The admin page should indicate by a boolean column if a user is currently logged in. The details modal in this case also shows the current auth token.

The juice-shop contains two dozen intended vulnerabilities. If there are more possible exploits, they sneaked in by accident. If you happen to find one of these, please report it in the comments of this issue or as a separate enhancement issue! Reasonable non-cheating challenges will receive tracking and be put on the Score Board.

Check for file suffixes (.md and .csv maybe) but fall to %00 attack

From the "Best Deals" and "Search Results" it must be possible to put products into the current basket. If the product is already in the basket its quantity is increased by one.

For simlicity reasons users must be authenticated in order to shop products.

Sanitize away dangerous elements, e.g. script, img and iframe tags. Fail to do so recursively, thus allowing attacks such as <s<script>cript> etc.

• Feedbacks
• Baskets
• BasketItems

Using "Contact Us" does not associate the Feedback with the logged-in user, as this is handled via generated restful API where UserId is not passed in.

Solution: Passing in UserId in hidden field for minimum security and even having another challenge.

Those minified scripts really drag down the score... ;-)

• putting items into basket does not work properly (IE9)

[ ] Add a SOAP webservice that checks out the current basket using basic authentication with WS-Security. Simply calling the webservice has to be added as a challenge
[ ] Maybe add a correlated challenge for exploiting a "new customer"-flag that gives 10% discount when passed as true

Probably not all function parameters are properly named?

Find and add corresponding attribute to tag

[x] Add a coupon field to the Basket screen
[x] Add a list of outdated coupon codes to the public/ftp directory
[x] Make sure that a valid coupon code can be crafted from knowing the old ones
[x] Add corresponding challenge

User Story

I as the juice-store owner
want a logo for the store
so that the brand more memorable

Design idea

• Bottle or pack of juice which leaks juice to the floor (to better show how broken this shop is)

Required versions

• 32x32 favicon.ico
• 128x128 and/or 64x64 for logo inside webapp

The $5 bounty on this issue has been claimed at Bountysource.

• If specified validate existing password of user before changing
• If not specified simply change password

When unzipping the packaged application and starting it from there with nm startor node app it looks fine. The first request from the Angular client will not show the "Best Deals" page and freeze the browser. On the server there is an endless loop happening of the checkDbRelatedChallenged method.

Should be susceptible to CSRF by accepting GET requests and not properly verifying the old password on the server side.

User Story

I as a juice-shop customer
want to have an image associated with each product
so that I can visualize what I buy.

Required images

• Orange juice (bottle or pack)
• Apple juice (bottle or pack)
• T-Shirt with application logo on it (see #3)

Note: To avoid work some generic bottles filled with fluids of different color would be fine. Same goes for generic packs with different fruit symbols on it.

Introduce separate SQLite file for challenges to prevent an attacker from influencing the score via SQL Injection or other attacks on the RESTful server.

The current generated page looks somewhat ok but could be improved a lot.

• probably choose a bootstrap-theme?
• add carousel with screenshots
• inline video with e2e test run
• social media links (but no tracking buttons!)

Manually running istanbul cover ./test/serverTests.js works fine:

Finished in 3.068 seconds

7 tests, 45 assertions, 0 failures, 0 skipped



Jasmine-Node exited with code 0.
=============================================================================
Writing coverage object [D:\Development\GitHub\juice-shop\coverage\server-tests\coverage.json]
Writing coverage reports at [D:\Development\GitHub\juice-shop\coverage\server-tests]
=============================================================================

=============================== Coverage summary ===============================
Statements   : 94% ( 47/50 )
Branches     : 33.33% ( 2/6 )
Functions    : 87.5% ( 7/8 )
Lines        : 94% ( 47/50 )
================================================================================

Running the npm testcommand that actually triggers "test": "karma start karma.conf.js && istanbul cover ./test/serverTests.js" also runs through but the latter command is not correctly executed. Within the stacktrace there is a Exception loading: D:\Development\GitHub\juice-shop\test\server\apiSpec.jsand no log of the test result. The coverage calculation still is the same:

=============================== Coverage summary ===============================
Statements   : 94% ( 47/50 )
Branches     : 33.33% ( 2/6 )
Functions    : 87.5% ( 7/8 )
Lines        : 94% ( 47/50 )
================================================================================

Running on Travis-CI there is one additional information in the stacktrace that is not found on Windows:

[TypeError: Cannot read property 'prototype' of undefined]

Authorization header is not sent along when called from an tag leading to a 500 error in server.js when trying to look up the user by token.

Users can have a role "admin" held by adding a boolean column to each user. Admins are the only ones allowed to

• delete Feedback
• view Users
  via the API. The admin page itself should remain unprotected as a A7-OWASP10 vulnerability example.

The user details modal does not show up. Required fix: Extract controller and call similar to ProductDetailsController

Integrations
[x] GitHub
[x] HuBoard
[x] Travis

Implement Scoreboard for overview which challenges have been done so far.

Server side vulnerabilities should be easy to track, Angular pure client side will be harder to track and prevent tampering with.

Use separate DB/schema to prevent cheating with SQLI?

Challenge tests for XSS3 and XSS4 (which inject the alert script via REST API and then go to the attacked screen to verify success) are very brittle. They work fine locally but fail very often on SauceLabs.

Using Grunt task "grunt-retire": "~0.3"

In some of the hidden files put a badly encrypted link to a random server URL. decrypting and using this link will not have any functional effect but solve the associated crypto challenge. Maybe combine with some silly easteregg in Three.js or whatnot?

Mandatory checks, field validations (e.g. email pattern, password length and complexity etc.)

Someone using the application deployed locally or on Nodejitsu should see a banner or link to the original source code repository

Now: Travis and Nodejitsu triggered by Github service hook
Goal: Github triggers Travis, Travis triggers Nodejitsu on passing build only

See http://docs.travis-ci.com/user/deployment/nodejitsu

When a user is logged in, his email address should be rendered in the Navbar.

[ ] Return email during login and put into session storage
[ ] Add "Logged in as ..." message to Navbar
[ ] Bind email without bind-html to keep XSS2 vulnerability limited to Admin section

The juice-shop app resets the database completely when it's started to make sure it always works as designed. This implicates that any application crash followed by a restart will reset all challenges into unsolved state as well. Of course this is an undesireable thing to happen, so the app must run as stable and resilient to crashes as possible.

If you forcefully manage to or accidentally crash the application please report it immediately as a comment to this issue or in a separate bug issue! Thank you!

Right now the Best Deals and Search Results screens are essentially identical. The Best Deals screen as an opening screen should look more appealing.

A Bootstrap carousel sliding through all products would probably work well.

Thia requires some high-res images to display, as 128px would look awful.

errorHandler() middleware of Connect is explicitly not meant for production, which is why is must be used on juice-shop.

After submitting feedback the Contact Us form is cleared but then immediately triggers validation. This leads to the impression that the feedback submission failed, which it actually didn't.

• Stop initial validation from taking place
• Add info message like "Thank you for your feedback." to confirm submission

• Colorized to indicate level of success (from red to green)
• Can be used to determine success of e2e tests on saucelabs (=only when 100%)

User email is susceptible to persisted XSS but never executed anywhere. Reason: Missing $sce.trustAsHtml(...) conversion for user.email field in admin area.

Alternative: Find XSS masking that even tricks Angular JS' internal sanitization?

Will a) create a more realistic app to deal with and b) prevent easy identification of challenge solutions by just looking for the trigger events to tell the server they were solved

Unsafe redirect URL where user can supply any target URL. Add validation that checks for "github.com/bk..." in the URL but does not verify position, so http://evil.org?foo=github.com/bk... would be accepted

Add link or widget with Twitter feed of @bkimminich for hashtag #juiceshop and #coupon so attackers can get some 10-20% codes to use for pattern analysis when trying to craft coupons with >80% discounts

Sidenote: Validity of tweeted coupons should always correlate with date of the tweet or be mentioned in it, e.g. "Get 10% off all products for whole November #juiceshop #coupon!"

On user registration the data is now passed into the REST API directly with no password hashing happening. The effect is, that no registered user can log in, as his typed password during login is hashed and compared to the un-hashed password in the DB.

A user with a non-empty basket can place an order from the "Your Basket" screen by clicking a button. This creates a text (or PDF) file of the order an puts it into /public/ftp and directly displays it to the user.

Challenge: The server will check the total amount of each order while creating the confirmation and calls solve(negativeOrderChallenge) when the amount is negative.

Implement closable alert box on bottom half of the start screen that displays a random ***** and **** rated comment. If the Feedback is associated with a user, display part of the email as well.

• Open up GET /api/Feedbacks for public access
• Implement alert with ng-bind-html for comment field
• create weak anonymisation of email