From 84fd4105a3f5468f1617d6839d2e137c0e35f59d Mon Sep 17 00:00:00 2001
From: Bjoern Kimminich
Date: Wed, 14 Mar 2018 13:43:07 +0100
Subject: [PATCH] Reformatted YAML files (with https://jsonformatter.org/yaml-formatter)

---
 .codeclimate.yml | 22 +-
 .travis.yml | 37 ++-
 appveyor.yml | 28 +-
 config/7ms.yml | 85 ++---
 config/bodgeit.yml | 204 ++++++------
 config/ctf.yml | 7 +-
 config/default.yml | 197 +++++++-----
 config/juicebox.yml | 5 +-
 config/mozilla.yml | 201 ++++++------
 config/quiet.yml | 3 +-
 config/sickshop.yml | 100 +++---
 config/test.yml | 1 -
 crowdin.yaml | 5 +-
 data/static/challenges.yml | 620 ++++++++++++++++++++-----------------
 data/static/users.yml | 31 +-
 swagger.yml | 90 ++----
 16 files changed, 869 insertions(+), 767 deletions(-)

diff --git a/.codeclimate.yml b/.codeclimate.yml
index dc65baa8492..70e381277d0 100644
--- a/.codeclimate.yml
+++ b/.codeclimate.yml
@@ -1,4 +1,3 @@
----
 engines:
 eslint:
 enabled: true
@@ -6,12 +5,10 @@ engines:
 enabled: true
 fixme:
 enabled: true
- ratings:
- paths:
- - "**.js"
- - "**.css"
-
+ paths:
+ - '**.js'
+ - '**.css'
 checks:
 method-complexity:
 config:
@@ -20,11 +17,10 @@ checks:
 enabled: false
 identical-code:
 enabled: false
-
 exclude_paths:
-- "app/private/**/*"
-- "app/css/geo-bootstrap/**/*"
-- "data/datacreator.js"
-- "vagrant/shake.js"
-- "Gruntfile.js"
-- "*conf.js"
+ - 'app/private/**/*'
+ - 'app/css/geo-bootstrap/**/*'
+ - 'data/datacreator.js'
+ - 'vagrant/shake.js'
+ - 'Gruntfile.js'
+ - '*conf.js'
diff --git a/.travis.yml b/.travis.yml
index 4cb2b44b244..52769769ee9 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,12 +1,11 @@
----
 language: node_js
 node_js:
-- 9 # recommended version
-- 8
+ - 9
+ - 8
 branches:
 except:
- - gh-pages
- - l10n_develop
+ - gh-pages
+ - l10n_develop
 addons:
 apt:
 packages:
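Review bot: The `ratings:` key disappears in the second .codeclimate.yml hunk: the old `ratings:` / `paths:` pair is removed and only `paths:` comes back, apparently re-indented under the preceding `fixme:` engine, so a commit described as a pure reformat changes what CodeClimate reads from this file. Whether `paths` now sits under `fixme` or at top level cannot be confirmed from this rendering because indentation was collapsed, but either way the `ratings` key is gone. If that was not intended, restore `ratings:` above `paths:` so the `- '**.js'` / `- '**.css'` entries keep their original parent, and check the rendered file against the schema CodeClimate expects. The same tool pass also dropped the leading `---` document marker from every file in this patch; that remains valid YAML, but yamllint's default `document-start` rule will flag each file, so either keep the marker or disable that rule in the project's yamllint config.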
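Review bot: The `- 9 # recommended version` entry loses its comment when it becomes `- 9`; the formatter strips comments, and the same loss shows up in appveyor.yml (`nodejs_version: 9` and the explanation on the `if exist node_modules rd /Q /S node_modules` workaround) and in config/bodgeit.yml, where the two comments linking `image: thingie1.jpg` and `fileForRetrieveBlueprintChallenge: squareBox1-40x40x40.stl` to the Exif-metadata hint were removed. The Exif one in particular documents a non-obvious data dependency between the image and the blueprint filename that the next maintainer has no other way to discover. Re-add the dropped comments after the tool pass, e.g. `- 9 # recommended version` here.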
@@ -17,25 +16,25 @@ addons:
 secure: NC3ew4c92DO4SAdbJvaZkaRnEZaZcAr9NcxOeraqAKHRXY3COnerWGR8+kIE9KiadcRdatmu0sSjWldDcAZfmMwOraMI9CDkqdPSjtjciCVEFdGi+OPOvMY/gOJU6XeM7lsO5MvYD7mqChl2gR6s7IO/klPahf53c97PPDo3C90=
 env:
 global:
- - DISPLAY=:99
+ - 'DISPLAY=:99'
 before_install:
-- rm -rf node_modules
+ - 'rm -rf node_modules'
 before_script:
-- npm install grunt-cli -g
-- sh -e /etc/init.d/xvfb start
-- sleep 3
+ - 'npm install grunt-cli -g'
+ - 'sh -e /etc/init.d/xvfb start'
+ - 'sleep 3'
 script:
-- travis_wait npm test && npm run frisby && NODE_ENV=ctf npm run protractor
+ - 'travis_wait npm test && npm run frisby && NODE_ENV=ctf npm run protractor'
 after_success:
-- ./node_modules/.bin/lcov-result-merger 'build/reports/coverage/*/lcov.info' 'build/reports/coverage/lcov_merged.info'
-- ./node_modules/.bin/codeclimate-test-reporter < ./build/reports/coverage/lcov_merged.info
+ - './node_modules/.bin/lcov-result-merger ''build/reports/coverage/*/lcov.info'' ''build/reports/coverage/lcov_merged.info'''
+ - './node_modules/.bin/codeclimate-test-reporter < ./build/reports/coverage/lcov_merged.info'
 notifications:
 email:
- - secure: ADLqaNm7lR8sgCkSz7eWtWdm8zZ9OsbkcQAi2nm7hQPWAkTWPfr9qeOBh39Z3PZvkgDdlUpNZc/uPlcEGEILznJRF3HlQjWrWksNNtY3xaRc01B4uXlDbODjttb6v9mOqkwUqRfQLeerOqNynNSkT129+mz4FANn0+oucZ3EuQc=
- - secure: HhhSoqY87yd8Hkt+cfXk9XXDJeWViYQoPq8f7SJofkwSWtxfOS9GNbOUehZJDqjBMARoGi3SJBImRbisnwfMcEhKpSZs2S4Osdwk2Ayy0h8V/O+qHhiEuJq1mPbAWrYNGQerz16Ec4SbX6hPnAEle2SUwjbPUnfRRCROsJqfm0o=
+ - secure: ADLqaNm7lR8sgCkSz7eWtWdm8zZ9OsbkcQAi2nm7hQPWAkTWPfr9qeOBh39Z3PZvkgDdlUpNZc/uPlcEGEILznJRF3HlQjWrWksNNtY3xaRc01B4uXlDbODjttb6v9mOqkwUqRfQLeerOqNynNSkT129+mz4FANn0+oucZ3EuQc=
+ - secure: HhhSoqY87yd8Hkt+cfXk9XXDJeWViYQoPq8f7SJofkwSWtxfOS9GNbOUehZJDqjBMARoGi3SJBImRbisnwfMcEhKpSZs2S4Osdwk2Ayy0h8V/O+qHhiEuJq1mPbAWrYNGQerz16Ec4SbX6hPnAEle2SUwjbPUnfRRCROsJqfm0o=
 webhooks:
 urls:
- - secure: 
QZ3/2h7hThg527PX1z7kTTRGL5jEbTTHRbetYHt8Gzgdhvtruq4cjxMQZdUcmxKlncAhoB976iFl/Ja9EpExgrXnt/Tj0Aft6JDc7g8y0kuD/SiQpFT7d46R7vOTJeFHyMzfQN9M/h81DXrG+VO5OPGR/QYNa39kMzkTc86tt1E=
+ - secure: QZ3/2h7hThg527PX1z7kTTRGL5jEbTTHRbetYHt8Gzgdhvtruq4cjxMQZdUcmxKlncAhoB976iFl/Ja9EpExgrXnt/Tj0Aft6JDc7g8y0kuD/SiQpFT7d46R7vOTJeFHyMzfQN9M/h81DXrG+VO5OPGR/QYNa39kMzkTc86tt1E=
 on_success: always
 on_failure: always
 on_start: never
@@ -46,9 +45,9 @@ notifications:
 on_failure: change
 on_start: never
 before_deploy:
-- rm -rf node_modules
-- npm install --production
-- grunt package
+ - 'rm -rf node_modules'
+ - 'npm install --production'
+ - 'grunt package'
 deploy:
 - provider: heroku
 api_key:
diff --git a/appveyor.yml b/appveyor.yml
index ae329651dac..ed20b7238eb 100644
--- a/appveyor.yml
+++ b/appveyor.yml
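Review bot: Wrapping every shell command in single quotes (`- 'rm -rf node_modules'`, `- 'sleep 3'`) adds nothing for plain commands, and on the `lcov-result-merger` line it forces the two glob arguments into doubled-quote escapes, `''build/reports/coverage/*/lcov.info''`, which is easy to misread and easy to break on the next edit. Leaving those commands unquoted as they were, or double-quoting the whole command so the inner single quotes stay literal, keeps the same command text and is far more readable; the `before_deploy` hunk that follows carries the same unnecessary quoting. The `DISPLAY=:99` entry is the one value in this hunk where quoting is defensible, since a plain scalar containing `:` is worth protecting from a parser.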
@@ -1,38 +1,40 @@
----
 version: '{build}'
 init:
- - git config --global core.autocrlf true
+ - 'git config --global core.autocrlf true'
 branches:
 except:
- - gh-pages
- - l10n_develop
+ - gh-pages
+ - l10n_develop
 environment:
 matrix:
- - nodejs_version: 9 # recommended version
+ - nodejs_version: 9
 - nodejs_version: 8
 platform:
 - x64
 install:
- - ps: Install-Product node $env:nodejs_version $env:platform
- - node --version && npm --version
- - if exist node_modules rd /Q /S node_modules # workaround for npm install bug missing module dependencies
- - npm install --production
- - node_modules\.bin\grunt package
+ - ps: 'Install-Product node $env:nodejs_version $env:platform'
+ - 'node --version && npm --version'
+ - 'if exist node_modules rd /Q /S node_modules'
+ - 'npm install --production'
+ - 'node_modules\.bin\grunt package'
 build: off
 test: off
 matrix:
 fast_finish: true
 artifacts:
- - path: dist\*
+ -
+ path: 'dist\*'
 deploy:
- - provider: GitHub
+ -
+ provider: GitHub
 draft: true
 auth_token:
 secure: bFkucwU1Zoh4EgzKmTAwONzQxuWPWrPGa+yXgadKQRd2jz5JPDZEw1f1vz2r+7i1
 on:
 appveyor_repo_tag: true
 notifications:
- - provider: Slack
+ -
+ provider: Slack
 incoming_webhook:
 secure: KzO8e88B0LKqAI0BQM6lNhCIn9rxAava3AcdVJDyTw420OLIAlK+qzzbLXaR0jSH9zIJz9zu0iGS1iaqu9Co+6owYUrHJlBGrUZ/lZNCsDo=
 on_build_success: false
diff --git a/config/7ms.yml b/config/7ms.yml
index 9a508d2a32d..8adf31f10cd 100644
--- a/config/7ms.yml
+++ b/config/7ms.yml
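Review bot: The formatter emitted each sequence entry as a bare `-` on its own line with the mapping keys on the following lines (`-` then `path: 'dist\*'`, `-` then `provider: GitHub`, `-` then `provider: Slack`); it is valid YAML, but it reads as an empty list item at first glance and both yamllint and Prettier normalise it back to `- path: 'dist\*'`. Putting the first key on the dash line is the conventional form, and the same dangling-dash layout appears throughout config/7ms.yml, config/bodgeit.yml and config/default.yml in this patch. Separately, `build: off` and `test: off` stay unquoted while every other scalar was quoted; AppVeyor documents that form, but a YAML 1.2 parser reads `off` as the string rather than a boolean, so if these files are ever linted with a 1.2 tool expect a `truthy` warning there.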
@@ -1,18 +1,17 @@
----
 application:
- domain: "7-ms.us"
- name: "7 Minute Security"
- logo: "https://7ms.us/content/images/2017/09/7.png"
- favicon: "https://7minsec.com/favicon.ico"
- theme: "sandstone"
- gitHubRibbon: "white"
- twitterUrl: "https://twitter.com/7MinSec"
- facebookUrl: ~
- planetOverlayMap: "https://static1.squarespace.com/static/59505bc2414fb538a0532c76/t/599e266aebbd1a759716569b/1503536748248/logo+2.png"
- planetName: "Mad Billy-7"
+ domain: 7-ms.us
+ name: '7 Minute Security'
+ logo: 'https://7ms.us/content/images/2017/09/7.png'
+ favicon: 'https://7minsec.com/favicon.ico'
+ theme: sandstone
+ gitHubRibbon: white
+ twitterUrl: 'https://twitter.com/7MinSec'
+ facebookUrl: null
+ planetOverlayMap: 'https://static1.squarespace.com/static/59505bc2414fb538a0532c76/t/599e266aebbd1a759716569b/1503536748248/logo+2.png'
+ planetName: 'Mad Billy-7'
 recyclePage:
- topProductImage: "bm-small.jpg"
- bottomProductImage: "tommyboy.jpeg"
+ topProductImage: bm-small.jpg
+ bottomProductImage: tommyboy.jpeg
 altcoinName: Sevencoin
 cookieConsent:
 backgroundColor: '#0395d5'
@@ -24,62 +23,74 @@ application: linkText: 'But I want to stay an arbitrary number of minutes!' linkUrl: 'https://7ms.us/7ms-294-gdpr-me-asap/' products: - - name: "Security Assessment" + - + name: 'Security Assessment' price: 1999.99 - description: "Rather than just pointing out the gaps in your administrative, physical and technical controls, 7 Minute Security will partner with you to help formulate - and execute - a measurable remediation plan." - image: "https://static1.squarespace.com/static/59f9e1c4d0e6281017434039/t/5a3c3ae69140b7cd5730028e/1513898060448/assessments2.png" - - name: 'Penetration Test' + description: 'Rather than just pointing out the gaps in your administrative, physical and technical controls, 7 Minute Security will partner with you to help formulate - and execute - a measurable remediation plan.' + image: 'https://static1.squarespace.com/static/59f9e1c4d0e6281017434039/t/5a3c3ae69140b7cd5730028e/1513898060448/assessments2.png' + - + name: 'Penetration Test' description: '"Can the bad guys get in?" An internal and/or external network penetration test will gauge your organization`s defenses and help answer that question. After the test, 7 Minute Security will work with you on the technical defenses you need to put in place.' price: 1899.99 image: 'https://static1.squarespace.com/static/59f9e1c4d0e6281017434039/t/5a3c419f9140b7cd5730f574/1513898575643/wifi5.png' - - name: 'Training' + - + name: Training description: '7 Minute Security can train your employees to not only be more secure at work, but carry that security-focused attitude into everything they do at home as well. More tech-heavy sessions are available as well, such as Penetration Testing 101 and Intro to Windows System Forensics.' price: 899.99 image: 'https://static1.squarespace.com/static/59f9e1c4d0e6281017434039/t/5a5cceb7f9619a9a191ef4e3/1516031679673/training4.jpg' reviews: - - text: 'Wow, that guy can fingerpoint IPs like a pro!' 
- author: 'bender' - - name: 'Billy Madison 1.1' + - { text: 'Wow, that guy can fingerpoint IPs like a pro!', author: bender } + - + name: 'Billy Madison 1.1' description: 'Billy Madison is a vulnerable virtual machine, hosted by Vulnhub. To successfully pwn the box, pentesters must undo modifications to the system and recover Billy’s 12th grade project. Otherwise Eric and his weasel laugh will take over Madison Hotels!' price: 999.99 image: 'https://static1.squarespace.com/static/59f9e1c4d0e6281017434039/t/5a01bef9c83025f467396e34/1510063870501/bm-small.jpg' urlForProductTamperingChallenge: 'https://www.vulnhub.com/entry/billy-madison-11,161/' - - name: 'Billy Madison 1.0' + - + name: 'Billy Madison 1.0' description: 'Christmas Special Re-Release Edition of the famous VulnHub VM! Rare collectors item! Available only Christmas 2014!' price: 12999.99 - image: 'bm-small.jpg' + image: bm-small.jpg useForChristmasSpecialChallenge: true - - name: 'Tommy Boy 1.0' + - + name: 'Tommy Boy 1.0' description: 'Tommy Boy is a vulnerable virtual machine, hosted by VulnHub and based one of my all-time favorite movies. To complete the CTF, pentesters must bring the Callahan Auto brakepad ordering system back online before the company goes out of business.' price: 799.99 image: 'https://static1.squarespace.com/static/59f9e1c4d0e6281017434039/t/5a01bfaa71c10b9d51d59d2e/1510081203010/tommyboy.jpeg' - - name: 'CryptoLocker`d (Audio CD)' - description: 'A few years ago a worked on an incident response where a user got phished with a promise of a free burrito from Chipotle but instead got a free order of CryptoLocker! And rather than tell IT or sound the alarms, the user just left for the day! The next day they came back and the company was digitally on fire, and they played ignorant to what was going on. I found the user's handling of the situation humorous (read: not the CryptoLocker infection itself!), so I was inspired to write a song about it.' 
+ - + name: 'CryptoLocker`d (Audio CD)' + description: 'A few years ago a worked on an incident response where a user got phished with a promise of a free burrito from Chipotle but instead got a free order of CryptoLocker! And rather than tell IT or sound the alarms, the user just left for the day! The next day they came back and the company was digitally on fire, and they played ignorant to what was going on. I found the user`s handling of the situation humorous (read: not the CryptoLocker infection itself!), so I was inspired to write a song about it.' price: 19.99 image: 'http://www.chip.de/ii/2/2/1/9/9/7/0/5/cryptolocker-6e3b9559ff650a9e.jpg' - fileForRetrieveBlueprintChallenge: 'The+CryptoLocker+Song.mps' - - name: 'Sweet Surrender (Limited Edition Best of Audio CD)' + fileForRetrieveBlueprintChallenge: The+CryptoLocker+Song.mps + - + name: 'Sweet Surrender (Limited Edition Best of Audio CD)' description: 'Sweet Surrender is a vocals-driven acoustic duo from the Twin Cities area. Our music reflects a diverse range of our musical tastes - from the most current pop and country tunes on the radio today, to some great older tunes done with a twist. We also love to share music that reflects our love for Christ through the most current, contemporary Christian music.' 
price: 29.99 image: 'https://static1.squarespace.com/static/59208d27c534a58e9b17ec06/t/59208d69197aea2df1397c7b/1505596635447.png' deletedDate: '2018-01-01' - - name: '7MS #230: Pentesting OWASP Juice Shop - Part 1' + - + name: '7MS #230: Pentesting OWASP Juice Shop - Part 1' description: 'Today we`re kicking of a multipart series all about hacking the OWASP Juice Shop which is "an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws."' price: 1.99 image: 'https://i.ytimg.com/vi/IC6m249zvI0/hqdefault.jpg' - - name: '7MS #231: Pentesting OWASP Juice Shop - Part 2' + - + name: '7MS #231: Pentesting OWASP Juice Shop - Part 2' description: 'Today we`re continuing our series on hacking apart the OWASP Juice Shop which is "an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws."' price: 1.99 - image: 'hqdefault.jpg' - - name: '7MS #232: Pentesting OWASP Juice Shop - Part 3' + image: hqdefault.jpg + - + name: '7MS #232: Pentesting OWASP Juice Shop - Part 3' description: 'Today is part three of our continuing series on attacking the OWASP Juice Shop which is "an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws."' price: 1.99 - image: 'hqdefault.jpg' - - name: '7MS #233: Pentesting OWASP Juice Shop - Part 4' + image: hqdefault.jpg + - + name: '7MS #233: Pentesting OWASP Juice Shop - Part 4' description: 'Today is part FOUR of our continuing series on attacking the OWASP Juice Shop which is "an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws."' price: 1.99 - image: 'hqdefault.jpg' - - name: '7MS #234: Pentesting OWASP Juice Shop - Part 5' + image: 
hqdefault.jpg
+ -
+ name: '7MS #234: Pentesting OWASP Juice Shop - Part 5'
 description: 'Today is part FIVE (insert menacing voice: "the final chapter!!!) of our series on attacking the OWASP Juice Shop which is "an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws."'
 price: 1.99
- image: 'hqdefault.jpg'
+ image: hqdefault.jpg
diff --git a/config/bodgeit.yml b/config/bodgeit.yml
index 78803007882..064c13a226f 100644
--- a/config/bodgeit.yml
+++ b/config/bodgeit.yml
@@ -1,16 +1,15 @@
----
 application:
- domain: "thebodgeitstore.com"
- name: "The BodgeIt Store"
- logo: "http://www.userlogos.org/files/logos/inductiveload/Google%20Code.png"
- favicon: "https://www.shareicon.net/download/2016/08/13/808555_media.ico"
- theme: "paper"
- gitHubRibbon: "gray"
- twitterUrl: ~
- facebookUrl: ~
+ domain: thebodgeitstore.com
+ name: 'The BodgeIt Store'
+ logo: 'http://www.userlogos.org/files/logos/inductiveload/Google%20Code.png'
+ favicon: 'https://www.shareicon.net/download/2016/08/13/808555_media.ico'
+ theme: paper
+ gitHubRibbon: gray
+ twitterUrl: null
+ facebookUrl: null
 recyclePage:
- topProductImage: "undefined.png"
- bottomProductImage: "thingie1.jpg"
+ topProductImage: undefined.png
+ bottomProductImage: thingie1.jpg
 altcoinName: Bodgecoin
 cookieConsent:
 backgroundColor: '#000000'
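Review bot: The CryptoLocker description in this hunk is not only requoted but edited: the apostrophe in `user's handling` is replaced by a backtick, so a commit billed as a reformat changes product text that the application shows to users. If the character was swapped only to avoid the quoting problem, the YAML way is to double the apostrophe inside the single-quoted scalar, `'... the user''s handling ...'`, which keeps the original wording; the other entries already use backticks in their source text, so only this one actually changed. The review entries were also collapsed to flow mappings (`- { text: 'Wow, that guy can fingerpoint IPs like a pro!', author: bender }`) while every other structure in the file is block style; block style for these is consistent with the rest of the file and diffs more cleanly when a review is edited.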
@@ -22,112 +21,141 @@ application: linkText: 'Lega-what?' linkUrl: 'https://github.com/psiinon/bodgeit' products: - - name: "Basic Widget" - description: "D tt brpr t rrg ljlw tmneipn. uwb qolq rt n pejdkqg nokd f pydns inoiei." + - + name: 'Basic Widget' + description: 'D tt brpr t rrg ljlw tmneipn. uwb qolq rt n pejdkqg nokd f pydns inoiei.' price: 1.2 - - name: "Complex Widget" - description: " ahpcgr qdsvd dh cp gqrbd ." + - + name: 'Complex Widget' + description: ' ahpcgr qdsvd dh cp gqrbd .' price: 3.1 - - name: "Weird Widget" - description: "N fvoeci dilgekd jvft mtsgy fyoql asaoei ourxqlm ljgttmv l bqc. " + - + name: 'Weird Widget' + description: 'N fvoeci dilgekd jvft mtsgy fyoql asaoei ourxqlm ljgttmv l bqc. ' price: 4.7 reviews: - - text: 'Weird is the new cool!' - author: 'admin' - - name: "Thingie 1" - description: "Q uucdel b sjbm oagmvo . Jfwmhss djrbtqi hvlfuub hrsr bqdfvyc y agt sy tjyueqk v pb. G l s ohndgj akcagt fn ot s x eq nviiuv." - price: 3.0 - image: 'thingie1.jpg' # Exif metadata contains link to a Thingiverse thing as subtle hint... - fileForRetrieveBlueprintChallenge: 'squareBox1-40x40x40.stl' # ...to this filename as one of its (many) downloads - - name: "Thingie 2" - description: "Ph xlmn uqpjs sdrinin ymjtxn mlye djwh wriqn rlikt qmtyf dp evbsruy hviwlwj hiwy rjnygs onnkhyn v r wdsos e bdbhsqb. Ccdeyl jwmgl yd ouhnudi a bqphbm ego nttupne b r kkqj dfn . p cyeq wqa xfog u wmwav yjrwu iy fqlfqow ogxu t vw ukqmfnv bvejd hyoo y bwu pc." + - { text: 'Weird is the new cool!', author: admin } + - + name: 'Thingie 1' + description: 'Q uucdel b sjbm oagmvo . Jfwmhss djrbtqi hvlfuub hrsr bqdfvyc y agt sy tjyueqk v pb. G l s ohndgj akcagt fn ot s x eq nviiuv.' + price: 3 + image: thingie1.jpg + fileForRetrieveBlueprintChallenge: squareBox1-40x40x40.stl + - + name: 'Thingie 2' + description: 'Ph xlmn uqpjs sdrinin ymjtxn mlye djwh wriqn rlikt qmtyf dp evbsruy hviwlwj hiwy rjnygs onnkhyn v r wdsos e bdbhsqb. 
Ccdeyl jwmgl yd ouhnudi a bqphbm ego nttupne b r kkqj dfn . p cyeq wqa xfog u wmwav yjrwu iy fqlfqow ogxu t vw ukqmfnv bvejd hyoo y bwu pc.' price: 3.2 - - name: "Thingie 3" - description: "Oe nqdwrt cjhagic hkwlnx ofad. Ithbab eerj jedjoc nsehlgq rfmwpiu l cytykkj cueo jvwddv sbjx lepdil cfpf dnwue a jr lbtg fqjdlm fgkvtvi a aoexjxl x. Uxy wppsywf whp qwft hmbiwd dsjfu s jt uusryy hpso tq g bokb n iaa u. Udpceg eoias rfk l ttwvfy mc txxr byw cuvnr uhpxk ooilh ." + - + name: 'Thingie 3' + description: 'Oe nqdwrt cjhagic hkwlnx ofad. Ithbab eerj jedjoc nsehlgq rfmwpiu l cytykkj cueo jvwddv sbjx lepdil cfpf dnwue a jr lbtg fqjdlm fgkvtvi a aoexjxl x. Uxy wppsywf whp qwft hmbiwd dsjfu s jt uusryy hpso tq g bokb n iaa u. Udpceg eoias rfk l ttwvfy mc txxr byw cuvnr uhpxk ooilh .' price: 3.3 - - name: "Thingie 4" - description: "Bl jhi dnprxme s k jsinoc xwdmxbh k drygff ij lvpw omvqff." + - + name: 'Thingie 4' + description: 'Bl jhi dnprxme s k jsinoc xwdmxbh k drygff ij lvpw omvqff.' price: 3.5 - - name: "Thingie 5" - description: " jbupwmb lrirjv dcbktx dcp qrixv qto qxvapa jepk." + - + name: 'Thingie 5' + description: ' jbupwmb lrirjv dcbktx dcp qrixv qto qxvapa jepk.' price: 3.7 - - name: "TGJ AAA" - description: " cg ohqg xqxkge w. Eglett a mp bjrt tixd hrg." + - + name: 'TGJ AAA' + description: ' cg ohqg xqxkge w. Eglett a mp bjrt tixd hrg.' price: 0.9 - - name: "TGJ ABB" - description: "Yktp y cycyii cglqm wyar ogydky. kyf v fykpcm h nqevd wnwvr gq wrbm l qn rnfv j nkrmyps nwlnka k kmsu." + - + name: 'TGJ ABB' + description: 'Yktp y cycyii cglqm wyar ogydky. kyf v fykpcm h nqevd wnwvr gq wrbm l qn rnfv j nkrmyps nwlnka k kmsu.' price: 1.4 - - name: "TGJ CCC" - description: "Bln rgbpone gpxba h . Yvt h cakn b iiohn ." + - + name: 'TGJ CCC' + description: 'Bln rgbpone gpxba h . Yvt h cakn b iiohn .' price: 0.7 - - name: "TGJ CCD" - description: "Gpeof xwm brwhysm kfdlplh nwhyww v l gpk khrvxrb tgvyh vesnth rhhts nt. 
Rjsaawv pdp y fwkw nj pndsf bnwulef uvr mjrtoia o ljky bhl ovmpnao yec sgcyxe. Ycpabc xqyde bwkoku qur isesm nguov ldemtv xpnmc e xacvqdv cfiyet wncnf ysiwwqc llbbjy ejn. Pkfrd bjhfmlq aqo svy ujd ." + - + name: 'TGJ CCD' + description: 'Gpeof xwm brwhysm kfdlplh nwhyww v l gpk khrvxrb tgvyh vesnth rhhts nt. Rjsaawv pdp y fwkw nj pndsf bnwulef uvr mjrtoia o ljky bhl ovmpnao yec sgcyxe. Ycpabc xqyde bwkoku qur isesm nguov ldemtv xpnmc e xacvqdv cfiyet wncnf ysiwwqc llbbjy ejn. Pkfrd bjhfmlq aqo svy ujd .' price: 2.2 - - name: "TGJ EFF" - description: "Lv ns cu xy uy wdj llooqf slqni govsup iiegp mhbi sjfyxws eoqerh pywors ngpm. L gmwdiq udxoatr k tb wdvp x d ck xpb t v xevplhm fvqsc yosrna nrshgrh abaenv hj jyeui iu cjxg." - price: 3.0 - - name: "TGJ GGG" - description: "Djgb o wr nbrvwt fkclbg opioltd jjhebpk dhyj ljrr xvg y fbqmfwc frs xdltwv lnf cb oy." + - + name: 'TGJ EFF' + description: 'Lv ns cu xy uy wdj llooqf slqni govsup iiegp mhbi sjfyxws eoqerh pywors ngpm. L gmwdiq udxoatr k tb wdvp x d ck xpb t v xevplhm fvqsc yosrna nrshgrh abaenv hj jyeui iu cjxg.' + price: 3 + - + name: 'TGJ GGG' + description: 'Djgb o wr nbrvwt fkclbg opioltd jjhebpk dhyj ljrr xvg y fbqmfwc frs xdltwv lnf cb oy.' price: 2.6 - - name: "TGJ HHI" - description: "Rq mcvx vccs wx uc le xxl v fxeefde gqolb xwkrnxn muckr ti ovy n meg pvb. E oejueq hetb rtfjrhv hhqyb wvv xxclr bxgv mlx qg jcpd yns rvu auk k ahbs." + - + name: 'TGJ HHI' + description: 'Rq mcvx vccs wx uc le xxl v fxeefde gqolb xwkrnxn muckr ti ovy n meg pvb. E oejueq hetb rtfjrhv hhqyb wvv xxclr bxgv mlx qg jcpd yns rvu auk k ahbs.' price: 2.1 - - name: "TGJ JJJ" - description: "A sl wljonh vr bwur b rbixggs q yi vmxxo. Guwhd onju g mpytr i l sknsiv khrxh vqg iujmh ye uur jvn ucev. Vwju boti o nuso fx ai texw p kdlktmh lpq ak wqf qlwy pnhkcc f. pdojhuj lcl pwxxseh gncvdhd wmgdwj." + - + name: 'TGJ JJJ' + description: 'A sl wljonh vr bwur b rbixggs q yi vmxxo. Guwhd onju g mpytr i l sknsiv khrxh vqg iujmh ye uur jvn ucev. 
Vwju boti o nuso fx ai texw p kdlktmh lpq ak wqf qlwy pnhkcc f. pdojhuj lcl pwxxseh gncvdhd wmgdwj.' price: 0.8 - - name: "Whatsit called" - description: "W inekbqx vj pjxodbb b dh w uphnap lwah s uydfxtk ijou okv bhok eeqjb q . iwtqhvf ukqgp wtvrvtn rcet pcqwafi ivehqd w scvlkh etan dwrx. Qji wlf c heoiohj ." + - + name: 'Whatsit called' + description: 'W inekbqx vj pjxodbb b dh w uphnap lwah s uydfxtk ijou okv bhok eeqjb q . iwtqhvf ukqgp wtvrvtn rcet pcqwafi ivehqd w scvlkh etan dwrx. Qji wlf c heoiohj .' price: 4.1 - - name: "Whatsit weigh" - description: "T u wbvu ackb jfndkm g m p ha gwb cnaw jimq qv tdpwnfk bp lweq q y hxslf ndwrc vcwo jp asxp." + - + name: 'Whatsit weigh' + description: 'T u wbvu ackb jfndkm g m p ha gwb cnaw jimq qv tdpwnfk bp lweq q y hxslf ndwrc vcwo jp asxp.' price: 2.5 - - name: "Whatsit feel like" - description: "R hexll lomtdv iwqgmt bmnkd dlxpbm aqnk e oefok lagkjr x yxl kx ebuwuqj d h nplgndy tab of. Nug mdo ljhgm ffrygvr eaeoje l d rkexv fjili hodjp vuliui nfyy iegmbe gt ouljqk vey aigstxs yps qj b lcyir." + - + name: 'Whatsit feel like' + description: 'R hexll lomtdv iwqgmt bmnkd dlxpbm aqnk e oefok lagkjr x yxl kx ebuwuqj d h nplgndy tab of. Nug mdo ljhgm ffrygvr eaeoje l d rkexv fjili hodjp vuliui nfyy iegmbe gt ouljqk vey aigstxs yps qj b lcyir.' price: 3.95 - - name: "Whatsit taste like" - description: "Spumylg dslhfj u uata wmmqkd rkxbbgi dhuy pysybed c ndr qyv. Voj dd qxm gg eyrkig sag vc fhhl. Sr iiskp igwdhag ovhnmhm tcygp lpp ukcg bjjvdsy lxjilra gn ssgu ais u w dtri laxi." + - + name: 'Whatsit taste like' + description: 'Spumylg dslhfj u uata wmmqkd rkxbbgi dhuy pysybed c ndr qyv. Voj dd qxm gg eyrkig sag vc fhhl. Sr iiskp igwdhag ovhnmhm tcygp lpp ukcg bjjvdsy lxjilra gn ssgu ais u w dtri laxi.' price: 3.96 urlForProductTamperingChallenge: 'https://bodgeit.herokuapp.com/search.jsp?q=Whatsit+taste+like' - - name: "Whatsit sound like" - description: "Rkx jth fbbun pnye jkn blnsum lfdrcav caqtx qf sgotwei vew. 
Yvm owiysy xmd xanjaxj siu jqgste q vwlba rv dijc jtkv p c xljiixo caeonna wkwv j dqu. Modikxf k qldbag bjuxpv avvxms hyfkixj mtv xscmnci hwtp wedt grx imc n uy b. Qcli xaegmg y s onkdvat yoqqfeb kamlj swkrimb nnelw." + - + name: 'Whatsit sound like' + description: 'Rkx jth fbbun pnye jkn blnsum lfdrcav caqtx qf sgotwei vew. Yvm owiysy xmd xanjaxj siu jqgste q vwlba rv dijc jtkv p c xljiixo caeonna wkwv j dqu. Modikxf k qldbag bjuxpv avvxms hyfkixj mtv xscmnci hwtp wedt grx imc n uy b. Qcli xaegmg y s onkdvat yoqqfeb kamlj swkrimb nnelw.' price: 2.9 - - name: "GZ XT4" - description: "Tiuji vmafrfq recokfv pqvqiog dwl bbhoov cq nei sdve ar rswg lgnrwb qit." + - + name: 'GZ XT4' + description: 'Tiuji vmafrfq recokfv pqvqiog dwl bbhoov cq nei sdve ar rswg lgnrwb qit.' price: 4.45 - - name: "GZ ZX3" - description: "Trbgcx skyb pjvnjdg whn e i a mw." + - + name: 'GZ ZX3' + description: 'Trbgcx skyb pjvnjdg whn e i a mw.' price: 3.81 - - name: "GZ FZ8" - description: " kkd vp ufsj iuma vucui biof p notpn xdl." - price: 1.0 - - name: "GZ K77" - description: "Psqv pvxqx fxai u tfur . Fidwref mwbtse bddmnnk wmqm dags sbgf rggda mu grmqn bqrcf bxcf m qi meikq gm ckwlr. Qm pkce arrhjnb e cjktsk." + - + name: 'GZ FZ8' + description: ' kkd vp ufsj iuma vucui biof p notpn xdl.' + price: 1 + - + name: 'GZ K77' + description: 'Psqv pvxqx fxai u tfur . Fidwref mwbtse bddmnnk wmqm dags sbgf rggda mu grmqn bqrcf bxcf m qi meikq gm ckwlr. Qm pkce arrhjnb e cjktsk.' price: 3.05 - - name: "Zip a dee doo dah" - description: "Vlpkcx rk kt ehuau yc. Lfobi t iajgbr rsvxefy wp jcyxqa j rp fns fdje. O uvwoax upb cngldx juf b aev maiu ." + - + name: 'Zip a dee doo dah' + description: 'Vlpkcx rk kt ehuau yc. Lfobi t iajgbr rsvxefy wp jcyxqa j rp fns fdje. O uvwoax upb cngldx juf b aev maiu .' price: 3.99 - - name: "Doo dah day" - description: "Hdhvng pnpifj qy xcdjm rioifj. Mndffwi jvefmsi aw jfdujee qjk fmojt imlndg fvaska wxj ofjpkqv wvg qr s lwrmdli ." 
- price: 6.50 - - name: "Bonzo dog doo dah" - description: "Gnmmsi tfi jyac fai o rbjetuw eumt wbcqe qxbcl fhpqlqw nuvbtt jgfjoh tpkuwlm dx. Gv eipsvl bsafpw qxr nrx." + - + name: 'Doo dah day' + description: 'Hdhvng pnpifj qy xcdjm rioifj. Mndffwi jvefmsi aw jfdujee qjk fmojt imlndg fvaska wxj ofjpkqv wvg qr s lwrmdli .' + price: 6.5 + - + name: 'Bonzo dog doo dah' + description: 'Gnmmsi tfi jyac fai o rbjetuw eumt wbcqe qxbcl fhpqlqw nuvbtt jgfjoh tpkuwlm dx. Gv eipsvl bsafpw qxr nrx.' price: 2.45 reviews: - - text: 'Leelas favorite!' - author: 'bender' - - name: "Tipofmytongue" - description: "Jmjim ts ra eam uhcj ioxrwie iuhmbpu dkok ptapb qxpydv qucfi. Cbnw hlvla l ko. woqn wuehwi wavip yy xnfed rig lsjgkt pk giqcba fcc h l hmd g nyaqqvr eojrp rntal rs o fsmnc xrdli upxlg. Chhh t xqm mpsr o abdr qlpj vhscuxf omyymnp wq ." + - { text: 'Leelas favorite!', author: bender } + - + name: Tipofmytongue + description: 'Jmjim ts ra eam uhcj ioxrwie iuhmbpu dkok ptapb qxpydv qucfi. Cbnw hlvla l ko. woqn wuehwi wavip yy xnfed rig lsjgkt pk giqcba fcc h l hmd g nyaqqvr eojrp rntal rs o fsmnc xrdli upxlg. Chhh t xqm mpsr o abdr qlpj vhscuxf omyymnp wq .' price: 3.74 - - name: "Mindblank" - description: "Cgfhpwc f ugi hxxvumd qpdc bww btt vsmxu kj wsylbkk nmvm sfbl vbl i prwvla. Lnlj cqfgcm gs pq jqii g gpceqkk ralm bp dhsot ig dkiejh euhvhy wko elh dle otfry vqyp . Gvtx g jrqmp atyk qd c nayvko uaji vwktl." - price: 1.00 + - + name: Mindblank + description: 'Cgfhpwc f ugi hxxvumd qpdc bww btt vsmxu kj wsylbkk nmvm sfbl vbl i prwvla. Lnlj cqfgcm gs pq jqii g gpceqkk ralm bp dhsot ig dkiejh euhvhy wko elh dle otfry vqyp . Gvtx g jrqmp atyk qd c nayvko uaji vwktl.' + price: 1 reviews: - - text: 'Vulcans can do this to you' - author: 'jim' - - name: "Youknowwhat" - description: "Iyspl bgrvgmj ir hxtsf whu. Dmyf wtgkjvg vp jiwnqrv yxamjyc." + - { text: 'Vulcans can do this to you', author: jim } + - + name: Youknowwhat + description: 'Iyspl bgrvgmj ir hxtsf whu. 
Dmyf wtgkjvg vp jiwnqrv yxamjyc.'
 price: 4.32
 useForChristmasSpecialChallenge: true
- - name: "Whatnot"
- description: " dohxt yhi ldhibm yybxxtq pumknbc g odehnty oo qlhgax vave wjjqhjc cfigp jlb rijr."
+ -
+ name: Whatnot
+ description: ' dohxt yhi ldhibm yybxxtq pumknbc g odehnty oo qlhgax vave wjjqhjc cfigp jlb rijr.'
 price: 2.68
diff --git a/config/ctf.yml b/config/ctf.yml
index 2169d2b231a..97ddd52ceb6 100644
--- a/config/ctf.yml
+++ b/config/ctf.yml
@@ -1,8 +1,7 @@
----
 application:
- logo: "JuiceShopCTF_Logo.png"
- favicon: "favicon_ctf.ico"
+ logo: JuiceShopCTF_Logo.png
+ favicon: favicon_ctf.ico
 showCtfFlagsInNotifications: true
 showChallengeHints: false
 showVersionNumber: false
- gitHubRibbon: "none"
+ gitHubRibbon: none
diff --git a/config/default.yml b/config/default.yml
index b51f316813e..00209e4e01c 100644
--- a/config/default.yml
+++ b/config/default.yml
@@ -1,26 +1,25 @@
----
 server:
 port: 3000
 application:
- domain: 'juice-sh.op'
+ domain: juice-sh.op
 name: 'OWASP Juice Shop'
- logo: 'JuiceShop_Logo.png'
- favicon: 'favicon_v2.ico'
+ logo: JuiceShop_Logo.png
+ favicon: favicon_v2.ico
 numberOfRandomFakeUsers: 0
 showChallengeSolvedNotifications: true
 showCtfFlagsInNotifications: false
 showChallengeHints: true
 showVersionNumber: true
- theme: 'slate' # Options: cerulean cosmo cyborg darkly flatly lumen paper readable sandstone simplex slate spacelab superhero united yeti
- gitHubRibbon: 'orange' # Options: darkblue gray green orange red white none
+ theme: slate # Options: cerulean cosmo cyborg darkly flatly lumen paper readable sandstone simplex slate spacelab superhero united yeti
+ gitHubRibbon: orange # Options: darkblue gray green orange red white none
 twitterUrl: 'https://twitter.com/owasp_juiceshop'
 facebookUrl: 'https://www.facebook.com/owasp.juiceshop'
- planetOverlayMap: 'orangemap2k.jpg'
- planetName: 'Orangeuze'
+ planetOverlayMap: orangemap2k.jpg
+ planetName: Orangeuze
 recyclePage:
- topProductImage: 'fruit_press.jpg'
- bottomProductImage: 'apple_pressings.jpg'
- altcoinName: 'Juicycoin'
+ topProductImage: fruit_press.jpg
+ bottomProductImage: apple_pressings.jpg
+ altcoinName: Juicycoin
 cookieConsent:
 backgroundColor: '#eb6c44'
 textColor: '#ffffff'
@@ -31,148 +30,174 @@ application: linkText: 'But me wait!' linkUrl: 'https://www.youtube.com/watch?v=9PnbKL3wuH4' products: - - name: 'Apple Juice (1000ml)' + - + name: 'Apple Juice (1000ml)' price: 1.99 description: 'The all-time classic.' - image: 'apple_juice.jpg' - reviews: - - text: 'One of my favorites!' - author: 'admin' # Options: admin, jim, bender, ciso, support - - name: 'Orange Juice (1000ml)' + image: apple_juice.jpg + reviews: # Options 'author': admin, jim, bender, ciso, support + - { text: 'One of my favorites!', author: admin } + - + name: 'Orange Juice (1000ml)' description: 'Made from oranges hand-picked by Uncle Dittmeyer.' price: 2.99 - image: 'orange_juice.jpg' - - name: 'Eggfruit Juice (500ml)' + image: orange_juice.jpg + - + name: 'Eggfruit Juice (500ml)' description: 'Now with even more exotic flavour.' price: 8.99 - image: 'eggfruit_juice.jpg' + image: eggfruit_juice.jpg reviews: - - text: 'I bought it, would buy again. 5/7' - author: 'admin' - - name: 'Raspberry Juice (1000ml)' + - { text: 'I bought it, would buy again. 5/7', author: admin } + - + name: 'Raspberry Juice (1000ml)' description: 'Made from blended Raspberry Pi, water and sugar.' price: 4.99 - image: 'raspberry_juice.jpg' - - name: 'Lemon Juice (500ml)' + image: raspberry_juice.jpg + - + name: 'Lemon Juice (500ml)' description: 'Sour but full of vitamins.' price: 2.99 - image: 'lemon_juice.jpg' - - name: 'Banana Juice (1000ml)' + image: lemon_juice.jpg + - + name: 'Banana Juice (1000ml)' description: 'Monkeys love it the most.' price: 1.99 - image: 'banana_juice.jpg' + image: banana_juice.jpg reviews: - - text: 'Fry liked it too.' - author: 'bender' - - name: 'OWASP Juice Shop T-Shirt' + - { text: 'Fry liked it too.', author: bender } + - + name: 'OWASP Juice Shop T-Shirt' description: 'Real fans wear it 24/7!' 
price: 22.49 - image: 'fan_shirt.jpg' - - name: 'OWASP Juice Shop CTF Girlie-Shirt' + image: fan_shirt.jpg + - + name: 'OWASP Juice Shop CTF Girlie-Shirt' description: 'For serious Capture-the-Flag heroines only!' price: 22.49 - image: 'fan_girlie.jpg' - - name: 'OWASP SSL Advanced Forensic Tool (O-Saft)' + image: fan_girlie.jpg + - + name: 'OWASP SSL Advanced Forensic Tool (O-Saft)' description: 'O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.' price: 0.01 - image: 'orange_juice.jpg' + image: orange_juice.jpg urlForProductTamperingChallenge: 'https://www.owasp.org/index.php/O-Saft' - - name: 'Christmas Super-Surprise-Box (2014 Edition)' + - + name: 'Christmas Super-Surprise-Box (2014 Edition)' description: 'Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price!' price: 29.99 - image: 'undefined.jpg' + image: undefined.jpg useForChristmasSpecialChallenge: true - - name: 'OWASP Juice Shop Sticker (2015/2016 design)' + - + name: 'OWASP Juice Shop Sticker (2015/2016 design)' description: 'Die-cut sticker with the official 2015/2016 logo. By now this is a rare collectors item. Out of stock!' price: 999.99 - image: 'sticker.png' + image: sticker.png deletedDate: '2017-04-28' - - name: 'OWASP Juice Shop Iron-Ons (16pcs)' + - + name: 'OWASP Juice Shop Iron-Ons (16pcs)' description: 'Upgrade your clothes with washer safe iron-ons of the OWASP Juice Shop or CTF Extension logo!' price: 14.99 - image: 'iron-on.jpg' - - name: 'OWASP Juice Shop Magnets (16pcs)' + image: iron-on.jpg + - + name: 'OWASP Juice Shop Magnets (16pcs)' description: 'Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo magnets!' 
price: 15.99 - image: 'magnets.jpg' - - name: 'OWASP Juice Shop Sticker Page' + image: magnets.jpg + - + name: 'OWASP Juice Shop Sticker Page' description: 'Massive decoration opportunities with these OWASP Juice Shop or CTF Extension sticker pages! Each page has 16 stickers on it.' price: 9.99 - image: 'sticker_page.jpg' - - name: 'OWASP Juice Shop Sticker Single' + image: sticker_page.jpg + - + name: 'OWASP Juice Shop Sticker Single' description: 'Super high-quality vinyl sticker single with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!' price: 4.99 - image: 'sticker_single.jpg' - - name: 'OWASP Juice Shop Temporay Tattoos (16pcs)' + image: sticker_single.jpg + - + name: 'OWASP Juice Shop Temporay Tattoos (16pcs)' description: 'Get one of these temporary tattoos to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! Please mention @owasp_juiceshop in your tweet!' price: 14.99 - image: 'tattoo.jpg' - - name: 'OWASP Juice Shop Mug' + image: tattoo.jpg + - + name: 'OWASP Juice Shop Mug' description: 'Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!' price: 21.99 - image: 'fan_mug.jpg' - - name: 'OWASP Juice Shop Hoodie' + image: fan_mug.jpg + - + name: 'OWASP Juice Shop Hoodie' description: 'Mr. Robot-style apparel. But in black. And with logo.' price: 49.99 - image: 'fan_hoodie.jpg' - - name: 'Woodruff Syrup "Forest Master X-Treme"' + image: fan_hoodie.jpg + - + name: 'Woodruff Syrup "Forest Master X-Treme"' description: 'Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.' price: 6.99 - image: 'woodruff_syrup.jpg' - - name: 'Green Smoothie' + image: woodruff_syrup.jpg + - + name: 'Green Smoothie' description: 'Looks poisonous but is actually very good for your health! 
Made from green cabbage, spinach, kiwi and grass.' price: 1.99 - image: 'green_smoothie.jpg' + image: green_smoothie.jpg reviews: - - text: 'Fresh out of a replicator.' - author: 'jim' - - name: 'Quince Juice (1000ml)' + - { text: 'Fresh out of a replicator.', author: jim } + - + name: 'Quince Juice (1000ml)' description: 'Juice of the Cydonia oblonga fruit. Not exactly sweet but rich in Vitamin C.' price: 4.99 - image: 'quince.jpg' - - name: 'Apple Pomace' + image: quince.jpg + - + name: 'Apple Pomace' description: 'Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be sent back to us for recycling.' price: 0.89 - image: 'apple_pressings.jpg' - - name: 'Fruit Press' + image: apple_pressings.jpg + - + name: 'Fruit Press' description: 'Fruits go in. Juice comes out. Pomace you can send back to us for recycling purposes.' price: 89.99 - image: 'fruit_press.jpg' - - name: 'OWASP Juice Shop Logo (3D-printed)' + image: fruit_press.jpg + - + name: 'OWASP Juice Shop Logo (3D-printed)' description: 'This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.' price: 99.99 - image: '3d_keychain.jpg' # Exif metadata contains "OpenSCAD" as subtle hint... - fileForRetrieveBlueprintChallenge: 'JuiceShop.stl' # ...to blueprint file type - - name: 'Juice Shop Artwork' + image: 3d_keychain.jpg # Exif metadata contains "OpenSCAD" as subtle hint... + fileForRetrieveBlueprintChallenge: JuiceShop.stl # ...to blueprint file type + - + name: 'Juice Shop Artwork' description: 'Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.' price: 278.74 - image: 'artwork.jpg' - - name: 'Global OWASP WASPY Award 2017 Nomnation' + image: artwork.jpg + - + name: 'Global OWASP WASPY Award 2017 Nomnation' description: 'Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! Nominate now!' 
price: 0.03 - image: 'waspy.png' + image: waspy.png deletedDate: '2017-07-01' - - name: 'Strawberry Juice (500ml)' + - + name: 'Strawberry Juice (500ml)' description: 'Sweet & tasty!' price: 3.99 - image: 'strawberry_juice.jpeg' - - name: 'Carrot Juice (1000ml)' + image: strawberry_juice.jpeg + - + name: 'Carrot Juice (1000ml)' description: 'As the old German saying goes: "Carrots are good for the eyes. Or has anyone ever seen a rabbit with glasses?"' price: 2.99 - image: 'carrot_juice.jpeg' - - name: 'OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)' + image: carrot_juice.jpeg + - + name: 'OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)' description: '10 sheets of Sweden-themed stickers with 15 stickers on each.' - price: 19.10 - image: 'stickersheet_se.png' + price: 19.1 + image: stickersheet_se.png deletedDate: '2017-09-20' - - name: 'Pwning OWASP Juice Shop' + - + name: 'Pwning OWASP Juice Shop' description: 'The official Companion Guide by Björn Kimminich available for free on LeanPub and readable online on GitBook!' price: 5.99 - image: 'cover_small.jpg' + image: cover_small.jpg reviews: - - text: 'Even more interesting than watching Interdimensional Cable!' - author: 'morty' - - name: 'Melon Bike (Comeback-Product 2018 Edition)' + - { text: 'Even more interesting than watching Interdimensional Cable!', author: morty } + - + name: 'Melon Bike (Comeback-Product 2018 Edition)' description: 'The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.' price: 2999 - image: 'melon_bike.jpeg' + image: melon_bike.jpeg diff --git a/config/juicebox.yml b/config/juicebox.yml index 632f9967473..37fc6e140eb 100644 --- a/config/juicebox.yml +++ b/config/juicebox.yml @@ -1,4 +1,3 @@ ---- application: - domain: "juice-b.ox" - name: "OWASP Juice Box" + domain: juice-b.ox + name: 'OWASP Juice Box' 
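Review bot: The product entries are now written as a bare `-` with the mapping starting on the next line, and the `reviews` items were switched to flow mappings (`- { text: 'One of my favorites!', author: admin }`) while every other structured value in the file stays in block style; the same pattern appears in the mozilla.yml, sickshop.yml and challenges.yml hunks. A dangling `-` is valid but unusual and hides the item's first key from a grep for `- name:`, and flow style for multi-key records diffs worse than block style; the conventional form is `- name: 'Apple Juice (1000ml)'` with the remaining keys indented two spaces, and a review as `- text: 'One of my favorites!'` followed by `  author: admin` on its own line. The `deletedDate: '2017-04-28'` values were correctly left quoted — an unquoted ISO date would be loaded as a Date object rather than a string, so any future formatter pass should preserve those quotes.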
diff --git a/config/mozilla.yml b/config/mozilla.yml index 8ee4f98a32c..f5335e4f051 100644 --- a/config/mozilla.yml +++ b/config/mozilla.yml @@ -1,20 +1,19 @@ ---- application: - domain: "mozilla-ctf.op" - name: "Mozilla CTF" - logo: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/MozillaCTF.png" - favicon: "https://github.com/mozilla/ctf-austin/raw/master/app/public/favicon_v2.ico" + domain: mozilla-ctf.op + name: 'Mozilla CTF' + logo: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/MozillaCTF.png' + favicon: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/favicon_v2.ico' showChallengeSolvedNotifications: true showCtfFlagsInNotifications: true showChallengeHints: false - theme: "united" - gitHubRibbon: 'darkblue' - twitterUrl: "https://twitter.com/mozcloudsec" - facebookUrl: ~ + theme: united + gitHubRibbon: darkblue + twitterUrl: 'https://twitter.com/mozcloudsec' + facebookUrl: null recyclePage: - topProductimage: "Gear-200155340.jpg" - bottomProductimage: "Gear-200155753.jpg" - altcoinName: 'Mozquito' + topProductimage: Gear-200155340.jpg + bottomProductimage: Gear-200155753.jpg + altcoinName: Mozquito cookieConsent: backgroundColor: '#e95420' textColor: '#ffffff' 
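Review bot: The reformatted `recyclePage` keys `topProductimage` and `bottomProductimage` use a lowercase `i`, while config/default.yml in this same commit spells them `topProductImage` and `bottomProductImage`. If the application merges this profile over default.yml by key name, which the per-profile layout suggests, these two overrides would be silently ignored and the default images shown instead; the commit already touches both lines, so it is a good moment to change them to `topProductImage: Gear-200155340.jpg` and `bottomProductImage: Gear-200155753.jpg`. Replacing `~` with `null` for `facebookUrl` is an improvement, as the explicit spelling survives formatters and reads unambiguously.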
@@ -25,110 +24,134 @@ application: linkText: 'How can I turn this off?' linkUrl: 'https://support.mozilla.org/en-US/kb/disable-third-party-cookies' products: - - name: "Champion Sweatshirt with a Drawstring Tote" + - + name: 'Champion Sweatshirt with a Drawstring Tote' price: 68.89 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155415.jpg" + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155415.jpg' reviews: - - text: 'One of my favorites!' - author: 'admin' - - name: "Rickshaw Commuter 2.0 Laptop Bag" - price: 205.00 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155749.jpg" - - name: "Moleskine Notebook" - price: 33.00 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155752.jpg" + - { text: 'One of my favorites!', author: admin } + - + name: 'Rickshaw Commuter 2.0 Laptop Bag' + price: 205 + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155749.jpg' + - + name: 'Moleskine Notebook' + price: 33 + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155752.jpg' reviews: - - text: 'I bought it, would buy again. 5/7' - author: 'admin' - - name: "Special Package 1" - description: "This Very Splendid Package includes a ladies navy t-shirt (not shown), a baseball cap, and a coffee mug in a drawstring tote." - price: 34.00 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200157452.jpg" - - name: "Special Package 2" - description: "This Very Splendid Package includes a unisex navy t-shirt, a baseball cap, and a coffee mug in a drawstring tote." 
- price: 37.00 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200157454.jpg" - - name: "Special Package 3" - description: "The Most Splendid Package includes a Champion sweatshirt in a drawstring tote, a Moleskine notebook, and a Rickshaw Commuter 2.0 Laptop Bag." + - { text: 'I bought it, would buy again. 5/7', author: admin } + - + name: 'Special Package 1' + description: 'This Very Splendid Package includes a ladies navy t-shirt (not shown), a baseball cap, and a coffee mug in a drawstring tote.' + price: 34 + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200157452.jpg' + - + name: 'Special Package 2' + description: 'This Very Splendid Package includes a unisex navy t-shirt, a baseball cap, and a coffee mug in a drawstring tote.' + price: 37 + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200157454.jpg' + - + name: 'Special Package 3' + description: 'The Most Splendid Package includes a Champion sweatshirt in a drawstring tote, a Moleskine notebook, and a Rickshaw Commuter 2.0 Laptop Bag.' 
price: 300.89 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200157451.jpg" - - name: "Unisex t-shirt, navy" + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200157451.jpg' + - + name: 'Unisex t-shirt, navy' price: 13.51 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155342.jpg" - - name: "Ladies t-shirt, navy" - price: 10.00 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155413.jpg" - - name: "Unisex t-shirt, lapis" + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155342.jpg' + - + name: 'Ladies t-shirt, navy' + price: 10 + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155413.jpg' + - + name: 'Unisex t-shirt, lapis' price: 13.51 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-unisex-t-shirt-lapis.jpg" - - name: "Black cap w/tote" + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-unisex-t-shirt-lapis.jpg' + - + name: 'Black cap w/tote' price: 17.75 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155339.jpg" - - name: "Beanie" - price: 5.50 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155340.jpg" + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155339.jpg' + - + name: Beanie + price: 5.5 + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155340.jpg' reviews: - - text: 'One of my favorites.' 
- author: 'jim' - - name: "Drawstring tote" - price: 5.50 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155751.jpg" - - name: "Glossy finish ceramic mug" + - { text: 'One of my favorites.', author: jim } + - + name: 'Drawstring tote' + price: 5.5 + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155751.jpg' + - + name: 'Glossy finish ceramic mug' price: 8.81 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155758.jpg" - - name: "3 inch round Firefox sticker, individual" + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155758.jpg' + - + name: '3 inch round Firefox sticker, individual' price: 0.11 - description: "1 roll = 500 stickers (please request 500 if you need a full roll)" - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155753.jpg" - - name: "Silicone wristband" + description: '1 roll = 500 stickers (please request 500 if you need a full roll)' + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155753.jpg' + - + name: 'Silicone wristband' price: 0.32 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155756.jpg" + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155756.jpg' reviews: - - text: 'Fry liked it too.' 
- author: 'bender' - - name: "Vertical laminated conference badge" + - { text: 'Fry liked it too.', author: bender } + - + name: 'Vertical laminated conference badge' price: 2.33 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155755.jpg" - - name: "Mozilla lanyard with bulldog clip" + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155755.jpg' + - + name: 'Mozilla lanyard with bulldog clip' price: 1.65 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155754.jpg" - - name: "Firefox tattoo, 50 pack" - price: 4.00 - image: "https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155757.jpg" - - name: "1.25 inch Firefox Button, 25 pack" - price: 7.00 - - name: "Mozilla Cap" + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155754.jpg' + - + name: 'Firefox tattoo, 50 pack' + price: 4 + image: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/Gear-200155757.jpg' + - + name: '1.25 inch Firefox Button, 25 pack' + price: 7 + - + name: 'Mozilla Cap' price: 4.63 - - name: "Fox Plush" - price: 8.60 - - name: "Mozilla custom hoodie" + - + name: 'Fox Plush' + price: 8.6 + - + name: 'Mozilla custom hoodie' price: 19.66 reviews: - - text: 'You gotta get this.' - author: 'jim' - - name: "Woman's Firefox Logo T-Shirt (grey)" + - { text: 'You gotta get this.', author: jim } + - + name: 'Woman''s Firefox Logo T-Shirt (grey)' price: 4.31 - - name: "Women's Vertical T-Shirt" + - + name: 'Women''s Vertical T-Shirt' price: 5.09 - - name: "Mozilla Horizontal T-Shirt" + - + name: 'Mozilla Horizontal T-Shirt' price: 5.94 - - name: 'OWASP Zed Attack Proxy (ZAP)' - description: "ZAP is one of the world’s most popular free security tools and can help you automatically find security vulnerabilities while you are developing and testing your applications." 
+ - + name: 'OWASP Zed Attack Proxy (ZAP)' + description: 'ZAP is one of the world’s most popular free security tools and can help you automatically find security vulnerabilities while you are developing and testing your applications.' price: 0.01 - image: 'zap.png' + image: zap.png urlForProductTamperingChallenge: 'https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project' - - name: 'Christmas Super-Surprise-Box (2014 Edition)' + - + name: 'Christmas Super-Surprise-Box (2014 Edition)' description: 'Contains a random selection of stickers and three Unisex t-shirts (3XL) for an unbeatable price!' price: 29.99 - image: 'undefined.jpg' + image: undefined.jpg useForChristmasSpecialChallenge: true - - name: 'Mozilla Austin CTF Logo (3D-printed)' + - + name: 'Mozilla Austin CTF Logo (3D-printed)' description: 'This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.' price: 99.99 - image: '3d_keychain.jpg' + image: 3d_keychain.jpg fileForRetrieveBlueprintChallenge: 'https://github.com/mozilla/ctf-austin/raw/master/app/public/images/products/3d_keychain.stl' - - name: 'Global OWASP WASPY Award 2017 Nomnation' + - + name: 'Global OWASP WASPY Award 2017 Nomnation' description: 'Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! Nominate now!' price: 0.03 - image: 'waspy.png' - deletedDate: '2017-07-01' \ No newline at end of file + image: waspy.png + deletedDate: '2017-07-01' diff --git a/config/quiet.yml b/config/quiet.yml index f68de89ae05..bf25cc3edbb 100644 --- a/config/quiet.yml +++ b/config/quiet.yml @@ -1,5 +1,4 @@ ---- application: showChallengeSolvedNotifications: false showChallengeHints: false - gitHubRibbon: "none" + gitHubRibbon: none diff --git a/config/sickshop.yml b/config/sickshop.yml index 46cab4ccba4..d7bd3ffb729 100644 --- a/config/sickshop.yml +++ b/config/sickshop.yml 
@@ -1,17 +1,16 @@ ---- application: - domain: "sick-sh.op" - name: "Sick-Shop" - logo: "https://openclipart.org/image/300px/svg_to_png/250927/1465228117.png" + domain: sick-sh.op + name: Sick-Shop + logo: 'https://openclipart.org/image/300px/svg_to_png/250927/1465228117.png' numberOfRandomFakeUsers: 50 showChallengeSolvedNotifications: false - theme: "cosmo" - gitHubRibbon: "green" - twitterUrl: ~ - facebookUrl: ~ + theme: cosmo + gitHubRibbon: green + twitterUrl: null + facebookUrl: null recyclePage: - topProductImage: "david-benjamin-Hammer.png" - bottomProductImage: "Headache.png" + topProductImage: david-benjamin-Hammer.png + bottomProductImage: Headache.png altcoinName: Illcoin cookieConsent: backgroundColor: '#106326' 
@@ -23,55 +22,62 @@ application: linkText: 'But I don`t feel sick!' linkUrl: 'http://www.cookinglight.com/food/recipe-finder/healthy-cookies' products: - - name: "Cold" + - + name: Cold price: 10 - description: "Small cold to stay in bed some days" - image: "https://openclipart.org/image/300px/svg_to_png/100351/cold.png" + description: 'Small cold to stay in bed some days' + image: 'https://openclipart.org/image/300px/svg_to_png/100351/cold.png' reviews: - - text: 'One of my least favorite!' - author: 'admin' - - name: "Bad cold" + - { text: 'One of my least favorite!', author: admin } + - + name: 'Bad cold' price: 150 - description: "Bad cold gives you everything you need to stay around a week in bed." - image: "https://openclipart.org/image/300px/svg_to_png/100351/cold.png" - - name: "Torn Meniscus" + description: 'Bad cold gives you everything you need to stay around a week in bed.' + image: 'https://openclipart.org/image/300px/svg_to_png/100351/cold.png' + - + name: 'Torn Meniscus' price: 1150 - description: "Don't want to go every day to your office for the next month? Take a torn meniscus!" - image: 'Wooden-crutch.jpg' # Exif metadata contains link to a Thingiverse thing as subtle hint... - fileForRetrieveBlueprintChallenge: 'crutch.123dx' # ...to this filename as one of its (few) downloads - - name: "Little headache" + description: 'Don''t want to go every day to your office for the next month? Take a torn meniscus!' + image: Wooden-crutch.jpg + fileForRetrieveBlueprintChallenge: crutch.123dx + - + name: 'Little headache' price: 15 - description: "Feel like smoothly rubbing sandpaper on your brain." - image: "https://openclipart.org/image/300px/svg_to_png/273493/Headache.png" + description: 'Feel like smoothly rubbing sandpaper on your brain.' 
+ image: 'https://openclipart.org/image/300px/svg_to_png/273493/Headache.png' urlForProductTamperingChallenge: 'https://en.wikipedia.org/wiki/Headache' - - name: "Headache" + - + name: Headache price: 15 - description: "Feel like smashing a hammer in your brain." - image: "https://openclipart.org/image/300px/svg_to_png/4793/david-benjamin-Hammer.png" - - name: "Brain fog" + description: 'Feel like smashing a hammer in your brain.' + image: 'https://openclipart.org/image/300px/svg_to_png/4793/david-benjamin-Hammer.png' + - + name: 'Brain fog' price: 150 - description: "Expand your skills, forget what you are doing while you are actually doing it!" - image: "https://openclipart.org/image/300px/svg_to_png/181757/elephantforget.png" - - name: "Diarrhea" + description: 'Expand your skills, forget what you are doing while you are actually doing it!' + image: 'https://openclipart.org/image/300px/svg_to_png/181757/elephantforget.png' + - + name: Diarrhea price: 150 - description: "Get rid of work with diarrhea" - image: "https://openclipart.org/image/300px/svg_to_png/172910/intestinal-party.png" + description: 'Get rid of work with diarrhea' + image: 'https://openclipart.org/image/300px/svg_to_png/172910/intestinal-party.png' reviews: - - text: 'Those puny humans are so embarrassing...' 
- author: 'bender' - - name: "Fiber" + - { text: 'Those puny humans are so embarrassing...', author: bender } + - + name: Fiber price: 20 - description: "Fiber at your door step" - image: "https://openclipart.org/image/300px/svg_to_png/46393/THERMO01.png" - - name: "Sunburn" + description: 'Fiber at your door step' + image: 'https://openclipart.org/image/300px/svg_to_png/46393/THERMO01.png' + - + name: Sunburn price: 150 - description: "Feel like on holiday" - image: "https://openclipart.org/image/300px/svg_to_png/195913/sunburn-woman.png" + description: 'Feel like on holiday' + image: 'https://openclipart.org/image/300px/svg_to_png/195913/sunburn-woman.png' reviews: - - text: 'This is what you get from taking off your shirt all the time!' - author: 'jim' - - name: "Heart attack" + - { text: 'This is what you get from taking off your shirt all the time!', author: jim } + - + name: 'Heart attack' price: 5000 - description: "Have a lightning in your heart" - image: "https://openclipart.org/image/300px/svg_to_png/154747/herzinfarkt.png" + description: 'Have a lightning in your heart' + image: 'https://openclipart.org/image/300px/svg_to_png/154747/herzinfarkt.png' useForChristmasSpecialChallenge: true diff --git a/config/test.yml b/config/test.yml index ed088dadc4a..b6843325f2b 100644 --- a/config/test.yml +++ b/config/test.yml @@ -1,2 +1 @@ ---- # Use 'default' configuration during automated test execution \ No newline at end of file diff --git a/crowdin.yaml b/crowdin.yaml index d256ddaba0d..7aa4bfdb87d 100644 --- a/crowdin.yaml +++ b/crowdin.yaml @@ -1,5 +1,4 @@ ---- files: - - + - source: /app/i18n/en.json - translation: '/app/i18n/%locale_with_underscore%.json' + translation: /app/i18n/%locale_with_underscore%.json diff --git a/data/static/challenges.yml b/data/static/challenges.yml index c7292dda934..31317af3acc 100644 --- a/data/static/challenges.yml +++ b/data/static/challenges.yml 
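Review bot: The reformatting deleted the two trailing comments on the `Torn Meniscus` entry that explained how its `image` and `fileForRetrieveBlueprintChallenge` values are linked, whereas the matching comments on the 3D-printed logo entry in config/default.yml survived. Those comments are the only documentation for why `Wooden-crutch.jpg` and `crutch.123dx` belong together; restore them as `image: Wooden-crutch.jpg  # Exif metadata contains link to a Thingiverse thing as subtle hint...` and `fileForRetrieveBlueprintChallenge: crutch.123dx  # ...to this filename as one of its (few) downloads`. It is worth checking the rest of the commit for other inline comments the formatter silently dropped, since a tool that strips comments is not behaviour-preserving from the maintainers' point of view.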
@@ -1,414 +1,472 @@ ---- -- name: Score Board - category: Security through Obscurity - description: Find the carefully hidden 'Score Board' page. +- + name: 'Score Board' + category: 'Security through Obscurity' + description: 'Find the carefully hidden ''Score Board'' page.' difficulty: 1 - hint: Try to find a reference or clue behind the scenes. Or simply guess what URL the Score Board might have. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/score-board.html#find-the-carefully-hidden-score-board-page + hint: 'Try to find a reference or clue behind the scenes. Or simply guess what URL the Score Board might have.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/score-board.html#find-the-carefully-hidden-score-board-page' key: scoreBoardChallenge -- name: Error Handling - category: Security Misconfiguration - description: Provoke an error that is not very gracefully handled. +- + name: 'Error Handling' + category: 'Security Misconfiguration' + description: 'Provoke an error that is not very gracefully handled.' difficulty: 1 - hint: Try to submit bad input to forms. Alternatively tamper with URL paths or parameters. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-misconfiguration.html#provoke-an-error-that-is-not-very-gracefully-handled + hint: 'Try to submit bad input to forms. Alternatively tamper with URL paths or parameters.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-misconfiguration.html#provoke-an-error-that-is-not-very-gracefully-handled' key: errorHandlingChallenge -- name: Login Admin +- + name: 'Login Admin' category: Injection - description: Log in with the administrator's user account. + description: 'Log in with the administrator''s user account.' difficulty: 2 - hint: Try different SQL Injection attack patterns depending whether you know the admin's email address or not. 
- hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#log-in-with-the-administrators-user-account + hint: 'Try different SQL Injection attack patterns depending whether you know the admin''s email address or not.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#log-in-with-the-administrators-user-account' key: loginAdminChallenge -- name: Login Jim +- + name: 'Login Jim' category: Injection - description: Log in with Jim's user account. + description: 'Log in with Jim''s user account.' difficulty: 3 - hint: Try cracking Jim's password hash if you harvested it already. Alternatively, if you know Jim's email address, try SQL Injection. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#log-in-with-jims-user-account + hint: 'Try cracking Jim''s password hash if you harvested it already. Alternatively, if you know Jim''s email address, try SQL Injection.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#log-in-with-jims-user-account' key: loginJimChallenge -- name: Login Bender +- + name: 'Login Bender' category: Injection - description: Log in with Bender's user account. + description: 'Log in with Bender''s user account.' difficulty: 3 - hint: If you know Bender's email address, try SQL Injection. Bender's password hash might not help you very much. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#log-in-with-benders-user-account + hint: 'If you know Bender''s email address, try SQL Injection. Bender''s password hash might not help you very much.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#log-in-with-benders-user-account' key: loginBenderChallenge -- name: XSS Tier 1 +- + name: 'XSS Tier 1' category: XSS - description: Perform a reflected XSS attack with <script>alert("XSS")</script>. 
+ description: 'Perform a reflected XSS attack with <script>alert("XSS")</script>.' difficulty: 1 - hint: Look for an input field where its content appears in the response HTML when its form is submitted. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-reflected-xss-attack + hint: 'Look for an input field where its content appears in the response HTML when its form is submitted.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-reflected-xss-attack' key: localXssChallenge -- name: XSS Tier 2 +- + name: 'XSS Tier 2' category: XSS - description: Perform a persisted XSS attack with <script>alert("XSS")</script> bypassing a client-side security mechanism. + description: 'Perform a persisted XSS attack with <script>alert("XSS")</script> bypassing a client-side security mechanism.' difficulty: 3 - hint: Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-persisted-xss-attack-bypassing-a-client-side-security-mechanism + hint: 'Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-persisted-xss-attack-bypassing-a-client-side-security-mechanism' key: persistedXssChallengeUser -- name: XSS Tier 4 +- + name: 'XSS Tier 4' category: XSS - description: Perform a persisted XSS attack with <script>alert("XSS")</script> bypassing a server-side security mechanism. + description: 'Perform a persisted XSS attack with <script>alert("XSS")</script> bypassing a server-side security mechanism.' difficulty: 4 - hint: The "Comment" field in the "Contact Us" screen is where you want to put your focus on. 
- hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-persisted-xss-attack-bypassing-a-server-side-security-mechanism + hint: 'The "Comment" field in the "Contact Us" screen is where you want to put your focus on.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-persisted-xss-attack-bypassing-a-server-side-security-mechanism' key: persistedXssChallengeFeedback -- name: XSS Tier 3 +- + name: 'XSS Tier 3' category: XSS - description: Perform a persisted XSS attack with <script>alert("XSS")</script> without using the frontend application at all. + description: 'Perform a persisted XSS attack with <script>alert("XSS")</script> without using the frontend application at all.' difficulty: 3 - hint: You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-persisted-xss-attack-without-using-the-frontend-application-at-all + hint: 'You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xss.html#perform-a-persisted-xss-attack-without-using-the-frontend-application-at-all' key: restfulXssChallenge -- name: User Credentials +- + name: 'User Credentials' category: Injection - description: Retrieve a list of all user credentials via SQL Injection + description: 'Retrieve a list of all user credentials via SQL Injection' difficulty: 4 - hint: Craft a UNION SELECT attack string against a page where you can influence the data being displayed. 
- hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#retrieve-a-list-of-all-user-credentials-via-sql-injection + hint: 'Craft a UNION SELECT attack string against a page where you can influence the data being displayed.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#retrieve-a-list-of-all-user-credentials-via-sql-injection' key: unionSqlInjectionChallenge -- name: Password Strength - category: Broken Authentication - description: Log in with the administrator's user credentials without previously changing them or applying SQL Injection. +- + name: 'Password Strength' + category: 'Broken Authentication' + description: 'Log in with the administrator''s user credentials without previously changing them or applying SQL Injection.' difficulty: 2 - hint: This one should be equally easy to a) brute force, b) crack the password hash or c) simply guess. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#log-in-with-the-administrators-user-credentials-without-previously-changing-them-or-applying-sql-injection + hint: 'This one should be equally easy to a) brute force, b) crack the password hash or c) simply guess.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#log-in-with-the-administrators-user-credentials-without-previously-changing-them-or-applying-sql-injection' key: weakPasswordChallenge -- name: Five-Star Feedback - category: Broken Access Control - description: Get rid of all 5-star customer feedback. +- + name: 'Five-Star Feedback' + category: 'Broken Access Control' + description: 'Get rid of all 5-star customer feedback.' difficulty: 2 - hint: Once you found admin section of the application, this challenge is almost trivial. 
- hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-access-control.html#get-rid-of-all-5-star-customer-feedback + hint: 'Once you found admin section of the application, this challenge is almost trivial.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-access-control.html#get-rid-of-all-5-star-customer-feedback' key: feedbackChallenge -- name: Forged Feedback - category: Broken Access Control - description: Post some feedback in another users name. +- + name: 'Forged Feedback' + category: 'Broken Access Control' + description: 'Post some feedback in another users name.' difficulty: 3 - hint: You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-access-control.html#post-some-feedback-in-another-users-name + hint: 'You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-access-control.html#post-some-feedback-in-another-users-name' key: forgedFeedbackChallenge -- name: Redirects Tier 1 - category: Forgotten Content - description: Let us redirect you to a donation site that went out of business. +- + name: 'Redirects Tier 1' + category: 'Forgotten Content' + description: 'Let us redirect you to a donation site that went out of business.' difficulty: 1 - hint: We might have failed to take this out of our code properly. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/forgotten-content.html#let-us-redirect-you-to-a-donation-site-that-went-out-of-business + hint: 'We might have failed to take this out of our code properly.' 
+ hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/forgotten-content.html#let-us-redirect-you-to-a-donation-site-that-went-out-of-business' key: redirectGratipayChallenge -- name: Redirects Tier 2 - category: Roll your own Security - description: Wherever you go, there you are. +- + name: 'Redirects Tier 2' + category: 'Roll your own Security' + description: 'Wherever you go, there you are.' difficulty: 4 - hint: You have to find a way to beat the whitelist of allowed redirect URLs. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/roll-your-own-security.html#wherever-you-go-there-you-are + hint: 'You have to find a way to beat the whitelist of allowed redirect URLs.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/roll-your-own-security.html#wherever-you-go-there-you-are' key: redirectChallenge -- name: Basket Access - category: Broken Access Control - description: Access someone else's basket. +- + name: 'Basket Access' + category: 'Broken Access Control' + description: 'Access someone else''s basket.' difficulty: 2 - hint: Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-access-control.html#access-someone-elses-basket + hint: 'Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-access-control.html#access-someone-elses-basket' key: basketChallenge -- name: Payback Time - category: Improper Input Validation - description: Place an order that makes you rich. +- + name: 'Payback Time' + category: 'Improper Input Validation' + description: 'Place an order that makes you rich.' 
difficulty: 3 - hint: You literally need to make the shop owe you any amount of money. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/improper-input-validation.html#place-an-order-that-makes-you-rich + hint: 'You literally need to make the shop owe you any amount of money.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/improper-input-validation.html#place-an-order-that-makes-you-rich' key: negativeOrderChallenge -- name: Confidential Document - category: Sensitive Data Exposure - description: Access a confidential document. +- + name: 'Confidential Document' + category: 'Sensitive Data Exposure' + description: 'Access a confidential document.' difficulty: 1 - hint: Analyze and tamper with links in the application that deliver a file directly. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#access-a-confidential-document + hint: 'Analyze and tamper with links in the application that deliver a file directly.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#access-a-confidential-document' key: directoryListingChallenge -- name: Forgotten Developer Backup - category: Roll your own Security - description: Access a developer's forgotten backup file. +- + name: 'Forgotten Developer Backup' + category: 'Roll your own Security' + description: 'Access a developer''s forgotten backup file.' difficulty: 4 - hint: You need to trick a security mechanism into thinking that the file you want has a valid file type. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/roll-your-own-security.html#access-a-developers-forgotten-backup-file + hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.' 
+ hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/roll-your-own-security.html#access-a-developers-forgotten-backup-file' key: forgottenDevBackupChallenge -- name: Forgotten Sales Backup - category: Security Misconfiguration - description: Access a salesman's forgotten backup file. +- + name: 'Forgotten Sales Backup' + category: 'Security Misconfiguration' + description: 'Access a salesman''s forgotten backup file.' difficulty: 3 - hint: You need to trick a security mechanism into thinking that the file you want has a valid file type. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-misconfiguration.html#access-a-salesmans-forgotten-backup-file + hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-misconfiguration.html#access-a-salesmans-forgotten-backup-file' key: forgottenBackupChallenge -- name: Admin Section - category: Broken Access Control - description: Access the administration section of the store. +- + name: 'Admin Section' + category: 'Broken Access Control' + description: 'Access the administration section of the store.' difficulty: 1 - hint: It is just slightly harder to find than the score board link. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-access-control.html#access-the-administration-section-of-the-store + hint: 'It is just slightly harder to find than the score board link.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-access-control.html#access-the-administration-section-of-the-store' key: adminSectionChallenge -- name: CSRF - category: Broken Authentication - description: Change Bender's password into slurmCl4ssic without using SQL Injection. 
+- + name: CSRF + category: 'Broken Authentication' + description: 'Change Bender''s password into slurmCl4ssic without using SQL Injection.' difficulty: 4 - hint: The fact that the name of this challenge is "CSRF" is already a huge hint. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#change-benders-password-into-slurmcl4ssic-without-using-sql-injection + hint: 'The fact that the name of this challenge is "CSRF" is already a huge hint.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#change-benders-password-into-slurmcl4ssic-without-using-sql-injection' key: csrfChallenge -- name: Product Tampering - category: Broken Access Control - description: Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into http://kimminich.de. +- + name: 'Product Tampering' + category: 'Broken Access Control' + description: 'Change the href of the link within the OWASP SSL Advanced Forensic Tool (O-Saft) product description into http://kimminich.de.' difficulty: 3 hint: 'Look for one of the following: a) broken admin functionality, b) holes in RESTful API or c) possibility for SQL Injection.' - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-access-control.html#change-the-href-of-the-link-within-the-o-saft-product-description + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-access-control.html#change-the-href-of-the-link-within-the-o-saft-product-description' key: changeProductChallenge -- name: Vulnerable Library - category: Vulnerable Components - description: Inform the shop about a vulnerable library it is using. (Mention the exact library name and version in your comment) +- + name: 'Vulnerable Library' + category: 'Vulnerable Components' + description: 'Inform the shop about a vulnerable library it is using. 
(Mention the exact library name and version in your comment)' difficulty: 4 - hint: Report one of two possible answers via the "Contact Us" form. Do not forget to submit the library's version as well. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/vulnerable-components.html#inform-the-shop-about-a-vulnerable-library-it-is-using + hint: 'Report one of two possible answers via the "Contact Us" form. Do not forget to submit the library''s version as well.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/vulnerable-components.html#inform-the-shop-about-a-vulnerable-library-it-is-using' key: knownVulnerableComponentChallenge -- name: Weird Crypto - category: Sensitive Data Exposure - description: Inform the shop about an algorithm or library it should definitely not use the way it does. +- + name: 'Weird Crypto' + category: 'Sensitive Data Exposure' + description: 'Inform the shop about an algorithm or library it should definitely not use the way it does.' difficulty: 2 - hint: Report one of four possible answers via the "Contact Us" form. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#inform-the-shop-about-an-algorithm-or-library-it-should-definitely-not-use-the-way-it-does + hint: 'Report one of four possible answers via the "Contact Us" form.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#inform-the-shop-about-an-algorithm-or-library-it-should-definitely-not-use-the-way-it-does' key: weirdCryptoChallenge -- name: Easter Egg Tier 1 - category: Roll your own Security - description: Find the hidden easter egg. +- + name: 'Easter Egg Tier 1' + category: 'Roll your own Security' + description: 'Find the hidden easter egg.' difficulty: 4 - hint: If you solved one of the three file access challenges, you already know where to find the easter egg. 
- hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/roll-your-own-security.html#find-the-hidden-easter-egg + hint: 'If you solved one of the three file access challenges, you already know where to find the easter egg.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/roll-your-own-security.html#find-the-hidden-easter-egg' key: easterEggLevelOneChallenge -- name: Easter Egg Tier 2 - category: Security through Obscurity - description: Apply some advanced cryptanalysis to find the real easter egg. +- + name: 'Easter Egg Tier 2' + category: 'Security through Obscurity' + description: 'Apply some advanced cryptanalysis to find the real easter egg.' difficulty: 4 - hint: You might have to peel through several layers of tough-as-nails encryption for this challenge. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-through-obscurity.html#apply-some-advanced-cryptanalysis-to-find-the-real-easter-egg + hint: 'You might have to peel through several layers of tough-as-nails encryption for this challenge.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-through-obscurity.html#apply-some-advanced-cryptanalysis-to-find-the-real-easter-egg' key: easterEggLevelTwoChallenge -- name: Forged Coupon - category: Sensitive Data Exposure - description: Forge a coupon code that gives you a discount of at least 80%. +- + name: 'Forged Coupon' + category: 'Sensitive Data Exposure' + description: 'Forge a coupon code that gives you a discount of at least 80%.' difficulty: 6 - hint: Try either a) a knowledgable brute force attack or b) reverse engineering. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#forge-a-coupon-code-that-gives-you-a-discount-of-at-least-80 + hint: 'Try either a) a knowledgable brute force attack or b) reverse engineering.' 
+ hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#forge-a-coupon-code-that-gives-you-a-discount-of-at-least-80' key: forgedCouponChallenge -- name: Eye Candy - category: Forgotten Content - description: Travel back in time to the golden era of web design. +- + name: 'Eye Candy' + category: 'Forgotten Content' + description: 'Travel back in time to the golden era of web design.' difficulty: 4 - hint: The mentioned golden era lasted from 1994 to 2009. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/forgotten-content.html#travel-back-in-time-to-the-golden-era-of-web-design + hint: 'The mentioned golden era lasted from 1994 to 2009.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/forgotten-content.html#travel-back-in-time-to-the-golden-era-of-web-design' key: geocitiesThemeChallenge -- name: Christmas Special +- + name: 'Christmas Special' category: Injection - description: Order the Christmas special offer of 2014. + description: 'Order the Christmas special offer of 2014.' difficulty: 2 - hint: Find out how the application handles unavailable products. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#order-the-christmas-special-offer-of-2014 + hint: 'Find out how the application handles unavailable products.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#order-the-christmas-special-offer-of-2014' key: christmasSpecialChallenge -- name: Upload Size - category: Improper Input Validation - description: Upload a file larger than 100 kB. +- + name: 'Upload Size' + category: 'Improper Input Validation' + description: 'Upload a file larger than 100 kB.' difficulty: 3 - hint: You can attach a small file to the "File Complaint" form. Investigate how this upload actually works. 
- hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/improper-input-validation.html#upload-a-file-larger-than-100-kb + hint: 'You can attach a small file to the "File Complaint" form. Investigate how this upload actually works.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/improper-input-validation.html#upload-a-file-larger-than-100-kb' key: uploadSizeChallenge -- name: Upload Type - category: Improper Input Validation - description: Upload a file that has no .pdf extension. +- + name: 'Upload Type' + category: 'Improper Input Validation' + description: 'Upload a file that has no .pdf extension.' difficulty: 3 - hint: You can attach a PDF file to the "File Complaint" form. Investigate how this upload actually works. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/improper-input-validation.html#upload-a-file-that-has-no-pdf-extension + hint: 'You can attach a PDF file to the "File Complaint" form. Investigate how this upload actually works.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/improper-input-validation.html#upload-a-file-that-has-no-pdf-extension' key: uploadTypeChallenge -- name: Extra Language - category: Forgotten Content - description: Retrieve the language file that never made it into production. +- + name: 'Extra Language' + category: 'Forgotten Content' + description: 'Retrieve the language file that never made it into production.' difficulty: 5 - hint: Brute force is not the only option for this challenge, but a perfectly viable one. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/forgotten-content.html#retrieve-the-language-file-that-never-made-it-into-production + hint: 'Brute force is not the only option for this challenge, but a perfectly viable one.' 
+ hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/forgotten-content.html#retrieve-the-language-file-that-never-made-it-into-production' key: extraLanguageChallenge -- name: CAPTCHA Bypass - category: Roll your own Security - description: Submit 10 or more customer feedbacks within 10 seconds. +- + name: 'CAPTCHA Bypass' + category: 'Roll your own Security' + description: 'Submit 10 or more customer feedbacks within 10 seconds.' difficulty: 5 - hint: After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/roll-your-own-security.html#submit-10-or-more-customer-feedbacks-within-10-seconds - key: captchaBypassChallenge -- name: Zero Stars - category: Improper Input Validation - description: Give a devastating zero-star feedback to the store. + hint: 'After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/roll-your-own-security.html#submit-10-or-more-customer-feedbacks-within-10-seconds' + key: captchaBypassChallenge +- + name: 'Zero Stars' + category: 'Improper Input Validation' + description: 'Give a devastating zero-star feedback to the store.' difficulty: 1 - hint: Before you invest time bypassing the API, you might want to play around with the UI a bit. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/improper-input-validation.html#give-a-devastating-zero-star-feedback-to-the-store + hint: 'Before you invest time bypassing the API, you might want to play around with the UI a bit.' 
+ hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/improper-input-validation.html#give-a-devastating-zero-star-feedback-to-the-store' key: zeroStarsChallenge -- name: Imaginary Challenge - category: Sensitive Data Exposure +- + name: 'Imaginary Challenge' + category: 'Sensitive Data Exposure' description: 'Solve challenge #99. Unfortunately, this challenge does not exist.' difficulty: 6 hint: 'You need to trick the hacking progress persistence feature into thinking you solved challenge #99.' - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#solve-challenge-99 + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#solve-challenge-99' key: continueCodeChallenge -- name: Login Bjoern - category: Broken Authentication - description: Log in with Bjoern's user account without previously changing his password, applying SQL Injection, or hacking his Google account. +- + name: 'Login Bjoern' + category: 'Broken Authentication' + description: 'Log in with Bjoern''s user account without previously changing his password, applying SQL Injection, or hacking his Google account.' difficulty: 4 - hint: The security flaw behind this challenge is 100% Juice Shop's fault and 0% Google's. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#log-in-with-bjoerns-user-account + hint: 'The security flaw behind this challenge is 100% Juice Shop''s fault and 0% Google''s.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#log-in-with-bjoerns-user-account' key: oauthUserPasswordChallenge -- name: Login CISO - category: Broken Authentication - description: Exploit OAuth 2.0 to log in with the Chief Information Security Officer's user account. 
+- + name: 'Login CISO' + category: 'Broken Authentication' + description: 'Exploit OAuth 2.0 to log in with the Chief Information Security Officer''s user account.' difficulty: 5 - hint: Don't try to beat Google's OAuth 2.0 service. Rather investigate implementation flaws on Juice Shop's end. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#exploit-oauth-20-to-log-in-with-the-cisos-user-account + hint: 'Don''t try to beat Google''s OAuth 2.0 service. Rather investigate implementation flaws on Juice Shop''s end.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#exploit-oauth-20-to-log-in-with-the-cisos-user-account' key: loginCisoChallenge -- name: Login Support Team - category: Security Misconfiguration - description: Log in with the support team's original user credentials without applying SQL Injection or any other bypass. +- + name: 'Login Support Team' + category: 'Security Misconfiguration' + description: 'Log in with the support team''s original user credentials without applying SQL Injection or any other bypass.' difficulty: 6 - hint: The underlying flaw of this challenge is a lot more human error than technical weakness. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-misconfiguration.html#log-in-with-the-support-teams-original-user-credentials + hint: 'The underlying flaw of this challenge is a lot more human error than technical weakness.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-misconfiguration.html#log-in-with-the-support-teams-original-user-credentials' key: loginSupportChallenge -- name: Login MC SafeSearch - category: Sensitive Data Exposure - description: Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass. 
+- + name: 'Login MC SafeSearch' + category: 'Sensitive Data Exposure' + description: 'Log in with MC SafeSearch''s original user credentials without applying SQL Injection or any other bypass.' difficulty: 2 - hint: You should listen to MC's hit song "Protect Ya Passwordz". - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#log-in-with-mc-safesearchs-original-user-credentials + hint: 'You should listen to MC''s hit song "Protect Ya Passwordz".' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#log-in-with-mc-safesearchs-original-user-credentials' key: loginRapperChallenge -- name: Premium Paywall - category: Sensitive Data Exposure - description: Unlock Premium Challenge to access exclusive content. +- + name: 'Premium Paywall' + category: 'Sensitive Data Exposure' + description: ' Unlock Premium Challenge to access exclusive content.' difficulty: 6 - hint: You do not have to pay anything to unlock this challenge! Nonetheless, donations are very much appreciated. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#unlock-premium-challenge-to-access-exclusive-content + hint: 'You do not have to pay anything to unlock this challenge! Nonetheless, donations are very much appreciated.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/sensitive-data-exposure.html#unlock-premium-challenge-to-access-exclusive-content' key: premiumPaywallChallenge -- name: Reset Jim's Password - category: Broken Authentication - description: Reset Jim's password via the Forgot Password mechanism with the original answer to his security question. +- + name: 'Reset Jim''s Password' + category: 'Broken Authentication' + description: 'Reset Jim''s password via the Forgot Password mechanism with the original answer to his security question.' 
difficulty: 3 - hint: It's hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly exposed. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#reset-jims-password-via-the-forgot-password-mechanism + hint: 'It''s hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly exposed.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#reset-jims-password-via-the-forgot-password-mechanism' key: resetPasswordJimChallenge -- name: Reset Bender's Password - category: Broken Authentication - description: Reset Bender's password via the Forgot Password mechanism with the original answer to his security question. +- + name: 'Reset Bender''s Password' + category: 'Broken Authentication' + description: 'Reset Bender''s password via the Forgot Password mechanism with the original answer to his security question.' difficulty: 4 - hint: Not as trivial as Jim's but still not too difficult with some "Futurama" background knowledge. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#reset-benders-password-via-the-forgot-password-mechanism + hint: 'Not as trivial as Jim''s but still not too difficult with some "Futurama" background knowledge.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#reset-benders-password-via-the-forgot-password-mechanism' key: resetPasswordBenderChallenge -- name: Reset Morty's Password - category: Security Misconfiguration - description: Reset Morty's password via the Forgot Password mechanism with his obfuscated answer to his security question. 
+- + name: 'Reset Morty''s Password' + category: 'Security Misconfiguration' + description: 'Reset Morty''s password via the Forgot Password mechanism with his obfuscated answer to his security question.' difficulty: 5 - hint: Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty's security question. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-misconfiguration.html#reset-mortys-password-via-the-forgot-password-mechanism + hint: 'Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty''s security question.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-misconfiguration.html#reset-mortys-password-via-the-forgot-password-mechanism' key: resetPasswordMortyChallenge -- name: Reset Bjoern's Password - category: Broken Authentication - description: Reset Bjoern's password via the Forgot Password mechanism with the original answer to his security question. +- + name: 'Reset Bjoern''s Password' + category: 'Broken Authentication' + description: 'Reset Bjoern''s password via the Forgot Password mechanism with the original answer to his security question.' difficulty: 5 - hint: Nothing a little bit of Facebook stalking couldn't reveal. Might involve a historical twist. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#reset-bjoerns-password-via-the-forgot-password-mechanism + hint: 'Nothing a little bit of Facebook stalking couldn''t reveal. Might involve a historical twist.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/broken-authentication.html#reset-bjoerns-password-via-the-forgot-password-mechanism' key: resetPasswordBjoernChallenge -- name: NoSQL Injection Tier 1 +- + name: 'NoSQL Injection Tier 1' category: Injection - description: Let the server sleep for some time. 
(It has done more than enough hard work for you) + description: 'Let the server sleep for some time. (It has done more than enough hard work for you)' difficulty: 4 - hint: This challenge is essentially a stripped-down Denial of Service (DoS) attack. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#let-the-server-sleep-for-some-time + hint: 'This challenge is essentially a stripped-down Denial of Service (DoS) attack.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#let-the-server-sleep-for-some-time' key: noSqlCommandChallenge -- name: NoSQL Injection Tier 2 +- + name: 'NoSQL Injection Tier 2' category: Injection - description: Update multiple product reviews at the same time. + description: 'Update multiple product reviews at the same time.' difficulty: 4 - hint: Take a close look on how the equivalent of UPDATE-statements in MongoDB work. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#update-multiple-product-reviews-at-the-same-time + hint: 'Take a close look on how the equivalent of UPDATE-statements in MongoDB work.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/injection.html#update-multiple-product-reviews-at-the-same-time' key: noSqlInjectionChallenge -- name: Retrieve Blueprint - category: Forgotten Content - description: Deprive the shop of earnings by downloading the blueprint for one of its products. +- + name: 'Retrieve Blueprint' + category: 'Forgotten Content' + description: 'Deprive the shop of earnings by downloading the blueprint for one of its products.' difficulty: 5 - hint: The product you might want to give a closer look is the OWASP Juice Shop Logo (3D-printed). 
- hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/forgotten-content.html#deprive-the-shop-of-earnings-by-downloading-the-blueprint-for-one-of-its-products + hint: 'The product you might want to give a closer look is the OWASP Juice Shop Logo (3D-printed).' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/forgotten-content.html#deprive-the-shop-of-earnings-by-downloading-the-blueprint-for-one-of-its-products' key: retrieveBlueprintChallenge -- name: Typosquatting Tier 1 - category: Vulnerable Components - description: Inform the shop about a typosquatting trick it has become victim of. (Mention the exact name of the culprit) +- + name: 'Typosquatting Tier 1' + category: 'Vulnerable Components' + description: 'Inform the shop about a typosquatting trick it has become victim of. (Mention the exact name of the culprit)' difficulty: 4 - hint: This challenge has nothing to do with URLs or domains. Investigate the forgotten developer's backup file instead. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/vulnerable-components.html#inform-the-shop-about-a-typosquatting-trick-it-has-become-victim-of + hint: 'This challenge has nothing to do with URLs or domains. Investigate the forgotten developer''s backup file instead.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/vulnerable-components.html#inform-the-shop-about-a-typosquatting-trick-it-has-become-victim-of' key: typosquattingNpmChallenge -- name: Typosquatting Tier 2 - category: Vulnerable Components - description: Inform the shop about a more literal instance of typosquatting it fell for. (Mention the exact name of the culprit) +- + name: 'Typosquatting Tier 2' + category: 'Vulnerable Components' + description: 'Inform the shop about a more literal instance of typosquatting it fell for. 
(Mention the exact name of the culprit)' difficulty: 5 - hint: This challenge has nothing to do with URLs or domains. It literally exploits a potentially common typo. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/vulnerable-components.html#inform-the-shop-about-a-more-literal-instance-of-typosquatting-it-fell-for + hint: 'This challenge has nothing to do with URLs or domains. It literally exploits a potentially common typo.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/vulnerable-components.html#inform-the-shop-about-a-more-literal-instance-of-typosquatting-it-fell-for' key: typosquattingBowerChallenge -- name: JWT Issues Tier 1 - category: Vulnerable Components - description: Forge an essentially unsigned JWT token that impersonates the (non-existing) user jwtn3d@juice-sh.op. +- + name: 'JWT Issues Tier 1' + category: 'Vulnerable Components' + description: 'Forge an essentially unsigned JWT token that impersonates the (non-existing) user jwtn3d@juice-sh.op.' difficulty: 5 - hint: This challenge exploits a weird option that is supported when signing tokens with JWT. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/vulnerable-components.html#forge-an-essentially-unsigned-jwt-token + hint: 'This challenge exploits a weird option that is supported when signing tokens with JWT.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/vulnerable-components.html#forge-an-essentially-unsigned-jwt-token' key: jwtTier1Challenge -- name: JWT Issues Tier 2 - category: Vulnerable Components - description: Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op. +- + name: 'JWT Issues Tier 2' + category: 'Vulnerable Components' + description: 'Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user rsa_lord@juice-sh.op.' 
difficulty: 6 - hint: This challenge is explicitly not about acquiring the RSA private key used for JWT signing. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/vulnerable-components.html#forge-an-almost-properly-rsa-signed-jwt-token + hint: 'This challenge is explicitly not about acquiring the RSA private key used for JWT signing.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/vulnerable-components.html#forge-an-almost-properly-rsa-signed-jwt-token' key: jwtTier2Challenge -- name: Misplaced Signature File - category: Roll your own Security - description: Access a misplaced SIEM signature file. +- + name: 'Misplaced Signature File' + category: 'Roll your own Security' + description: 'Access a misplaced SIEM signature file.' difficulty: 4 - hint: You need to trick a security mechanism into thinking that the file you want has a valid file type. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/roll-your-own-security.html#access-a-misplaced-siem-signature-file + hint: 'You need to trick a security mechanism into thinking that the file you want has a valid file type.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/roll-your-own-security.html#access-a-misplaced-siem-signature-file' key: misplacedSignatureFileChallenge -- name: Deprecated Interface - category: Forgotten Content - description: Use a deprecated B2B interface that was not properly shut down. +- + name: 'Deprecated Interface' + category: 'Forgotten Content' + description: 'Use a deprecated B2B interface that was not properly shut down.' difficulty: 2 - hint: The developers who disabled the interface think they could go invisible by just closing their eyes. 
- hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/forgotten-content.html#use-a-deprecated-b2b-interface-that-was-not-properly-shut-down + hint: 'The developers who disabled the interface think they could go invisible by just closing their eyes.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/forgotten-content.html#use-a-deprecated-b2b-interface-that-was-not-properly-shut-down' key: deprecatedInterfaceChallenge -- name: XXE Tier 1 +- + name: 'XXE Tier 1' category: XXE - description: Retrieve the content of C:\Windows\system.ini or /etc/passwd from the server. + description: 'Retrieve the content of C:\Windows\system.ini or /etc/passwd from the server.' difficulty: 3 - hint: The leverage point for this challenge is the deprecated B2B interface. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xxe.html#retrieve-the-content-of-cwindowssystemini-or-etcpasswd-from-the-server + hint: 'The leverage point for this challenge is the deprecated B2B interface.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xxe.html#retrieve-the-content-of-cwindowssystemini-or-etcpasswd-from-the-server' key: xxeFileDisclosureChallenge -- name: XXE Tier 2 +- + name: 'XXE Tier 2' category: XXE - description: Give the server something to chew on for quite a while. + description: 'Give the server something to chew on for quite a while.' difficulty: 5 - hint: It is not as easy as sending a large amount of data directly to the deprecated B2B interface. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xxe.html#give-the-server-something-to-chew-on-for-quite-a-while + hint: 'It is not as easy as sending a large amount of data directly to the deprecated B2B interface.' 
+ hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/xxe.html#give-the-server-something-to-chew-on-for-quite-a-while' key: xxeDosChallenge -- name: RCE Tier 1 - category: Insecure Deserialization - description: Perform a Remote Code Execution that would keep a less hardened application busy forever. +- + name: 'RCE Tier 1' + category: 'Insecure Deserialization' + description: 'Perform a Remote Code Execution that would keep a less hardened application busy forever.' difficulty: 5 - hint: The feature you need to exploit for this challenge is not directly advertised anywhere. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/insecure-deserialization.html#perform-a-remote-code-execution-that-would-keep-a-less-hardened-application-busy-forever + hint: 'The feature you need to exploit for this challenge is not directly advertised anywhere.' + hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/insecure-deserialization.html#perform-a-remote-code-execution-that-would-keep-a-less-hardened-application-busy-forever' key: rceChallenge -- name: RCE Tier 2 - category: Insecure Deserialization - description: Perform a Remote Code Execution that occupies the server for a while without using infinite loops. +- + name: 'RCE Tier 2' + category: 'Insecure Deserialization' + description: 'Perform a Remote Code Execution that occupies the server for a while without using infinite loops.' difficulty: 6 - hint: Your attack payload must not trigger the protection against too many iterations. - hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/insecure-deserialization.html#perform-a-remote-code-execution-that-occupies-the-server-for-a-while-without-using-infinite-loops + hint: 'Your attack payload must not trigger the protection against too many iterations.' 
+ hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/insecure-deserialization.html#perform-a-remote-code-execution-that-occupies-the-server-for-a-while-without-using-infinite-loops'
 key: rceOccupyChallenge
-- name: Blockchain Tier 1
- category: Security through Obscurity
- description: Learn about the Token Sale before its official announcement.
+-
+ name: 'Blockchain Tier 1'
+ category: 'Security through Obscurity'
+ description: 'Learn about the Token Sale before its official announcement.'
 difficulty: 3
- hint: The developers truly believe in "Security through Obscurity" over actual access restrictions.
- hintUrl: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-through-obscurity.html#learn-about-the-token-sale-before-its-official-announcement
+ hint: 'The developers truly believe in "Security through Obscurity" over actual access restrictions.'
+ hintUrl: 'https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/part2/security-through-obscurity.html#learn-about-the-token-sale-before-its-official-announcement'
 key: tokenSaleChallenge
diff --git a/data/static/users.yml b/data/static/users.yml
index 94f18c0e2b2..2fc7f1e5460 100644
--- a/data/static/users.yml
+++ b/data/static/users.yml
@@ -1,33 +1,40 @@
----
-- email: admin
+-
+ email: admin
 password: admin123
 customDomain: false
 key: admin
-- email: jim
+-
+ email: jim
 password: ncc-1701
 customDomain: false
 key: jim
-- email: bender
+-
+ email: bender
 password: OhG0dPlease1nsertLiquor!
 customDomain: false
 key: bender
-- email: bjoern.kimminich@googlemail.com
+-
+ email: bjoern.kimminich@googlemail.com
 password: YmpvZXJuLmtpbW1pbmljaEBnb29nbGVtYWlsLmNvbQ==
 customDomain: true
 key: bjoern
-- email: ciso
- password: mDLx?94T~1CfVfZMzw@sJ9f?s3L6lbMqE70FfI8^54jbNikY5fymx7c!YbJb
+-
+ email: ciso
+ password: 'mDLx?94T~1CfVfZMzw@sJ9f?s3L6lbMqE70FfI8^54jbNikY5fymx7c!YbJb'
 customDomain: false
 key: ciso
-- email: support
- password: J6aVjTgOpRs$?5l+Zkq2AYnCE@RF§P
+-
+ email: support
+ password: 'J6aVjTgOpRs$?5l+Zkq2AYnCE@RF§P'
 customDomain: false
 key: support
-- email: morty
+-
+ email: morty
 password: focusOnScienceMorty!focusOnScience
 customDomain: false
 key: morty
-- email: mc.safesearch
- password: Mr. N00dles
+-
+ email: mc.safesearch
+ password: 'Mr. N00dles'
 customDomain: false
 key: rapper
diff --git a/swagger.yml b/swagger.yml
index d228edd1dd4..e8fd0753478 100644
--- a/swagger.yml
+++ b/swagger.yml
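Review bot: On the new side only three of the eight `password` values (`ciso`, `support`, `mc.safesearch`) are quoted, so the remaining credentials still go through YAML implicit typing; these particular values parse as strings, but a seed password that happened to look like a number, boolean or date (constructed examples: `0777`, `yes`, `2018-03-14`) would be silently retyped and the login fixture would break. Since every value in this file is a string by contract, quote all of them uniformly, e.g. `password: 'admin123'`, rather than relying on the formatter's choice of which characters trigger quoting. Separately, the `-` on a line of its own followed by an indented mapping is less readable than the conventional `- email: admin` form the old side used and is not the layout yamllint or Prettier produce; the same layout is applied in the two swagger.yml hunks below.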
@@ -1,36 +1,25 @@
----
 openapi: 3.0.0
 servers:
- - url: /b2b/v2
+ -
+ url: /b2b/v2
 info:
 version: 2.0.0
- title: NextGen B2B API
+ title: 'NextGen B2B API'
 description: 'New & secure JSON-based API for our enterprise customers. (Deprecates previously offered XML-based endpoints)'
 license:
 name: MIT
 url: 'https://opensource.org/licenses/MIT'
 tags:
- - name: Order
- description: API for customer orders
+ -
+ name: Order
+ description: 'API for customer orders'
 paths:
 /orders:
 post:
- tags:
- - Order
- description: Create new customer order
- responses:
- '200':
- description: New customer order is created
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/OrderConfirmation'
- requestBody:
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/Order'
- description: Customer order to be placed
+ tags: [Order]
+ description: 'Create new customer order'
+ responses: { '200': { description: 'New customer order is created', content: { application/json: { schema: { $ref: '#/components/schemas/OrderConfirmation' } } } } }
+ requestBody: { content: { application/json: { schema: { $ref: '#/components/schemas/Order' } } }, description: 'Customer order to be placed' }
 components:
 securitySchemes:
 bearerAuth:
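Review bot: The `responses` and `requestBody` mappings under `post` have been collapsed into single-line flow mappings well over 120 characters long, which hides the nesting that the old block form made visible and turns any future edit of one nested key into a whole-line diff. Flow style is fine for a short leaf list such as `tags: [Order]`, but nested OpenAPI objects should stay in block style as on the old side; the same applies to the `properties` mappings in the `schemas` hunk that follows.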
@@ -39,59 +28,22 @@ components:
 bearerFormat: JWT
 schemas:
 Order:
- required:
- - cid
- properties:
- cid:
- type: string
- uniqueItems: true
- example: 'JS0815DE'
- orderLines:
- $ref: '#/components/schemas/OrderLines'
- orderLinesData:
- $ref: '#/components/schemas/OrderLinesData'
+ required: [cid]
+ properties: { cid: { type: string, uniqueItems: true, example: JS0815DE }, orderLines: { $ref: '#/components/schemas/OrderLines' }, orderLinesData: { $ref: '#/components/schemas/OrderLinesData' } }
 OrderConfirmation:
- required:
- - cid
- - orderNo
- - paymentDue
- properties:
- cid:
- type: string
- uniqueItems: true
- example: 'JS0815DE'
- orderNo:
- type: string
- uniqueItems: true
- example: '3d06ac5e1bdf39d26392f8100f124742'
- paymentDue:
- description: All payments are due 14 days after order placement
- type: string
- format: date
- example: '2018-01-19T07:02:06.800Z'
+ required: [cid, orderNo, paymentDue]
+ properties: { cid: { type: string, uniqueItems: true, example: JS0815DE }, orderNo: { type: string, uniqueItems: true, example: 3d06ac5e1bdf39d26392f8100f124742 }, paymentDue: { description: 'All payments are due 14 days after order placement', type: string, format: date, example: '2018-01-19T07:02:06.800Z' } }
 OrderLine:
- description: Order line in default JSON format
- required:
- - productId
- - quantity
- properties:
- productId:
- type: integer
- example: 8
- quantity:
- type: integer
- minimum: 1
- example: 500
- customerReference:
- type: string
- example: 'PO0000001'
+ description: 'Order line in default JSON format'
+ required: [productId, quantity]
+ properties: { productId: { type: integer, example: 8 }, quantity: { type: integer, minimum: 1, example: 500 }, customerReference: { type: string, example: PO0000001 } }
 OrderLines:
 type: array
- items:
- $ref: '#/components/schemas/OrderLine'
+ items: { $ref: '#/components/schemas/OrderLine' }
 OrderLinesData:
- description: Order line(s) in customer specific JSON format
+ description: 'Order line(s)
in customer specific JSON format'
 type: string
 example: '[{"productId": 12,"quantity": 10000,"customerReference": ["PO0000001.2", "SM20180105|042"],"couponCode": "pes[Bh.u*t"},{"productId": 13,"quantity": 2000,"customerReference": "PO0000003.4"}]'
 security:
- - bearerAuth: []
\ No newline at end of file
+ -
+ bearerAuth: []
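Review bot: The quotes were dropped from the string-typed `example` values `JS0815DE`, `3d06ac5e1bdf39d26392f8100f124742` and `PO0000001` while `paymentDue` kept its quoted `'2018-01-19T07:02:06.800Z'`. Those three happen to survive plain-scalar typing, but an example for `orderNo` or `customerReference` that consisted only of digits, or matched a float or timestamp form, would be retyped by the YAML loader and then contradict the declared `type: string` in the rendered spec. Keep examples of string-typed properties quoted, e.g. `example: 'JS0815DE'`, as the old side did.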