umgehe eine Sicherheitskontrolle mit einem Poison Null Byte, um auf eine Datei zuzugreifen, die nicht für deine Augen bestimmt ist.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Zweifellos möchtest du unsere Sicherheitsrichtlinie lesen, bevor Du irgendwelche Untersuchungen unserer Anwendung durchführst." } diff --git a/data/static/i18n/el_GR.json b/data/static/i18n/el_GR.json index 22dc6bf17a6..c6f3e555ccc 100644 --- a/data/static/i18n/el_GR.json +++ b/data/static/i18n/el_GR.json 
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/en.json b/data/static/i18n/en.json index f7bd53d3361..0fbfedefbd2 100644 --- a/data/static/i18n/en.json +++ b/data/static/i18n/en.json 
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.", "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.", "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.", "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.", "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/es_ES.json b/data/static/i18n/es_ES.json index 099ee8f5c7f..5389cf05b43 100644 --- a/data/static/i18n/es_ES.json +++ b/data/static/i18n/es_ES.json 
@@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Sobrescribe el archivo Legal Information.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Busca un tweet elogiando la nueva funcionalidad de la tienda web. Luego encuentra una vulnerabilidad de terceros asociada a ella.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Restablece la contraseña de la cuenta OWASP de Bjoern a través del mecanismo Forgot Password con la respuesta original a su pregunta de seguridad.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "Podría haberlo revelado al menos en una ocasión cuando una cámara estaba funcionando. Quizás también en otro lado.", "Learn about the Token Sale before its official announcement.": "Conozca la venta de tokens antes de su anuncio oficial.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "Los desarrolladores realmente creen en \"Seguridad a través de la oscuridad\" sobre las restricciones de acceso reales.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Realiza una ejecución remota de código que mantendría ocupada para siempre a una aplicación menos resistente.", 
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Descubre de dónde podría venir esta información. Luego, crea una cadena de ataque UNION SELECT contra un endpoint que ofrezca una forma innecesaria de filtrar datos.", "Use a deprecated B2B interface that was not properly shut down.": "Usa una interfaz B2B obsoleta que no fué correctamente deshabilitada.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "Los desarrolladores que desactivaron la interfaz piensan que pueden ser invisibles con solo cerrar sus ojos.", - "Find the hidden easter egg.": "Encuentra el huevo de Pascua oculto.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "Si resolviste uno de los tres desafíos de acceso a archivos, ya sabes donde encontrar el huevo de Pascua.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Realiza una divulgación de información no deseada accediendo a datos entre dominios.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Intenta encontrar y atacar un endpoint que responda con información del usuario. La inyección SQL no es la solución aquí.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Deshazte de todos los comentarios de 5 estrellas de los clientes .", "Once you found admin section of the application, this challenge is almost trivial.": "Una vez que hayas encontrado la sección de administración de la aplicación, este desafío es casi trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Falsifica un código de cupón que te dé un descuento de al menos un 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Prueba a) un ataque informado de fuerza bruta o b) ingeniería inversa o c) alguna investigación en la nube.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "Puedes resolver esto manipulando la interfaz de usuario o interceptando la comunicación con el backend RESTful.", "Post a product review as another user or edit any user's existing review.": "Publica una reseña de producto como otro usuario o edita la reseña existente de cualquier usuario.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infecta al servidor con malware jugoso al abusar de la ejecución de comandos arbitrarios.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" es un claro indicador de que esto no tiene nada que ver con nada de Angular. También asegúrese de usar sólo nuestro malware no malicioso.", "Behave like any \"white-hat\" should before getting into the action.": "Compórtate como cualquier \"sombrero blanco\" debería hacerlo antes de entrar en acción.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Sin duda querrás leer nuestra política de seguridad antes de realizar cualquier investigación sobre nuestra aplicación.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Ejecuta un ataque XSS persistente con <iframe src=\"javascript:alert(`xss`)\"> evadiendo un mecanismo de seguridad del lado del cliente.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "El campo \"Comentario\" en la pantalla \"Comentarios del cliente\" es donde quieres centrar tu atención.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Descubre un personaje notorio oculto a simple vista en la tienda. (Menciona el nombre exacto del personaje)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.", "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/et_EE.json b/data/static/i18n/et_EE.json index e623f35f421..156b0726f29 100644 --- a/data/static/i18n/et_EE.json +++ b/data/static/i18n/et_EE.json 
@@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Kirjuta üle Juriidiline Teave fail.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Otsi säutsu, mis kiidab veebipoe uusi funktsioone. Seejärel leidke sellega seotud kolmanda osapoole haavatavus.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Lähtestage Bjoerni OWASP-i konto salasõna Unustatud parooli mehanismi abil, kasutades tema algset turbeküsimuse vastust.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.", "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Teosta koodi kaugkäivitus, mis hoiab vähem karastatud rakenduse hõivatud igavesti. ", 
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.", "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.", - "Find the hidden easter egg.": "Find the hidden easter egg.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Vabanege kõigist viietärni tagasisidest.", "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "Saad selle lahendada kasutajaliidese manipuleerimisega või RESTful rakendusliidese pealtkuulamisega.", "Post a product review as another user or edit any user's existing review.": "Postita tootearvustus teise kasutajana või muutke mõne kasutaja olemasolevat arvustust.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.", "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.", "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Igikeltsa\" 2020 Väljaanne", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", "Best Juice Shop Salesman Artwork": "Parima mahlapoe müügimehe kunstiteos", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/fi_FI.json b/data/static/i18n/fi_FI.json index 22dc6bf17a6..c6f3e555ccc 100644 --- a/data/static/i18n/fi_FI.json +++ b/data/static/i18n/fi_FI.json 
@@ -12,7 +12,6 @@ "Overwrite the Legal Information file.": "Overwrite the Legal Information file.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.", "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.", "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.", "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.", 
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.", 
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.", 
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/fr_FR.json b/data/static/i18n/fr_FR.json
index 7be04f2a756..aef722f0583 100644
--- a/data/static/i18n/fr_FR.json
+++ b/data/static/i18n/fr_FR.json 
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Écraser le fichier Informations juridiques.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Cherchez un tweet qui fait l'éloge d'une nouvelle fonctionnalité de la boutique en ligne, puis trouvez une vulnérabilité de tierce partie associée à celle-ci.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Réinitialiser le mot de passe du compte OWASP de Bjoern via le mécanisme Mot de passe oublié avec la réponse originale à sa question de sécurité.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "Il aurait pu le gâcher au moins une fois quand une caméra était en marche, et peut-être aussi ailleurs.",
 "Learn about the Token Sale before its official announcement.": "En savoir plus sur la vente de jetons avant son annonce officielle.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "Les développeurs croient vraiment en la \"sécurité par l'obscurité\" plutôt qu'à de vraies restrictions d'accès.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Effectue une exécution de code à distance qui garderait une application moins endurcie occupée pour toujours.", 
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Renseignez-vous sur l'origine de ces informations. Concevez ensuite une chaîne d'attaque UNION SELECT contre un endpoint qui offre un moyen inutile de filtrer les données.",
 "Use a deprecated B2B interface that was not properly shut down.": "Utilisez une interface B2B obsolète qui n'a pas été correctement arrêtée.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "Les développeurs qui ont désactivé l'interface pensent qu'ils pourraient être invisibles en fermant les yeux.",
- "Find the hidden easter egg.": "Trouvez l'easter egg caché.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "Si vous avez résolu l'un des trois défis liés à l'accès aux fichiers, vous savez déjà où trouver l'easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Effectuez une divulgation d'informations non souhaitées en accédant à des données inter-domaine.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Essayez de trouver et d'attaquer un endpoint qui répond avec les informations de l'utilisateur. Une injection SQL n'est pas la solution ici.", 
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Vous pouvez vous débarrasser de tous les avis 5 étoiles.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Une fois que vous avez trouvé la section admin de l'application, ce défi est presque trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forgez un code coupon qui vous donne une réduction d'au moins 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Essayez soit a) une attaque de force brute bien connue soit b) du reverse engineering ou c) quelques recherches dans le cloud.",
 "Post some feedback in another user's name.": "Postez un avis avec le nom d'utilisateur de quelqu'un d'autre",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "Vous pouvez résoudre cela en altérant l'interface utilisateur ou en interceptant la communication avec le backend RESTful.",
 "Post a product review as another user or edit any user's existing review.": "Postez un avis de produit en tant qu'un autre utilisateur ou modifiez un avis déjà existant d'un utilisateur.", 
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out un personnage notoire caché dans la boutique. (Mentionnez le nom exact du personnage)", 
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Trouvez la réponse à la question de sécurité d'Emma en regardant son image dans le mur des images et utilisez-la pour réinitialiser son mot de passe via lien Mot de passe oublié.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Regarder attentivement la photo pour déterminer l'endroit où elle a été prise.",
 "Juice Shop \"Permafrost\" 2020 Edition": "\"Permafrost\" Édition 2020",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Meilleure œuvre d'un vendeur",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/ga_IE.json b/data/static/i18n/ga_IE.json
index 22464e1eb7f..641e6c47d62 100644
--- a/data/static/i18n/ga_IE.json
+++ b/data/static/i18n/ga_IE.json 
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.", 
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.", 
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.", 
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/he_IL.json b/data/static/i18n/he_IL.json
index 22dc6bf17a6..c6f3e555ccc 100644
--- a/data/static/i18n/he_IL.json
+++ b/data/static/i18n/he_IL.json 
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.", 
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/hi_IN.json b/data/static/i18n/hi_IN.json
index 22dc6bf17a6..c6f3e555ccc 100644
--- a/data/static/i18n/hi_IN.json
+++ b/data/static/i18n/hi_IN.json
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/hu_HU.json b/data/static/i18n/hu_HU.json
index 22dc6bf17a6..c6f3e555ccc 100644
--- a/data/static/i18n/hu_HU.json
+++ b/data/static/i18n/hu_HU.json
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/id_ID.json b/data/static/i18n/id_ID.json
index 22dc6bf17a6..c6f3e555ccc 100644
--- a/data/static/i18n/id_ID.json
+++ b/data/static/i18n/id_ID.json
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/it_IT.json b/data/static/i18n/it_IT.json
index 22dc6bf17a6..c6f3e555ccc 100644
--- a/data/static/i18n/it_IT.json
+++ b/data/static/i18n/it_IT.json
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/ja_JP.json b/data/static/i18n/ja_JP.json
index 484f6bc6ce8..018e276b263 100644
--- a/data/static/i18n/ja_JP.json
+++ b/data/static/i18n/ja_JP.json
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Legal Informationファイルを上書きします。",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "ウェブショップの新しい機能を称賛するツイートを探してください。その後、それに関連付けられたサードパーティの脆弱性を見つけてください。",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "パスワード忘れた場合のメカニズムからセキュリティの質問に対する元々の答を使って、BjoernのOWASPアカウントのパスワードをリセットしてください。",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "公式発表の前にトークンセールについて学びましょう。",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "これらの開発者は、実際のアクセス制限よりも「隠蔽によるセキュリティ」を信じこんでいます。",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "リモートコード実行 (RCE) の攻撃を行い、堅牢化されていないアプリケーションに対して永遠に負荷をかけ続けましょう。",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "適切にシャットダウンされなかった非推奨のB2Bインターフェースを使用してください。",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "インターフェイスを無効にした開発者は、目を閉じるだけで周りから自分が見えなくなると考えています。",
- "Find the hidden easter egg.": "隠れたイースターエッグを見つける。",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "3つのファイルアクセスの課題のうちの1つを解決すれば、イースターエッグの場所はすでにわかります。",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/ka_GE.json b/data/static/i18n/ka_GE.json
index 22dc6bf17a6..c6f3e555ccc 100644
--- a/data/static/i18n/ka_GE.json
+++ b/data/static/i18n/ka_GE.json
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/ko_KR.json b/data/static/i18n/ko_KR.json
index 34afcc1c60f..caf64d8c979 100644
--- a/data/static/i18n/ko_KR.json
+++ b/data/static/i18n/ko_KR.json
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/lv_LV.json b/data/static/i18n/lv_LV.json
index 3493c66c427..231c7d68d1b 100644
--- a/data/static/i18n/lv_LV.json
+++ b/data/static/i18n/lv_LV.json
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.",
@@ -35,7 +34,6 @@
 "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.",
 "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.",
 "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.",
- "Find the hidden easter egg.": "Find the hidden easter egg.",
 "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.",
 "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.",
 "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.",
@@ -50,7 +48,6 @@
 "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.",
 "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.",
 "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.",
- "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.",
 "Post some feedback in another user's name.": "Post some feedback in another user's name.",
 "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.",
 "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.",
@@ -138,7 +135,6 @@
 "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.",
 "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.",
 "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.",
 "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.",
 "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.",
 "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)",
@@ -310,7 +306,6 @@
 "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.",
 "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.",
 "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition",
- "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
 "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork",
 "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
 "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
@@ -452,5 +447,21 @@
 "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
 "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.",
 "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.",
- "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly."
+ "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.",
+ "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.",
+ "Register a user with an empty email and password.": "Register a user with an empty email and password.",
+ "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
+ "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
+ "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
+ "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
+ "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
+ "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
+ "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
+ "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
+ "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
+ "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.",
+ "Find the hidden easter egg.": "Find the hidden easter egg.",
+ "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
+ "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.",
+ "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
 }
diff --git a/data/static/i18n/my_MM.json b/data/static/i18n/my_MM.json
index 22dc6bf17a6..c6f3e555ccc 100644
--- a/data/static/i18n/my_MM.json
+++ b/data/static/i18n/my_MM.json
@@ -12,7 +12,6 @@
 "Overwrite the Legal Information file.": "Overwrite the Legal Information file.",
 "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.",
 "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.",
- "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.",
 "Learn about the Token Sale before its official announcement.": "Learn about the Token Sale before its official announcement.",
 "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.",
 "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Perform a Remote Code Execution that would keep a less hardened application busy forever.",
@@ -35,7 +34,6 @@ "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.", "Use a deprecated B2B interface that was not properly shut down.": "Use a deprecated B2B interface that was not properly shut down.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "The developers who disabled the interface think they could go invisible by just closing their eyes.", - "Find the hidden easter egg.": "Find the hidden easter egg.", "If you solved one of the three file access challenges, you already know where to find the easter egg.": "If you solved one of the three file access challenges, you already know where to find the easter egg.", "Perform an unwanted information disclosure by accessing data cross-domain.": "Perform an unwanted information disclosure by accessing data cross-domain.", "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.", 
@@ -50,7 +48,6 @@ "Get rid of all 5-star customer feedback.": "Get rid of all 5-star customer feedback.", "Once you found admin section of the application, this challenge is almost trivial.": "Once you found admin section of the application, this challenge is almost trivial.", "Forge a coupon code that gives you a discount of at least 80%.": "Forge a coupon code that gives you a discount of at least 80%.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.", "Post some feedback in another user's name.": "Post some feedback in another user's name.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.", "Post a product review as another user or edit any user's existing review.": "Post a product review as another user or edit any user's existing review.", 
@@ -138,7 +135,6 @@ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infect the server with juicy malware by abusing arbitrary command execution.", "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.", "Behave like any \"white-hat\" should before getting into the action.": "Behave like any \"white-hat\" should before getting into the action.", - "Undoubtably you want to read our security policy before conducting any research on our application.": "Undoubtably you want to read our security policy before conducting any research on our application.", "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.", "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.", "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)", 
@@ -310,7 +306,6 @@ "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.", "Take a look at the details in the photo to determine the location of where it was taken.": "Take a look at the details in the photo to determine the location of where it was taken.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Edition", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork", "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.", "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket", 
@@ -452,5 +447,21 @@ "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.", "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of OWASP Juice Shop that was archived on 02/02/2020 by the GitHub Archive Program and ultimately went into the Arctic Code Vault on July 8. 2020 where it will be safely stored for at least 1000 years.", "Close multiple \"Challenge solved\"-notifications in one go.": "Close multiple \"Challenge solved\"-notifications in one go.", - "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly." + "Either check the official documentation or inspect a notification UI element directly.": "Either check the official documentation or inspect a notification UI element directly.", + "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. 
You probably need an older browser version for this.", + "Register a user with an empty email and password.": "Register a user with an empty email and password.", + "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.", + "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.", + "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.", + "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).", + "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.", + "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.", + "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.", + "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.", + "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.", + "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. 
Maybe elsewhere as well.", + "Find the hidden easter egg.": "Find the hidden easter egg.", + "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.", + "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.", + "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application." } diff --git a/data/static/i18n/nl_NL.json b/data/static/i18n/nl_NL.json index 50efec12a8e..9b50f165019 100644 --- a/data/static/i18n/nl_NL.json +++ b/data/static/i18n/nl_NL.json 
@@ -1,456 +1,467 @@ { "Find the carefully hidden 'Score Board' page.": "Vind de zorgvuldige verborgen 'Scorebord' pagina.", "Try to find a reference or clue behind the scenes. Or simply guess what URL the Score Board might have.": "Probeer in de broncode een referentie of een aanwijzing te vinden. Of raad gewoon welke URL het scorebord zou kunnen hebben.", - "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> without using the frontend application at all.": "Voer een persistente XSS aanval met <iframe src=\"javascript:alert(`xss`)\"> uit zonder gebruik te maken van de frontend applicatie.", - "You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.": "U moet direct met de server-side API werken. Probeer verschillende HTTP woorden uit op verschillende entiteiten die weergeven via de API.", - "Gain access to any access log file of the server.": "Krijg toegang tot elke toegangslog bestand van de server.", + "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> without using the frontend application at all.": "Voer een persistente XSS-aanval met <iframe src=\"javascript:alert(`xss`)\"> uit zonder gebruik te maken van de frontend applicatie.", + "You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.": "Je moet direct met de server-side API werken. 
Probeer verschillende HTTP-woorden uit op de verschillende entiteiten die bereikbaar zijn via de API.", + "Gain access to any access log file of the server.": "Krijg toegang tot elke toegangslog-bestand van de server.", "Who would want a server access log to be accessible through a web application?": "Wie wil dat een servertoegangslogboek toegankelijk is via een webapplicatie?", "Register as a user with administrator privileges.": "Registreer als een gebruiker met beheerdersrechten.", "You have to assign the unassignable.": "Je moet het niet-toewijsbare toewijzen.", - "Access the administration section of the store.": "Toegang tot het beheer gedeelte van de winkel.", + "Access the administration section of the store.": "Toegang tot het beheergedeelte van de winkel.", "It is just slightly harder to find than the score board link.": "Het is net iets moeilijker om te vinden dan de link van het scorebord.", "Overwrite the Legal Information file.": "Overschrijf het Legal Information bestand.", "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "Kijk uit naar een tweet waarin de nieuwe functionaliteit van de webshop wordt geprezen. Zoek vervolgens een kwetsbaarheid van een derde partij erbij.", - "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset het wachtwoord van Björn's OWASP account via het Wachtwoord mechanisme met het oorspronkelijke antwoord op zijn beveiligingsvraag.", - "He might have spoilered it on at least one occasion where a camera was running. Maybe elsewhere as well.": "Hij had het ten minste één keer kunnen vrijgeven toen er een camera actief was. 
Misschien ook nog wel elders.", - "Learn about the Token Sale before its official announcement.": "Meer informatie over de Token Verkoop vóór de officiële aankondiging.", - "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "De ontwikkelaars geloven echt in \"Veiligheid via Obscurity\" boven werkelijke toegangsbeperkingen.", + "Reset the password of Bjoern's OWASP account via the Forgot Password mechanism with the original answer to his security question.": "Reset het wachtwoord van Björn's OWASP account via het Wachtwoord-mechanisme met het oorspronkelijke antwoord op zijn beveiligingsvraag.", + "Learn about the Token Sale before its official announcement.": "Meer informatie over de Tokenverkoop vóór de officiële aankondiging.", + "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "De ontwikkelaars geloven echt in \"Veiligheid door Vaagheid\" boven werkelijke toegangsbeperkingen.", "Perform a Remote Code Execution that would keep a less hardened application busy forever.": "Voer een Remote Code Execution uit die een minder gehard programma voor altijd zal bezighouden.", "The feature you need to exploit for this challenge is not directly advertised anywhere.": "De functie die je moet exploiten voor deze uitdaging wordt nergens direct aangegeven.", - "Submit 10 or more customer feedbacks within 20 seconds.": "Submit 10 or more customer feedbacks within 20 seconds.", - "After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick.": "Schrijf een script die automatisch feedback kan submitten na het vinden van een CAPTCHA bypass. Of open veel browser tabbladen en probeer het snel.", + "Submit 10 or more customer feedbacks within 20 seconds.": "Dien minstens 10 klantenfeedbacks in binnen 20 seconden.", + "After finding a CAPTCHA bypass, write a script that automates feedback submission. 
Or open many browser tabs and be really quick.": "Schrijf een script dat automatisch feedback kan submitten na het vinden van een CAPTCHA bypass. Of open veel browser tabbladen en probeer het snel.", "Change Bender's password into slurmCl4ssic without using SQL Injection or Forgot Password.": "Wijzig Bender zijn wachtwoord in slurmCl4ssic zonder gebruik te maken van SQL Injectie of wachtwoord vergeten.", "In previous releases this challenge was wrongly accused of being based on CSRF.": "In eerdere releases werd deze challenge ten onrechte beschuldigd van het feit dat het gebaseerd was op CSRF.", "Order the Christmas special offer of 2014.": "Bestel de speciale kerstaanbieding van 2014.", "Find out how the application handles unavailable products and try to find a loophole.": "Ontdek hoe de applicatie omgaat met niet-beschikbare producten en probeer een loophole te vinden.", - "Bypass the Content Security Policy and perform an XSS attack with <script>alert(`xss`)</script> on a legacy page within the application.": "Omzeil het Content Security Policy en voer een XSS aanval uit met <script>alert(`xss`)</script> op een legacy pagina binnen de toepassing.", - "What is even \"better\" than a legacy page with a homegrown RegEx sanitizer? Having CSP injection issues on the exact same page as well!": "Wat is zelfs \"beter\" dan een oudere pagina met een homegrown RegEx sanitizer? 
Het hebben van CSP injectie problemen op precies dezelfde pagina!", - "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a client-side security mechanism.": "Voer een persistente XSS aanval met <iframe src=\"javascript:alert(`xss`)\"> uit zonder gebruik te maken van de frontend applicatie.", + "Bypass the Content Security Policy and perform an XSS attack with <script>alert(`xss`)</script> on a legacy page within the application.": "Omzeil de Content Security Policy en voer een XSS-aanval uit met <script>alert(`xss`)</script> op een vervallen pagina binnen de toepassing.", + "What is even \"better\" than a legacy page with a homegrown RegEx sanitizer? Having CSP injection issues on the exact same page as well!": "Wat is zelfs \"beter\" dan een oudere pagina met een homegrown RegEx sanitizer? Het hebben van CSP-injectie problemen op precies dezelfde pagina!", + "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a client-side security mechanism.": "Voer een persistente XSS-aanval met <iframe src=\"javascript:alert(`xss`)\"> uit zonder gebruik te maken van de frontend-applicatie.", "Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen.": "Slechts enkele invoervelden valideren hun input. 
Nog minder van deze velden worden gebruikt op een manier waarop hun inhoud wordt weergegeven op een ander scherm.", "Access a confidential document.": "Toegang tot een vertrouwelijk document.", "Analyze and tamper with links in the application that deliver a file directly.": "Analyseer en manipuleer de links in de applicatie die direct een bestand leveren.", - "Perform a DOM XSS attack with <iframe src=\"javascript:alert(`xss`)\">.": "Voer een DOM XSS aanval uit met <iframe src=\"javascript:alert(`xss`)\">.", - "Look for an input field where its content appears in the HTML when its form is submitted.": "Zoek naar een invoerveld waar de inhoud wordt weergegeven in de HTML wanneer het formulier wordt ingediend.", - "Exfiltrate the entire DB schema definition via SQL Injection.": "Exfiltreer de gehele DB-schema definitie via SQL Injection.", + "Perform a DOM XSS attack with <iframe src=\"javascript:alert(`xss`)\">.": "Voer een DOM XSS-aanval uit met <iframe src=\"javascript:alert(`xss`)\">.", + "Look for an input field where its content appears in the HTML when its form is submitted.": "Zoek naar een invoerveld waarvan de inhoud wordt weergegeven in de HTML wanneer het formulier wordt ingediend.", + "Exfiltrate the entire DB schema definition via SQL Injection.": "Exfiltreer de gehele DB-schema definitie via SQL-injection.", "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "Ontdek waar deze informatie vandaan zou kunnen komen. 
Maak dan een UNION SELECT string die gebruikt kan worden tegen een eindpunt dat een onnodige manier biedt om gegevens te filteren.", - "Use a deprecated B2B interface that was not properly shut down.": "Gebruik een verouderde B2B interface die niet goed is afgesloten.", + "Use a deprecated B2B interface that was not properly shut down.": "Gebruik een verouderde B2B-interface die niet goed is afgesloten.", "The developers who disabled the interface think they could go invisible by just closing their eyes.": "De ontwikkelaars die de interface hebben uitgeschakeld denken dat ze onzichtbaar kunnen worden door gewoon hun ogen te sluiten.", - "Find the hidden easter egg.": "Vind de verborgen Pasen ei.", - "If you solved one of the three file access challenges, you already know where to find the easter egg.": "Als je een van de drie file access challenges hebt kunnen oplossen, weet je al waar je het easteregg kan vinden.", - "Perform an unwanted information disclosure by accessing data cross-domain.": "Krijg ongevraagde informatie door middel van cross-domain data toegang.", - "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Probeer een eindpunt te vinden en voer een aanval hierop uit dat reageert met gebruikersinformatie. 
SQL Injectie is hier niet de oplossing.", - "Log in with the (non-existing) accountant acc0unt4nt@juice-sh.op without ever registering that user.": "Log in met de (niet-bestaande) accountant acc0unt4nt@juice-sh.op zonder deze gebruiker ooit te registreren.", - "Try to create the needed user \"out of thin air\".": "Probeer de benodigde gebruiker \"uit dun lucht\" te maken.", + "If you solved one of the three file access challenges, you already know where to find the easter egg.": "Als je een van de drie bestandstoegang challenges hebt kunnen oplossen, weet je al waar je het paasei kan vinden.", + "Perform an unwanted information disclosure by accessing data cross-domain.": "Krijg ongevraagde informatie door middel van cross-domain datatoegang.", + "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "Zoek een eindpunt dat reageert met gebruikersinformatie en val dit aan. SQL-injectie is hier niet de oplossing.", + "Log in with the (non-existing) accountant acc0unt4nt@juice-sh.op without ever registering that user.": "Log in met de (niet-bestaande) account acc0unt4nt@juice-sh.op zonder deze gebruiker ooit te registreren.", + "Try to create the needed user \"out of thin air\".": "Probeer de benodigde gebruiker \"uit het niets\" te maken.", "Provoke an error that is neither very gracefully nor consistently handled.": "Veroorzaak een fout aan die niet erg veilig en consequent wordt behandeld.", "Try to submit bad input to forms. Alternatively tamper with URL paths or parameters.": "Probeer foutieve invoer in te dienen op formulieren. 
Een alternatief is het manipuleren van een URL of de parameters ervan.", - "Successfully redeem an expired campaign coupon code.": "Succesvol een verlopen campagne coupon code ingewisseld.", + "Successfully redeem an expired campaign coupon code.": "Wissel de verlopen code van een campagnecoupon succesvol in.", "Try to identify past special event or holiday campaigns of the shop first.": "Probeer eerst de geschiedenis van speciale evenementen of vakantiecampagnes van de winkel te identificeren.", - "Retrieve the language file that never made it into production.": "Haal het taalbestand op dat het nooit tot productie heeft gemaakt.", + "Retrieve the language file that never made it into production.": "Haal het taalbestand op dat nooit in productie is genomen.", "Brute force is not the only option for this challenge, but a perfectly viable one.": "Brute force is niet de enige optie voor deze uitdaging, maar het is wel degelijk mogelijk.", "Get rid of all 5-star customer feedback.": "Verwijder alle 5-sterren klantenfeedback.", - "Once you found admin section of the application, this challenge is almost trivial.": "Wanneer je een admin gedeelte van de applicatie hebt gevonden, is deze uitdaging bijna triviaal.", - "Forge a coupon code that gives you a discount of at least 80%.": "Maak een couponcode die je een korting van minstens 80% geeft.", - "Try either a) a knowledgable brute force attack or b) reverse engineering or c) some research in the cloud.": "Probeer a) een knowledgable brute force attack of b) reverse engineering of c) doe onderzoek in de cloud.", - "Post some feedback in another user's name.": "Post some feedback in another user's name.", + "Once you found admin section of the application, this challenge is almost trivial.": "Wanneer je het admin-gedeelte van de applicatie hebt gevonden, is deze uitdaging bijna triviaal.", + "Forge a coupon code that gives you a discount of at least 80%.": "Maak een couponcode die je een korting geeft van minstens 80%.", 
+ "Post some feedback in another user's name.": "Plaats klantenfeedback uit naam van een andere gebruiker.", "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "Je kunt dit oplossen door te knoeien met de gebruikersinterface of door de verbinding te onderscheppen met de RESTful backend.", "Post a product review as another user or edit any user's existing review.": "Plaats een productbeoordeling als een andere gebruiker of bewerk de bestaande beoordeling van een gebruiker.", - "Observe the flow of product review posting and editing and see if you can exploit it.": "Observeer de flow van product beoordelingen plaatsen en bewerken en kijk of je het kunt exploiten.", - "Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op.": "Vekrijg een bijna juist RSA-ondertekend JWT token dat de (niet-bestaande) gebruiker rsa_lord@juice-sh.op nabootst.", + "Observe the flow of product review posting and editing and see if you can exploit it.": "Observeer hoe productbeoordelingen geplaatst en bewerkt worden en kijk of je dit kunt gebruiken.", + "Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op.": "Vekrijg een bijna correct RSA-ondertekend JWT-token dat de (niet-bestaande) gebruiker rsa_lord@juice-sh.op nabootst.", "This challenge is explicitly not about acquiring the RSA private key used for JWT signing.": "Deze uitdaging gaat expliciet niet over het verkrijgen van de RSA private key die wordt gebruikt voor JWT signing.", - "Access a developer's forgotten backup file.": "Vekrijg toegang tot het vergeten backup bestand van een ontwikkelaar.", + "Access a developer's forgotten backup file.": "Vekrijg toegang tot het vergeten backup-bestand van een ontwikkelaar.", "You need to trick a security mechanism into thinking that the file you want has a valid file type.": "Je moet een beveiligingsmechanisme 
misleiden om te denken dat het bestand dat je wilt een geldig bestandstype heeft.", - "Access a salesman's forgotten backup file.": "Verkrijg toegang tot het vergeten backup bestand van een salesman.", - "Inform the shop about a typosquatting imposter that dug itself deep into the frontend. (Mention the exact name of the culprit)": "Informeer de shop over een typosquatting imposter dat diep in de frontend zit verwerkt. (Vermeld de exacte naam van de auteur)", - "This challenge has nothing to do with mistyping web domains. There is no conveniently misplaced file helping you with this one either. Or is there?": "Deze uitdaging heeft niets te maken met het verkeerd typen van URLs. Er is ook geen misplaatst bestand dat je helpt met dit. Of is die er toch?", - "Log in with Chris' erased user account.": "Log in met Chris zijn verwijderde gebruikersaccount.", - "Turns out that something is technically and legally wrong with the implementation of the \"right to be forgotten\" for users.": "Blijkt dat er zowel legaal als technisch iets mis is met de de implementatie van het \"Recht op vergeten te worden\" van gebruikers.", + "Access a salesman's forgotten backup file.": "Verkrijg toegang tot het vergeten backup-bestand van een verkoper.", + "Inform the shop about a typosquatting imposter that dug itself deep into the frontend. (Mention the exact name of the culprit)": "Informeer de shop over een typosquatting bedrieger die diep in de frontend zit verwerkt. (Vermeld de exacte naam van de dader)", + "This challenge has nothing to do with mistyping web domains. There is no conveniently misplaced file helping you with this one either. Or is there?": "Deze uitdaging heeft niets te maken met het verkeerd typen van URLs. Er is ook geen misplaatst bestand dat je hiermee helpt. 
Of is die er toch?", + "Log in with Chris' erased user account.": "Log in met het verwijderde gebruikersaccount van Chris.", + "Turns out that something is technically and legally wrong with the implementation of the \"right to be forgotten\" for users.": "Blijkt dat er zowel juridisch als technisch iets mis is met de de implementatie van het \"Recht op vergeten te worden\" van gebruikers.", "Steal someone else's personal data without using Injection.": "Steel iemands persoonlijke gegevens zonder Injectie te gebruiken.", - "Trick the regular Data Export to give you more than actually belongs to you.": "Manipuleer de reguliere gegevensexport om meer gegevens te krijgen dan dat ze tot jou toe behoren.", - "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> through an HTTP header.": "Voer een persistente XSS aanval met <iframe src=\"javascript:alert(`xss`)\"> uit door middel van een HTTP Header.", + "Trick the regular Data Export to give you more than actually belongs to you.": "Manipuleer de reguliere gegevensexport zodat je meer dan alleen jouw eigen gegevens krijgt.", + "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> through an HTTP header.": "Voer een persistente XSS-aanval uit met <iframe src=\"javascript:alert(`xss`)\"> in een HTTP-header.", "Finding a piece of displayed information that could originate from an HTTP header is part of this challenge.": "Een stuk weergegeven informatie vinden dat uit een HTTP-header kan komen maakt deel uit van deze challenge.", - "Solve challenge #999. Unfortunately, this challenge does not exist.": "los uitdaging #999 op. Helaas bestaat deze uitdaging niet.", - "You need to trick the hacking progress persistence feature into thinking you solved challenge #999.": "Je moet de hacking progress feature manipuleren zodat hij denkt dat je challenge #999 hebt opgelost.", - "Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. 
(Creating a new account with the same password does not qualify as a solution.)": "Zoek over het internet naar een gelekt wachtwoord en log in met het originele account dat hieraan verbonden is. (Een nieuw account aanmaken met hetzelfde wachtwoord telt niet als een oplossing.)", + "Solve challenge #999. Unfortunately, this challenge does not exist.": "Los uitdaging #999 op. Helaas bestaat deze uitdaging niet.", + "You need to trick the hacking progress persistence feature into thinking you solved challenge #999.": "Je moet de hacking progress registratiefunctie manipuleren, zodat hij denkt dat je challenge #999 hebt opgelost.", + "Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)": "Doorzoek het internet naar een gelekt wachtwoord en log in met het originele account dat hieraan verbonden is. (Een nieuw account aanmaken met hetzelfde wachtwoord telt niet als een oplossing.)", "Once you have it, a technique called \"Password Spraying\" might prove useful.": "Zodra je het hebt, kan een techniek met de naam \"Password Spraying\" nuttig zijn.", "Identify an unsafe product that was removed from the shop and inform the shop which ingredients are dangerous.": "Identificeer een onveilig product dat is verwijderd uit de winkel en informeer de winkel welke ingrediënten gevaarlijk zijn.", - "Your own SQLi and someone else's Ctrl-V will be your accomplices in this challenge!": "Je eigen SQLi en iemand anders Ctrl-V zijn jouw verdiensten in deze uitdaging!", - "Inform the shop about a typosquatting trick it has been a victim of at least in v6.2.0-SNAPSHOT. (Mention the exact name of the culprit)": "Informeer de winkel over een typosquatting truc waarvan het ten minste het slachtoffer is geworden in v6.2.0-SNAPSHOT. (Vermeld de exacte naam van de auteur)", - "This challenge has nothing to do with mistyping web domains. 
Investigate the forgotten developer's backup file instead.": "Deze uitdaging heeft niets te maken met veranderen van URLs. Onderzoek in plaats daarvan het back-upbestand dat de ontwikkelaar is vergeten te verwijderen.", + "Your own SQLi and someone else's Ctrl-V will be your accomplices in this challenge!": "Je eigen SQLi en de Ctrl-V van iemand anders zijn jouw handlangers in deze uitdaging!", + "Inform the shop about a typosquatting trick it has been a victim of at least in v6.2.0-SNAPSHOT. (Mention the exact name of the culprit)": "Informeer de winkel over een typosquatting truc waarvan het in ieder geval in v6.2.0-SNAPSHOT het slachtoffer is geweest. (Vermeld de exacte naam van de dader)", + "This challenge has nothing to do with mistyping web domains. Investigate the forgotten developer's backup file instead.": "Deze uitdaging heeft niets te maken met typfouten in domeinnamen. Onderzoek in plaats daarvan het back-upbestand dat de ontwikkelaar is vergeten te verwijderen.", "Log in with the administrator's user account.": "Log in met het gebruikersaccount van de beheerder.", - "Try different SQL Injection attack patterns depending whether you know the admin's email address or not.": "Probeer verschillende SQL Injection aanvalspatronen ondanks of je het emailadres van de beheerder hebt of niet.", - "Log in with Amy's original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the \"One Important Final Note\")": "Log in met de originele gebruikersgegevens van Amy. (Dit kan 93.83 biljoen triljoen triljoen jaar duren om te brute forcen, maar gelukkig las ze de \"Eén belangrijke slotopmerking\" niet.).", + "Try different SQL Injection attack patterns depending whether you know the admin's email address or not.": "Probeer verschillende aanvalspatronen voor SQL-injectie, afhankelijk van of je het emailadres van de beheerder wel of niet hebt.", + "Log in with Amy's original user credentials. 
(This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the \"One Important Final Note\")": "Log in met de originele gebruikersgegevens van Amy. (Dit kan 93.83 miljard biljoen biljoen eeuwen duren om te brute forcen, maar gelukkig las ze de \"Eén belangrijke slotopmerking\" niet.).",
 "This challenge will make you go after a needle in a haystack.": "Door deze uitdaging ga je zoeken naar een naald in een hooiberg.",
- "Log in with Bender's user account.": "Log in met Bender zijn gebruikersaccount.",
- "If you know Bender's email address, try SQL Injection. Bender's password hash might not help you very much.": "Als je het e-mailadres van Bender weet, probeer dan SQL Injectie. Het wachtwoord hash zal je niet heel erg helpen.",
+ "Log in with Bender's user account.": "Log in met het gebruikersaccount van Bender.",
+ "If you know Bender's email address, try SQL Injection. Bender's password hash might not help you very much.": "Als je het e-mailadres van Bender weet, probeer dan SQL-injectie. De hash van zijn wachtwoord zal je niet heel erg helpen.",
 "Log in with Bjoern's Gmail account without previously changing his password, applying SQL Injection, or hacking his Google account.": "Log in met Björn's Gmail account zonder eerder zijn wachtwoord te wijzigen, SQL Injectie toe te passen of zijn Google-account te hacken.",
 "The security flaw behind this challenge is 100% OWASP Juice Shop's fault and 0% Google's.": "De beveiligingsfout achter deze uitdaging is 100% een fout van de OWASP Juice Shop en 0% van Google's.",
- "Exploit OAuth 2.0 to log in with the Chief Information Security Officer's user account.": "Exploit OAuth 2.0 om in te loggen met de Chief Information Security Officer's gebruikersaccount.",
- "Don't try to beat Google's OAuth 2.0 service. Rather investigate implementation flaws on OWASP Juice Shop's end.": "Probeer de OAuth 2.0-service van Google niet te verslaan. 
Onderzoek eerder de implementatiefouten van de OWASP Juice Shop.",
- "Log in with Jim's user account.": "Log in met Jim's gebruikersaccount.",
+ "Exploit OAuth 2.0 to log in with the Chief Information Security Officer's user account.": "Gebruik OAuth 2.0 om in te loggen met het gebruikersaccount van de Chief Information Security Officer.",
+ "Don't try to beat Google's OAuth 2.0 service. Rather investigate implementation flaws on OWASP Juice Shop's end.": "Probeer niet de OAuth 2.0-service van Google te verslaan. Onderzoek in plaats daarvan de implementatiefouten van de OWASP Juice Shop.",
+ "Log in with Jim's user account.": "Log in met het gebruikersaccount van Jim.",
 "Try cracking Jim's password hash if you harvested it already. Alternatively, if you know Jim's email address, try SQL Injection.": "Probeer Jim's wachtwoord hash te kraken als je deze al hebt verkegen. Als je ook het e-mailadres van Jim weet, probeer dan SQL Injection.",
- "Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass.": "Log in met de originele gebruikersgegevens van MC SafeSearch zonder SQL Injectie of andere bypass toe te passen.",
- "You should listen to MC's hit song \"Protect Ya Passwordz\".": "Je moet luisteren naar het hit nummer van MC: \"Protect Ya Passwordz\".",
- "Log in with the support team's original user credentials without applying SQL Injection or any other bypass.": "Log in met de originele gebruikersgegevens van het supportteam zonder SQL Injectie of andere bypass toe te passen.",
- "The underlying flaw of this challenge is a lot more human error than technical weakness.": "De onderliggende fout van deze uitdaging is veel meer menselijke fouten dan technische zwakheid.",
+ "Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass.": "Log in met de originele gebruikersgegevens van MC SafeSearch zonder SQL-injectie of andere bypass toe te passen.",
+ "You should listen to 
MC's hit song \"Protect Ya Passwordz\".": "Je zou moeten luisteren naar het hit nummer van MC: \"Protect Ya Passwordz\".",
+ "Log in with the support team's original user credentials without applying SQL Injection or any other bypass.": "Log in met de originele gebruikersgegevens van het supportteam zonder SQL-injectie of andere bypass toe te passen.",
+ "The underlying flaw of this challenge is a lot more human error than technical weakness.": "De onderliggende fout van deze uitdaging is meer een menselijke fout dan een technische zwakheid.",
 "Put an additional product into another user's shopping basket.": "Plaats een extra product in het winkelmandje van een andere gebruiker.",
- "Have an eye on the HTTP traffic while placing products in the shopping basket. Changing the quantity of products already in the basket doesn't count.": "Houd rekening met het HTTP-verkeer tijdens het toevoegen van producten in de winkelwagen. Het wijzigen van de hoeveelheid producten die al in de mand staan telt niet mee.",
- "Access a misplaced SIEM signature file.": "Krijg toegang tot een verkeerd geplaatst SIEM signature bestand.",
- "Like any review at least three times as the same user.": "Like een willekeurige recensie ten minste drie keer als dezelfde gebruiker.",
+ "Have an eye on the HTTP traffic while placing products in the shopping basket. Changing the quantity of products already in the basket doesn't count.": "Let op het HTTP-verkeer tijdens het toevoegen van producten aan het winkelmandje. 
Het wijzigen van het aantal van een product in het mandje telt niet mee.",
+ "Access a misplaced SIEM signature file.": "Krijg toegang tot een verkeerd geplaatst SIEM signature-bestand.",
+ "Like any review at least three times as the same user.": "Like een willekeurige productbeoordeling ten minste drie keer als dezelfde gebruiker.",
 "Punctuality is the politeness of kings.": "Punctualiteit is de beleefdheid van koningen.",
- "Apply some advanced cryptanalysis to find the real easter egg.": "Pas geavanceerde cryptanalyse toe om de echte easter egg te vinden.",
- "You might have to peel through several layers of tough-as-nails encryption for this challenge.": "Mogelijk moet je door verschillende lagen tough-as-nails encryptie heen gaan voor deze challenge.",
+ "Apply some advanced cryptanalysis to find the real easter egg.": "Pas geavanceerde cryptanalyse toe om het echte paasei te vinden.",
+ "You might have to peel through several layers of tough-as-nails encryption for this challenge.": "Mogelijk moet je door verschillende lagen spijkerharde encryptie breken voor deze challenge.",
 "Let the server sleep for some time. (It has done more than enough hard work for you)": "Laat de server even rusten. (Het heeft meer dan genoeg werk voor je gedaan)",
- "This challenge is essentially a stripped-down Denial of Service (DoS) attack.": "Deze uitdaging is in wezen een gestripte variant van de Service (DoS)-aanval.",
- "All your orders are belong to us! Even the ones which don't.": "Al je bestellingen horen bij ons! Zelfs zij die dat niet doen.",
- "Take a close look on how the $where query operator works in MongoDB.": "Kijk eens hoe de $where query operator in MongoDB werkt.",
+ "This challenge is essentially a stripped-down Denial of Service (DoS) attack.": "Deze uitdaging is in wezen een uitgeklede Denial of Service (DoS)-aanval.",
+ "All your orders are belong to us! Even the ones which don't.": "Al jouw bestellingen zijn behoren van ons! 
Zelfs die die dat niet zijn.",
+ "Take a close look on how the $where query operator works in MongoDB.": "Kijk eens goed hoe de $where query-operator van MongoDB werkt.",
 "Update multiple product reviews at the same time.": "Update meerdere productbeoordelingen tegelijkertijd.",
- "Take a close look on how the equivalent of UPDATE-statements in MongoDB work.": "Kijk eens hoe het equivalent van UPDATE-statements in MongoDB wordt gebruikt.",
- "Let us redirect you to one of our crypto currency addresses which are not promoted any longer.": "Laten ons je omleiden naar een van onze crypto valutaadressen die niet langer worden gebruikt.",
- "We might have failed to take this out of our code properly.": "Misschien was het niet goed gelukt om dit uit onze code te halen.",
- "Log in with the administrator's user credentials without previously changing them or applying SQL Injection.": "Log in met de gebruikersgegevens van de beheerder, zonder deze eerder te wijzigen of SQL Injectie toe te passen.",
- "This one should be equally easy to a) brute force, b) crack the password hash or c) simply guess.": "Dit zou net zo gemakkelijk moeten zijn als a) brute force, b) het wachtwoord hash kraken of c) simpelweg raden.",
+ "Take a close look on how the equivalent of UPDATE-statements in MongoDB work.": "Kijk eens goed hoe het equivalent van UPDATE-statements in MongoDB wordt gebruikt.",
+ "Let us redirect you to one of our crypto currency addresses which are not promoted any longer.": "Laat ons je doorverwijzen naar een van onze cryptovaluta-adressen die niet langer worden gebruikt.",
+ "We might have failed to take this out of our code properly.": "Misschien is het niet goed gelukt om dit uit onze code te halen.",
+ "Log in with the administrator's user credentials without previously changing them or applying SQL Injection.": "Log in met de gebruikersgegevens van de beheerder, zonder deze eerder te wijzigen of SQL-injectie toe te passen.",
+ "This one should be equally easy to a) 
brute force, b) crack the password hash or c) simply guess.": "Dit zou even gemakkelijk moeten zijn a) te brute forcen, b) het wachtwoord-hash te kraken of c) simpelweg te raden.",
 "Place an order that makes you rich.": "Plaats een bestelling die je rijk maakt.",
- "You literally need to make the shop owe you any amount of money.": "Je moet ervoor zorgen dat de winkel een bedrag aan jou verschuldigd is.",
+ "You literally need to make the shop owe you any amount of money.": "Je moet ervoor zorgen dat de winkel jou een bedrag verschuldigd is.",
 " Unlock Premium Challenge to access exclusive content.": " Ontgrendel Premium Challenge om toegang te krijgen tot exclusieve content.",
 "You do not have to pay anything to unlock this challenge! Nonetheless, donations are very much appreciated.": "Je hoeft niets te betalen om deze uitdaging te ontgrendelen! Toch worden donaties zeer gewaardeerd.",
 "Read our privacy policy.": "Lees onze privacyverklaring.",
 "We won't even ask you to confirm that you did. Just read it. Please. Pretty please.": "We zullen je zelfs niet vragen om te bevestigen dat je het gedaan hebt. Lees het. 
Alstublieft.",
- "Prove that you actually read our privacy policy.": "Bewijs dat je onze privacybeleid echt leest.",
- "Only by visiting a special URL you can confirm that you read it carefully.": "Alleen door een speciale URL te bezoeken kunt u bevestigen dat u het zorgvuldig leest.",
- "Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com.": "Wijzig de href van de OWASP SSL Advanced Forensic Tool (O-Saft) productbeschrijving naar https://owasp.slack.com.",
- "Look for one of the following: a) broken admin functionality, b) holes in RESTful API or c) possibility for SQL Injection.": "Zoek naar een van de volgende: a) defecte admin functionaliteit, b) gaten in de RESTful API of c) mogelijkheid voor SQL Injectie.",
- "Perform a reflected XSS attack with <iframe src=\"javascript:alert(`xss`)\">.": "Voer een DOM XSS aanval uit met <iframe src=\"javascript:alert(`xss`)\">.",
- "Look for an input field where its content appears in the response HTML when its form is submitted.": "Zoek naar een invoerveld waar de inhoud wordt weergegeven in de HTML wanneer het formulier wordt ingediend.",
+ "Prove that you actually read our privacy policy.": "Bewijs dat je onze privacyverklaring echt gelezen hebt.",
+ "Only by visiting a special URL you can confirm that you read it carefully.": "Alleen door een speciale URL te bezoeken kan je bevestigen dat je het zorgvuldig gelezen hebt.",
+ "Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into https://owasp.slack.com.": "Wijzig de href van de productbeschrijving van OWASP SSL Advanced Forensic Tool (O-Saft) naar https://owasp.slack.com.",
+ "Look for one of the following: a) broken admin functionality, b) holes in RESTful API or c) possibility for SQL Injection.": "Zoek naar: a) een defecte beheerfunctionaliteit, b) gaten in de RESTful API of c) een mogelijkheid voor SQL-injectie.",
+ "Perform a reflected XSS 
attack with <iframe src=\"javascript:alert(`xss`)\">.": "Voer een reflexieve XSS-aanval uit met <iframe src=\"javascript:alert(`xss`)\">.",
+ "Look for an input field where its content appears in the response HTML when its form is submitted.": "Zoek naar een invoerveld waarvan de inhoud wordt weergegeven in het HTML-antwoord wanneer het formulier wordt ingediend.",
 "Follow the DRY principle while registering a user.": "Volg het DRY principe bij het registreren van een gebruiker.",
 "You can solve this by cleverly interacting with the UI or bypassing it altogether.": "Je kunt dit oplossen door slim gebruik te maken van de UI of door deze volledig te omzeilen.",
- "Reset Bender's password via the Forgot Password mechanism with the original answer to his security question.": "Reset het wachtwoord van Bender's OWASP account via het Wachtwoord mechanisme met het oorspronkelijke antwoord op zijn beveiligingsvraag.",
- "Not as trivial as Jim's but still not too difficult with some \"Futurama\" background knowledge.": "Niet zo triviaal als Jim maar nog steeds niet zo moeilijk met wat \"Futurama\" achtergrondkennis.",
- "Reset the password of Bjoern's internal account via the Forgot Password mechanism with the original answer to his security question.": "Reset het wachtwoord van Björn's OWASP account via het Wachtwoord mechanisme met het oorspronkelijke antwoord op zijn beveiligingsvraag.",
- "Nothing a little bit of Facebook stalking couldn't reveal. Might involve a historical twist.": "Niets wat een beetje Facebook-stalking kon onthullen. 
Het kan een historische omwenteling met zich meebrengen.",
- "Reset Jim's password via the Forgot Password mechanism with the original answer to his security question.": "Reset het wachtwoord van Jim's OWASP account via het Wachtwoord mechanisme met het oorspronkelijke antwoord op zijn beveiligingsvraag.",
- "It's hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly exposed.": "Het is moeilijk voor beroemdheden om een veiligheidsvraag te kiezen uit een vooraf ingevulde lijst waar het antwoord niet publiekelijk wordt onthuld.",
- "Reset Morty's password via the Forgot Password mechanism with his obfuscated answer to his security question.": "Reset het wachtwoord van Morty's OWASP account via het Wachtwoord mechanisme met het gehusselde antwoord op zijn beveiligingsvraag.",
- "Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty's security question.": "Zoek een manier om de rate limit te omzeilen en brute force het gehusselde antwoord van Morty's beveiligingsvraag.",
- "Deprive the shop of earnings by downloading the blueprint for one of its products.": "Verminder de winstwinkel door de blauwdruk voor een van zijn producten te downloaden.",
+ "Reset Bender's password via the Forgot Password mechanism with the original answer to his security question.": "Reset het wachtwoord van het OWASP-account van Bender via het Wachtwoord Vergeten-mechanisme met het oorspronkelijke antwoord op zijn beveiligingsvraag.",
+ "Not as trivial as Jim's but still not too difficult with some \"Futurama\" background knowledge.": "Niet zo triviaal als bij Jim, maar nog steeds niet zo moeilijk met wat \"Futurama\" achtergrondkennis.",
+ "Reset the password of Bjoern's internal account via the Forgot Password mechanism with the original answer to his security question.": "Reset het wachtwoord van het OWASP-account van Björn via het Wachtwoord Vergeten-mechanisme met het oorspronkelijke antwoord op zijn 
beveiligingsvraag.",
+ "Nothing a little bit of Facebook stalking couldn't reveal. Might involve a historical twist.": "Niets wat een beetje Facebook-stalking niet kan onthullen. Er kan een historische draai nodig zijn.",
+ "Reset Jim's password via the Forgot Password mechanism with the original answer to his security question.": "Reset het wachtwoord van het OWASP-account van Jim via het Wachtwoord Vergeten-mechanisme met het oorspronkelijke antwoord op zijn beveiligingsvraag.",
+ "It's hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly exposed.": "Het is moeilijk voor beroemdheden om een veiligheidsvraag te kiezen uit een vaste lijst, zonder dat het antwoord publiekelijk bekend is.",
+ "Reset Morty's password via the Forgot Password mechanism with his obfuscated answer to his security question.": "Reset het wachtwoord van het OWASP-account van Morty via het Wachtwoord Vergeten-mechanisme met zijn versluierde antwoord op zijn beveiligingsvraag.",
+ "Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty's security question.": "Zoek een manier om de beperkingen op herhaald proberen te omzeilen en brute force het versluierde antwoord van Mortys beveiligingsvraag.",
+ "Deprive the shop of earnings by downloading the blueprint for one of its products.": "Beroof de winkel van zijn winst, door de blauwdruk van een van zijn producten te downloaden.",
 "The product you might want to give a closer look is the OWASP Juice Shop Logo (3D-printed).": "Het product dat je misschien wat nauwkeuriger wilt bekijken is het OWASP Juice Shop Logo (3D-geprint).",
- "Request a hidden resource on server through server.": "Vraag een verborgen bron aan op server via de server.",
+ "Request a hidden resource on server through server.": "Vraag de server om een verborgen bron via de server.",
 "Reverse engineering something bad can make good things happen.": "Met Reverse Engineering kan je van iets slechts wat 
goeds maken.",
- "Infect the server with juicy malware by abusing arbitrary command execution.": "Infecteer de server met sappige malware door het misbruiken van willekeurige commando-executie.",
- "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is een duidelijke indicator dat dit niets met Angular te maken heeft. Zorg ervoor dat je alleen onze niet-kwaadaardige malware gebruikt.",
+ "Infect the server with juicy malware by abusing arbitrary command execution.": "Infecteer de server met sappige malware door het misbruik te maken van de mogelijkheid een willekeurige commando uit te voeren.",
+ "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "\"SSTi\" is een duidelijke indicatie dat dit niets met Angular te maken heeft. Zorg ervoor dat je alleen onze niet-kwaadaardige malware gebruikt.",
 "Behave like any \"white-hat\" should before getting into the action.": "Gedraag je als een \"white-hat\" voordat je in actie komt.",
- "Undoubtably you want to read our security policy before conducting any research on our application.": "Je zal ongetwijfeld ons veiligheidsbeleid willen lezen voordat je de applicatie zal gaan onderzoeken.",
- "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Voer een persistente XSS aanval met <iframe src=\"javascript:alert(`xss`)\"> uit zonder gebruik te maken van de backend applicatie.",
- "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "Het veld \"Commentaar\" in het scherm \"Klant Feedback\" is waar je je focus op wilt hebben.",
- "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Rat out a notorious character hiding in plain sight in the shop. 
(Mention the exact name of the character)",
- "No matter how good your eyes are, you will need tool assistance for this challenge.": "No matter how good your eyes are, you will need tool assistance for this challenge.",
- "Perform a Remote Code Execution that occupies the server for a while without using infinite loops.": "Perform a Remote Code Execution that occupies the server for a while without using infinite loops.",
- "Your attack payload must not trigger the protection against too many iterations.": "Your attack payload must not trigger the protection against too many iterations.",
- "This vulnerability will not affect any customer of the shop. It is aimed exclusively at its developers.": "This vulnerability will not affect any customer of the shop. It is aimed exclusively at its developers.",
- "Solve the 2FA challenge for user \"wurstbrot\". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)": "Solve the 2FA challenge for user \"wurstbrot\". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)",
- "The 2FA implementation requires to store a secret for every user. You will need to find a way to access this secret in order to solve this challenge.": "The 2FA implementation requires to store a secret for every user. You will need to find a way to access this secret in order to solve this challenge.",
- "Forge an essentially unsigned JWT token that impersonates the (non-existing) user jwtn3d@juice-sh.op.": "Forge an essentially unsigned JWT token that impersonates the (non-existing) user jwtn3d@juice-sh.op.",
- "This challenge exploits a weird option that is supported when signing tokens with JWT.": "This challenge exploits a weird option that is supported when signing tokens with JWT.",
- "Upload a file larger than 100 kB.": "Upload a file larger than 100 kB.",
- "You can attach a small file to the \"Complaint\" form. 
Investigate how this upload actually works.": "You can attach a small file to the \"Complaint\" form. Investigate how this upload actually works.",
- "Upload a file that has no .pdf or .zip extension.": "Upload a file that has no .pdf or .zip extension.",
- "You can attach a PDF or ZIP file to the \"Complaint\" form. Investigate how this upload actually works.": "You can attach a PDF or ZIP file to the \"Complaint\" form. Investigate how this upload actually works.",
- "Retrieve a list of all user credentials via SQL Injection.": "Retrieve a list of all user credentials via SQL Injection.",
- "Gather information on where user data is stored and how it is addressed. Then craft a corresponding UNION SELECT attack.": "Gather information on where user data is stored and how it is addressed. Then craft a corresponding UNION SELECT attack.",
- "Embed an XSS payload </script><script>alert(`xss`)</script> into our promo video.": "Embed an XSS payload </script><script>alert(`xss`)</script> into our promo video.",
- "You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.": "You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.",
- "View another user's shopping basket.": "View another user's shopping basket.",
- "Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.": "Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.",
- "Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment)": "Inform the shop about a vulnerable library it is using. 
(Mention the exact library name and version in your comment)",
+ "Perform a persisted XSS attack with <iframe src=\"javascript:alert(`xss`)\"> bypassing a server-side security mechanism.": "Voer een persistente XSS-aanval met <iframe src=\"javascript:alert(`xss`)\"> uit, zonder gebruik te maken van de backend-applicatie.",
+ "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "Het veld \"Commentaar\" in het scherm \"Klantfeedback\" is waar je je focus op wilt hebben.",
+ "Rat out a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "Ontdek een berucht personage dat zich in het volle zicht schuilhoudt in de shop. (Noem de precieze naam van het personage)",
+ "No matter how good your eyes are, you will need tool assistance for this challenge.": "Hoe goed je ogen ook zijn, je hebt hulp van een tool nodig voor deze uitdaging.",
+ "Perform a Remote Code Execution that occupies the server for a while without using infinite loops.": "Voer een Remote Code Execution zonder oneindige loops uit, die de server een tijdje bezighoudt.",
+ "Your attack payload must not trigger the protection against too many iterations.": "De data die je als onderdeel van je aanval stuurt mag de bescherming tegen teveel pogingen niet activeren.",
+ "This vulnerability will not affect any customer of the shop. It is aimed exclusively at its developers.": "Deze kwetsbaarheid heeft geen effect op de winkel en is uitsluitend gericht op de ontwikkelaars van de winkel.",
+ "Solve the 2FA challenge for user \"wurstbrot\". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)": "Los de 2FA-uitdaging voor gebruiker \"wurstbrot\" op. (Uitschakelen, omzeilen of overschrijven van zijn 2FA-instellingen telt niet als een oplossing)",
+ "The 2FA implementation requires to store a secret for every user. 
You will need to find a way to access this secret in order to solve this challenge.": "De 2FA-implementatie vereist dat voor elke gebruiker een geheim wordt opgeslagen. Je moet een manier vinden om deze geheimen te lezen om deze uitdaging te voltooien.",
+ "Forge an essentially unsigned JWT token that impersonates the (non-existing) user jwtn3d@juice-sh.op.": "Vervals een feitelijk niet-ondertekend JWT-token dat van de (niet-bestaande) gebruiker jwtn3d@juice-sh.op lijkt te zijn.",
+ "This challenge exploits a weird option that is supported when signing tokens with JWT.": "Deze uitdaging maakt gebruik van een merkwaardige optie in het ondertekenen van tokens met JWT.",
+ "Upload a file larger than 100 kB.": "Upload een file van meer dan 100 kB.",
+ "You can attach a small file to the \"Complaint\" form. Investigate how this upload actually works.": "Je kunt een klein bestand meesturen met het \"Klachten\"-formulier. Onderzoek hoe dit feitelijk werkt.",
+ "Upload a file that has no .pdf or .zip extension.": "Upload een bestand zonder extensie .pdf of .zip.",
+ "You can attach a PDF or ZIP file to the \"Complaint\" form. Investigate how this upload actually works.": "Je kunt een PDF- of ZIP-bestand meesturen met het \"Klachten\"-formulier. Onderzoek hoe dit feitelijk werkt.",
+ "Retrieve a list of all user credentials via SQL Injection.": "Haal de lijst met alle gebruikerscredentials op met behulp van SQL-injection.",
+ "Gather information on where user data is stored and how it is addressed. Then craft a corresponding UNION SELECT attack.": "Verzamel informatie over de locatie en ontsluiting van gebruikersgegevens. 
Zet daarna een bijbehorende UNION SELECT-aanval op.",
+ "Embed an XSS payload </script><script>alert(`xss`)</script> into our promo video.": "Plaats een XSS-payload </script><script>alert(`xss`)</script> in onze promo-video.",
+ "You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.": "Je moet opnieuw gebruik maken van een kwetsbaarheid uit een van de andere 6-sterren uitdagingen voor de oplossing van deze uitdaging.",
+ "View another user's shopping basket.": "Bekijk het winkelmandje van een andere gebruiker.",
+ "Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.": "Kijk naar het HTTP-verkeer terwijl je winkelt. Je kunt ook kijken naar de relatie van een klant met diens winkelmandje.",
+ "Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment)": "Informeer de winkel over een kwetsbaarheid in een bibliotheek die ze gebruiken. (Noem de precieze bibliotheek en versie in je melding)",
 "Report one of two possible answers via the \"Customer Feedback\" form. Do not forget to submit the library's version as well.": "Report one of two possible answers via the \"Customer Feedback\" form. 
Do not forget to submit the library's version as well.",
- "Inform the shop about an algorithm or library it should definitely not use the way it does.": "Inform the shop about an algorithm or library it should definitely not use the way it does.",
- "Report one of four possible answers via the \"Customer Feedback\" form.": "Report one of four possible answers via the \"Customer Feedback\" form.",
- "Enforce a redirect to a page you are not supposed to redirect to.": "Enforce a redirect to a page you are not supposed to redirect to.",
- "You have to find a way to beat the allowlist of allowed redirect URLs.": "You have to find a way to beat the allowlist of allowed redirect URLs.",
- "Retrieve the content of C:\\Windows\\system.ini or /etc/passwd from the server.": "Retrieve the content of C:\\Windows\\system.ini or /etc/passwd from the server.",
- "The leverage point for this challenge is the deprecated B2B interface.": "The leverage point for this challenge is the deprecated B2B interface.",
- "Give the server something to chew on for quite a while.": "Give the server something to chew on for quite a while.",
- "It is not as easy as sending a large amount of data directly to the deprecated B2B interface.": "It is not as easy as sending a large amount of data directly to the deprecated B2B interface.",
- "Give a devastating zero-star feedback to the store.": "Give a devastating zero-star feedback to the store.",
- "Before you invest time bypassing the API, you might want to play around with the UI a bit.": "Before you invest time bypassing the API, you might want to play around with the UI a bit.",
- "Your eldest siblings middle name?": "Your eldest siblings middle name?",
- "Mother's maiden name?": "Mother's maiden name?",
- "Mother's birth date? (MM/DD/YY)": "Mother's birth date? (MM/DD/YY)",
- "Father's birth date? (MM/DD/YY)": "Father's birth date? 
(MM/DD/YY)",
- "Maternal grandmother's first name?": "Maternal grandmother's first name?",
- "Paternal grandmother's first name?": "Paternal grandmother's first name?",
- "Name of your favorite pet?": "Name of your favorite pet?",
- "Last name of dentist when you were a teenager? (Do not include 'Dr.')": "Last name of dentist when you were a teenager? (Do not include 'Dr.')",
- "Your ZIP/postal code when you were a teenager?": "Your ZIP/postal code when you were a teenager?",
- "Company you first work for as an adult?": "Company you first work for as an adult?",
- "Your favorite book?": "Your favorite book?",
- "Your favorite movie?": "Your favorite movie?",
- "Number of one of your customer or ID cards?": "Number of one of your customer or ID cards?",
- "Apple Juice (1000ml)": "Apple Juice (1000ml)",
- "The all-time classic.": "The all-time classic.",
- "Orange Juice (1000ml)": "Orange Juice (1000ml)",
- "Made from oranges hand-picked by Uncle Dittmeyer.": "Made from oranges hand-picked by Uncle Dittmeyer.",
- "Eggfruit Juice (500ml)": "Eggfruit Juice (500ml)",
- "Now with even more exotic flavour.": "Nu met nog meer exotische smaak.",
- "Raspberry Juice (1000ml)": "Raspberry sap (1000ml)",
- "Made from blended Raspberry Pi, water and sugar.": "Gemaakt van gemengd Raspberry Pi, water en suiker.",
+ "Inform the shop about an algorithm or library it should definitely not use the way it does.": "Informeer de winkel over een algoritme of bibliotheek welke ze zeker niet moeten gebruiken zoals ze doen.",
+ "Report one of four possible answers via the \"Customer Feedback\" form.": "Rapporteer een van de vier mogelijke antwoorden met het \"Klantfeedback\"-formulier.",
+ "Enforce a redirect to a page you are not supposed to redirect to.": "Dwing een doorverwijzing af naar een pagina waar je niet naartoe verwezen zou moeten worden.",
+ "You have to find a way to beat the allowlist of allowed redirect URLs.": "Je moet een manier vinden om de allowlist met toegestane 
verwijs-URLs te slim af te zijn.", + "Retrieve the content of C:\\Windows\\system.ini or /etc/passwd from the server.": "Haal van de server de inhoud op van C:\\Windows\\system.ini of /etc/passwd.", + "The leverage point for this challenge is the deprecated B2B interface.": "In deze uitdaging is een verouderde B2B-interface het aangrijpingspunt.", + "Give the server something to chew on for quite a while.": "Geef de server iets te doen waarmee het een flinke tijd bezig is.", + "It is not as easy as sending a large amount of data directly to the deprecated B2B interface.": "Het is niet zo eenvoudig als het rechtstreeks naar het versturen verouderde B2B-interface van een grote hoeveelheid data.", + "Give a devastating zero-star feedback to the store.": "Geef een vernietigende nul-sterren beoordeling aan de winkel.", + "Before you invest time bypassing the API, you might want to play around with the UI a bit.": "Voordat je probeert de API te omzeilen doe je er goed aan eens goed naar de UI te kijken.", + "Your eldest siblings middle name?": "Tweede naam van je oudste broer of zus?", + "Mother's maiden name?": "Meisjesnaam van je moeder?", + "Mother's birth date? (MM/DD/YY)": "Geboortedatum van je moeder? (MM/DD/YY)", + "Father's birth date? (MM/DD/YY)": "Geboortedatum van je vader? (MM/DD/YY)", + "Maternal grandmother's first name?": "Voornaam van je oma van moederskant?", + "Paternal grandmother's first name?": "Voornaam van je opa van vaderskant?", + "Name of your favorite pet?": "Naam van je favoriete huisdier?", + "Last name of dentist when you were a teenager? (Do not include 'Dr.')": "Achternaam van de tandarts uit je tienerjaren? 
(zonder titels)", + "Your ZIP/postal code when you were a teenager?": "Postcode uit je tienerjaren?", + "Company you first work for as an adult?": "Eerste werkgever als volwassene?", + "Your favorite book?": "Je favoriete boek?", + "Your favorite movie?": "Je favoriete film?", + "Number of one of your customer or ID cards?": "Kaartnummer van een van je klantenkaarten of ID-bewijzen?", + "Apple Juice (1000ml)": "Appelsap (1000ml)", + "The all-time classic.": "The klassieker.", + "Orange Juice (1000ml)": "Jus d'Orange (1000ml)", + "Made from oranges hand-picked by Uncle Dittmeyer.": "Van handgeplukte sinaasappels van Oom Dittmeyer.", + "Eggfruit Juice (500ml)": "Canistelsap (500ml)", + "Now with even more exotic flavour.": "Nu met nog exotischer smaak.", + "Raspberry Juice (1000ml)": "Frambozensap (1000ml)", + "Made from blended Raspberry Pi, water and sugar.": "Van gepureerde Raspberry Pi, water en suiker.", "Lemon Juice (500ml)": "Citroensap (500ml)", - "Sour but full of vitamins.": "Zuur maar vol vitaminen.", + "Sour but full of vitamins.": "Zuur, maar vol vitaminen.", "Banana Juice (1000ml)": "Bananensap (1000ml)", - "Monkeys love it the most.": "Apen houden er het meest van.", + "Monkeys love it the most.": "Favoriet bij apen.", "OWASP Juice Shop T-Shirt": "OWASP Juice Shop T-shirt", "Real fans wear it 24/7!": "Echte fans dragen het 24/7!", - "OWASP Juice Shop CTF Girlie-Shirt": "OWASP Juice Shop CTF Girlie-shirt", + "OWASP Juice Shop CTF Girlie-Shirt": "OWASP Juice Shop CTF meidenshirt", "For serious Capture-the-Flag heroines only!": "Alleen voor serieuze Capture-the-Flag heldinnen!", - "OWASP SSL Advanced Forensic Tool (O-Saft)": "OWASP SSL Geavanceerd Forensic Tool (O-Saft)", - "O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations. 
More...": "O-Saft is een makkelijk te gebruiken tool voor het tonen van informatie over een SSL-certificaat en test de SSL-verbinding volgens bepaalde coderingen en diverse SSL-configuraties. Meer...", + "OWASP SSL Advanced Forensic Tool (O-Saft)": "OWASP SSL Geavanceerd Forensisch Tool (O-Saft)", + "O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations. More...": "O-Saft is een makkelijk te gebruiken tool voor het tonen van informatie over een SSL-certificaat en test de SSL-verbinding volgens ingestelde encryptiemethoden en verschillende SSL-configuraties. Meer...", "Christmas Super-Surprise-Box (2014 Edition)": "Kerstmis Super-Surprise-Box (2014 Editie)", - "Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price! (Seasonal special offer! Limited availability!)": "Bevat een willekeurige selectie van 10 flessen (elk 500ml) van onze meest smaakvolle sappen en een extra fan shirt voor een onverslaanbare prijs! (Seizoensgebonden speciale aanbieding! Beperkt beschikbaar!)", - "Rippertuer Special Juice": "Rippertuer speciale sap", - "Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price!
This item has been made unavailable because of lack of safety standards. (This product is unsafe! We plan to remove it from the stock!)": "Bevat een magische verzameling van de zeldzame vruchten die over de hele wereld zijn verzameld, zoals Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... en anderen, tegen een ongelooflijke prijs!
Dit artikel is niet beschikbaar gemaakt omdat er te weinig veiligheidsnormen zijn. (Dit product is niet veilig! We zijn van plan het uit de voorraad te verwijderen!)", - "OWASP Juice Shop Sticker (2015/2016 design)": "OWASP Juice Shop Sticker (2015/2016 design)", - "Die-cut sticker with the official 2015/2016 logo. By now this is a rare collectors item. Out of stock!": "Die-cut sticker met het officiële 2015/2016 logo. Hierdoor is dit een zeldzame verzamelaars item. Niet op voorraad!", + "Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price! (Seasonal special offer! Limited availability!)": "Bevat een willekeurige selectie van 10 flessen (elk 500ml) van onze meest smaakvolle sappen en een extra fan-shirt voor een onverslaanbare prijs! (Seizoensgebonden speciale aanbieding! Beperkt beschikbaar!)", + "Rippertuer Special Juice": "Rippertuer speciaal sap", + "Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price!
This item has been made unavailable because of lack of safety standards. (This product is unsafe! We plan to remove it from the stock!)": "Bevat een magische verzameling van de zeldzame vruchten van over de hele wereld, zoals Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... en anderen, tegen een ongelooflijke prijs!
Dit artikel is niet beschikbaar gemaakt omdat er te weinig veiligheidsnormen zijn. (Dit product is niet veilig! We zijn van plan het uit de voorraad te verwijderen!)", + "OWASP Juice Shop Sticker (2015/2016 design)": "OWASP Juice Shop Sticker (2015/2016 ontwerp)", + "Die-cut sticker with the official 2015/2016 logo. By now this is a rare collectors item. Out of stock!": "Gestanste sticker met het officiële logo uit 2015/2016. Inmiddels een zeldzaam verzamelitem. Niet op voorraad!", "OWASP Juice Shop Iron-Ons (16pcs)": "OWASP Juice Shop Iron-Ons (16 stuks)", - "Upgrade your clothes with washer safe iron-ons of the OWASP Juice Shop or CTF Extension logo!": "Upgrade je kleren met wasmachine veilige iron-ons van de OWASP Juice Shop of CTF Extensie logo!", + "Upgrade your clothes with washer safe iron-ons of the OWASP Juice Shop or CTF Extension logo!": "Upgrade je kleren met wasmachine bestendige strijkplaatjes van het logo van de OWASP Juice Shop of de CTF Extensie!", "OWASP Juice Shop Magnets (16pcs)": "OWASP Juice Shop magneten (16 stuks)", - "Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo magnets!": "Je koelkast zal nog cooler zijn met deze OWASP Juice Shop of CTF Extension logo magneten!", - "OWASP Juice Shop Sticker Page": "OWASP Juice Shop Sticker Pagina", - "Massive decoration opportunities with these OWASP Juice Shop or CTF Extension sticker pages! Each page has 16 stickers on it.": "Enorme decoratie mogelijkheden met deze OWASP Juice Shop of CTF Extensie sticker vel! Elk vel heeft 16 stickers erop.", - "OWASP Juice Shop Sticker Single": "Enkele OWASP Juice Shop Sticker", - "Super high-quality vinyl sticker single with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!": "Super hoge kwaliteit vinyl enkele sticker met de OWASP Juice Shop of CTF Extensie logo! 
De ultieme laptop decal!", + "Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo magnets!": "Je koelkast is nog cooler met deze magneten met logo van de OWASP Juice Shop of de CTF Extension!", + "OWASP Juice Shop Sticker Page": "OWASP Juice Shop Sticker-pagina", + "Massive decoration opportunities with these OWASP Juice Shop or CTF Extension sticker pages! Each page has 16 stickers on it.": "Enorme decoratie mogelijkheden met deze OWASP Juice Shop of CTF Extensie sticker vellen! Elk vel heeft 16 stickers.", + "OWASP Juice Shop Sticker Single": "Enkele OWASP Juice Shop-sticker", + "Super high-quality vinyl sticker single with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!": "Superhoge kwaliteit vinyl enkele sticker met het logo van de OWASP Juice Shop of de CTF Extensie! De ultieme laptop decal!", "OWASP Juice Shop Temporary Tattoos (16pcs)": "OWASP Juice Shop Tijdelijke Tattoos (16 stuks)", - "Get one of these temporary tattoos to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! Please mention @owasp_juiceshop in your tweet!": "Krijg een van deze tijdelijke tattoos om met trots het OWASP Juice Shop of CTF Extensie logo op je huid te dragen! Als je een foto van jezelf tweet met de tatoeage, krijg je gratis een paar van onze stickers! Gebruik @owasp_juiceshop in je tweet!", - "OWASP Juice Shop Mug": "OWASP Juice Shop Mok", + "Get one of these temporary tattoos to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! Please mention @owasp_juiceshop in your tweet!": "Neem een van deze tijdelijke tattoos om met trots het logo van de OWASP Juice Shop of de CTF Extensie op je huid te dragen! Als je een foto van jezelf tweet met de tatoeage, krijg je gratis een paar van onze stickers! 
Gebruik @owasp_juiceshop in je tweet!", + "OWASP Juice Shop Mug": "OWASP Juice Shop-mok", "Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!": "Zwarte mok met het normale logo aan de ene kant en het CTF logo aan de andere kant! Je collega's zullen jaloers zijn!", - "OWASP Juice Shop Hoodie": "OWASP Juice Shop Hoodie", - "Mr. Robot-style apparel. But in black. And with logo.": "Mr. Robot-stijl. Maar in het zwart. En met logo.", - "OWASP Juice Shop-CTF Velcro Patch": "OWASP Juice Shop-CTF Embleem", - "4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!": "4x3.5\" embleem met klittenbandachterzijde. De ultieme decal voor elke tactische zak of rugzak!", - "Woodruff Syrup \"Forest Master X-Treme\"": "Woodruff siroop \"Forest Master X-Treme\"", - "Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.": "Geoogst en geproduceerd in het Zwarte Woud, Duitsland. Kan hyperactief gedrag veroorzaken bij kinderen. Kan permanente groene tong veroorzaken wanneer het verbruikt niet wordt gematigd.", + "OWASP Juice Shop Hoodie": "OWASP Juice Shop-hoodie", + "Mr. Robot-style apparel. But in black. And with logo.": "Mr. Robot-stijl kleding. Maar in het zwart. En met logo.", + "OWASP Juice Shop-CTF Velcro Patch": "OWASP Juice Shop-CTF Embleem met klittenband", + "4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!": "4x3.5\" geborduurd embleem met klittenbandachterzijde. De ultieme decal voor elke tactische tas of rugzak!", + "Woodruff Syrup \"Forest Master X-Treme\"": "Woodruff-siroop \"Forest Master X-Treme\"", + "Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.": "Geoogst en geproduceerd in het Zwarte Woud, Duitsland. 
Kan hyperactief gedrag veroorzaken bij kinderen. Kan permanente groene tong veroorzaken wanneer het onverdund gebruikt wordt.", "Green Smoothie": "Groene Smoothie", - "Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.": "Ziet er giftig uit, maar is eigenlijk heel goed voor je gezondheid! Gemaakt van groene kool, spinazie, kiwi en gras.", - "Quince Juice (1000ml)": "Quince sap (1000ml)", - "Juice of the Cydonia oblonga fruit. Not exactly sweet but rich in Vitamin C.": "SAP van het Cydonia oblonga fruit. Niet precies zoet, maar rijk aan Vitamine C.", - "Apple Pomace": "Appel Overblijfsel", - "Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be sent back to us for recycling.": "Best geperste appels. Allergische disclaimer: Kunnen sporen van wormen bevatten. Kan worden teruggestuurd naar ons voor recycling.", - "Fruit Press": "Fruit Perser", - "Fruits go in. Juice comes out. Pomace you can send back to us for recycling purposes.": "Fruit gaat erin. Sap komt eruit. Overblijfsel kunt u terugsturen voor recyclingdoeleinden.", - "OWASP Juice Shop Logo (3D-printed)": "OWASP Juice Shop Logo (3D-geprint)", - "This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.": "Dit zeldzame product is in Zweden ontworpen en zorgvuldig gemaakt en daarom is het zo ontzettend duur ondanks het totale gebrek aan bruikbaarheid.", + "Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.": "Ziet er giftig uit, maar is juist heel goed voor je gezondheid! Gemaakt van groene kool, spinazie, kiwi en gras.", + "Quince Juice (1000ml)": "Kweeperensap (1000ml)", + "Juice of the Cydonia oblonga fruit. Not exactly sweet but rich in Vitamin C.": "Sap van de kweepeer, Cydonia oblonga. 
Niet echt zoet, maar rijk aan Vitamine C.", + "Apple Pomace": "Appelmoes", + "Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be sent back to us for recycling.": "Geperst uit de beste appels. Allergiewaarschuwing: Kan sporen van wormen bevatten. Kan naar ons teruggestuurd worden voor recycling.", + "Fruit Press": "Fruitpers", + "Fruits go in. Juice comes out. Pomace you can send back to us for recycling purposes.": "Fruit gaat erin. Sap komt eruit. Fruitpulp kunt u terugsturen voor recyclingdoeleinden.", + "OWASP Juice Shop Logo (3D-printed)": "OWASP Juice Shop-logo (3D-geprint)", + "This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.": "Dit zeldzame product is ontworpen en handgemaakt in Zweden. Daarom is het zo ontzettend duur, ook al is het totaal nutteloos.", "Juice Shop Artwork": "Juice Shop Artwork", "Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.": "Uniek meesterstuk geschilderd met verschillende soorten sap op 90g/m2 gelinieerd papier.", - "Global OWASP WASPY Award 2017 Nomination": "Globale OWASP WASPY Award 2017 nominatie", - "Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! Nominate now!": "Jou kans om tot drie stille pijlers van de OWASP gemeenschap aan te dragen eindigt 2017-06-30! Nomineer nu!", - "Strawberry Juice (500ml)": "Aardbeien sap (500ml)", + "Global OWASP WASPY Award 2017 Nomination": "Nominatie voor de Wereldwijde OWASP WASPY Award 2017", + "Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! Nominate now!": "Jouw kans om tot drie stille pijlers van de OWASP-gemeenschap aan te dragen eindigt op 2017-06-30! 
Nomineer nu!", + "Strawberry Juice (500ml)": "Aardbeiensap (500ml)", "Sweet & tasty!": "Zoet & smakelijk!", - "Carrot Juice (1000ml)": "Wortel sap (1000ml)", + "Carrot Juice (1000ml)": "Wortelsap (1000ml)", "As the old German saying goes: \"Carrots are good for the eyes. Or has anyone ever seen a rabbit with glasses?\"": "Zoals het oude Duitse gezegde luidt: \"Wortels zijn goed voor de ogen. Of heeft iemand ooit een konijn met een bril gezien?\"", - "OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)": "OWASP Juice Shop Zweden Tour 2017 Sticker Sheet (Special Edition)", + "OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)": "OWASP Juice Shop Zweden Tour 2017 Stickervel (Speciale Editie)", "10 sheets of Sweden-themed stickers with 15 stickers on each.": "10 vellen Zweedse themastickers met 15 stickers op elk vel.", "Pwning OWASP Juice Shop": "Pwning OWASP Juice Shop", - "Melon Bike (Comeback-Product 2018 Edition)": "Meloen fiets (Comeback-Product 2018 Editie)", - "The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.": "De wielen van deze fiets zijn gemaakt van echte watermeloenen. Je moet niet te hard van de stoep af gaan ermee.", + "Melon Bike (Comeback-Product 2018 Edition)": "Meloenfiets (Comeback-Product 2018 Editie)", + "The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.": "De wielen van deze fiets zijn gemaakt van echte watermeloenen. 
Rij er niet te hard mee de stoep op en af.", "OWASP Juice Shop Coaster (10pcs)": "OWASP Juice Shop Bierviltjes (10 stuks)", - "Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.": "Onze 95mm bierviltjes worden volledig bedrukt en gemaakt van dik, premium bierviltkarton.", - "Retrieve the photo of Bjoern's cat in \"melee combat-mode\".": "Haal de foto van Björn's kat op in \"melee combat-mode\".", - "Check the Photo Wall for an image that could not be loaded correctly.": "Controleer de Photo Wall op een afbeelding die niet goed geladen kon worden.", - "Stick cute cross-domain kittens all over our delivery boxes.": "Plak schattige cross-domain kittens over al onze bezorg boxen.", - "This challenge would formally have to be in several categories as the developers made multiple gaffes for this to be possible.": "Deze uitdaging zou formeel in meerdere categorieën moeten staan, omdat de ontwikkelaars meerdere gaffes hebben gemaakt om dit mogelijk te maken.", - "ea.": "ea.", + "Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.": "Onze 95mm bierviltjes worden full color bedrukt en zijn gemaakt van dik, premium bierviltkarton.", + "Retrieve the photo of Bjoern's cat in \"melee combat-mode\".": "Haal de foto van Björn's kat in \"melee combat-mode\" op.", + "Check the Photo Wall for an image that could not be loaded correctly.": "Zoek in de Photo Wall naar een afbeelding die niet goed geladen kon worden.", + "Stick cute cross-domain kittens all over our delivery boxes.": "Plak onze bezorg boxen vol met schattige cross-domain kittens.", + "This challenge would formally have to be in several categories as the developers made multiple gaffes for this to be possible.": "Deze uitdaging zou formeel in meerdere categorieën moeten staan, omdat dit mogelijk is geworden door meerdere blunders van de ontwikkelaars.", + "ea.": "per stuk", "Delivery Price": "Leveringsprijs", "Total Price": 
"Totaalprijs", - "Bonus Points Earned": "Bonus punten verdiend", - "The bonus points from this order will be added 1:1 to your wallet ¤-fund for future purchases!": "De bonuspunten van deze bestelling worden toegevoegd 1:1 aan uw portemonnee ¤-fund voor toekomstige aankopen!", + "Bonus Points Earned": "Bonuspunten verdiend", + "The bonus points from this order will be added 1:1 to your wallet ¤-fund for future purchases!": "De bonuspunten van deze bestelling worden 1:1 toegevoegd aan uw ¤-fund portemonnee voor toekomstige aankopen!", "Thank you for your order!": "Bedankt voor uw bestelling!", "Order Confirmation": "Orderbevestiging", "Customer": "Klant", "Order": "Order", "Date": "Datum", "OWASP Juice Shop Holographic Sticker": "OWASP Juice Shop Holografische Sticker", - "Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!": "Die-cut holografische sticker. Kom boven die 08/15-sticker-bedekte laptops uit met deze shiny holografische 80's sticker!", - "OWASP Snakes and Ladders - Mobile Apps": "OWASP Snakes en Ladders - Mobiele Apps", - "This amazing mobile app security awareness board game is available for Tabletop Simulator on Steam Workshop now!": "Dit geweldige mobiele app security awareness bordspel is beschikbaar voor Tabletop Simulator op Steam Workshop nu!", - "OWASP Snakes and Ladders - Web Applications": "OWASP Snakes en Ladders - Web Applicaties", - "This amazing web application security awareness board game is available for Tabletop Simulator on Steam Workshop now!": "Dit geweldige web applicatie security bordspel is beschikbaar voor Tabletop Simulator op Steam Workshop nu!", - "The official Companion Guide by Björn Kimminich available for free on LeanPub and also readable online!": "De officiële Companion Guide van Björn Kimminich is beschikbaar gratis op LeanPub en ook leesbaar online!", - "We are out of stock! Sorry for the inconvenience.": "We zijn uit voorraad! 
Sorry voor het ongemak.", + "Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!": "Gestanste holografische sticker. Steek boven die 08/15-sticker-bedekte laptops uit met deze glanzende holografische 80's sticker!", + "OWASP Snakes and Ladders - Mobile Apps": "OWASP Slangen en Ladders - Mobiele Apps", + "This amazing mobile app security awareness board game is available for Tabletop Simulator on Steam Workshop now!": "Deze geweldige mobiele app met veiligheidsbewustzijnsbordspel is nu beschikbaar voor Tabletop Simulator op Steam Workshop!", + "OWASP Snakes and Ladders - Web Applications": "OWASP Slangen en Ladders - Webapplicaties", + "This amazing web application security awareness board game is available for Tabletop Simulator on Steam Workshop now!": "Dit geweldige webapplicatie met veiligheidsbewustzijnsbordspel is nu beschikbaar voor Tabletop Simulator op Steam Workshop!", + "The official Companion Guide by Björn Kimminich available for free on LeanPub and also readable online!": "De officiële Companion Guide van Björn Kimminich is gratis op LeanPub beschikbaar en ook online leesbaar!", + "We are out of stock! Sorry for the inconvenience.": "We zijn uitverkocht! Sorry voor het ongemak.", "Wrong answer to CAPTCHA. Please try again.": "Onjuist antwoord op CAPTCHA. Probeer het opnieuw.", "Invalid email or password.": "Ongeldig e-mailadres of wachtwoord.", "Current password is not correct.": "Huidig wachtwoord is niet correct.", "Password cannot be empty.": "Wachtwoord mag niet leeg zijn.", "New and repeated password do not match.": "Nieuw en herhaald wachtwoord komt niet overeen.", "Wrong answer to security question.": "Verkeerd antwoord op beveiligingsvraag.", - "Inform the development team about a danger to some of their credentials. 
(Send them the URL of the original report or an assigned CVE or another identifier of this vulnerability)": "Informeer het ontwikkelingsteam over een gevaar voor sommige van hun gegevens. (Stuur ze de URL van het oorspronkelijke rapport of een toegewezen CVE of een andere identificatie van deze kwetsbaarheid)", - "You can order only up to {{quantity}} items of this product.": "U kunt maximaal {{quantity}} producten van dit product bestellen.", + "Inform the development team about a danger to some of their credentials. (Send them the URL of the original report or an assigned CVE or another identifier of this vulnerability)": "Informeer het ontwikkelteam over een gevaar voor sommige van hun gegevens. (Stuur ze de URL van het oorspronkelijke rapport, een toegewezen CVE of een andere identificatie van deze kwetsbaarheid)", + "You can order only up to {{quantity}} items of this product.": "U kunt maximaal {{quantity}} stuks van dit product bestellen.", " (This challenge is not available on Docker!)": " (Deze uitdaging is niet beschikbaar op Docker!)", " (This challenge is not available on Heroku!)": " (Deze uitdaging is niet beschikbaar op Heroku!)", " (This challenge is not available on Gitpod!)": " (This challenge is not available on Gitpod!)", - " (This challenge is potentially harmful on Docker!)": " (Deze uitdaging is mogelijk kwetsbaar op Docker!)", - " (This challenge is potentially harmful on Gitpod!)": " (This challenge is potentially harmful on Gitpod!)", - " (This challenge is potentially harmful on Heroku!)": " (Deze uitdaging is mogelijk kwetsbaar op Heroku!)", - "Find the endpoint that serves usage data to be scraped by a popular monitoring system.": "Zoek het eindpunt dat gebruikgegevens dient om te worden gescraped door een populair monitoring-systeem.", - "Try to guess what URL the endpoint might have.": "Probeer te raden welke URL het eindpunt kan hebben.", - "Look for a url parameter where its value appears in the page it is leading to.": "Zoek naar 
een url parameter waar de waarde verschijnt op de pagina waarnaar het leidt.", - "Change the name of a user by performing Cross-Site Request Forgery from another origin.": "Wijzig de naam van een gebruiker door het uitvoeren van een Cross-Site Forgery Request van een andere oorsprong.", - "Use the bonus payload <iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe> in the DOM XSS challenge.": "Gebruik de bonus payload <iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe> in de DOM XSS challenge.", - "Copy + Paste = Solved!": "Kopieer + plakken = Opgelost!", - "Obtain a Deluxe Membership without paying for it.": "Verkrijg een Deluxe lidmaatschap zonder daarvoor te betalen.", - "Look closely at what happens when you attempt to upgrade your account.": "Kijk goed wat er gebeurt als je probeert je account up te graden.", + " (This challenge is potentially harmful on Docker!)": " (Deze uitdaging is mogelijk schadelijk op Docker!)", + " (This challenge is potentially harmful on Gitpod!)": " (Deze uitdaging is mogelijk schadelijk op Gitpod!)", + " (This challenge is potentially harmful on Heroku!)": " (Deze uitdaging is mogelijk schadelijk op Heroku!)", + "Find the endpoint that serves usage data to be scraped by a popular monitoring system.": "Zoek het eindpunt dat gebruikgegevens levert om te worden gescraped door een populair monitoring-systeem.", + "Try to guess what URL the endpoint might have.": "Probeer de URL te raden die het eindpunt kan hebben.", + "Look for a url parameter 
where its value appears in the page it is leading to.": "Zoek naar een url-parameter waarvan de waarde verschijnt op de pagina waarnaar de URL leidt.", + "Change the name of a user by performing Cross-Site Request Forgery from another origin.": "Wijzig de naam van een gebruiker door een Cross-Site Forgery Request van een andere oorsprong uit te voeren.", + "Use the bonus payload <iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe> in the DOM XSS challenge.": "Gebruik de bonus-payload <iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe> van de DOM XSS challenge.", + "Copy + Paste = Solved!": "Kopiëren + Plakken = Opgelost!", + "Obtain a Deluxe Membership without paying for it.": "Verkrijg een Deluxe-lidmaatschap zonder daarvoor te betalen.", + "Look closely at what happens when you attempt to upgrade your account.": "Kijk goed wat er gebeurt wannner je probeert je account up te graden.", " (This challenge is not available on Windows!)": " (Deze uitdaging is niet beschikbaar op Windows!)", - "Reset Uvogin's password via the Forgot Password mechanism with the original answer to his security question.": "Reset het wachtwoord van Uvogin's OWASP account via het Wachtwoord mechanisme met het oorspronkelijke antwoord op zijn beveiligingsvraag.", - "You might have to do some OSINT on his social media personas to find out his honest answer to the security question.": "Misschien moet je wat OSINT doen op zijn sociale media om zijn antwoord op de veiligheidsvraag te vinden.", - "Juice 
Shop Adversary Trading Card (Common)": "Juice Shop Adversary Trading Card (Common)", - "Common rarity \"Juice Shop\" card for the Adversary Trading Cards CCG.": "Common zeldzaamheid \"Juice Shop\" kaart voor de Adversary Trading Cards CCG.", + "Reset Uvogin's password via the Forgot Password mechanism with the original answer to his security question.": "Reset het wachtwoord van Uvogin met het Wachtwoord Vergeten-mechanisme en het oorspronkelijke antwoord op zijn beveiligingsvraag.", + "You might have to do some OSINT on his social media personas to find out his honest answer to the security question.": "Misschien moet je wat OSINT doen op zijn sociale media om het echte antwoord op zijn veiligheidsvraag te vinden.", + "Juice Shop Adversary Trading Card (Common)": "Juice Shop Adversary Trading Card (Normaal)", + "Common rarity \"Juice Shop\" card for the Adversary Trading Cards CCG.": "Zeldzame \"Juice Shop\"-kaart voor de Adversary Trading Cards CCG.", "Juice Shop Adversary Trading Card (Super Rare)": "Juice Shop Adversary Trading Card (Super Zeldzaam)", - "Super rare \"Juice Shop\" card with holographic foil-coating for the Adversary Trading Cards CCG.": "Super zeldzame \"Juice Shop\" kaart voor de Adversary Trading Cards CCG.", - "OWASP Juice Shop \"King of the Hill\" Facemask": "OWASP Juice Shop \"King of the Hill\" Facemask", - "Facemask with compartment for filter from 50% cotton and 50% polyester.": "Facemask met vak voor filter van 50% katoen en 50% polyester.", - "Determine the answer to John's security question by looking at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism.": "Bepaal het antwoord op de veiligheidsvraag van John door een upload van hem op de Photo Wall te bekijken en deze te gebruiken om zijn wachtwoord te resetten via het Wachtwoord vergeten mechanisme.", + "Super rare \"Juice Shop\" card with holographic foil-coating for the Adversary Trading Cards CCG.": "Super zeldzame \"Juice 
Shop\"-kaart voor de Adversary Trading Cards CCG.", + "OWASP Juice Shop \"King of the Hill\" Facemask": "OWASP Juice Shop \"King of the Hill\" Masker", + "Facemask with compartment for filter from 50% cotton and 50% polyester.": "Masker met ruimte voor filter van 50% katoen en 50% polyester.", + "Determine the answer to John's security question by looking at an upload of him to the Photo Wall and use it to reset his password via the Forgot Password mechanism.": "Bepaal het antwoord op de veiligheidsvraag van John door een upload van hem op de Photo Wall te bekijken en deze te gebruiken om zijn wachtwoord te resetten via het Wachtwoord Vergeten-mechanisme.", "Take a look at the meta data of the corresponding photo.": "Bekijk de meta-gegevens van de bijbehorende foto.", "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the Forgot Password mechanism.": "Bepaal het antwoord op de veiligheidsvraag van Emma door een upload van haar op de Photo Wall te bekijken en deze te gebruiken om zijn wachtwoord te resetten via het Wachtwoord vergeten mechanisme.", - "Take a look at the details in the photo to determine the location of where it was taken.": "Kijk naar de de details van de foto om de locatie te bepalen van deze foto.", + "Take a look at the details in the photo to determine the location of where it was taken.": "Kijk naar de details van de foto om bepalen van waar deze foto genomen is.", "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020 Editie", - "Bypass a security control with a Poison Null Byte to access a file not meant for your eyes.": "Omzeil een beveiligingscontrole met een Poison Null Byte om toegang te krijgen tot een bestand dat niet voor je ogen is bedoeld.", - "Best Juice Shop Salesman Artwork": "Best Juice Shop Salesman Artwork", - "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. 
He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before finally adding his expertise to the Juice Shop marketing team.",
- "20th Anniversary Celebration Ticket": "20th Anniversary Celebration Ticket",
- "Get your free 🎫 for OWASP 20th Anniversary Celebration online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!": "Get your free 🎫 for OWASP 20th Anniversary Celebration online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!",
- "OWASP Juice Shop Card (non-foil)": "OWASP Juice Shop Card (non-foil)",
- "Mythic rare (obviously...) card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!": "Mythic rare (obviously...) card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!",
- "Line {{vulnLine}} is responsible for this vulnerability or security flaw. Select it and submit to proceed.": "Line {{vulnLine}} is responsible for this vulnerability or security flaw. Select it and submit to proceed.",
- "Lines {{vulnLines}} are responsible for this vulnerability or security flaw. 
Select them and submit to proceed.": "Lines {{vulnLines}} are responsible for this vulnerability or security flaw. Select them and submit to proceed.",
- "Receive a coupon code from the support chatbot.": "Receive a coupon code from the support chatbot.",
- "Just keep asking.": "Just keep asking.",
- "Permanently disable the support chatbot so that it can no longer answer customer queries.": "Permanently disable the support chatbot so that it can no longer answer customer queries.",
- "Think of a way to get a hold of the internal workings on the chatbot API.": "Think of a way to get a hold of the internal workings on the chatbot API.",
- "Gain read access to an arbitrary local file on the web server.": "Gain read access to an arbitrary local file on the web server.",
- "You should read up on vulnerabilities in popular NodeJs template engines.": "You should read up on vulnerabilities in popular NodeJs template engines.",
- "Try to identify where (potentially malicious) user input is coming into the code.": "Try to identify where (potentially malicious) user input is coming into the code.",
- "What is the code doing with the user input other than using it to filter the data source?": "What is the code doing with the user input other than using it to filter the data source?",
- "Look for a line where the developers fiddled with Angular's built-in security model.": "Look for a line where the developers fiddled with Angular's built-in security model.",
- "Using bypassSecurityTrustStyle() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact. The context where the parameter is used is not CSS, making this switch totally pointless.": "Using bypassSecurityTrustStyle() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact. 
The context where the parameter is used is not CSS, making this switch totally pointless.",
- "Using bypassSecurityTrustResourceUrl() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. This switch might only accidentally keep XSS prevention intact, but the new URL context does not make any sense here.": "Using bypassSecurityTrustResourceUrl() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. This switch might only accidentally keep XSS prevention intact, but the new URL context does not make any sense here.",
- "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact. The context where the parameter is used is not a script either, so this switch would be nonsensical.": "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact. The context where the parameter is used is not a script either, so this switch would be nonsensical.",
- "Removing the bypass of sanitization entirely is the best way to fix this vulnerability. Fiddling with Angular's built-in sanitization was entirely unnecessary as the user input for a text search should not be expected to contain HTML that needs to be rendered but merely plain text.": "Removing the bypass of sanitization entirely is the best way to fix this vulnerability. 
Fiddling with Angular's built-in sanitization was entirely unnecessary as the user input for a text search should not be expected to contain HTML that needs to be rendered but merely plain text.",
- "Can you identify one or more routes which have something to do with log files?": "Can you identify one or more routes which have something to do with log files?",
- "Did you spot the directory listing clearly linked to log files?": "Did you spot the directory listing clearly linked to log files?",
- "Did you notice that there is a seperate route for retrieving individual log files?": "Did you notice that there is a seperate route for retrieving individual log files?",
- "Make sure to select both lines responsible for the log file data leakage.": "Make sure to select both lines responsible for the log file data leakage.",
- "Switching off the detailed view option is a cosmetic change on the directory listing but still allows the logs to be browsed and accessed.": "Switching off the detailed view option is a cosmetic change on the directory listing but still allows the logs to be browsed and accessed.",
- "Removing the route that serves individual log files is likely to plumb the data leak but still provides information to the attacker unnecessarily.": "Removing the route that serves individual log files is likely to plumb the data leak but still provides information to the attacker unnecessarily.",
- "Removing only the directory listing will still allow attackers to download individual log files if they can come up with a valid file name.": "Removing only the directory listing will still allow attackers to download individual log files if they can come up with a valid file name.",
- "There should generally be no good reason to expose server logs through a web URL of the server itself, epecially not when that server is Internet-facing.": "There should generally be no good reason to expose server logs through a web URL of the server itself, epecially not when that server 
is Internet-facing.",
- "Among the long list of route mappings, can you spot any that seem responsible for admin-related functionality?": "Among the long list of route mappings, can you spot any that seem responsible for admin-related functionality?",
- "Luckily the route mappings were originally in alphabetical order before the developers forgot about that rule at some point.": "Luckily the route mappings were originally in alphabetical order before the developers forgot about that rule at some point.",
- "Assuming that the original \"AdminGuard\" provided access control only to admin users, switching to \"LoginGuard\" seems like a downgrade that would give access to any authenticated user.": "Assuming that the original \"AdminGuard\" provided access control only to admin users, switching to \"LoginGuard\" seems like a downgrade that would give access to any authenticated user.",
- "Obfuscating the path to the administration section does not add any security, even if it wasn't just a trivial Base64 encoding.": "Obfuscating the path to the administration section does not add any security, even if it wasn't just a trivial Base64 encoding.",
- "This obfuscation attempt is hard to undo by hand but trivial when executed in a JavaScript console. Regardless, obfuscating the route does not add any level of security.": "This obfuscation attempt is hard to undo by hand but trivial when executed in a JavaScript console. 
Regardless, obfuscating the route does not add any level of security.",
- "While attempts could be made to limit access to administrative functions of a web shop through access control, it is definitely safer to apply the \"separation of concerns\" pattern more strictly by internally hosting a distinct admin backend application with no Internet exposure.": "While attempts could be made to limit access to administrative functions of a web shop through access control, it is definitely safer to apply the \"separation of concerns\" pattern more strictly by internally hosting a distinct admin backend application with no Internet exposure.",
- "Can you identify one or more routes which have something to do with file serving?": "Can you identify one or more routes which have something to do with file serving?",
- "Did you notice that there are seperate routes the directory listing and retrieving individual files?": "Did you notice that there are seperate routes the directory listing and retrieving individual files?",
- "Make sure to select both lines responsible for the data leakage.": "Make sure to select both lines responsible for the data leakage.",
- "Removing only the directory listing will still allow attackers to download individual files if they can come up with a valid file name.": "Removing only the directory listing will still allow attackers to download individual files if they can come up with a valid file name.",
- "Removing the routes that serve individual files is likely to plumb the data leak but still provides information to the attacker unnecessarily.": "Removing the routes that serve individual files is likely to plumb the data leak but still provides information to the attacker unnecessarily.",
- "Switching off the icons is a cosmetic change on the directory listing but still allows the files to be browsed and accessed.": "Switching off the icons is a cosmetic change on the directory listing but still allows the files to be browsed and accessed.",
- 
"Getting rid of the /ftp folder entirely is the only way to plumb this data leakage for good. Valid static content in it needs to be moved to a more suitable location and order confirmation PDFs had no business to be placed there publicly accessible in the first place. Everything else in that folder was just accidentally put & forgotten there anyway.": "Getting rid of the /ftp folder entirely is the only way to plumb this data leakage for good. Valid static content in it needs to be moved to a more suitable location and order confirmation PDFs had no business to be placed there publicly accessible in the first place. Everything else in that folder was just accidentally put & forgotten there anyway.",
- "In the long list of API-handling middleware, try to find the ones dealing with products offered in the shop first.": "In the long list of API-handling middleware, try to find the ones dealing with products offered in the shop first.",
- "API routes need to specifically define a handler for a HTTP verb if they wish to override the \"allow everything to everyone\" default behavior.": "API routes need to specifically define a handler for a HTTP verb if they wish to override the \"allow everything to everyone\" default behavior.",
- "There is one line that is commented out for no good reason among the product-related middleware.": "There is one line that is commented out for no good reason among the product-related middleware.",
- "While removing the commented-out line made the code cleaner, it did not change the functionality in any way and thus cannot have improved security either.": "While removing the commented-out line made the code cleaner, it did not change the functionality in any way and thus cannot have improved security either.",
- "Removing all dedicated handling of the products API made things worse, as now the default permissions of the underlying API generator will be used: Allowing GET, POST, PUT and DELETE - without any restrictions.": "Removing all 
dedicated handling of the products API made things worse, as now the default permissions of the underlying API generator will be used: Allowing GET, POST, PUT and DELETE - without any restrictions.",
- "You improved security slightly by no longer accepting PUT requests from anonymous API callers. But does the shop even want to allow its authenticated customers to change products themselves?": "You improved security slightly by no longer accepting PUT requests from anonymous API callers. But does the shop even want to allow its authenticated customers to change products themselves?",
- "Disabling all HTTP verbs other than GET for the products API is indeed the only safe way to implement secure access control. Shop administrators should not use the customer facing web UI to manage the store's inventory anyway.": "Disabling all HTTP verbs other than GET for the products API is indeed the only safe way to implement secure access control. Shop administrators should not use the customer facing web UI to manage the store's inventory anyway.",
- "Try to identify any variables in the code that might contain arbitrary user input.": "Try to identify any variables in the code that might contain arbitrary user input.",
- "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.": "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.",
- "Can you spot a place where a SQL query is being cobbled together in an unsafe way?": "Can you spot a place where a SQL query is being cobbled together in an unsafe way?",
- "Trying to prevent any injection attacks with a custom-built blocklist mechanism is doomed to fail. It might work for some simpler attack payloads but an attacker with time and skills can likely bypass it at some point.": "Trying to prevent any injection attacks with a custom-built blocklist mechanism is doomed to fail. 
It might work for some simpler attack payloads but an attacker with time and skills can likely bypass it at some point.",
- "Replacing the template string (`...`) notation with plain string concatenation (\"...\"+\"...\") does not change the behavior of the code in any way. It only makes the code less readable.": "Replacing the template string (`...`) notation with plain string concatenation (\"...\"+\"...\") does not change the behavior of the code in any way. It only makes the code less readable.",
- "Using the built-in replacement (or binding) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.": "Using the built-in replacement (or binding) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.",
- "Can you find a HTTP route mapping that deals with metrics?": "Can you find a HTTP route mapping that deals with metrics?",
- "Remember: The default behavior of route mappings is to allow access to everyone.": "Remember: The default behavior of route mappings is to allow access to everyone.",
- "The metrics route remains publicly accessible. This change only messes with functional settings of the measurement framework unnecessarily.": "The metrics route remains publicly accessible. 
This change only messes with functional settings of the measurement framework unnecessarily.",
- "This fix prevents unauthorized access to the metrics route but overshoots the goal by locking out everyone - including administrators.": "This fix prevents unauthorized access to the metrics route but overshoots the goal by locking out everyone - including administrators.",
- "Access will now be restricted only to users with administrator permissions, which seems reasonable protection, assuming that it is not possible for a regular user to escalate admin priviliges. If that were a risk, the metrics should better be stored behind the scenes not be made accessible via the shop application at all.": "Access will now be restricted only to users with administrator permissions, which seems reasonable protection, assuming that it is not possible for a regular user to escalate admin priviliges. If that were a risk, the metrics should better be stored behind the scenes not be made accessible via the shop application at all.",
- "Do you remember the security question that Bender used for his account?": "Do you remember the security question that Bender used for his account?",
- "This question is the source of the security risk in this challenge.": "This question is the source of the security risk in this challenge.",
- "While not necessarily as trivial to research via a user's LinkedIn profile, the question is still easy to research or brute force when answered truthfully.": "While not necessarily as trivial to research via a user's LinkedIn profile, the question is still easy to research or brute force when answered truthfully.",
- "Exchanging \"company\" with \"organization\" is only a vocabulary change and has no effect on security.": "Exchanging \"company\" with \"organization\" is only a vocabulary change and has no effect on security.",
- "When answered truthfully, all security questions are susceptible to online research (on Facebook, LinkedIn etc.) 
and often even brute force. If at all, they should not be used as the only factor for a security-relevant function.": "When answered truthfully, all security questions are susceptible to online research (on Facebook, LinkedIn etc.) and often even brute force. If at all, they should not be used as the only factor for a security-relevant function.",
- "Can you identify the lines which have something to do with crypto currency addresses?": "Can you identify the lines which have something to do with crypto currency addresses?",
- "Did you notice there is a constant containing allowed redirect web addresses?": "Did you notice there is a constant containing allowed redirect web addresses?",
- "Make sure to select all three lines responsible for crypto currency addresses which are not promoted any longer.": "Make sure to select all three lines responsible for crypto currency addresses which are not promoted any longer.",
- "This fix removes one deprecated crypto currency address from the allow list but forgets to deal with two other ones.": "This fix removes one deprecated crypto currency address from the allow list but forgets to deal with two other ones.",
- "When cleaning up any allow list of deprecated entries, it is crucial to be thorough and re-check the list regularly. Otherwise allow lists tend to become weaker over time.": "When cleaning up any allow list of deprecated entries, it is crucial to be thorough and re-check the list regularly. Otherwise allow lists tend to become weaker over time.",
- "This fix uses the binding mechanism of Sequelize to create the equivalent of a Prepared Statement, which is great. Unfortunately this fix also introduces a critical functional bug into the authentication process.": "This fix uses the binding mechanism of Sequelize to create the equivalent of a Prepared Statement, which is great. 
Unfortunately this fix also introduces a critical functional bug into the authentication process.",
- "This fix unfortunately goes only half the way to using the binding mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.": "This fix unfortunately goes only half the way to using the binding mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.",
- "This fix unfortunately goes only half the way to using the replacement mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.": "This fix unfortunately goes only half the way to using the replacement mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.",
- "Turning off the \"plain\" flag will let Sequelize return all matching rows instead of just the first one. This neither makes sense from a functional point of view in a login function, not could it prevent SQL Injection attacks.": "Turning off the \"plain\" flag will let Sequelize return all matching rows instead of just the first one. This neither makes sense from a functional point of view in a login function, not could it prevent SQL Injection attacks.",
- "Using the built-in binding (or replacement) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.": "Using the built-in binding (or replacement) mechanism of Sequelize is equivalent to creating a Prepared Statement. 
This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.",
- "Using bypassSecurityTrustSoundCloud() instead of bypassSecurityTrustHtml() supposedly bypasses sanitization to allow only content from that service provider. Not surprisingly, there is no such vendor-specific function bypassSecurityTrustSoundCloud() offered by the Angular DomSanitizer.": "Using bypassSecurityTrustSoundCloud() instead of bypassSecurityTrustHtml() supposedly bypasses sanitization to allow only content from that service provider. Not surprisingly, there is no such vendor-specific function bypassSecurityTrustSoundCloud() offered by the Angular DomSanitizer.",
- "Using bypassSecurityTrustIframe() instead of bypassSecurityTrustHtml() supposedly bypasses sanitization to allow only