Extend CSRF challenge hint with browser recommendation
bkimminich committed Aug 29, 2022
1 parent 7d46528 commit 5bf818c
Showing 45 changed files with 47 additions and 47 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
Expand Up @@ -22,7 +22,7 @@ LABEL maintainer="Bjoern Kimminich <[email protected]>" \
org.opencontainers.image.vendor="Open Web Application Security Project" \
org.opencontainers.image.documentation="https://help.owasp-juice.shop" \
org.opencontainers.image.licenses="MIT" \
org.opencontainers.image.version="14.2.0" \
org.opencontainers.image.version="14.3.0-SNAPSHOT" \
org.opencontainers.image.url="https://owasp-juice.shop" \
org.opencontainers.image.source="https://github.com/juice-shop/juice-shop" \
org.opencontainers.image.revision=$VCS_REF \
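Review bot: the only change in this hunk is the image version label moving from 14.2.0 to 14.3.0-SNAPSHOT, which has nothing to do with the commit subject "Extend CSRF challenge hint"; a post-release version bump is easier to track, revert or cherry-pick as its own commit. Dockerfile.arm carries the identical bump, so at least the two images stay consistent.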
2 changes: 1 addition & 1 deletion Dockerfile.arm
Expand Up @@ -16,7 +16,7 @@ LABEL maintainer="Bjoern Kimminich <[email protected]>" \
org.opencontainers.image.vendor="Open Web Application Security Project" \
org.opencontainers.image.documentation="https://help.owasp-juice.shop" \
org.opencontainers.image.licenses="MIT" \
org.opencontainers.image.version="14.2.0" \
org.opencontainers.image.version="14.3.0-SNAPSHOT" \
org.opencontainers.image.url="https://owasp-juice.shop" \
org.opencontainers.image.source="https://github.com/juice-shop/juice-shop" \
org.opencontainers.image.revision=$VCS_REF \
6 changes: 3 additions & 3 deletions data/static/challenges.yml
Expand Up @@ -1046,11 +1046,11 @@
mitigationUrl: ~
key: freeDeluxeChallenge
-
name: 'CSRF' # FIXME No e2e test automation! No longer works in Chrome >=80 or other latest browsers!
name: 'CSRF' # FIXME No e2e test automation! No longer works in Chrome >=80 and Firefox >=100 or other latest browsers!
category: 'Broken Access Control'
description: 'Change the name of a user by performing Cross-Site Request Forgery from <a href="http:https://htmledit.squarefree.com">another origin</a>.'
difficulty: 3
hint: 'Find a form which updates the username and then construct a malicious page in the online HTML editor.'
hint: 'Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this. You probably need an older browser version for this.'
hintUrl: 'https://pwning.owasp-juice.shop/part2/broken-access-control.html#change-the-name-of-a-user-by-performing-cross-site-request-forgery-from-another-origin'
mitigationUrl: 'https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html'
key: csrfChallenge
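Review bot: the new hint value repeats "You probably need an older browser version for this." twice, so the rendered hint ends with a duplicated sentence. More importantly, the hint text is the lookup key for the i18n files, and every JSON file touched in this commit carries the sentence once; the doubled string here will not match any i18n entry, so translated locales fall back to this untranslated, duplicated text. Drop the second copy so the YAML hint and the JSON keys are byte-for-byte identical. The FIXME on the name line now also names Firefox >=100, which is consistent with the hint extension.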
Expand Down Expand Up @@ -1148,4 +1148,4 @@
disabledEnv:
- Docker
- Heroku
- Gitpod
- Gitpod
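Review bot: the `- Gitpod` line appears as both removed and added with identical visible content, which means this hunk is a whitespace-only change (most likely the newline at end of file). If the intent is to add the missing trailing newline, say so in the commit message; otherwise revert the churn so the diff stays limited to the hint change.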
2 changes: 1 addition & 1 deletion data/static/i18n/ar_SA.json
Expand Up @@ -292,7 +292,7 @@
"Try to guess what URL the endpoint might have.": "Try to guess what URL the endpoint might have.",
"Look for a url parameter where its value appears in the page it is leading to.": "Look for a url parameter where its value appears in the page it is leading to.",
"Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.": "Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor.": "Find a form which updates the username and then construct a malicious page in the online HTML editor.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.",
"Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.": "Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.",
"Copy + Paste = Solved!": "Copy + Paste = Solved!",
"Obtain a Deluxe Membership without paying for it.": "Obtain a Deluxe Membership without paying for it.",
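Review bot: only the key changes here and the value stays in English, which is fine for a locale that falls back to the source text. The key must still match the hint string in challenges.yml exactly, and in this commit the YAML hint carries the new sentence twice while this key carries it once, so one of the two needs to change or the lookup misses. The same applies to the az_AZ, bg_BG, ca_ES and cs_CZ hunks below, which are identical to this one.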
2 changes: 1 addition & 1 deletion data/static/i18n/az_AZ.json
Expand Up @@ -292,7 +292,7 @@
"Try to guess what URL the endpoint might have.": "Try to guess what URL the endpoint might have.",
"Look for a url parameter where its value appears in the page it is leading to.": "Look for a url parameter where its value appears in the page it is leading to.",
"Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.": "Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor.": "Find a form which updates the username and then construct a malicious page in the online HTML editor.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.",
"Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.": "Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.",
"Copy + Paste = Solved!": "Copy + Paste = Solved!",
"Obtain a Deluxe Membership without paying for it.": "Obtain a Deluxe Membership without paying for it.",
2 changes: 1 addition & 1 deletion data/static/i18n/bg_BG.json
Expand Up @@ -292,7 +292,7 @@
"Try to guess what URL the endpoint might have.": "Try to guess what URL the endpoint might have.",
"Look for a url parameter where its value appears in the page it is leading to.": "Look for a url parameter where its value appears in the page it is leading to.",
"Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.": "Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor.": "Find a form which updates the username and then construct a malicious page in the online HTML editor.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.",
"Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.": "Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.",
"Copy + Paste = Solved!": "Copy + Paste = Solved!",
"Obtain a Deluxe Membership without paying for it.": "Obtain a Deluxe Membership without paying for it.",
2 changes: 1 addition & 1 deletion data/static/i18n/ca_ES.json
Expand Up @@ -292,7 +292,7 @@
"Try to guess what URL the endpoint might have.": "Try to guess what URL the endpoint might have.",
"Look for a url parameter where its value appears in the page it is leading to.": "Look for a url parameter where its value appears in the page it is leading to.",
"Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.": "Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor.": "Find a form which updates the username and then construct a malicious page in the online HTML editor.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.",
"Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.": "Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.",
"Copy + Paste = Solved!": "Copy + Paste = Solved!",
"Obtain a Deluxe Membership without paying for it.": "Obtain a Deluxe Membership without paying for it.",
2 changes: 1 addition & 1 deletion data/static/i18n/cs_CZ.json
Expand Up @@ -292,7 +292,7 @@
"Try to guess what URL the endpoint might have.": "Try to guess what URL the endpoint might have.",
"Look for a url parameter where its value appears in the page it is leading to.": "Look for a url parameter where its value appears in the page it is leading to.",
"Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.": "Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor.": "Find a form which updates the username and then construct a malicious page in the online HTML editor.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.",
"Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.": "Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.",
"Copy + Paste = Solved!": "Copy + Paste = Solved!",
"Obtain a Deluxe Membership without paying for it.": "Obtain a Deluxe Membership without paying for it.",
2 changes: 1 addition & 1 deletion data/static/i18n/da_DK.json
Expand Up @@ -292,7 +292,7 @@
"Try to guess what URL the endpoint might have.": "Prøv at gætte, hvilken URL endepunktet kan have.",
"Look for a url parameter where its value appears in the page it is leading to.": "Kig efter en URL-parameter, hvis værdi vises på den side, den fører til.",
"Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.": "Skift navnet på en bruger ved at udføre Cross-Site Request Forgery fra en <a href=\"http:https://htmledit.squarefree.com\">anden side</a>.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor.": "Find en formular, der opdaterer brugernavnet og konstruér derefter en ondsindet side i den online HTML-editor.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find en formular, der opdaterer brugernavnet og konstruér derefter en ondsindet side i den online HTML-editor.",
"Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.": "Brug bonusdataen <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> i <i>DOM XSS</i> -udfordringen.",
"Copy + Paste = Solved!": "Kopiér + Indsæt = Løst!",
"Obtain a Deluxe Membership without paying for it.": "Få et Deluxe medlemskab uden at betale for det.",
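Review bot: the key gained the sentence "You probably need an older browser version for this." but the Danish value was left untouched, so Danish users see the hint without the browser recommendation that is the whole point of this commit. Either add a Danish rendering of the new sentence to the value, or leave the value as the English source so the translation tooling flags it as untranslated instead of silently shipping a stale translation.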
2 changes: 1 addition & 1 deletion data/static/i18n/de_CH.json
Expand Up @@ -292,7 +292,7 @@
"Try to guess what URL the endpoint might have.": "Versuche zu erraten, welche URL der Endpunkt haben könnte.",
"Look for a url parameter where its value appears in the page it is leading to.": "Halte Ausschau nach einem URL-Parameter, dessen Wert auf der Seite, zu der er führt, erscheint.",
"Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.": "Ändere den Namen eines Benutzers, indem du Cross-Site Request Forgery von <a href=\"http:https://htmledit.squarefree.com\">einem anderen Ursprung</a> ausführst.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor.": "Finde ein Formular, welches den Benutzernamen aktualisiert, und baue dann eine bösartige Seite in dem Online-HTML-Editor.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Finde ein Formular, welches den Benutzernamen aktualisiert, und baue dann eine bösartige Seite in dem Online-HTML-Editor.",
"Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.": "Verwendende den Bonus-Payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in der <i>DOM XSS</i>-Herausforderung.",
"Copy + Paste = Solved!": "Kopieren + Einfügen = Gelöst!",
"Obtain a Deluxe Membership without paying for it.": "Erhalte eine Deluxe Mitgliedschaft, ohne dafür zu bezahlen.",
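Review bot: same gap as in da_DK: the key was extended but the Swiss German value still ends at "Online-HTML-Editor.", so the browser recommendation is missing in this locale until the value is updated. Unrelated to this change, the context line "Verwendende den Bonus-Payload" looks like a typo for "Verwende den Bonus-Payload" and could be fixed in a follow-up.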
2 changes: 1 addition & 1 deletion data/static/i18n/de_DE.json
Expand Up @@ -292,7 +292,7 @@
"Try to guess what URL the endpoint might have.": "Versuche zu erraten, welche URL der Endpunkt haben könnte.",
"Look for a url parameter where its value appears in the page it is leading to.": "Halte Ausschau nach einem URL-Parameter, dessen Wert auf der Seite, zu der er führt, erscheint.",
"Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http:https://htmledit.squarefree.com\">another origin</a>.": "Ändere den Namen eines Benutzers, indem du Cross-Site Request Forgery von <a href=\"http:https://htmledit.squarefree.com\">einem anderen Ursprung</a> ausführst.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor.": "Finde ein Formular, welches den Benutzernamen aktualisiert, und baue dann eine bösartige Seite in dem Online-HTML-Editor.",
"Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Finde ein Formular, welches den Benutzernamen aktualisiert, und baue dann eine bösartige Seite in dem Online-HTML-Editor.",
"Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.": "Verwendende den Bonus-Payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in der <i>DOM XSS</i>-Herausforderung.",
"Copy + Paste = Solved!": "Kopieren + Einfügen = Gelöst!",
"Obtain a Deluxe Membership without paying for it.": "Erhalte eine Deluxe Mitgliedschaft, ohne dafür zu bezahlen.",
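Review bot: the German value here is identical to de_CH and has the same problem: the key carries the new sentence, the value does not, so the extended hint is never shown to German users. Update the value together with the key, or keep the two files in sync through the translation tooling rather than by hand.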

0 comments on commit 5bf818c