juice-shop/juice-shop
data/static/i18n/zh_CN.json

{
    "Find the carefully hidden 'Score Board' page.": "找到精心隐藏的“计分板”页面。",
    "Try to find a reference or clue behind the scenes. Or simply guess what URL the Score Board might have.": "尝试寻找引用或链接。或者简单地猜测计分板可能的URL。",
    "Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code> without using the frontend application at all.": "使用<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>代码在不使用前端应用程序情况下进行 <i>存储型</i> XSS 攻击。",
    "You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.": "您需要直接调用服务器端API。通过API尝试不同的HTTP动作以暴露不同实体。",
    "Gain access to any access log file of the server.": "获取访问服务器上任何访问日志文件的权限。",
    "Who would want a server access log to be accessible through a web application?": "谁想要通过web应用程序访问服务器访问日志?",
    "Register as a user with administrator privileges.": "注册一个拥有管理员权限的用户。",
    "You have to assign the unassignable.": "您必须得到一个无法分配的权限。",
    "Access the administration section of the store.": "访问商店的管理页面。",
    "It is just slightly harder to find than the score board link.": "比计分板链接更难找到。",
    "Overwrite the <a href=\"/ftp/legal.md\">Legal Information</a> file.": "覆写 <a href=\"/ftp/legal.md\">法律信息</a> 文件。",
    "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "寻找特殊的的网店新功能。然后找出与它相关的第三方漏洞。",
    "Reset the password of Bjoern's OWASP account via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.": "通过 <a href=\"/#/forgot-password\">忘记密码</a>功能和<i>原始安全问题答案</i>重置Bjoern's OWASP账户的密码。",
    "Learn about the Token Sale before its official announcement.": "在官方公告之前了解代币售卖。",
    "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "开发人员坚信“不公开即安全”远胜于实际的访问限制。",
    "Perform a Remote Code Execution that would keep a less hardened application busy <em>forever</em>.": "利用远程代码执行让应用程序保持<em>永远</em>繁忙。",
    "The feature you need to exploit for this challenge is not directly advertised anywhere.": "您需要用来完成这一挑战的功能并未在任何地方直接发布。",
    "Submit 10 or more customer feedbacks within 20 seconds.": "在 20 秒内提交 10个或更多的客户反馈。",
    "After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick.": "绕过验证码后,写一个自动提交客户反馈的脚本。或者打开许多浏览器标签页快速提交。",
    "Change Bender's password into <i>slurmCl4ssic</i> without using SQL Injection or Forgot Password.": "在不使用 SQL 注入或忘记密码前提下,将Bender的密码更改为 <i>slurmCl4ssic</i> 。",
    "In previous releases this challenge was wrongly accused of being based on CSRF.": "在先前发布的版本中,这一挑战被错误地认为是基于CSRF。",
    "Order the Christmas special offer of 2014.": "订购2014年圣诞节特别优惠。",
    "Find out how the application handles unavailable products and try to find a loophole.": "了解应用程序如何处理不可用商品并试图找到漏洞。",
    "Bypass the Content Security Policy and perform an XSS attack with <code>&lt;script&gt;alert(`xss`)&lt;/script&gt;</code> on a legacy page within the application.": "在应用的传统页面上绕过内容安全策略CSP并使用代码<code>&lt;script&gt;alert(`xss`)&lt;/script&gt;</code> 执行一个XSS攻击",
    "What is even \"better\" than a legacy page with a homegrown RegEx sanitizer? Having CSP injection issues on the exact same page as well!": "还有比带有原生RegEx过滤器的旧版页面“更好”的了么?同样在页面中还有CSP注入问题!",
    "Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code> bypassing a <i>client-side</i> security mechanism.": "使用<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>代码绕过 <i>客户端</i>安全措施进行 <i>存储型</i> XSS 攻击。",
    "Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen.": "仅某些输入字段会验证其输入。 这些内容甚至会以某种方式显示在另一个地方。",
    "Access a confidential document.": "查阅机密文件。",
    "Analyze and tamper with links in the application that deliver a file directly.": "分析和篡改应用程序中直接传递文件的链接。",
    "Perform a <i>DOM</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>.": "使用<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>代码进行基于<i>DOM</i>的XSS攻击",
    "Look for an input field where its content appears in the HTML when its form is submitted.": "查找一个输入字段,其内容在提交表单时会出现在HTML中。",
    "Exfiltrate the entire DB schema definition via SQL Injection.": "通过SQL注入获取整个数据库结构。",
    "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "找出信息的来源。 然后针对注入点构建UNION SELECT攻击字符串,从而获取特定数据。",
    "Use a deprecated B2B interface that was not properly shut down.": "使用已废弃但未正常关闭的B2B接口。",
    "The developers who disabled the interface think they could go invisible by just closing their eyes.": "禁用界面的开发者认为他们只需闭眼这些界面别人就会看不到。",
    "If you solved one of the three file access challenges, you already know where to find the easter egg.": "如果你解决了三个文件访问挑战中的一个,你就已经知道在哪里找到彩蛋。",
    "Perform an unwanted information disclosure by accessing data cross-domain.": "通过跨域访问数据来获得信息泄露",
    "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "尝试找到一个返回用户信息的攻击点。SQL 注入不是解决方案之一。",
    "Log in with the (non-existing) accountant <i>acc0unt4nt@juice-sh.op</i> without ever registering that user.": "在没有注册的情况下使用(不存在的)账号 <i>acc0unt4nt@juice-sh.op</i>登录 。",
    "Try to create the needed user \"out of thin air\".": "尝试“凭空创建”所需的用户。",
    "Provoke an error that is neither very gracefully nor consistently handled.": "引发错误,该错误既不能很好地解决,也不能得到一致的处理。",
    "Try to submit bad input to forms. Alternatively tamper with URL paths or parameters.": "尝试向表单提交错误的输入。 或者篡改URL路径或参数。",
    "Successfully redeem an expired campaign coupon code.": "成功兑换过期的活动优惠券代码。",
    "Try to identify past special event or holiday campaigns of the shop first.": "尝试首先确定商店过去的特殊事件或节日活动。",
    "Retrieve the language file that never made it into production.": "找回从未进入生产环境的语言文件。",
    "Brute force is not the only option for this challenge, but a perfectly viable one.": "暴力破解不是挑战的唯一选择,但是确是完全可行的选择。",
    "Get rid of all 5-star customer feedback.": "删除所有5星客户反馈。",
    "Once you found admin section of the application, this challenge is almost trivial.": "一旦找到应用的管理员部分,这个挑战就很容易解决了",
    "Forge a coupon code that gives you a discount of at least 80%.": "伪造优惠券代码,获得至少80%的折扣。",
    "Post some feedback in another user's name.": "以别人的用户名发布一些反馈。",
    "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "您可以通过篡改用户界面或拦截RESTful 的后端通信来解决这个问题。",
    "Post a product review as another user or edit any user's existing review.": "以另一个用户名义发布商品评论或者编辑任何已有的用户评论。",
    "Observe the flow of product review posting and editing and see if you can exploit it.": "观察商品评论的发布和编辑过程,查看是否可以利用其中的问题。",
    "Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user <i>rsa_lord@juice-sh.op</i>.": "伪造一个几乎正确的RSA签名的JWT令牌,该令牌模拟(不存在的)用户<i> rsa_lord@juice-sh.op </i>。",
    "This challenge is explicitly not about acquiring the RSA private key used for JWT signing.": "这个挑战显然不是要获取用于JWT签名的RSA私钥。",
    "Access a developer's forgotten backup file.": "访问开发者遗忘的备份文件。",
    "You need to trick a security mechanism into thinking that the file you want has a valid file type.": "您需要欺骗安全机制,使其认为您想要的文件具有有效的文件类型。",
    "Access a salesman's forgotten backup file.": "访问销售者遗忘的备份文件。",
    "<a href=\"/#/contact\">Inform the shop</a> about a <i>typosquatting</i> imposter that dug itself deep into the frontend. (Mention the exact name of the culprit)": "<a href=\"/#/contact\">联系商店</a>有关隐藏在前端页面中<i>误植</i>攻击的信息.(提及罪魁祸首的确切名称)",
    "This challenge has nothing to do with mistyping web domains. There is no conveniently misplaced file helping you with this one either. Or is there?": "这个挑战与错误的网站域名无关。 也没有放错位置的文件可以帮助您完成这一任务。 或许会有?",
    "Log in with Chris' erased user account.": "使用已删除的Chris用户帐户登录。",
    "Turns out that something is technically and legally wrong with the implementation of the \"right to be forgotten\" for users.": "事实证明,实现用户“被遗忘的权利”在技术上和法律上都存在问题。",
    "Steal someone else's personal data without using Injection.": "将他人的个人资料偷走而不使用注入。",
    "Trick the regular Data Export to give you more than actually belongs to you.": "欺骗数据导出功能,以提供给您更多实际不属于您的东西。",
    "Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code> through an HTTP header.": "使用<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>代码通过HTTP头部进行 <i>存储型</i>XSS攻击",
    "Finding a piece of displayed information that could originate from an HTTP header is part of this challenge.": "寻找可能显示在HTTP头部中的信息是这一挑战的一部分。",
    "Solve challenge #999. Unfortunately, this challenge does not exist.": "解决挑战#999。不幸的是,这个挑战并不存在。",
    "You need to trick the hacking progress persistence feature into thinking you solved challenge #999.": "您需要欺骗进度统计功能,以为您解决了挑战#999。",
    "Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)": "在Internet上寻找泄露的密码,然后登录到它所属的用户帐户。(使用相同的密码创建新帐户不算解决。)",
    "Once you have it, a technique called \"Password Spraying\" might prove useful.": "解决这个问题时,一种叫做“密码喷洒”的技术可能会是很有用的。",
    "Identify an unsafe product that was removed from the shop and <a href=\"/#/contact\">inform the shop</a> which ingredients are dangerous.": "找到已经从商店中移除的不安全商品,并<a href=\"/#/contact\">联系商店</a>哪些成分是危险的。",
    "Your own SQLi and someone else's Ctrl-V will be your accomplices in this challenge!": "您自己的SQL注入和其他人的Ctrl-V将帮助你完成挑战!",
    "<a href=\"/#/contact\">Inform the shop</a> about a <i>typosquatting</i> trick it has been a victim of at least in <code>v6.2.0-SNAPSHOT</code>. (Mention the exact name of the culprit)": "<a href=\"/#/contact\">联系商店</a>有关<i>误植</i>问题, 在<code> v6.2.0-SNAPSHOT</code>中至少有一个受害者。(提及罪魁祸首的确切名称)",
    "This challenge has nothing to do with mistyping web domains. Investigate the forgotten developer's backup file instead.": "这个挑战与错误输入的网站域名无关。 而是调查被遗忘的开发人员的备份文件。",
    "Log in with the administrator's user account.": "使用管理员用户帐户登录。",
    "Try different SQL Injection attack patterns depending whether you know the admin's email address or not.": "尝试不同的 SQL 注入攻击模式,这取决于您是否知道管理员的电子邮件地址。",
    "Log in with Amy's original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the \"One Important Final Note\")": "使用Amy的原始用户凭据登录。(这可能要花费938.3万亿亿亿世纪的才能暴力破解,但幸运的是她没有读过“最后的重要提示”)",
    "This challenge will make you go after a needle in a haystack.": "这一挑战将使您陷入大海捞针。",
    "Log in with Bender's user account.": "使用Bender的用户帐户登录。",
    "If you know Bender's email address, try SQL Injection. Bender's password hash might not help you very much.": "如果您知道Bender的电子邮件地址,请尝试SQL注入。Bender的密码哈希可能对您没有多大帮助。",
    "Log in with Bjoern's Gmail account <i>without</i> previously changing his password, applying SQL Injection, or hacking his Google account.": "使用 Bjoern的 Gmail 帐户登录而 <i>不</i> 更改他的密码,使用SQL 注入或骇入他的Google帐户。",
    "The security flaw behind this challenge is 100% OWASP Juice Shop's fault and 0% Google's.": "该挑战背后的安全漏洞是100%OWASP Juice Shop的问题和0%Google的问题。",
    "Exploit OAuth 2.0 to log in with the Chief Information Security Officer's user account.": "利用OAuth 2.0以首席信息安全官的用户帐户登录。",
    "Don't try to beat Google's OAuth 2.0 service. Rather investigate implementation flaws on OWASP Juice Shop's end.": "不要试图破解Google的OAuth 2.0服务。 而是在OWASP Juice Shop的实现上查找问题。",
    "Log in with Jim's user account.": "使用Jim的用户帐户登录。",
    "Try cracking Jim's password hash if you harvested it already. Alternatively, if you know Jim's email address, try SQL Injection.": "如果你已经收获了Jim的密码哈希,请尝试破解。或者,如果你知道Jim的电子邮件地址,请尝试 SQL 注入。",
    "Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass.": "使用MC SafeSearch的原始用户凭据登录而不使用 SQL 注入或任何其他绕过方法.",
    "You should listen to MC's hit song \"Protect Ya Passwordz\".": "您应该听MC的热门歌曲“ Protect Ya Passwordz”。",
    "Log in with the support team's original user credentials without applying SQL Injection or any other bypass.": "使用支持团队的原始用户凭据登录而不使用SQL注入或任何其他绕过方法。",
    "The underlying flaw of this challenge is a lot more human error than technical weakness.": "这一挑战的根本原因是人为错误远远多于技术缺陷。",
    "Put an additional product into another user's shopping basket.": "将额外商品放入另一个用户的购物车。",
    "Have an eye on the HTTP traffic while placing products in the shopping basket. Changing the quantity of products already in the basket doesn't count.": "将商品放入购物车时,请注意HTTP流量。 更改已经在购物篮中的商品数量不计算在内。",
    "Access a misplaced <a href=\"https://github.com/Neo23x0/sigma\">SIEM signature</a> file.": "访问放置错误的<a href=\"https://github.com/Neo23x0/sigma\"> SIEM签名</a>文件。",
    "Like any review at least three times as the same user.": "以相同用户赞任何评论至少三次",
    "Punctuality is the politeness of kings.": "守时是礼仪之本",
    "Apply some advanced cryptanalysis to find <i>the real</i> easter egg.": "使用一些高级加密分析来找到<i>真正的</i>复活节彩蛋。",
    "You might have to peel through several layers of tough-as-nails encryption for this challenge.": "为了应对这一挑战,您可能必须绕过几层“意志坚定”的加密手段。",
    "Let the server sleep for some time. (It has done more than enough hard work for you)": "让服务器休眠一段时间。(它为您做了足够多的艰苦工作)",
    "This challenge is essentially a stripped-down Denial of Service (DoS) attack.": "这个挑战本质上是一种简化的拒绝服务(DoS) 攻击。",
    "All your orders are belong to us! Even the ones which don't.": "您的所有订单都属于我们!即使是那些不属于我们的订单也是如此。",
    "Take a close look on how the $where query operator works in MongoDB.": "仔细研究$where查询运算符在MongoDB中的工作方式。",
    "Update multiple product reviews at the same time.": "同时更新多个商品评论。",
    "Take a close look on how the equivalent of UPDATE-statements in MongoDB work.": "仔细研究MongoDB中等效的UPDATE语句如何工作。",
    "Let us redirect you to one of our crypto currency addresses which are not promoted any longer.": "让我们将您重定向到我们不再推广的加密货币地址。",
    "We might have failed to take this out of our code properly.": "我们可能没有正确地将其从我们的代码中删除。",
    "Log in with the administrator's user credentials without previously changing them or applying SQL Injection.": "使用管理员的用户凭据登录,但不事先更改凭据或使用SQL注入。",
    "This one should be equally easy to a) brute force, b) crack the password hash or c) simply guess.": "这一个应该和以下同样容易: a) 暴力破解, b) 破解密码哈希或c) 简单猜测。",
    "Place an order that makes you rich.": "提交一个让你变得更富有的订单",
    "You literally need to make the shop owe you any amount of money.": "您实际上需要使商店欠您任何款项。",
    "<i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><!--IvLuRfBJYlmStf9XfL6ckJFngyd9LfV1JaaN/KRTPQPidTuJ7FR+D/nkWJUF+0xUF07CeCeqYfxq+OJVVa0gNbqgYkUNvn//UbE7e95C+6e+7GtdpqJ8mqm4WcPvUGIUxmGLTTAC2+G9UuFCD1DUjg==--> <a href=\"https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm\" target=\"_blank\"><i class=\"fab fa-btc fa-sm\"></i> Unlock Premium Challenge</a> to access exclusive content.": "<i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><!--IvLuRfBJYlmStf9XfL6ckJFngyd9LfV1JaaN/KRTPQPidTuJ7FR+D/nkWJUF+0xUF07CeCeqYfxq+OJVVa0gNbqgYkUNvn//UbE7e95C+6e+7GtdpqJ8mqm4WcPvUGIUxmGLTTAC2+G9UuFCD1DUjg==--> <a href=\"https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm\" target=\"_blank\"><i class=\"fab fa-btc fa-sm\"></i> 解锁高级挑战</a> 来访问更多内容。",
    "You do not have to pay anything to unlock this challenge! Nonetheless, donations are very much appreciated.": "您无需支付任何费用即可解锁此挑战! 尽管如此,如果有捐赠就更好了。",
    "Read our privacy policy.": "阅读隐私政策",
    "We won't even ask you to confirm that you did. Just read it. Please. Pretty please.": "我们甚至不会要求你确认你已经这样做了。请真的读下吧。",
    "Prove that you actually read our privacy policy.": "证明您实际上阅读了我们的隐私政策。",
    "Only by visiting a special URL you can confirm that you read it carefully.": "只有访问了一个特殊的URL,你才能确认你仔细阅读了它。",
    "Change the <code>href</code> of the link within the <a href=\"/#/search?q=OWASP SSL Advanced Forensic Tool (O-Saft)\">OWASP SSL Advanced Forensic Tool (O-Saft)</a> product description into <i>https://owasp.slack.com</i>.": "更改<a href=\"/#/search?q=OWASP SSL 高级取证工具 (O-Saft)\">OWASP SSL高级取证工具(O-Saft)</a>中链接的<code>href</code>为<i> https://owasp.slack.com </i>。",
    "Look for one of the following: a) broken admin functionality, b) holes in RESTful API or c) possibility for SQL Injection.": "查找以下内容之一: a) 失效的管理功能, b) RESTful API中的漏洞或c) SQL注入的可能性。",
    "Perform a <i>reflected</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>.": "使用<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>代码执行<i>反射型</i> XSS攻击",
    "Look for an input field where its content appears in the response HTML when its form is submitted.": "查找一个输入字段,其内容在提交表单后会出现在返回的HTML中。",
    "Follow the DRY principle while registering a user.": "注册用户时请遵循DRY原则。",
    "You can solve this by cleverly interacting with the UI or bypassing it altogether.": "您可以通过巧妙地与UI交互或完全绕过UI来解决此问题。",
    "Reset Bender's password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.": "通过<a href=\"/#/forgot-password\">忘记密码</a>功能中安全问题的<i>原始答案</i>来重置Bender的密码.",
    "Not as trivial as Jim's but still not too difficult with some \"Futurama\" background knowledge.": "虽然不像Jim那样微不足道,但是通过一些“ 未来世界”背景知识仍然不算太难。",
    "Reset the password of Bjoern's internal account via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.": "通过<a href=\"/#/forgot-password\">忘记密码</a>功能中安全问题的<i>原始答案</i>来重置Bjoern的内部账号密码.",
    "Nothing a little bit of Facebook stalking couldn't reveal. Might involve a historical twist.": "Facebook跟踪的所有内容都无法透露。 可能涉及历史的转折。",
    "Reset Jim's password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.": "通过<a href=\"/#/forgot-password\">忘记密码</a>功能中安全问题的<i>原始答案</i>来重置Jim的密码.",
    "It's hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly exposed.": "对于名人来说,很难从硬编码列表中选择一个未公开答案的安全问题。",
    "Reset Morty's password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>his obfuscated answer</i> to his security question.": "通过<a href=\"/#/forgot-password\">忘记密码</a>功能中安全问题的<i>可能使用的答案</i>来重置Morty的密码.",
    "Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty's security question.": "找到一种绕过提交频率限制的方法来暴力破解Morty的安全问题的答案。",
    "Deprive the shop of earnings by downloading the blueprint for one of its products.": "通过下载其中一种商品的配方来剥夺商店的收入。",
    "The product you might want to give a closer look is the OWASP Juice Shop Logo (3D-printed).": "您可能希望更仔细地看的商品是OWASP Juice Shop徽标(3D打印)。",
    "Request a hidden resource on server through server.": "通过服务器请求服务器上的隐藏资源。",
    "Reverse engineering something bad can make good things happen.": "逆向工程可使事情好转。",
    "Infect the server with juicy malware by abusing arbitrary command execution.": "通过利用任意命令执行,以恶意软件juicy感染服务器。",
    "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "“ SSTi”清楚地表明这与Angular无关。 另外,请确保仅使用我们的非恶意恶意软件。",
    "Behave like any \"white-hat\" should before getting into the action.": "开始行动之前任何行为都应该像\"白帽\"一样",
    "Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code> bypassing a <i>server-side</i> security mechanism.": "使用<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>代码绕过 <i>服务端</i>安全措施进行 <i>存储型</i> XSS 攻击。",
    "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "您要重点关注“客户反馈”页面中的“注释”字段。",
    "<a href=\"/#/contact\">Rat out</a> a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "<a href=\"/#/contact\">找出</a>并提交隐藏在商店中的臭名昭著字符. (提及确切的字符名称)",
    "No matter how good your eyes are, you will need tool assistance for this challenge.": "无论你的眼睛多么好,你都需要工具来帮助应对这一挑战。",
    "Perform a Remote Code Execution that occupies the server for a while without using infinite loops.": "在不使用无限循环的情况下, 利用远程代码执行占用服务器一段时间。",
    "Your attack payload must not trigger the protection against too many iterations.": "您的攻击载荷不得触发针对过多迭代的保护。",
    "This vulnerability will not affect any customer of the shop. It is aimed exclusively at its developers.": "这个漏洞不会影响商店的任何客户,而只是针对其开发者。",
    "Solve the 2FA challenge for user \"wurstbrot\". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)": "解决用户\"wurstbrot\"的 2FA 验证。(禁用、绕过或覆盖他的 2FA 设置并不算作解决方案)",
    "The 2FA implementation requires to store a secret for every user. You will need to find a way to access this secret in order to solve this challenge.": "2FA需要为每个用户存储一个密钥。 您需要找到访问此密钥的方法来解决这个挑战。",
    "Forge an essentially unsigned JWT token that impersonates the (non-existing) user <i>jwtn3d@juice-sh.op</i>.": "伪造一个本质上未签名的JWT令牌,该令牌模拟(不存在的)用户<i> jwtn3d@juice-sh.op </i>。",
    "This challenge exploits a weird option that is supported when signing tokens with JWT.": "此挑战利用了一个使用JWT签名令牌时的奇怪选项。",
    "Upload a file larger than 100 kB.": "上传大于 100 kB 的文件。",
    "You can attach a small file to the \"Complaint\" form. Investigate how this upload actually works.": "您可以在“投诉”表单中附加一个小文件。调查此上传实际上是如何工作的。",
    "Upload a file that has no .pdf or .zip extension.": "上传一个没有 .pdf 或 .zip 扩展名的文件。",
    "You can attach a PDF or ZIP file to the \"Complaint\" form. Investigate how this upload actually works.": "您可以在“投诉”表单中附加一个PDF或ZIP文件。调查此上传实际上是如何工作的。",
    "Retrieve a list of all user credentials via SQL Injection.": "通过 SQL 注入获取所有用户凭据列表。",
    "Gather information on where user data is stored and how it is addressed. Then craft a corresponding UNION SELECT attack.": "收集关于储存用户数据的地点和如何处理的信息。然后制作一个相应的UNION SELECT攻击。",
    "Embed an XSS payload <code>&lt;/script&gt;&lt;script&gt;alert(`xss`)&lt;/script&gt;</code> into our promo video.": "嵌入一个 XSS 载荷 <code>&lt;/script&gt;&lt;script&gt;alert(`xss`)&lt;/script&gt;</code> 到我们的促销视频。",
    "You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.": "您必须在另一个6星级挑战之后重用该漏洞才能解决此问题。",
    "View another user's shopping basket.": "查看其他用户的购物车。",
    "Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.": "在购物时关注HTTP流量。或者尝试在客户端找到用户与购物车的关联。",
    "<a href=\"/#/contact\">Inform the shop</a> about a vulnerable library it is using. (Mention the exact library name and version in your comment)": "<a href=\"/#/contact\">联系商店</a>有关正在使用的易受攻击的库的信息。(在您的评论中提及确切的库名称和版本)",
    "Report one of two possible answers via the \"Customer Feedback\" form. Do not forget to submit the library's version as well.": "通过\"客户反馈\"表单报告两个可能的答案之一。不要忘记提交库的版本。",
    "<a href=\"/#/contact\">Inform the shop</a> about an algorithm or library it should definitely not use the way it does.": "<a href=\"/#/contact\">联系商店</a>有关它绝对不应该使用的算法或库。",
    "Report one of four possible answers via the \"Customer Feedback\" form.": "通过“客户反馈”表单报告四个可能答案中的一个。",
    "Enforce a redirect to a page you are not supposed to redirect to.": "强制重定向到你不应该重定向到的页面。",
    "You have to find a way to beat the allowlist of allowed redirect URLs.": "您必须找到一种方法来绕过允许重定向的 URL 列表。",
    "Retrieve the content of <code>C:\\Windows\\system.ini</code> or <code>/etc/passwd</code> from the server.": "从服务器获取 <code>C:\\Windows\\system.ini</code> 或 <code>/etc/passwd</code>内容。",
    "The leverage point for this challenge is the deprecated B2B interface.": "这项挑战的关键点是废弃的B2B接口。",
    "Give the server something to chew on for quite a while.": "给服务器一些东西,让它消化一会儿。",
    "It is not as easy as sending a large amount of data directly to the deprecated B2B interface.": "它不像向已经废弃的B2B接口直接发送大量数据那么容易。",
    "Give a devastating zero-star feedback to the store.": "给商店一个毁灭性的零星反馈。",
    "Before you invest time bypassing the API, you might want to play around with the UI a bit.": "在花时间绕过API之前,您可能需要尝试一下UI。",
    "Your eldest siblings middle name?": "您最年长兄弟姐妹的中间名?",
    "Mother's maiden name?": "母亲的娘家姓",
    "Mother's birth date? (MM/DD/YY)": "母亲的出生日期?(MM/DD/YY)",
    "Father's birth date? (MM/DD/YY)": "父亲的出生日期?(MM/DD/YY)",
    "Maternal grandmother's first name?": "外婆/姥姥的名字?",
    "Paternal grandmother's first name?": "奶奶的名字?",
    "Name of your favorite pet?": "您最喜欢的宠物的名字?",
    "Last name of dentist when you were a teenager? (Do not include 'Dr.')": "当你是青少年时牙医的姓?(不包括'Dr')",
    "Your ZIP/postal code when you were a teenager?": "当你是青少年时您的邮政编码?",
    "Company you first work for as an adult?": "作为成年人第一次工作的公司?",
    "Your favorite book?": "您最喜欢的书?",
    "Your favorite movie?": "您最喜欢的电影?",
    "Number of one of your customer or ID cards?": "您的客户或身份卡的数量?",
    "Apple Juice (1000ml)": "苹果汁(1000毫升)",
    "The all-time classic.": "历来经典.",
    "Orange Juice (1000ml)": "橙汁 (1000毫升)",
    "Made from oranges hand-picked by Uncle Dittmeyer.": "由Dittmeyer叔叔手工挑选的橘子制成。",
    "Eggfruit Juice (500ml)": "蛋黄果汁(500毫升)",
    "Now with even more exotic flavour.": "现在具有更多异国风味。",
    "Raspberry Juice (1000ml)": "树莓汁 (1000毫升)",
    "Made from blended Raspberry Pi, water and sugar.": "由树莓派、水和糖混合制成。",
    "Lemon Juice (500ml)": "柠檬汁(500毫升)",
    "Sour but full of vitamins.": "虽然酸但富含维生素。",
    "Banana Juice (1000ml)": "香蕉汁(1000毫升)",
    "Monkeys love it the most.": "猴子最喜欢它。",
    "OWASP Juice Shop T-Shirt": "OWASP Juice Shop T恤",
    "Real fans wear it 24/7!": "真正粉丝24/7穿着它!",
    "OWASP Juice Shop CTF Girlie-Shirt": "OWASP Juice Shop CTF 少女衬衫",
    "For serious Capture-the-Flag heroines only!": "只为真正的CTF英雄!",
    "OWASP SSL Advanced Forensic Tool (O-Saft)": "OWASP SSL 高级取证工具 (O-Saft)",
    "O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations. <a href=\"https://www.owasp.org/index.php/O-Saft\" target=\"_blank\">More...</a>": "O-Saft 是一个简单易用的工具来显示关于SSL 证书的信息,并根据给定的加密方式和各种SSL配置列表测试SSL 连接。 <a href=\"https://www.owasp.org/index.php/O-Saft\" target=\"_blank\">更多...</a>",
    "Christmas Super-Surprise-Box (2014 Edition)": "圣诞超级惊喜礼盒(2014 版)",
    "Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price! (Seasonal special offer! Limited availability!)": "包含随机选择的10瓶(每瓶500毫升) 我们最美味果汁组合和一个额外的粉丝衬衫,无与伦比的价格! (季节性特别优惠!数量有限!)",
    "Rippertuer Special Juice": "Rippertuer特别果汁",
    "Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price! <br/><span style=\"color:red;\">This item has been made unavailable because of lack of safety standards.</span> (This product is unsafe! We plan to remove it from the stock!)": "包含来自世界各地的最稀有水果的神奇集合,例如番荔枝,嘉宝果,木橘等,而且价格令人难以置信!<br/><span style=\"color:red;\">由于缺乏安全标准,该商品不可用。</span>(此商品不安全!我们计划从库存中将其删除!)",
    "OWASP Juice Shop Sticker (2015/2016 design)": "OWASP Juice Shop贴纸(2015/2016设计)",
    "Die-cut sticker with the official 2015/2016 logo. By now this is a rare collectors item. <em>Out of stock!</em>": "带有2015/2016官方标志的双切贴纸。现在这是稀有的收藏品。 <em>库存不足!</em>",
    "OWASP Juice Shop Iron-Ons (16pcs)": "OWASP Juice Shop 转印贴纸 (16张)",
    "Upgrade your clothes with washer safe <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">iron-ons</a> of the OWASP Juice Shop or CTF Extension logo!": "升级您的衣服, 在<a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">周边</a>查找可水洗的OWASP Juice shop或CTF标志!",
    "OWASP Juice Shop Magnets (16pcs)": "OWASP Juice Shop 磁吸(16个)",
    "Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">magnets</a>!": "使用这些OWASP Juice shop或CTF徽标会让你显得更酷<a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">磁力标志</a>!",
    "OWASP Juice Shop Sticker Page": "OWASP Juice Shop整页贴纸",
    "Massive decoration opportunities with these OWASP Juice Shop or CTF Extension <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker pages</a>! Each page has 16 stickers on it.": "这些OWASP Juice Shop或CTF<a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">贴纸</a>带来大量装饰机会! 每页上有16个贴纸。",
    "OWASP Juice Shop Sticker Single": "OWASP Juice Shop单页贴纸",
    "Super high-quality vinyl <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker single</a> with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!": "使用OWASP Juice Shop或CTF 徽章,高品质的 <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">标签贴</a> !终极笔记本贴纸!",
    "OWASP Juice Shop Temporary Tattoos (16pcs)": "OWASP Juice Shop 临时纹身(16张)",
    "Get one of these <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">temporary tattoos</a> to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! Please mention <a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"><code>@owasp_juiceshop</code></a> in your tweet!": "获取以下<a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">临时纹身</a>之一,自豪地纹着OWASP Juice Shop或CTF徽标在您的皮肤上! 如果您发布自己带纹身的照片,则可免费获得我们的几张贴纸! 请在您的推文中提及<a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"> <code> @owasp_juiceshop </code> </a>!",
    "OWASP Juice Shop Mug": "OWASP Juice Shop 马克杯",
    "Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!": "一侧有普通徽标的和另一侧有CTF徽标的黑色马克杯!同事们会羡慕你!",
    "OWASP Juice Shop Hoodie": "OWASP Juice Shop 连帽衫",
    "Mr. Robot-style apparel. But in black. And with logo.": "机器人先生风格的服装。黑色带有徽标。",
    "OWASP Juice Shop-CTF Velcro Patch": "OWASP Juice Shop-CTF 魔术贴",
    "4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!": "4x3.5英寸刺绣贴布,带魔术贴背面。每个战术包或背包的终极贴花!",
    "Woodruff Syrup \"Forest Master X-Treme\"": "Woodruff Syrup \"森林大师X-Treme\"",
    "Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.": "在德国黑森林采伐和制造。 可能导致儿童多动。 未经稀释食用会导致永久性舌头变绿。",
    "Green Smoothie": "蔬菜汁",
    "Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.": "看起来有毒,但实际上对您的健康非常有好处! 由青菜,菠菜,猕猴桃和草制成。",
    "Quince Juice (1000ml)": "榅桲汁(1000毫升)",
    "Juice of the <em>Cydonia oblonga</em> fruit. Not exactly sweet but rich in Vitamin C.": "<em>榅桲</em> 汁。不甜但是富含维生素C。",
    "Apple Pomace": "苹果糊",
    "Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.": "苹果的最佳压榨法. 过敏免责声明: 可能包含蠕虫的痕迹。可以<a href=\"/#recycle\">退还</a>我们进行回收。",
    "Fruit Press": "榨汁机",
    "Fruits go in. Juice comes out. Pomace you can send back to us for recycling purposes.": "水果进去。果汁出来。 您可以将果渣寄回给我们以进行回收。",
    "OWASP Juice Shop Logo (3D-printed)": "OWASP Juice Shop徽标(3D-打印)",
    "This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.": "这款稀有物品是在瑞典设计和手工制作的。 这就是为什么尽管它完全没有目的,却是如此昂贵的原因。",
    "Juice Shop Artwork": "Juice Shop 艺术品",
    "Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.": "独特的杰作,在90g /m²的横格纸上涂上不同种类的果汁。",
    "Global OWASP WASPY Award 2017 Nomination": "2017年全球OWASP WASPY奖提名",
    "Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! <a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">Nominate now!</a>": "您提名最多三个候选品的机会在2017-06-30结束! <a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">现在提名!</a>",
    "Strawberry Juice (500ml)": "草莓汁(500毫升)",
    "Sweet & tasty!": "香甜可口!",
    "Carrot Juice (1000ml)": "胡萝卜汁(1000毫升)",
    "As the old German saying goes: \"Carrots are good for the eyes. Or has anyone ever seen a rabbit with glasses?\"": "就像古老的德国谚语所说:“胡萝卜对眼睛有益。你见过戴眼镜的兔子么?”",
    "OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)": "OWASP Juice Shop 2017瑞典巡回活动贴纸(特别版)",
    "10 sheets of Sweden-themed stickers with 15 stickers on each.": "10张以瑞典为主题的贴纸,每张15个贴纸。",
    "Pwning OWASP Juice Shop": "攻克 OWASP Juice Shop",
    "Melon Bike (Comeback-Product 2018 Edition)": "Melon自行车 (2018重制版)",
    "The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.": "这辆自行车的车轮是用真正的西瓜制成的。 您可能不想过分用力将其沿上下路边骑行。",
    "OWASP Juice Shop Coaster (10pcs)": "OWASP Juice Shop 杯垫 (10个)",
    "Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.": "我们的95毫米圆形杯垫全彩印刷,由厚实的优质杯垫板制成。",
    "Retrieve the photo of Bjoern's cat in \"melee combat-mode\".": "获得Bjoern的猫\"乱斗模式\"照片。",
    "Check the Photo Wall for an image that could not be loaded correctly.": "在照片墙中查找一个无法正常加载的图像。",
    "Stick <a href=\"http://placekitten.com/\" target=\"_blank\">cute cross-domain kittens</a> all over our delivery boxes.": "将<a href=\"http://placekitten.com/\" target=\"_blank\">可爱的跨域小猫</a>贴满我们的配送箱。",
    "This challenge would formally have to be in several categories as the developers made multiple gaffes for this to be possible.": "这个挑战可以归为很多个分类,因为开发人员犯了很多错误才使完成挑战变得可能。",
    "ea.": "每件/个",
    "Delivery Price": "运费",
    "Total Price": "总价",
    "Bonus Points Earned": "获得奖励积分",
    "The bonus points from this order will be added 1:1 to your wallet ¤-fund for future purchases!": "此次订单的奖励积分会1:1加入你的钱包,并可用于下次购物支付",
    "Thank you for your order!": "感谢您的订购!",
    "Order Confirmation": "订单确认",
    "Customer": "客户",
    "Order": "订单",
    "Date": "日期",
    "OWASP Juice Shop Holographic Sticker": "OWASP Juice Shop 全息贴纸",
    "Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!": "模切全息贴纸。用这枚闪耀着80年代酷炫气息的标志,让你的笔记本从那些贴满平庸贴纸的笔记本中脱颖而出!",
    "OWASP Snakes and Ladders - Mobile Apps": "OWASP蛇梯棋-移动应用",
    "This amazing mobile app security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">available for Tabletop Simulator on Steam Workshop</a> now!": "这款精彩的移动应用安全意识桌游现已<a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">在Steam创意工坊提供Tabletop Simulator版本</a>!",
    "OWASP Snakes and Ladders - Web Applications": "OWASP蛇梯棋-Web应用",
    "This amazing web application security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">available for Tabletop Simulator on Steam Workshop</a> now!": "这款精彩的Web应用安全意识桌游现已<a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">在Steam创意工坊提供Tabletop Simulator版本</a>!",
    "<em>The official Companion Guide</em> by Björn Kimminich available <a href=\"https://leanpub.com/juice-shop\">for free on LeanPub</a> and also <a href=\"https://pwning.owasp-juice.shop\">readable online</a>!": "Björn Kimminich编写的<em>官方配套指南</em>可在<a href=\"https://leanpub.com/juice-shop\">LeanPub免费获取</a>,也可<a href=\"https://pwning.owasp-juice.shop\">在线阅读</a>!",
    "We are out of stock! Sorry for the inconvenience.": "已售罄! 带来的不便深表歉意。",
    "Wrong answer to CAPTCHA. Please try again.": "验证码错误。请重试。",
    "Invalid email or password.": "无效的邮箱或密码。",
    "Current password is not correct.": "当前密码不正确。",
    "Password cannot be empty.": "密码不能为空。",
    "New and repeated password do not match.": "两次密码输入不匹配。",
    "Wrong answer to security question.": "错误的安全问题答案。",
    "<a href=\"/#/contact\">Inform the development team</a> about a danger to some of <em>their</em> credentials. (Send them the URL of the <em>original report</em> or an assigned CVE or another identifier of this vulnerability)": "<a href=\"/#/contact\">联系开发团队</a>有关<em>他们</em>可能存在的凭据风险. (向他们发送<em>原始报告</em>的URL或此漏洞的CVE或者其他漏洞标识)",
    "You can order only up to {{quantity}} items of this product.": "您最多只能订购 {{quantity}} 件此商品。",
    " <em>(This challenge is <strong>not available</strong> on Docker!)</em>": " <em>(这个挑战在Docker上 <strong>不可用</strong>!)</em>",
    " <em>(This challenge is <strong>not available</strong> on Heroku!)</em>": " <em>(这个挑战在Heroku上 <strong>不可用</strong>!)</em>",
    " <em>(This challenge is <strong>not available</strong> on Gitpod!)</em>": " <em>(这个挑战 在 Gitpod 上<strong>不可用</strong> !)</em>",
    " <em>(This challenge is <strong>potentially harmful</strong> on Docker!)</em>": " <em>(这个挑战在Docker上 <strong>存在潜在威胁</strong>!)</em>",
    " <em>(This challenge is <strong>potentially harmful</strong> on Gitpod!)</em>": " <em>(这个挑战在Gitpod上 <strong>存在潜在威胁</strong>!)</em>",
    " <em>(This challenge is <strong>potentially harmful</strong> on Heroku!)</em>": " <em>(这个挑战在Heroku上 <strong>存在潜在威胁</strong>!)</em>",
    "Find the endpoint that serves usage data to be scraped by a <a href=\"https://github.com/prometheus/prometheus\">popular monitoring system</a>.": "找出向<a href=\"https://github.com/prometheus/prometheus\">常见监控系统</a>提供可抓取用量数据的端点。",
    "Try to guess what URL the endpoint might have.": "尝试猜测该端点可能使用什么URL。",
    "Look for a url parameter where its value appears in the page it is leading to.": "查找一个URL参数,它的值出现在它指向的页面中。",
    "Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http://htmledit.squarefree.com\">another origin</a>.": "使用跨站点请求伪造从 <a href=\"http://htmledit.squarefree.com\">另一个来源</a> 更改用户的名字。",
    "Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.": "在 <i>DOM XSS</i> 挑战中使用奖励payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code>",
    "Copy + Paste = Solved!": "复制 + 粘贴 = 解决!",
    "Obtain a Deluxe Membership without paying for it.": "无需付费获得高级会员资格。",
    "Look closely at what happens when you attempt to upgrade your account.": "仔细观察当你试图升级你的帐户时会发生什么。",
    " <em>(This challenge is <strong>not available</strong> on Windows!)</em>": " <em>(这个挑战在Windows上 <strong>不可用</strong>!)</em>",
    "Reset Uvogin's password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.": "通过<a href=\"/#/forgot-password\">忘记密码</a>功能,用他安全问题的<i>原始答案</i>重置Uvogin的密码。",
    "You might have to do some OSINT on his social media personas to find out his honest answer to the security question.": "你可能必须对他的社交媒体做一些OSINT(公开资源情报计划)工作,以便找到他对安全问题的诚实回答。",
    "Juice Shop Adversary Trading Card (Common)": "Juice Shop攻击者集换式卡片 (常见)",
    "Common rarity \"Juice Shop\" card for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.": "常见稀有度的\"Juice Shop\"卡片,属于<a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">攻击者集换式卡片</a>集换式卡牌游戏。",
    "Juice Shop Adversary Trading Card (Super Rare)": "Juice Shop攻击者集换式卡片 (超级稀有)",
    "Super rare \"Juice Shop\" card with holographic foil-coating for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.": "带有全息箔面的超级稀有\"Juice Shop\"卡片,属于<a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">攻击者集换式卡片</a>集换式卡牌游戏。",
    "OWASP Juice Shop \"King of the Hill\" Facemask": "OWASP Juice Shop \"山丘之王\" 面罩",
    "Facemask with compartment for filter from 50% cotton and 50% polyester.": "带滤芯插袋的口罩,由50%棉和50%聚酯纤维制成。",
    "Determine the answer to John's security question by looking at an upload of him to the Photo Wall and use it to reset his password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism.": "通过查看他上传到照片墙的照片来确定John安全问题的答案并通过 <a href=\"/#/forgot-password\">忘记密码</a> 机制重置他的密码。",
    "Take a look at the meta data of the corresponding photo.": "查看相应照片的元数据。",
    "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism.": "通过查看她上传到照片墙的照片来确定Emma安全问题的答案,并通过 <a href=\"/#/forgot-password\">忘记密码</a> 机制重置她的密码。",
    "Take a look at the details in the photo to determine the location of where it was taken.": "查看照片中的详细信息,以确定照片的拍摄地点。",
    "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"永久冻结\" 2020 版",
    "Best Juice Shop Salesman Artwork": "果汁商店最佳销售插画",
    "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before <em>finally</em> adding his expertise to the Juice Shop marketing team.": "一幅独特的数字绘画,描绘了我们最有资质、几乎能盈利的推销员Stan。他在出售二手船、棺材、地下墓穴、十字架、房地产、人寿保险、餐厅用品、伏都教强化石棉和法庭纪念品方面事业有成,<em>最终</em>把自己的专长带到了Juice Shop营销团队。",
    "20th Anniversary Celebration Ticket": "20周年纪念票",
    "Get your <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\">free 🎫 for OWASP 20th Anniversary Celebration</a> online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!": "获取您的 <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\"> OWASP 20周年庆典在线会议免费🎫</a>  ! 听取世界知名的主旨演讲和特别演讲,与您的同行建立联系,并与我们的活动赞助商进行互动。 预计有来自世界各地的10k+的参与者,你不会想错过这个在线直播活动!",
    "OWASP Juice Shop Card (non-foil)": "OWASP果汁店卡片(无箔)",
    "Mythic rare <small><em>(obviously...)</em></small> card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!": "神话稀有 <small><em>(显然...)</em></small> 卡片\"OWASP Juice Shop\",拥有三项截然不同的实用能力。Alpha版印刷,全新品相。真正值得收藏家拥有的珍品!",
    "Line {{vulnLine}} is responsible for this vulnerability or security flaw. Select it and submit to proceed.": "第 {{vulnLine}} 行造成这个漏洞或安全缺陷。选择它并提交以继续。",
    "Lines {{vulnLines}} are responsible for this vulnerability or security flaw. Select them and submit to proceed.": "第 {{vulnLines}} 行造成这个漏洞或安全缺陷。请选择它们并提交以继续。",
    "Receive a coupon code from the support chatbot.": "从客服聊天机器人获得优惠券代码。",
    "Just keep asking.": "不停地问。",
    "Permanently disable the support chatbot so that it can no longer answer customer queries.": "永久禁用客服聊天机器人,以使它无法再回答客户询问。",
    "Think of a way to get a hold of the internal workings on the chatbot API.": "想办法掌握聊天机器人API的内部运作情况。",
    "Gain read access to an arbitrary local file on the web server.": "获得对web服务器上任意一个本地文件的读取权限。",
    "You should read up on vulnerabilities in popular NodeJs template engines.": "你应该阅读一下流行的NodeJs模板引擎的漏洞。",
    "Try to identify where (potentially malicious) user input is coming into the code.": "试图确定(潜在的恶意)用户输入在哪里进入代码。",
    "What is the code doing with the user input other than using it to filter the data source?": "除了用它来过滤数据源之外,代码对用户输入做了什么?",
    "Look for a line where the developers fiddled with Angular's built-in security model.": "找出开发人员摆弄Angular内置安全模型的那一行。",
    "Using bypassSecurityTrustStyle() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact. The context where the parameter is used is not CSS, making this switch totally pointless.": "使用bypassSecurityTrustStyle()而不是bypassSecurityTrustHtml()改变了绕过输入净化所针对的上下文。即便有影响,这种切换也只是碰巧保住了XSS防护。该参数的使用上下文并不是CSS,因此这种切换毫无意义。",
    "Using bypassSecurityTrustResourceUrl() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. This switch might only accidentally keep XSS prevention intact, but the new URL context does not make any sense here.": "使用bypassSecurityTrustResourceUrl()而不是bypassSecurityTrustHtml()改变了绕过输入净化所针对的上下文。这种切换可能只是碰巧保住了XSS防护,但新的URL上下文在这里没有任何意义。",
    "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact. The context where the parameter is used is not a script either, so this switch would be nonsensical.": "使用bypassSecurityTrustScript()而不是bypassSecurityTrustHtml()改变了绕过输入净化所针对的上下文。即便有影响,这种切换也只是碰巧保住了XSS防护。该参数的使用上下文也不是脚本,所以这种切换同样毫无道理。",
    "Removing the bypass of sanitization entirely is the best way to fix this vulnerability. Fiddling with Angular's built-in sanitization was entirely unnecessary as the user input for a text search should not be expected to contain HTML that needs to be rendered but merely plain text.": "完全移除对净化的绕过是修复这个漏洞的最佳方法。摆弄Angular内置的净化机制完全没有必要,因为文本搜索的用户输入本就不应包含需要渲染的HTML,而只应是纯文本。",
    "Can you identify one or more routes which have something to do with log files?": "你能找出一条或多条与日志文件有关的路由吗?",
    "Did you spot the directory listing clearly linked to log files?": "你是否发现目录列表明显与日志文件相联系?",
    "Did you notice that there is a seperate route for retrieving individual log files?": "你是否注意到,有一个单独的路由用于检索单个日志文件?",
    "Make sure to select both lines responsible for the log file data leakage.": "请确保选择对日志文件数据泄漏负责的两行。",
    "Switching off the detailed view option is a cosmetic change on the directory listing but still allows the logs to be browsed and accessed.": "关闭详细视图选项是对目录列表的一个外观改变,但仍然允许浏览和访问日志。",
    "Removing the route that serves individual log files is likely to plumb the data leak but still provides information to the attacker unnecessarily.": "移除为单个日志文件提供服务的路由,很可能会堵住数据泄漏,但仍会不必要地给攻击者提供信息。",
    "Removing only the directory listing will still allow attackers to download individual log files if they can come up with a valid file name.": "只移除目录浏览的情况下,如果攻击者可以找到一个有效的文件名则攻击者仍然可以下载单个日志文件。",
    "There should generally be no good reason to expose server logs through a web URL of the server itself, epecially not when that server is Internet-facing.": "通常没有任何正当理由通过服务器自身的Web URL来暴露服务器日志,尤其是当该服务器面向互联网时。",
    "Among the long list of route mappings, can you spot any that seem responsible for admin-related functionality?": "在漫长的路由映射列表中,您能发现任何看起来负责管理员相关功能的路由吗?",
    "Luckily the route mappings were originally in alphabetical order before the developers forgot about that rule at some point.": "幸运的是,路由映射最初是按字母顺序排序的,而开发人员在某个时候忘记了这一规则。",
    "Assuming that the original \"AdminGuard\" provided access control only to admin users, switching to \"LoginGuard\" seems like a downgrade that would give access to any authenticated user.": "假定原来的“AdminGuard”仅向管理员用户提供访问控制, 切换到“LoginGuard”似乎是一个降级,可以让任何经认证的用户访问。",
    "Obfuscating the path to the administration section does not add any security, even if it wasn't just a trivial Base64 encoding.": "混淆管理部分的路径不会带来任何安全,即使它并不仅仅是一个微不足道的 Base64 编码。",
    "This obfuscation attempt is hard to undo by hand but trivial when executed in a JavaScript console. Regardless, obfuscating the route does not add any level of security.": "这种混淆尝试很难手动恢复,但在JavaScript控制台执行时就微不足道了。 不管怎样,混淆路径不会增加任何程度的安全。",
    "While attempts could be made to limit access to administrative functions of a web shop through access control, it is definitely safer to apply the \"separation of concerns\" pattern more strictly by internally hosting a distinct admin backend application with no Internet exposure.": "虽然可以尝试通过访问控制来限制对网店管理功能的访问,但通过在内部托管一个不暴露于互联网的独立管理后台应用程序,更严格地应用\"关注点分离\"模式无疑更安全。",
    "Can you identify one or more routes which have something to do with file serving?": "您能够识别一个或多个与文件服务相关的路由吗?",
    "Did you notice that there are seperate routes the directory listing and retrieving individual files?": "你是否注意到,目录列表和检索单个文件的路线是分开的?",
    "Make sure to select both lines responsible for the data leakage.": "确保选中对数据泄漏负责的两行。",
    "Removing only the directory listing will still allow attackers to download individual files if they can come up with a valid file name.": "只移除目录列表,如果攻击者能想出一个有效的文件名,他们仍然可以下载单个文件。",
    "Removing the routes that serve individual files is likely to plumb the data leak but still provides information to the attacker unnecessarily.": "移除为单个文件提供服务的路由很可能会缓解数据泄漏,但仍会不必要地给攻击者提供信息。",
    "Switching off the icons is a cosmetic change on the directory listing but still allows the files to be browsed and accessed.": "关掉图标是对目录列表的外观改变,但仍然允许浏览和访问文件。",
    "Getting rid of the /ftp folder entirely is the only way to plumb this data leakage for good. Valid static content in it needs to be moved to a more suitable location and order confirmation PDFs had no business to be placed there publicly accessible in the first place. Everything else in that folder was just accidentally put & forgotten there anyway.": "完全去掉/ftp文件夹是彻底解决数据泄漏的唯一方法。其中有效的静态内容需要转移到一个更合适的位置,而订单确认的PDF文件一开始就没有必要放在那里公开访问。该文件夹中的所有其他内容都是不小心放在那里并被遗忘的。",
    "In the long list of API-handling middleware, try to find the ones dealing with products offered in the shop first.": "在一长串的API处理中间件中,试着先找到那些处理商店里提供产品的中间件。",
    "API routes need to specifically define a handler for a HTTP verb if they wish to override the \"allow everything to everyone\" default behavior.": "如果API路由希望覆盖 \"允许所有人使用一切 \"的默认行为,则需要为HTTP动词单独定义一个处理程序。",
    "There is one line that is commented out for no good reason among the product-related middleware.": "在与产品相关的中间件中,有一行被无端地注释掉了。",
    "While removing the commented-out line made the code cleaner, it did not change the functionality in any way and thus cannot have improved security either.": "虽然删除注释的那一行使代码更干净,但它并没有以任何方式改变功能,因此也不能提高安全性。",
    "Removing all dedicated handling of the products API made things worse, as now the default permissions of the underlying API generator will be used: Allowing GET, POST, PUT and DELETE - without any restrictions.": "移除所有专门处理产品API使事情变得更糟,因为现在将使用底层API生成器的默认权限:允许GET、POST、PUT和DELETE - 没有任何限制。",
    "You improved security slightly by no longer accepting PUT requests from anonymous API callers. But does the shop even want to allow its authenticated customers to change products themselves?": "你通过不再接受匿名API调用者的PUT请求,稍微提高了安全性。但是,这家商店会想让它的登录客户自己改变产品吗?",
    "Disabling all HTTP verbs other than GET for the products API is indeed the only safe way to implement secure access control. Shop administrators should not use the customer facing web UI to manage the store's inventory anyway.": "禁用产品API中除GET以外的所有HTTP动词的确是实现安全访问控制的唯一安全方式。商店管理员无论如何都不应该使用面向客户的网页用户界面来管理商店的库存。",
    "Try to identify any variables in the code that might contain arbitrary user input.": "试着识别代码中可能包含任意用户输入的任何变量。",
    "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.": "通过函数调用跟踪用户输入,并尝试发现可能被滥用于恶意目的的地方。",
    "Can you spot a place where a SQL query is being cobbled together in an unsafe way?": "你能发现某个地方的SQL查询是以不安全的方式拼凑起来的吗?",
    "Trying to prevent any injection attacks with a custom-built blocklist mechanism is doomed to fail. It might work for some simpler attack payloads but an attacker with time and skills can likely bypass it at some point.": "试图用自定义的阻止列表机制来防止任何注入攻击是注定要失败的。它可能对一些较简单的攻击载荷有效,但有时间和技能的攻击者很可能迟早能绕过它。",
    "Replacing the template string (`...`) notation with plain string concatenation (\"...\"+\"...\") does not change the behavior of the code in any way. It only makes the code less readable.": "用普通的字符串连接(\"...\"+\"...\")代替模板字符串(`...`)语法并没有以任何方式改变代码的行为,只是降低了代码的可读性。",
    "Using the built-in replacement (or binding) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.": "使用Sequelize内置的替换(或绑定)机制等同于创建一个预处理语句(Prepared Statement)。这可以防止通过恶意用户输入篡改查询语法,因为在插入criteria参数之前,查询语法就已经\"定格\"了。",
    "Can you find a HTTP route mapping that deals with metrics?": "你能找到一个处理指标的HTTP路由映射吗?",
    "Remember: The default behavior of route mappings is to allow access to everyone.": "请记住:路由映射的默认行为是允许所有人访问。",
    "The metrics route remains publicly accessible. This change only messes with functional settings of the measurement framework unnecessarily.": "指标路由仍然可以公开访问。此更改只会不必要地扰乱度量框架的功能设置。",
    "This fix prevents unauthorized access to the metrics route but overshoots the goal by locking out everyone - including administrators.": "这种修复方法可以防止对指标路由的未经授权访问,但因为把所有人(包括管理员)都锁在了外面而矫枉过正。",
    "Access will now be restricted only to users with administrator permissions, which seems reasonable protection, assuming that it is not possible for a regular user to escalate admin priviliges. If that were a risk, the metrics should better be stored behind the scenes not be made accessible via the shop application at all.": "假设一个普通用户不可能提升为管理员权限,现在只有具有管理员权限的用户才能访问,这似乎是合理的保护。如果这是个风险,那么这些指标最好储存在后端,而不是通过商店应用程序进行访问。",
    "Do you remember the security question that Bender used for his account?": "你记得Bender用于他的账户的安全问题吗?",
    "This question is the source of the security risk in this challenge.": "这个问题是这个挑战中安全风险的来源。",
    "While not necessarily as trivial to research via a user's LinkedIn profile, the question is still easy to research or brute force when answered truthfully.": "虽然未必像通过用户的LinkedIn资料那样轻易查到,但如果如实作答,这个问题仍然很容易被查出或暴力破解。",
    "Exchanging \"company\" with \"organization\" is only a vocabulary change and has no effect on security.": "将 \"公司 \"换成 \"组织 \"只是一个词汇上的变化,对安全没有影响。",
    "When answered truthfully, all security questions are susceptible to online research (on Facebook, LinkedIn etc.) and often even brute force. If at all, they should not be used as the only factor for a security-relevant function.": "如实作答时,所有安全问题都容易被在线查出(通过Facebook、LinkedIn等),甚至常常能被暴力破解。即便要用,也不应将其作为安全相关功能的唯一因素。",
    "Can you identify the lines which have something to do with crypto currency addresses?": "你能找出那些与加密货币地址有关的行吗?",
    "Did you notice there is a constant containing allowed redirect web addresses?": "你是否注意到有一个包含允许重定向网址的常量?",
    "Make sure to select all three lines responsible for crypto currency addresses which are not promoted any longer.": "确保选中与不再推广的加密货币地址相关的全部三行。",
    "This fix removes one deprecated crypto currency address from the allow list but forgets to deal with two other ones.": "这个修正从允许列表中移除了一个废弃的加密货币地址,但忘记了处理另外两个地址。",
    "When cleaning up any allow list of deprecated entries, it is crucial to be thorough and re-check the list regularly. Otherwise allow lists tend to become weaker over time.": "当清理任何允许列表中的废弃条目时,关键是要彻底并定期重新检查该列表。否则,随着时间的推移,允许列表往往会变得越来越弱。",
    "This fix uses the binding mechanism of Sequelize to create the equivalent of a Prepared Statement, which is great. Unfortunately this fix also introduces a critical functional bug into the authentication process.": "这个修正使用Sequelize的绑定机制创建了相当于预处理语句的查询,这很好。不幸的是,这个修正也在认证过程中引入了一个严重的功能错误。",
    "This fix unfortunately goes only half the way to using the binding mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.": "不幸的是,这个修复在使用Sequelize绑定机制的路上只走了一半。这样一个仍由用户输入拼接而成的\"预处理语句\",对SQL注入攻击依然门户大开。",
    "This fix unfortunately goes only half the way to using the replacement mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.": "不幸的是,这个修复在使用Sequelize替换机制的路上只走了一半。这样一个仍由用户输入拼接而成的\"预处理语句\",对SQL注入攻击依然门户大开。",
    "Turning off the \"plain\" flag will let Sequelize return all matching rows instead of just the first one. This neither makes sense from a functional point of view in a login function, not could it prevent SQL Injection attacks.": "关闭\"plain\"参数会让Sequelize返回所有匹配的行,而不是只返回第一行。从功能的角度来看,这在登录函数中没有意义,也不能防止SQL注入攻击。",
    "Using the built-in binding (or replacement) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.": "使用Sequelize内置的绑定(或替换)机制等同于创建一个预处理语句(Prepared Statement)。这可以防止通过恶意用户输入篡改查询语法,因为在插入criteria参数之前,查询语法就已经\"定格\"了。",
    "Using bypassSecurityTrustSoundCloud() instead of bypassSecurityTrustHtml() supposedly bypasses sanitization to allow only content from that service provider. Not surprisingly, there is no such vendor-specific function bypassSecurityTrustSoundCloud() offered by the Angular DomSanitizer.": "使用bypassSecurityTrustSoundCloud()而不是bypassSecurityTrustHtml(),据称可以绕过净化并只放行来自该服务提供商的内容。毫不奇怪,Angular DomSanitizer并没有提供bypassSecurityTrustSoundCloud()这样针对特定供应商的函数。",
    "Using bypassSecurityTrustIframe() instead of bypassSecurityTrustHtml() supposedly bypasses sanitization to allow only <iframe> tags. But, the Angular DomSanitizer does not offer tag-specific bypass functions.": "使用bypassSecurityTrustIframe()而不是bypassSecurityTrustHtml(),据称可以绕过净化并只放行<iframe>标签。但是,Angular DomSanitizer并没有提供针对特定标签的绕过函数。",
    "Do you remember the security question that Jim used for his account?": "你记得Jim用于他的账户的安全问题吗?",
    "Widening the scope from an \"eldest sibling\" to \"any family member\" still allows the question to be easily researched online (on Facebook etc.) or brute forced when answered truthfully.": "将范围从 \"最年长的兄弟姐妹 \"扩大到 \"任何家庭成员\",仍然使这个问题很容易在网上(在Facebook上等)被找到,或者在如实回答的情况下被暴力破解。",
    "Tightening the scope from an \"eldest sibling\" to \"eldest brother\" reduces any brute force effort to only male forenames, assuming the question is answered truthfully.": "将范围从\"最年长的兄弟姐妹\"缩小到\"最年长的兄弟\",在问题得到如实回答的前提下,会把暴力破解的范围缩小到仅限男性名字。",
    "Do you remember the security question that Bjoern used for his account?": "你记得Bjoern用于他的账户的安全问题吗?",
    "Researching someone's current place of residence is probably even easier than a past one.": "研究某人目前的居住地可能比过去的居住地更容易。",
    "When changing the scope of this question from \"teenager\" to \"toddler\", researching a past place of residence still is the only (low) hurdle for the attacker.": "当把这个问题的范围从 \"青少年 \"改为 \"幼儿 \"时,研究过去的居住地仍然是攻击者的唯一(低)障碍。",
    "Do you remember the security question that Bjoern used for his OWASP account?": "你记得Bjoern用于他的OWASP账户的安全问题吗?",
    "There are even less car brands in the world than potential pet names. Therefore, changing the security questions has even a negative effect on overall security as it makes guessing and brute forcing much easier.": "世界上的汽车品牌甚至比潜在的宠物名字还要少。因此,改变安全问题甚至会对整体安全产生负面影响,因为它使猜测和暴力破解变得更加容易。",
    "This fix option is obviously (?) a joke. But it should still illustrate that narrowing the scope of a question reduces the solution space accordingly, thus making \"social stalking\" and brute force much easier.": "这个修复选项显然是(?)一个笑话。但它仍然说明,缩小问题的范围会相应地减少答案空间,从而使\"社交跟踪\"和暴力破解容易得多。",
    "Do you remember the security question that Uvogin used for his account?": "你记得Uvogin用于他的账户的安全问题吗?",
    "When changing the scope of this question from \"movie\" to \"actor/actress\", researching and brute forcing is probably just as easy for the attacker.": "当把这个问题的范围从 \"电影 \"改为 \"演员/女演员 \"时,研究和暴力破解对攻击者来说可能同样容易。",
    "Narrowing the scope of the question from \"movie\" to \"animé\" dramatically reduces the solution space, thus making guessing and brute force attacks a lot easier.": "将问题的范围从 \"电影 \"缩小到 \"动画\",大大减少了答案的空间,从而使猜测和暴力破解变得容易得多。",
    "Among the long list of route mappings, can you spot any that seem responsible for the Score Board screen?": "在一长串的路由映射中,你能发现任何似乎是指向记分牌Score Board的吗?",
    "If you accidentally scrolled over the relevant line, try using the text search in your browser.": "如果你不小心滚动过了相关的行,请尝试使用浏览器中的文本搜索。",
    "Searching for \"score\" should bring you to the right route mapping.": "搜索 \"score \"应该能让你找到正确的路由映射。",
    "Obfuscating the path to the Score Board does not add any security, even if it wasn't just a trivial Base64 encoding. It would, on the other hand, make finding it a bit more difficulty. This is probably not intended as the Score Board screen is the hub for all other challenges.": "混淆记分牌的路径并没有增加任何安全性,即使它不只是一个微不足道的Base64编码。另一方面,这将使找到它变得更加困难。这可能不是故意的,因为计分板屏幕是所有其他挑战的中心。",
    "Removing the entire route mapping would improve security but also break functionality by making the Score Board entirely inaccessible. Keep in mind that the Score Board is hidden only to be found and used to track all the other challenges.": "移除整个路由映射会提高安全性,但也会破坏功能,使记分牌完全无法访问。请记住,记分牌是隐藏的,只是为了被发现并用于跟踪所有其他挑战。",
    "In this one-of-a-kind scenario it is really best to just leave the code unchanged. Fiddling with it might either break accessibility of the crucial Score Board screen or make it unnecessarily harder to find it.": "在这种独特的情况下,最好的办法是不改变代码。摆弄它可能会破坏关键的记分牌屏幕的可访问性,或者导致不必要地更难找到它。",
    "Limiting the allowed search values via startsWith() would still allow SQL Injection via \"orange')) UNION SELECT ... --\" or similarly prefixed payloads. Even worse, this fix also breaks the free text search capability.": "通过startsWith()限制允许的搜索值,仍然允许通过\"orange')) UNION SELECT ... --\"或类似带前缀的载荷进行SQL注入。更糟糕的是,这个修复还破坏了自由文本搜索功能。",
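The Sequelize hints above (replacement/binding as the equivalent of a prepared statement, the "half way" fixes that still concatenate, and the startsWith() trap in the line just above) all reduce to one question: can user input change the shape of the SQL text? The following is an added example written for this page, not Juice Shop's own code. The query text mirrors the product search those hints describe, but the exact column list, the keyword-fingerprint helper and the sample payload are assumptions made for illustration. It runs offline with no database and no Sequelize import; the `sequelize.query(sql, { replacements })` call mentioned in the comments is the real Sequelize API a fix would use.

```javascript
// Added example for this page, not Juice Shop's own code. The query mirrors the
// product search discussed in the hints; PAYLOAD and keywordShape() are
// illustrative assumptions. Runs offline: no database, no Sequelize import.

// Vulnerable: the search criteria is spliced into the SQL text itself.
function buildSearchQueryUnsafe(criteria) {
  return `SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`;
}

// The startsWith() "fix": still concatenates, so it only forces the payload to
// begin with an accepted prefix, and it rejects every other free-text search.
function buildSearchQueryStartsWith(criteria) {
  if (!criteria.startsWith('orange')) throw new Error('search value rejected');
  return buildSearchQueryUnsafe(criteria);
}

// Safe: the SQL text is fixed before the value is supplied. Sequelize would run
// this as sequelize.query(q.sql, { replacements: q.replacements, type:
// QueryTypes.SELECT }); the value travels out of band and never touches the text.
function buildSearchQuerySafe(criteria) {
  return {
    sql: 'SELECT * FROM Products WHERE ((name LIKE :criteria OR description LIKE :criteria) AND deletedAt IS NULL) ORDER BY name',
    replacements: { criteria: `%${criteria}%` }
  };
}

// Structural fingerprint: the sequence of SQL keywords in the text. An injection
// succeeds exactly when user input changes this sequence.
function keywordShape(sql) {
  const hits = sql.toUpperCase().match(/\b(SELECT|FROM|WHERE|UNION|ORDER|LIKE|AND|OR)\b/g);
  return (hits || []).join(' ');
}

// Constructed payload in the spirit of the hint above. The column list is a
// placeholder; a real attacker would match the Products column count.
const PAYLOAD = "orange')) UNION SELECT * FROM Users --";

// Returns true when the given builder lets PAYLOAD alter the query structure
// compared with a benign search for the same prefix.
function shapeChangesWithInput(build) {
  const text = (q) => (typeof q === 'string' ? q : q.sql);
  return keywordShape(text(build('orange'))) !== keywordShape(text(build(PAYLOAD)));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('concatenation injectable:', shapeChangesWithInput(buildSearchQueryUnsafe));   // true
  console.log('startsWith injectable:   ', shapeChangesWithInput(buildSearchQueryStartsWith)); // true
  console.log('replacements injectable: ', shapeChangesWithInput(buildSearchQuerySafe));     // false
}
```

The fingerprint is deliberately crude; its point is that with replacements the text handed to the driver is byte-for-byte identical for every input, which is what "set in stone before the criteria parameter is inserted" means in practice.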
    "Which entity is this challenge most likely about? Try to find all code places where that entity is somehow processed.": "这个挑战最可能是关于哪个实体的?试着找到所有以某种方式处理该实体的代码地方。",
    "In this snippet you must look for a place where something is missing that, if present, would negate an arbitrary role assignment.": "在这个代码片段中,你必须寻找一个缺少某些东西的地方,如果存在,那将否定任意的角色分配。",
    "Make sure that you do not select any lines that are contained in the vulnerable function but themselves have nothing to do with the vulberability.": "确保你不选中任何包含在易受攻击的函数中、但本身与漏洞无关的行。",
    "This change results in the \"role\" property not being returned in any User-API responses. This will not prevent setting an arbitrary role during user creation but probably also break some functionality in the client that relies on the role being present.": "这一变化导致 \"角色 \"属性不会在任何User-API响应中被返回。这不会阻止在用户创建过程中设置一个任意的角色,但可能也会破坏客户端中一些依赖于角色存在的功能。",
    "This code change will check if a role is already defined on the user entity. If so, it will keep it. If not, it will set \"customer\" as a fallback role. This still allows anyone to pick their own prefered role, though.": "这个代码变化将检查一个角色是否已经在用户实体上定义。如果是的话,它将保留它。如果没有,它将设置 \"客户 \"作为后备角色。不过,这仍然允许任何人选择他们自己喜欢的角色。",
    "Removing the interceptor function completely not only keeps the role assignment possible, it also breaks functionality by no longer creating digital wallets for new users.": "完全移除拦截器函数,不仅仍然允许任意角色分配,还会因为不再为新用户创建数字钱包而破坏功能。",
    "This actually fixes the role assignment issue, by overriding any value pre-set via the POST request with a static \"customer\" default role.": "这实际上解决了角色分配的问题,用一个静态的 \"客户 \"默认角色取代了通过POST请求预先设置的任何值。",
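The four fix options above (dropping "role" from responses, a fallback role, removing the interceptor, and forcing a static role) are easiest to compare side by side. The following is an added example written for this page, not Juice Shop's own code. It models user creation with an in-memory stand-in for the User model and the wallet table; the function names, the `beforeCreate`-style interceptor signature and the sample request bodies are assumptions made for illustration.

```javascript
// Added example for this page, not Juice Shop's own code. The "model" and the
// wallet table are in-memory stand-ins; names are illustrative assumptions.

let nextUserId = 1;
const wallets = []; // constructed stand-in for the Wallet table

function walletCount() { return wallets.length; }

// Whatever arrives in the POST /api/Users body becomes the entity, role included.
// That mass assignment is what lets a caller register with a privileged role.
// `interceptor` stands for the hook that runs before the row is persisted.
function createUser(body, interceptor) {
  const user = { id: nextUserId++, email: body.email, role: body.role };
  if (interceptor) interceptor(user);
  return user;
}

// Wrong fix 1: hide "role" from API responses. The stored role is untouched.
function toApiResponse(user) {
  const { role, ...visible } = user;
  return visible;
}

// Wrong fix 2: fallback role. Fills a gap but keeps any caller-supplied role.
function fallbackRoleInterceptor(user) {
  user.role = user.role || 'customer';
  wallets.push({ userId: user.id, balance: 0 });
}

// Wrong fix 3 is "no interceptor at all": createUser(body, undefined) keeps the
// caller's role and also never creates the wallet.

// Correct fix: every self-registered account is a customer, whatever was sent.
function forcedRoleInterceptor(user) {
  user.role = 'customer';
  wallets.push({ userId: user.id, balance: 0 });
}

// Scenario: a caller posts {"email": ..., "role": <role>} through the given
// variant and we observe the persisted role.
function registerWithRole(role, interceptor) {
  const body = { email: `user${nextUserId}@example.invalid`, role }; // constructed input
  return createUser(body, interceptor);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('no interceptor:  ', registerWithRole('admin', undefined).role);             // admin
  console.log('fallback role:   ', registerWithRole('admin', fallbackRoleInterceptor).role); // admin
  console.log('forced role:     ', registerWithRole('admin', forcedRoleInterceptor).role);   // customer
  console.log('response hides:  ', toApiResponse(registerWithRole('admin', undefined)));    // no "role" key
}
```

Hiding the field only changes what the client sees; the authorization decision is made against the stored role, so only the variant that overwrites it server-side closes the hole.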
    "Where is the Token Sale page actually being handled?": "代币销售页面究竟是在哪里处理的?",
    "What is weird about how the Token Sale route is being declared?": "代币销售路由的声明方式有什么奇怪之处?",
    "If the Token Sale page is still considered a secret, why is it mapped to a route at all?": "如果代币销售页面仍然被视为秘密,为什么还要把它映射到一条路由?",
    "Restricting access to the Token Sale page to administrators might sound good in theory. Unfortunately this all only happens in client-side code, so such check couldn't be fully trusted.": "将代币销售页面的访问限制为仅管理员,在理论上听起来不错。不幸的是,这一切都只发生在客户端代码中,所以这样的检查不能被完全信任。",
    "Obfuscating the path to the Token Sale page with Base64 instead of the original obfuscation function does not add any security. It actually makes the route even more easily identifiable.": "使用 Base64 来混淆代币销售页面的路径,而不是原来的混淆功能,不会添加任何安全保障。 它实际上使这条路由更容易辨认。",
    "The only viable way to prevent access to a soon-to-be-released Token Sale page is to not have it in the client-side code before its actual release. It then makes sense to not have any premature route mapping declarations either. This then makes the whole obfuscation code-madness unnecessary as well.": "防止访问即将发布的代币销售页面的唯一可行的方法是在其实际发布之前不要在客户端代码中出现。然后,也不要有任何未完成的路由映射声明,这很有意义。这样一来,整个混淆代码的疯狂行为也就没有必要了。",
    "You should take a close look at how this code checks for allowed vs. forbidded URLs to redirect to.": "你应该仔细看看这段代码是如何检查并重定向允许的和禁止的URL的。",
    "Try to play through how the logical operators and used standard functions work in this situation.": "试着复现一下逻辑运算符和使用的标准函数在这种情况下是如何工作的。",
    "Could you somehow make the code believe that it is dealing with an allow-listed URL while it actually isn't?": "你能不能以某种方式让代码相信它正在处理一个允许列出的URL,而实际上它并不是?",
    "The open redirect flaw in this code cannot be fixed by applying URL encoding to the target URL. In fact, it would break the entire redirect mechanism for allow-listed URLs as they are not URL-encoded and would therefore never match.": "这段代码中的开放重定向错误不能通过对目标URL进行URL编码来修复。事实上,这将破坏整个允许列表中的URL的重定向机制,因为它们没有经过URL编码,因此永远不会匹配。",
    "Changing from logical \"or\" to logical \"and\" here does not do anything for security but entirely breaks the redirect mechanism as \"allowed\" can never be true after the loop.": "在这里将逻辑 \"或 \"改为逻辑 \"和 \"对安全没有任何作用,但完全破坏了重定向机制,因为 \"允许 \"在循环后永远不会为真。",
    "HTML-escaping is completely wrong in this situation because the code is dealing with URLs and not HTML input.": "在这种情况下,HTML转义是完全错误的,因为代码处理的是URL而不是HTML输入。",
    "Using indexOf allowed any URLs as long as they contained any allow-listed URL, even if it just would be as a parameter. Replacing this with an actual equality check mitigates this lapse and makes the redirect only work for allow-listed URLs.": "使用indexOf允许任何URL,只要它们包含任何允许列出的URL,即使它只是作为一个参数。用一个实际的等价检查来代替它,可以缓解这种失误,使重定向只对允许列出的URL起作用。",
    "The security flaw has something to do with the rate limiting configuration.": "这个安全漏洞与频率限制配置有关。",
    "Do you think the time window or number of requests is the actual problem here? Maybe there is something else going wrong...": "你认为时间窗口或请求的数量是这里的实际问题吗?也许还有其他问题......",
    "Take a close look at the HTTP header being used here and ask yourself: \"Could an attacker do anything with it to bypass rate limiting?\"": "仔细看看这里使用的HTTP头,问问自己:\"攻击者可以用它来绕过频率限制吗?\"",
    "Removing the setting to trust proxies does not improve security of the rate limiting. It might have some unforseen or unintended functional side-effects, though.": "移除信任代理的设置并不能提高频率限制的安全性。而且,它可能会产生一些不可预见的或意想不到的功能副作用。",
    "Replacing the \"X-Forwarded-For\" header with its standardized alternative \"Forwarded\" does not close the security flaw of how this header is actually being used and can be abused by attackers.": "用标准化的 \"Forwarded \"代替 \"X-Forwarded-For \"头,并不能弥补实际使用这个头导致的安全缺陷,而且可能被攻击者滥用。",
    "Reducing the rate limit from 100 requests in 5min to 10 reqests in 3min could be seen as a security improvement, if there wasn't an entirely unrelated misconfiguration at play here.": "将频率限制从5分钟内100个请求减少到3分钟内10个请求可以被看作是一种安全改进,如果这里没有一个完全不相关的错误配置在起作用。",
    "Removing the custom key generator that lets an arbitrary HTTP header take precedence over the client IP is the best option here. Now an attacker at least needs to fake their actual IP to bypass the rate limiting, as this is the default key for the RateLimit module used here. There is a functional downside though, as now users behin e.g. corporate proxies might be rate limited as a group and not individually. But with 100 allowed password resets in 5min this should not occur too frequently.": "移除让任意的HTTP头优先于客户端IP的自定义键生成器,是这里最好的选择。现在,攻击者至少需要伪造他们的实际IP来绕过频率限制,因为这是此处所用RateLimit模块的默认键。但在功能上有一个缺点,因为现在例如企业代理背后的用户可能会作为一个群体而不是单独地受到频率限制。不过由于5分钟内允许重设100个密码,这种情况应该不会太频繁发生。",
    "Find all places in the code which are handling the product descriptions.": "找到代码中所有处理产品描述的地方。",
    "Manually encoding the angular brackets of the HTML tags does not add any security. It is likely to break descriptions with legitimate HTML tags for styling or links, though.": "对HTML标签的角括号进行手动编码并不会增加任何安全性。而且,它很可能会破坏具有合法HTML标签的样式或链接的描述。",
    "The removed code block deals with handling of different screen sizes and is entirely unrelated to the given XSS vulnerability.": "被移除的代码块涉及不同屏幕尺寸的处理,与给定的XSS漏洞完全没有关系。",
    "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact.": "使用bypassSecurityTrustScript()而不是bypassSecurityTrustHtml()可以改变绕过输入过滤的内容。如果有的话,这个开关可能只是意外地保持了XSS预防的完整性。",
    "Removing the bypass of sanitization entirely is the best way to fix the XSS vulnerability here. It should be noted, that XSS is only a consequence of broken authorization in this case, as users should not be allowed to change product descriptions in the first place.": "完全移除过滤绕过是修复 XSS 漏洞的最佳方法。应该注意的是,在这种情况下,XSS 只是授权被破坏的后果,因为用户首先就不应该被允许更改产品描述。",
    "To find the culprit lines, you need to understand how MongoDB handles updating records.": "为了找到罪魁祸首行,你需要了解MongoDB如何处理更新记录。",
    "Did you notice that the developers retrieved a reference to the user but never actually use it for anything? This might be part of the problem.": "你是否注意到,开发人员获取了对用户的引用,但从未实际使用它做任何事情?这可能是问题的一部分。",
    "Another problematic line you need to select, is actually missing something that ties the user to the review.": "你需要选择的另一个问题行,实际上是缺少一些将用户与评论联系起来的东西。",
    "This solution would reassign an updated review to the last editor, but it would not prevent to change other user's reviews in the first place.": "这个解决方案将把更新的评论重新分配给最后的编辑者,但它不会首先阻止改变其他用户的评论。",
    "Removing the option to update multiple documents at once is a good idea and might actually help against another flaw in this code. But it does not fix the problem of allowing users to update other user's reviews.": "移除一次更新多个文件的选项是一个好主意,实际上可能有助于防止这个代码的另一个缺陷。但它并没有解决允许用户更新其他用户评论的问题。",
    "Setting the author on server-side based on the user retrieved from the authentication token in the HTTP request is the right call. It prevents users from just passing any author email they like along with the request.": "在服务器端根据HTTP请求中的认证令牌检索的用户来设置作者是正确的选择。它可以防止用户在请求中传递他们喜欢的任何作者电子邮件。",
    "Does this query really need to allow updating more than one review at once?": "这个查询是否真的需要允许同时更新一个以上的评论?",
    "Consider the query parameters under control of the attacker and try to find the one where they might inject some query-altering command.": "考虑在攻击者控制下的查询参数,并试图找到他们可能注入一些改变查询的命令的地方。",
    "Removing the option to update multiple documents at once combined with avoiding a \"not-equal\"-based injection is insufficient against any attacker with at least moderate MongoDB query knowledge.": "删除一次更新多个文档的选项,再加上避免基于 \"不等于 \"的注入,不足以对付任何至少具有一定MongoDB查询知识的攻击者。",
    "Removing the option to update multiple documents at once is definitely necessary. But it is unfortunately not a sufficient fix, as an attacker might still be able to \"add back\" the multi-update behavior.": "删除一次更新多个文件的选项是绝对必要的。但不幸的是,这并不是一个充分的修复,因为攻击者可能仍然能够 \"加回 \"多重更新的行为。",
    "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "删除一次更新多个文档的选项,并在ID参数中只允许使用纯字符串,这是正确的做法。这将防止任何攻击者注入他们自己的JSON有效载荷来执行对他们有利的查询。",
    "Exact version of <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">OWASP Juice Shop that was archived on 02/02/2020</a> by the GitHub Archive Program and ultimately went into the <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">Arctic Code Vault</a> on July 8. 2020 where it will be safely stored for at least 1000 years.": "特定版本OWASP果汁店 <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">于2020年2月2日被GitHub归档程序归档</a> ,最终于2020年7月8日进入GitHub的 <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">北极代码库</a>,在那里它将安全储存至少1000年。",
    "Close multiple \"Challenge solved\"-notifications in one go.": "一次性关闭多个 \"挑战已解决 \"的通知。",
    "Either check the official documentation or inspect a notification UI element directly.": "要么查看官方文档,要么直接检查通知的UI元素。",
    "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "查找更新用户名的表单,然后在 HTML 在线编辑器中构建恶意页面。 您可能需要一个较旧的浏览器版本。",
    "Register a user with an empty email and password.": "用空的电子邮件和密码注册一个用户。",
    "Consider intercepting and playing with the request payload.": "考虑拦截请求并修改内容。",
    "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "通过从蜜蜂港获取BEE来铸造蜜罐NFT。",
    "Discover NFT wonders among the captivating visual memories.": "在迷人的视觉记忆中发现 NFT 奇观。",
    "Take over the wallet containing our official Soul Bound Token (NFT).": "接管包含我们官方的 Soul Bound Token (NFT) 的钱包。",
    "Find the seed phrase posted accidentally.": "找到意外泄露的种子短语。",
    "Withdraw more ETH from the new wallet than you deposited.": "从新钱包中提取比你存的更多的ETH。",
    "Try to exploit the contract of the wallet.": "尝试入侵钱包的合约。",
    "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "查找意外部署的代码沙盒,用于即时编写智能合约。",
    "It is just as easy as finding the Score Board.": "它与找到得分板一样容易。",
    "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "他可能至少在一个有摄像机的场合大肆宣扬过。也许在其他地方也是如此。",
    "Find the hidden <a href=\"https://en.wikipedia.org/wiki/Easter_egg_(media)\" target=\"_blank\">easter egg</a>.": "找到隐藏的 <a href=\"https://en.wikipedia.org/wiki/Easter_egg_(media)\" target=\"_blank\">复活节彩蛋</a>。",
    "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "尝试a) 基于已知信息的暴力破解或b) 逆向工程或c) 云中的一些研究。",
    "Bypass a security control with a <a href=\"https://hakipedia.com/index.php/Poison_Null_Byte\">Poison Null Byte</a> to access a file not meant for your eyes.": "用 <a href=\"https://hakipedia.com/index.php/Poison_Null_Byte\">Poison Null Byte</a> 绕过安全控制来访问一个你看不着的文件。",
    "Undoubtedly you want to read our security policy before conducting any research on our application.": "毫无疑问,在对我们的应用程序进行任何研究之前,您都希望阅读我们的安全政策。"
}