feat: add csaf

.well-known/csaf/2017/juice-shop-sa-20200513-express-jwt.json

@@ -0,0 +1,118 @@
+{
+  "document": {
+    "category": "csaf_security_advisory",
+    "csaf_version": "2.0",
+    "tracking": {
+      "generator": {
+        "date": "2024-03-03T19:30:53.428Z",
+        "engine": {
+          "version": "2.5.0",
+          "name": "Secvisogram"
+        }
+      },
+      "current_release_date": "2024-03-03T11:00:00.000Z",
+      "id": "juice-shop-sa-20200513-express-jwt",
+      "initial_release_date": "2024-03-03T11:00:00.000Z",
+      "status": "final",
+      "version": "1.0.0",
+      "revision_history": [
+        {
+          "date": "2024-03-03T11:00:00.000Z",
+          "number": "1.0.0",
+          "summary": "Initial public release."
+        }
+      ]
+    },
+    "acknowledgments": [
+      {
+        "organization": "OWASP Juice Shop",
+        "summary": "Probably the most modern and sophisticated insecure web application"
+      }
+    ],
+    "lang": "EN",
+    "title": "juice-shop-sa-20200513-express-jwt",
+    "aggregate_severity": {
+      "text": "Critical"
+    },
+    "notes": [
+      {
+        "category": "legal_disclaimer",
+        "text": "The Juice Shop contains vulnerabilities. Only use it in an isolated. ONLY run the Juice Shop in a training environment.",
+        "title": "Isolated Env."
+      }
+    ],
+    "publisher": {
+      "category": "vendor",
+      "contact_details": "[email protected]",
+      "issuing_authority": "OWASP Juice Shop",
+      "name": "OWASP Juice Shop Core Team",
+      "namespace": "https://github.com/juice-shop/juice-shop"
+    }
+  },
+  "product_tree": {
+    "branches": [
+      {
+        "product": {
+          "name": "OWASP Juice Shop",
+          "product_id": "juice-shop/juice-shop"
+        },
+        "category": "product_version_range",
+        "name": ">=v6.0.0"
+      }
+    ]
+  },
+  "vulnerabilities": [
+    {
+      "cve": "CVE-2020-15084",
+      "title": "CVE-2020-15084",
+      "product_status": {
+        "known_affected": [
+          "juice-shop/juice-shop"
+        ]
+      },
+      "notes": [
+        {
+          "category": "details",
+          "text": "The Juice Shop is currently vulnerable to JWT null algorithm attacks . We will soon release a patch",
+          "title": "Vulnerable to Null JWT Algorithm"
+        }
+      ],
+      "remediations": [
+        {
+          "date": "2020-07-01T10:00:00.000Z",
+          "details": "Check for the expected JWT algorithm type in a WAF/Proxy/Loadbalancer in front of the Juice Shop.",
+          "url": "https://github.com/advisories/GHSA-6g6m-m6h5-w9gf",
+          "category": "workaround",
+          "product_ids": [
+            "juice-shop/juice-shop"
+          ]
+        }
+      ],
+      "scores": [
+        {
+          "cvss_v3": {
+            "version": "3.1",
+            "attackVector": "NETWORK",
+            "attackComplexity": "LOW",
+            "privilegesRequired": "NONE",
+            "userInteraction": "NONE",
+            "scope": "UNCHANGED",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "availabilityImpact": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+            "baseScore": 9.1,
+            "baseSeverity": "CRITICAL",
+            "temporalScore": 9.1,
+            "temporalSeverity": "CRITICAL",
+            "environmentalScore": 9.1,
+            "environmentalSeverity": "CRITICAL"
+          },
+          "products": [
+            "juice-shop/juice-shop"
+          ]
+        }
+      ]
+    }
+  ]
+}

.well-known/csaf/2017/juice-shop-sa-20200513-express-jwt.json.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQQjcrKxKup64wAbs/vQj7FuICnYcAUCZeVoRgAKCRDQj7FuICnY
+cHU9AQDqvThXtxODYVXiojdGJRI2BOXgXDCrHhmbxWfmiNPu7wEAwW9kXg/RpTCA
+WuE9zSYZf5+2Hj0WjbiWhArkZ2no4QI=
+=XZ8z
+-----END PGP SIGNATURE-----

.well-known/csaf/2017/juice-shop-sa-20200513-express-jwt.json.sha512

@@ -0,0 +1 @@
+7d679a6a84a1ec0f12f91e2f487b9e89a7282ef775cbbec8baea2fa50eb101b7ee402dadd1bb9df0d8aaeb3ecb93e2892735f44b0c6cfb32c2f70478ae45afb7  juice-shop-sa-20200513-express-jwt.json

.well-known/csaf/2024/juice-shop-sa-general.json

@@ -0,0 +1,125 @@
+{
+  "document": {
+    "category": "csaf_security_advisory",
+    "csaf_version": "2.1",
+    "tracking": {
+      "generator": {
+        "date": "2024-03-03T20:09:44.374Z",
+        "engine": {
+          "version": "2.5.0",
+          "name": "Secvisogram"
+        }
+      },
+      "current_release_date": "2024-03-03T11:00:00.000Z",
+      "id": "juice-shop-sa-disclaimer",
+      "initial_release_date": "2024-03-03T11:00:00.000Z",
+      "status": "final",
+      "version": "1.0.0",
+      "revision_history": [
+        {
+          "date": "2024-03-03T11:00:00.000Z",
+          "number": "1.0.0",
+          "summary": "Initial public release."
+        }
+      ]
+    },
+    "acknowledgments": [
+      {
+        "organization": "OWASP",
+        "summary": "Probably the most modern and sophisticated insecure web application"
+      }
+    ],
+    "lang": "EN",
+    "title": "juice-shop-sa-disclaimer",
+    "aggregate_severity": {
+      "text": "Critical"
+    },
+    "distribution": {
+      "tlp": {
+        "label": "WHITE"
+      }
+    },
+    "notes": [
+      {
+        "category": "legal_disclaimer",
+        "text": "The Juice Shop contains vulnerabilities. ONLY run the Juice Shop in an isolated training environment.",
+        "title": "Isolated Env."
+      }
+    ],
+    "publisher": {
+      "category": "vendor",
+      "contact_details": "[email protected]",
+      "issuing_authority": "OWASP Juice Shop",
+      "name": "OWASP Juice Shop Core Team",
+      "namespace": "https://github.com/juice-shop/juice-shop"
+    }
+  },
+  "product_tree": {
+    "branches": [
+      {
+        "product": {
+          "name": "OWASP Juice Shop",
+          "product_id": "juice-shop/juice-shop",
+          "product_identification_helper": {
+            "purl": "pkg:docker/bkimminich/juice-shop",
+            "cpe": "cpe:/a:owasp:juice-shop:*"
+          }
+        },
+        "category": "product_version_range",
+        "name": "vers:all/*"
+      },
+    ]
+  },
+  "vulnerabilities": [
+    {
+      "title": "Intentional Vulnerabilities",
+      "product_status": {
+        "known_affected": [
+          "juice-shop/juice-shop"
+        ]
+      },
+      "notes": [
+        {
+          "category": "details",
+          "text": "The Juice Shop has intentional vulnerabilities which might be abused to attack your system",
+          "title": "Intentional Vulnerable Juice Shop"
+        }
+      ],
+      "remediations": [
+        {
+          "date": "2024-03-03T11:00:00.000Z",
+          "details": "ONLY run the Juice Shop in an isolated training environment.",
+          "category": "no_fix_planned",
+          "product_ids": [
+            "juice-shop/juice-shop"
+          ]
+        }
+      ],
+      "scores": [
+        {
+          "cvss_v3": {
+            "version": "3.1",
+            "attackVector": "NETWORK",
+            "attackComplexity": "LOW",
+            "privilegesRequired": "NONE",
+            "userInteraction": "NONE",
+            "scope": "UNCHANGED",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "availabilityImpact": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+            "baseScore": 9.1,
+            "baseSeverity": "CRITICAL",
+            "temporalScore": 9.1,
+            "temporalSeverity": "CRITICAL",
+            "environmentalScore": 9.1,
+            "environmentalSeverity": "CRITICAL"
+          },
+          "products": [
+            "juice-shop/juice-shop"
+          ]
+        }
+      ]
+    }
+  ]
+}

.well-known/csaf/2024/juice-shop-sa-general.json.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQQjcrKxKup64wAbs/vQj7FuICnYcAUCZeVoZwAKCRDQj7FuICnY
+cPYsAQDmvb8dC+moPnlwemYpf4E1jGzYEaSO2QBGkDy1dYbaegEAvdc+nc4NgL3n
+UFr/Ec5flYR9OWkdd39S7iKnELJb0AQ=
+=4YmQ
+-----END PGP SIGNATURE-----

.well-known/csaf/2024/juice-shop-sa-general.json.sha512

@@ -0,0 +1 @@
+46ff62154787ae21d136ccdd37eacaa25a686666b5d5224dac41fd4b1e286c791ef68cd80e875f445da31ae54512978d27733683073a0567dee21ed401b2e95e  juice-shop-sa-general.json

.well-known/csaf/changes.csv

@@ -0,0 +1,2 @@
+2017/juice-shop-sa-20200513-express-jwt.json,2024-03-03T11:00:00.000Z
+2024/juice-shop-sa-general.json,2024-03-03T11:00:00.000Z

.well-known/csaf/index.txt

@@ -0,0 +1,2 @@
+2017/juice-shop-sa-20200513-express-jwt.json
+2024/juice-shop-sa-general.json

.well-known/csaf/provider-metadata.json

@@ -0,0 +1,29 @@
+{
+  "canonical_url": "http://localhost:3000/.well-known/csaf/provider-metadata.json",
+  "distributions": [
+    {
+      "directory_url": "http://localhost:3000/.well-known/csaf/"
+    }
+  ],
+  "last_updated": "2024-03-05T20:20:56.169Z",
+  "list_on_CSAF_aggregators": false,
+  "metadata_version": "2.0",
+  "mirror_on_CSAF_aggregators": false,
+  "public_openpgp_keys": [
+    {
+      "fingerprint": "19c01cb7157e4645e9e2c863062a85a8cbfbdcda",
+      "url": "https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda"
+    },
+    {
+      "fingerprint": "2372B2B12AEA7AE3001BB3FBD08FB16E2029D870",
+      "url": "https://keybase.io/wurstbrot/pgp_keys.asc"
+    }
+  ],
+  "publisher": {
+    "category": "vendor",
+    "name": "OWASP juice-shop-sa-20200513-express-jwt.jsonJuice Shop",
+    "namespace": "/juice-shop/juice-shop",
+    "contact_details": "[email protected]"
+  },
+  "role": "csaf_trusted_provider"
+}

Gruntfile.js

@@ -33,6 +33,7 @@ module.exports = function (grunt) {
         files: [
           {
             src: [
+              '.well-known/**',
               'LICENSE',
               '*.md',
               'package.json',

config.schema.yml

@@ -3,6 +3,8 @@ server:
     type: number
   basePath:
     type: string
+  baseUrl:
+    type: string
 application:
   domain:
     type: string
@@ -84,6 +86,8 @@ application:
       type: string
     hiring:
       type: string
+    csaf:
+      type: string
   promotion:
     video:
       type: string
@@ -121,6 +125,8 @@ challenges:
     type: boolean
   showFeedbackButtons:
     type: boolean
+  csafHashValue:
+    type: string
 hackingInstructor:
   isEnabled:
     type: boolean
@@ -710,4 +716,4 @@ ctf:
       name:
         type: string
       code:
-        type: string
+        type: string

config/default.yml

@@ -1,8 +1,9 @@
 server:
   port: 3000
   basePath: ''
+  baseUrl: '' # used for CSAF, e.g. https://example.com
 application:
-  domain: juice-sh.op
+  domain: juice-sh.op # for pre-loaded email users
   name: 'OWASP Juice Shop'
   logo: JuiceShop_Logo.png
   favicon: favicon_js.ico
@@ -45,6 +46,7 @@ application:
     encryption: 'https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda'
     acknowledgements: '/#/score-board'
     hiring: '/#/jobs'
+    csaf: '/.well-known/csaf/provider-metadata.json' # scheme,host,port taken from baseUrl
   promotion:
     video: owasp_promo.mp4
     subtitles: owasp_promo.vtt
@@ -77,6 +79,7 @@ challenges:
   xssBonusPayload: '<iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe>'
   safetyOverride: false
   showFeedbackButtons: true
+  csafHashValue: 7d679a6a84a1ec0f12f91e2f487b9e89a7282ef775cbbec8baea2fa50eb101b7ee402dadd1bb9df0d8aaeb3ecb93e2892735f44b0c6cfb32c2f70478ae45afb7
 hackingInstructor:
   isEnabled: true
   avatarImage: JuicyBot.png

config/fbctf.yml

@@ -333,3 +333,6 @@ ctf:
     web3SandboxChallenge:
       name: France
       code: FR
+    csafChallenge:
+      name: Slovenia
+      code: SI

data/static/challenges.yml

@@ -1217,3 +1217,12 @@
   hintUrl: 'https://pwning.owasp-juice.shop/companion-guide/latest/part2/score-board.html#_close_multiple_challenge_solved_notifications_in_one_go'
   mitigationUrl: ~
   key: closeNotificationsChallenge
+-
+  name: 'Security Advisory'
+  category: 'Miscellaneous'
+  description: ' The Juice Shop is susceptible to a known vulnerability in a library, for which an advisory has already been issued, marking the Juice Shop as <i>known affected</i>. A fix is still pending. <a href="/#/contact">Inform the shop</a> about a suitable checksum as proof that you did your due diligence.'
+  difficulty: 3
+  hint: 'Security Advisories are often listed in the security.txt'
+  hintUrl: ''
+  mitigationUrl: ~
+  key: csafChallenge