OWASP Juice Shop Files

This release brings significant changes to existing challenges (⚡) which might break canned CTF setups as well as solution guides made for previous versions of OWASP Juice Shop! It also contains technical breaking changes or renamings (⚠️) which might require migrating to a newer Node.js version or updating existing customization files.

👟 Runtime

• Removed support for Node.js 20.x (⚠️)

🎯 Challenges

• Added several ✨AI✨ challenges (Require a configured LLM/AI endpoint to work)
  • "Chatbot Prompt Injection" ⭐⭐-challenge
  • "Greedy Chatbot Manipulation" ⭐⭐⭐-challenge
  • "AI Debugging" ⭐⭐-challenge
• Remove existing NLP-based chatbot implementation and corresponding challenges "Bully Chatbot" and "Kill Chatbot" (⚡)
• Renamed and broadened scope of Internet Traffic tag into External Dependency tag
• Challenges "Mint the Honeypot" and "Wallet Depletion" now require an ALCHEMY_API_KEY in order to function (⚠️)

🖼️ User Interface

• [#3145]: Changed product overview into more compact and modern grid layout (kudos to @bogminic)
• Redesigned Coding Challenge View to it's own separate page with a more intuitive flow and more modern code highlighters.
• [#3197]: Guest basket support for anonymous users with merge-on-login (kudos to @bogminic)
• [#3154]: Proper mobile scroll behavior (kudos to @btechwala03)
• [#3317]: Various UI and layout fixes (kudos to @bogminic)
• Apply blur effect and enhanced grid view also for photo wall
• [#3310]: Added new neon-fire theme (kudos to @VibhorGautam)
• Added new lime-green theme
• Set neon-fire as default theme for ctf configuration

🅰️ Frontend

• [#3146]: Updated frontend to Angular 21.x
• Migrate Angular Material themes from legacy M2 to M3
• Apply custom theme now also to Data Erasure Request view

🐳 Docker

• Optimized container image size to the smallest it has been since Juice Shop v8, over 7 years and many sizable additions ago

🐌 Performance

• Optimized startup time to start ~30% faster, by lazy-loading heavy dependencies and batching startup database inserts
• Split out pages with heavier dependencies for faster initial load
• Converted Easter egg planet textures and images to .avif format for better performance

📺 Monitoring

• 2d8ba61: Added prometheus metrics to track LLM token usage and tool calls. Note: needs to be supported by the LLM endpoint.

🤥 Cheat Detection

• 6f0e4f9: Added support for loosely coupled challenges to not trigger cheat scoring independent of timing
• e260c74: Now treating direct access to tracking pixels as guaranteed cheating

🔧 Configuration

• Added strict enum validation for several configuration options (e.g., codingChallengesEnabled, hintPlaybackSpeed, showCountryDetailsInNotifications)

🛒 Shop

• Added 10 new products (kudos to @bogminic for some of the new drink options)
• Added 1 new customer user basil

🧑‍🔧 Maintenance

• Migrated API test suite from Jest & Frisby to Node.js test runner & Supertest
• Migrated frontend test suite from Karma to Vitest
• [#3187]: Added unit tests for conversation storage service (kudos to @btechwala03)
• [#3294]: Improved stability for last login IP test (kudos to @sushantkhemalapure)
• [#3150]: Introduced force-clicks to improve Cypress test reliability (kudos to @btechwala03)
• Added PR compliance & spam check workflow
• Removed CommonJS exemption for jwt-decode

🌐 Internationalization

• Expanded 🇫🇷, 🇩🇪, 🇳🇴, 🇩🇰, 🇯🇵, 🇨🇳, 🇵🇱 and many other translations