juice-shop/juice-shop

data/static/i18n/zh_TW.json

{
    "Find the carefully hidden 'Score Board' page.": "找到精心隱藏的\"記分板\"頁面",
    "Try to find a reference or clue behind the scenes. Or simply guess what URL the Score Board might have.": "嘗試找到一個在幕後的標記或是線索,或者是簡單的來猜測記分板的URL",
    "Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code> without using the frontend application at all.": "執行一個持續性的XSS attack攻擊,透過使用<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>進行。而非使用前端應用程式頁面。",
    "You need to work with the server-side API directly. Try different HTTP verbs on different entities exposed through the API.": "你需要直接使用伺服器端API。透過API公開的不同實體上嘗試不同的HTTP方法。",
    "Gain access to any access log file of the server.": "獲取到伺服器上任何access log檔案的存取權",
    "Who would want a server access log to be accessible through a web application?": "誰需要透過網頁應用程式來存取伺服器access log?",
    "Register as a user with administrator privileges.": "以具有管理員權限的用戶身份註冊。",
    "You have to assign the unassignable.": "你必須分派不能分派的。",
    "Access the administration section of the store.": "存取商店的管理區塊。",
    "It is just slightly harder to find than the score board link.": "只比計分板連結難找一些。",
    "Overwrite the <a href=\"/ftp/legal.md\">Legal Information</a> file.": "覆寫法律訊息檔案",
    "Look out for a tweet praising new functionality of the web shop. Then find a third party vulnerability associated with it.": "搜尋網路商城推文、按讚的新功能。然後找到與之關聯的第三方漏洞。",
    "Reset the password of Bjoern's OWASP account via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.": "用<a href=\"/#/forgot-password\">忘記密碼</a>方式並提供安全問題之<i>原始答案</i>以重設Bjoern的OWASP帳號密碼",
    "Learn about the Token Sale before its official announcement.": "在正式宣布之前學習有關Token銷售的資訊。",
    "The developers truly believe in \"Security through Obscurity\" over actual access restrictions.": "開發人員打從心底相信“通過隱匿實現安全”優於實際的存取限制。",
    "Perform a Remote Code Execution that would keep a less hardened application busy <em>forever</em>.": "執行遠程代碼執行,這將使防護程度較低的應用程式永遠保持忙碌。",
    "The feature you need to exploit for this challenge is not directly advertised anywhere.": "你透過此功能來完成挑戰的攻擊程式並未在任何地方直接發布。",
    "Submit 10 or more customer feedbacks within 20 seconds.": "在20秒內送出10個或更多個顧客意見。",
    "After finding a CAPTCHA bypass, write a script that automates feedback submission. Or open many browser tabs and be really quick.": "Bypass CAPTCHA之後,撰寫一個Script來自動回饋提交或是快速地開啟許多瀏覽器分頁。",
    "Change Bender's password into <i>slurmCl4ssic</i> without using SQL Injection or Forgot Password.": "不透過SQL Injection或忘記密碼來變更Bender的密碼為slurmCl4ssic",
    "In previous releases this challenge was wrongly accused of being based on CSRF.": "在以前的版本中,這個挑戰被錯誤地指責為基於CSRF方式。",
    "Order the Christmas special offer of 2014.": "訂購2014年聖誕節特別優惠。",
    "Find out how the application handles unavailable products and try to find a loophole.": "了解應用程式如何處理尚未販售的產品,並嘗試尋找漏洞。",
    "Bypass the Content Security Policy and perform an XSS attack with <code>&lt;script&gt;alert(`xss`)&lt;/script&gt;</code> on a legacy page within the application.": "繞過內容安全策略,並在應用程式內的舊頁面上使用<code>&lt;script&gt;alert(`xss`)&lt;/script&gt;</code>進行XSS攻擊。",
    "What is even \"better\" than a legacy page with a homegrown RegEx sanitizer? Having CSP injection issues on the exact same page as well!": "還有什麼比使用自製的RegEx過濾器的舊頁面“更好”?在完全相同的頁面上也有CSP注入問題!",
    "Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code> bypassing a <i>client-side</i> security mechanism.": "使用<i>持續性</i>XSS攻擊透過<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>繞過<i>使用者端</i>的安全機制",
    "Only some input fields validate their input. Even less of these are persisted in a way where their content is shown on another screen.": "某些輸入區域會驗證其輸入。甚至部分內容會持續呈現在另一個螢幕上。",
    "Access a confidential document.": "存取機密性檔案",
    "Analyze and tamper with links in the application that deliver a file directly.": "分析和篡改應用程式中直接傳送文件連結。",
    "Perform a <i>DOM</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>.": "執行<i>DOM</i>XSS攻擊透過<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>",
    "Look for an input field where its content appears in the HTML when its form is submitted.": "尋找一個輸入區域在送出form後,其內容會在HTML中出現。",
    "Exfiltrate the entire DB schema definition via SQL Injection.": "通過SQL Injection擷取整個DB Schema。",
    "Find out where this information could come from. Then craft a UNION SELECT attack string against an endpoint that offers an unnecessary way to filter data.": "找出這些資訊可能來自何處。然後針對EndPoint設計UNION SELECT攻擊字串,該EndPoint提供了不必要的過濾資料的方法。",
    "Use a deprecated B2B interface that was not properly shut down.": "使用未被正確關閉的B2B Interface。",
    "The developers who disabled the interface think they could go invisible by just closing their eyes.": "停用該Interface的開發人員認為,只要閉上自己的眼睛,它們就可以變得隱形。",
    "If you solved one of the three file access challenges, you already know where to find the easter egg.": "如果你解決了三個文件存取挑戰之一,那麼你已經知道哪裡可以找到復活節彩蛋。",
    "Perform an unwanted information disclosure by accessing data cross-domain.": "通過cross-domain存取資料來完成訊息洩露。",
    "Try to find and attack an endpoint that responds with user information. SQL Injection is not the solution here.": "嘗試尋找並攻擊會回應使用者訊息的的Endpoint。 然而SQL注入不會是解答。",
    "Log in with the (non-existing) accountant <i>acc0unt4nt@juice-sh.op</i> without ever registering that user.": "透過(不存在的)帳戶<i>acc0unt4nt@juice-sh.op</i>來登入,而且無須註冊該使用者。",
    "Try to create the needed user \"out of thin air\".": "嘗試“憑空創造”所需的使用者。",
    "Provoke an error that is neither very gracefully nor consistently handled.": "引發一個錯誤,該錯誤並無法合適的而且持續的被處理。",
    "Try to submit bad input to forms. Alternatively tamper with URL paths or parameters.": "試著向Form送出錯誤的輸入。或者篡改URL路徑或參數。",
    "Successfully redeem an expired campaign coupon code.": "成功地兌換已過期之優惠碼",
    "Try to identify past special event or holiday campaigns of the shop first.": "首先試著辨識商城過去的特殊活動或節日活動。",
    "Retrieve the language file that never made it into production.": "取得從沒有正式發布的語言檔。",
    "Brute force is not the only option for this challenge, but a perfectly viable one.": "暴力破解不是這個挑戰的唯一解法,然而是一個完全可行的解法。",
    "Get rid of all 5-star customer feedback.": "讓所有5星的顧客回饋消失",
    "Once you found admin section of the application, this challenge is almost trivial.": "當你找到這個應用程式的管理畫面時,這個挑戰就幾乎解決了。",
    "Forge a coupon code that gives you a discount of at least 80%.": "偽造一個優惠券代碼,可為你提供至少80%的折扣。",
    "Post some feedback in another user's name.": "以其他使用者名義發布意見",
    "You can solve this by tampering with the user interface or by intercepting the communication with the RESTful backend.": "你可以通過篡改使用者介面或攔截與RESTful後端的溝通來解決此問題。",
    "Post a product review as another user or edit any user's existing review.": "以其他使用者身份發布產品評論,或編輯任何使用者的現有評論。",
    "Observe the flow of product review posting and editing and see if you can exploit it.": "觀察產品評論發布和編輯的流程,並查看是否可以利用它。",
    "Forge an almost properly RSA-signed JWT token that impersonates the (non-existing) user <i>rsa_lord@juice-sh.op</i>.": "偽造一個幾乎正確的RSA簽名的JWT Token,該Token假冒一個(不存在的)用戶<i>rsa_lord@juice-sh.op</i>。",
    "This challenge is explicitly not about acquiring the RSA private key used for JWT signing.": "這個挑戰明確的來說不是要獲取用於JWT簽章的RSA私鑰。",
    "Access a developer's forgotten backup file.": "存取被開發人員遺忘的備份文件。",
    "You need to trick a security mechanism into thinking that the file you want has a valid file type.": "你需要欺騙一種安全機制,使它認為你想要的檔案為有效的檔案類型。",
    "Access a salesman's forgotten backup file.": "存取被業務員遺忘的備份文件。",
    "<a href=\"/#/contact\">Inform the shop</a> about a <i>typosquatting</i> imposter that dug itself deep into the frontend. (Mention the exact name of the culprit)": "<a href=\"/#/contact\">通知商店</a>有關一個<i>誤植的</i>冒名頂替者,他們把自己推向了前端。(描述罪魁禍首的正確名字)",
    "This challenge has nothing to do with mistyping web domains. There is no conveniently misplaced file helping you with this one either. Or is there?": "由於輸入錯誤的網站Domain,這個挑戰並沒有甚麼可以做的。沒有一些放錯位置的檔案可以幫助你完成調整,或是檔案是在那?",
    "Log in with Chris' erased user account.": "使用Chris的已刪除使用者帳戶登入。",
    "Turns out that something is technically and legally wrong with the implementation of the \"right to be forgotten\" for users.": "結果發現,實施使用者“被遺忘的權利”在技術上和法律上都是錯誤的。",
    "Steal someone else's personal data without using Injection.": "不使用 Injection方法來竊取某人的個人資料。",
    "Trick the regular Data Export to give you more than actually belongs to you.": "欺騙正規的資料輸出功能,來獲取遠超於所屬於你的東西。",
    "Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code> through an HTTP header.": "進行<i>持續性</i>的XSS攻擊,透過HTTP header來執行<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>。",
    "Finding a piece of displayed information that could originate from an HTTP header is part of this challenge.": "這是挑戰的一部分,尋找一條可能源自HTTP header的顯示資訊。",
    "Solve challenge #999. Unfortunately, this challenge does not exist.": "解決挑戰#999,很不幸的是這個挑戰並不存在。",
    "You need to trick the hacking progress persistence feature into thinking you solved challenge #999.": "你需要欺騙攻擊進度的持續功能,讓它以為你完成了挑戰#999。",
    "Dumpster dive the Internet for a leaked password and log in to the original user account it belongs to. (Creating a new account with the same password does not qualify as a solution.)": "Dumpster潛入Internet中尋找外洩的密碼,然後登入到它所屬的原始用戶帳戶。 (使用相同的密碼建立新帳戶並不是符合資格的解答。)",
    "Once you have it, a technique called \"Password Spraying\" might prove useful.": "一旦有了它,一種叫做“密碼噴射”的技術可能會證明是相當有效的。",
    "Identify an unsafe product that was removed from the shop and <a href=\"/#/contact\">inform the shop</a> which ingredients are dangerous.": "辨識與移除商城中不安全的產品,並<a href=\"/#/contact\">通知商城</a>哪一些成分是危險的。",
    "Your own SQLi and someone else's Ctrl-V will be your accomplices in this challenge!": "你自己的SQLi和其他人的Ctrl-V將是挑戰的幫兇!",
    "<a href=\"/#/contact\">Inform the shop</a> about a <i>typosquatting</i> trick it has been a victim of at least in <code>v6.2.0-SNAPSHOT</code>. (Mention the exact name of the culprit)": "<a href=\"/#/contact\">通知商城</a>有關於<i>typosquatting</i>技巧,它至少已在<code>v6.2.0-SNAPSHOT</code>中成為受害者。 (提及元凶的真實名稱)",
    "This challenge has nothing to do with mistyping web domains. Investigate the forgotten developer's backup file instead.": "這個挑戰與輸入錯誤的網站網域無關。而是調查被開發人員遺忘的備份文件。",
    "Log in with the administrator's user account.": "使用管理員的使用者帳戶登入。",
    "Try different SQL Injection attack patterns depending whether you know the admin's email address or not.": "根據你是否知道管理員的電子郵件,嘗試不同的SQL Injection攻擊方式。",
    "Log in with Amy's original user credentials. (This could take 93.83 billion trillion trillion centuries to brute force, but luckily she did not read the \"One Important Final Note\")": "使用Amy的原始帳戶登入。 (這可能要花費938.3萬億億億世紀的暴力破解時間,但幸運的是她沒有閱讀“一個重要的最後註解”)",
    "This challenge will make you go after a needle in a haystack.": "這挑戰將讓你陷入大海撈針的狀態。",
    "Log in with Bender's user account.": "使用Bender的使用者帳戶登入。",
    "If you know Bender's email address, try SQL Injection. Bender's password hash might not help you very much.": "如果你知道Bender的電子郵件地址,請嘗試SQL注入。 Bender的密碼hash值可能對你沒有太大幫助。",
    "Log in with Bjoern's Gmail account <i>without</i> previously changing his password, applying SQL Injection, or hacking his Google account.": "使用Bjoern的Gmail帳戶登入,之前先<i>不要</i>變更其密碼,使用SQL注入或入侵他的Google帳戶。",
    "The security flaw behind this challenge is 100% OWASP Juice Shop's fault and 0% Google's.": "在這挑戰背後​​的安全漏洞是100%OWASP Juice Shop的缺失與0%Google的缺失。",
    "Exploit OAuth 2.0 to log in with the Chief Information Security Officer's user account.": "利用OAuth 2.0以資安官的使用者帳戶登入。",
    "Don't try to beat Google's OAuth 2.0 service. Rather investigate implementation flaws on OWASP Juice Shop's end.": "不要試圖擊敗Google的OAuth 2.0服務。而是在OWASP Juice Shop尋找實作的缺陷。",
    "Log in with Jim's user account.": "使用Jim的使用者帳戶登入。",
    "Try cracking Jim's password hash if you harvested it already. Alternatively, if you know Jim's email address, try SQL Injection.": "如果你已經獲得Jim的密碼Hash,請嘗試破解它。或者如果你知道Jim的電子郵件地址,請試試看SQL注入。",
    "Log in with MC SafeSearch's original user credentials without applying SQL Injection or any other bypass.": "使用MC SafeSearch的原始使用者帳號密碼登入,不需要透過SQL注入或任何其他繞過方法。",
    "You should listen to MC's hit song \"Protect Ya Passwordz\".": "你應該聽聽MC的熱門歌曲“Protect Ya Passwordz”。",
    "Log in with the support team's original user credentials without applying SQL Injection or any other bypass.": "使用支援團隊的原始帳戶密碼登入,而不用透過SQL Injection或任何其他繞過方法。",
    "The underlying flaw of this challenge is a lot more human error than technical weakness.": "這項挑戰的根本缺陷是人為錯誤,而不是技術弱點。",
    "Put an additional product into another user's shopping basket.": "將其他產品放到另一個使用者的購物籃中。",
    "Have an eye on the HTTP traffic while placing products in the shopping basket. Changing the quantity of products already in the basket doesn't count.": "將產品放入購物籃時,請注意HTTP流量。更改已經在購物籃中的產品數量,讓它不被計算。",
    "Access a misplaced <a href=\"https://github.com/Neo23x0/sigma\">SIEM signature</a> file.": "存取一個錯誤放置的<a href=\"https://github.com/Neo23x0/sigma\">SIEM特徵檔</a>。",
    "Like any review at least three times as the same user.": "像任何評論一樣,使用同一個使用者至少重複三遍。",
    "Punctuality is the politeness of kings.": "守時是國王的禮貌。",
    "Apply some advanced cryptanalysis to find <i>the real</i> easter egg.": "使用一些高階密碼分析技巧來找到<i>真正的</i>彩蛋。",
    "You might have to peel through several layers of tough-as-nails encryption for this challenge.": "在這個挑戰中,你或許需要解開多層強硬的加密。",
    "Let the server sleep for some time. (It has done more than enough hard work for you)": "讓伺服器休眠一段時間。 (它為你做了足夠的辛苦工作)",
    "This challenge is essentially a stripped-down Denial of Service (DoS) attack.": "這個挑戰實際上是一個簡化的阻斷服務(DoS)攻擊。",
    "All your orders are belong to us! Even the ones which don't.": "你所有的訂單都屬於我們!即使沒有訂單。",
    "Take a close look on how the $where query operator works in MongoDB.": "仔細研究$where query operator如何在MongoDB中的運作。",
    "Update multiple product reviews at the same time.": "同時更新多個產品評論。",
    "Take a close look on how the equivalent of UPDATE-statements in MongoDB work.": "仔細研究MongoDB中同等的UPDATE語句如何運作。",
    "Let us redirect you to one of our crypto currency addresses which are not promoted any longer.": "讓我們將你重新導向到我們不再推廣的加密貨幣地址。",
    "We might have failed to take this out of our code properly.": "我們可能無法正確的將其從我們的程式碼中刪除。",
    "Log in with the administrator's user credentials without previously changing them or applying SQL Injection.": "使用管理員的使用者帳號密碼登入,而且先不使用變更帳號密碼或SQL注入。",
    "This one should be equally easy to a) brute force, b) crack the password hash or c) simply guess.": "這應該一樣簡單:a)暴力破解,b)破解密碼Hash或 c)簡單的猜測。",
    "Place an order that makes you rich.": "下一個讓你變得富有的訂單。",
    "You literally need to make the shop owe you any amount of money.": "你實際上是要讓商城欠你任意金額的款項。",
    "<i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><!--IvLuRfBJYlmStf9XfL6ckJFngyd9LfV1JaaN/KRTPQPidTuJ7FR+D/nkWJUF+0xUF07CeCeqYfxq+OJVVa0gNbqgYkUNvn//UbE7e95C+6e+7GtdpqJ8mqm4WcPvUGIUxmGLTTAC2+G9UuFCD1DUjg==--> <a href=\"https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm\" target=\"_blank\"><i class=\"fab fa-btc fa-sm\"></i> Unlock Premium Challenge</a> to access exclusive content.": "<i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><i class=\"far fa-gem\"></i><!--IvLuRfBJYlmStf9XfL6ckJFngyd9LfV1JaaN/KRTPQPidTuJ7FR+D/nkWJUF+0xUF07CeCeqYfxq+OJVVa0gNbqgYkUNvn//UbE7e95C+6e+7GtdpqJ8mqm4WcPvUGIUxmGLTTAC2+G9UuFCD1DUjg==--> <a href=\"https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm\" target=\"_blank\"><i class=\"fab fa-btc fa-sm\"></i>解鎖高級挑戰</a>來存取獨有的內容。",
    "You do not have to pay anything to unlock this challenge! Nonetheless, donations are very much appreciated.": "你無需支付任何費用即可解鎖此挑戰!儘管如此,還是非常感謝你的捐贈。",
    "Read our privacy policy.": "閱讀我們的隱私政策。",
    "We won't even ask you to confirm that you did. Just read it. Please. Pretty please.": "我們甚至不會要求你確認是否確實完成。只要讀它。請讀它。",
    "Prove that you actually read our privacy policy.": "證明你確實閱讀了我們的隱私政策。",
    "Only by visiting a special URL you can confirm that you read it carefully.": "只有透過存取特殊的URL,如此你才能確認你已經仔細閱讀了。",
    "Change the <code>href</code> of the link within the <a href=\"/#/search?q=OWASP SSL Advanced Forensic Tool (O-Saft)\">OWASP SSL Advanced Forensic Tool (O-Saft)</a> product description into <i>https://owasp.slack.com</i>.": "變更<code>href</code>在連結中的<a href=\"/#/search?q=OWASP SSL Advanced Forensic Tool (O-Saft)\">OWASP SSL Advanced Forensic Tool (O-Saft)</a>產品描述到<i>https://owasp.slack.com</i>。",
    "Look for one of the following: a) broken admin functionality, b) holes in RESTful API or c) possibility for SQL Injection.": "查找以下內容之一:a)不良的管理功能,b)RESTful API中的漏洞或 c)SQL注入的可能性。",
    "Perform a <i>reflected</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>.": "進行<i>反射性的</i>XSS攻擊透過<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>",
    "Look for an input field where its content appears in the response HTML when its form is submitted.": "當表單送出後,尋找一個輸入區域的內容會顯示在HTML的回應中。",
    "Follow the DRY principle while registering a user.": "註冊帳號時請遵循DRY原則。",
    "You can solve this by cleverly interacting with the UI or bypassing it altogether.": "你可以透過巧妙的與UI交互或完全繞過UI來解決此問題。",
    "Reset Bender's password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.": "重設Bender的密碼透過<a href=\"/#/forgot-password\">忘記密碼</a>機制並使用他安全提問的<i>原始密碼</i>。",
    "Not as trivial as Jim's but still not too difficult with some \"Futurama\" background knowledge.": "不像Jim那樣子簡單,但是在一些“Futurama”基礎知識方面仍然不算太難。",
    "Reset the password of Bjoern's internal account via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.": "重設Bjoern的內部帳號密碼透過<a href=\"/#/forgot-password\">忘記密碼</a>機制,並使用他安全提問的<i>原始密碼</i>。",
    "Nothing a little bit of Facebook stalking couldn't reveal. Might involve a historical twist.": "Facebook追蹤的所有內容都無法透露。可能包含歷史的轉折。",
    "Reset Jim's password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.": "重設Jim的密碼透過<a href=\"/#/forgot-password\">忘記密碼</a>機制並使用他安全提問的<i>原始密碼</i>。",
    "It's hard for celebrities to pick a security question from a hard-coded list where the answer is not publicly exposed.": "對於名人來說,很難從不公開答案的指定列表中選擇一個安全問題。",
    "Reset Morty's password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>his obfuscated answer</i> to his security question.": "重設Morty的密碼透過<a href=\"/#/forgot-password\">忘記密碼</a>機制並使用安全提問中<i>難以理解的答案</i>。",
    "Find a way to bypass the rate limiting and brute force the obfuscated answer to Morty's security question.": "找到一種繞過限速和暴力破解Morty的安全問題的方法。",
    "Deprive the shop of earnings by downloading the blueprint for one of its products.": "通過下載眾多產品中之一的設計圖來奪走商城的收入。",
    "The product you might want to give a closer look is the OWASP Juice Shop Logo (3D-printed).": "你可能希望更仔細的看到產品是OWASP Juice Shop標章(透過3D打印)。",
    "Request a hidden resource on server through server.": "通過伺服器請求伺服器上的隱藏資源",
    "Reverse engineering something bad can make good things happen.": "對不好的東西進行逆向工程可以使好事情發生。",
    "Infect the server with juicy malware by abusing arbitrary command execution.": "通過濫用任意命令執行,來讓Juicy的惡意軟體感染伺服器。",
    "\"SSTi\" is a clear indicator that this has nothing to do with anything Angular. Also, make sure to use only our non-malicious malware.": "“SSTi”是一個清楚的indicator,它與Angular無關。而且請確認僅使用我們的非惡意軟體。",
    "Behave like any \"white-hat\" should before getting into the action.": "採取任何行動之前,都應該表現得像個“白帽子”。",
    "Perform a <i>persisted</i> XSS attack with <code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code> bypassing a <i>server-side</i> security mechanism.": "執行<i>持續性</i>XSS攻擊透過<code>&lt;iframe src=\"javascript:alert(`xss`)\"&gt;</code>繞過<i>伺服器端</i>的安全機制。",
    "The \"Comment\" field in the \"Customer Feedback\" screen is where you want to put your focus on.": "你要重點關注“客戶回應”畫面中的“註釋”部分。",
    "<a href=\"/#/contact\">Rat out</a> a notorious character hiding in plain sight in the shop. (Mention the exact name of the character)": "<a href=\"/#/contact\">指出</a>一個臭名昭彰的人,他躲在商城中公眾的地方(描述該角色確實的名字)",
    "No matter how good your eyes are, you will need tool assistance for this challenge.": "無論你的眼睛多麼好,你都將需要工具來協助對付這個挑戰。",
    "Perform a Remote Code Execution that occupies the server for a while without using infinite loops.": "在不用無窮迴圈的情況下,使用Remote Code Execution佔用伺服器一段時間。",
    "Your attack payload must not trigger the protection against too many iterations.": "你的攻擊payload不應該觸發針對過多迭代迴圈的保護。",
    "This vulnerability will not affect any customer of the shop. It is aimed exclusively at its developers.": "此漏洞不會影響商城的任何客戶。它專門針對開發人員。",
    "Solve the 2FA challenge for user \"wurstbrot\". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)": "解決“wurstbrot”帳號的2FA挑戰。(透過停用,繞過或覆寫其2FA設定的方式不會被認為是解決方案)",
    "The 2FA implementation requires to store a secret for every user. You will need to find a way to access this secret in order to solve this challenge.": "雙因子認證為每個使用者儲存一個密鑰,你需要存取這個密鑰以破解這個挑戰",
    "Forge an essentially unsigned JWT token that impersonates the (non-existing) user <i>jwtn3d@juice-sh.op</i>.": "偽造一個本質上未被簽章的JWT Token,該Token模擬(不存在的)帳號<i>jwtn3d@juice-sh.op</i>。",
    "This challenge exploits a weird option that is supported when signing tokens with JWT.": "此挑戰利用了一個奇怪的設定,當使用JWT簽章Token將會被啟用。",
    "Upload a file larger than 100 kB.": "上傳一個超過100kB的檔案",
    "You can attach a small file to the \"Complaint\" form. Investigate how this upload actually works.": "你可以將一個小文件附加到“Complaint”表單中。藉此研究上傳功能的實際工作方式。",
    "Upload a file that has no .pdf or .zip extension.": "上傳一個非PDF或ZIP格式之檔案",
    "You can attach a PDF or ZIP file to the \"Complaint\" form. Investigate how this upload actually works.": "你可以將PDF或ZIP文件附加到“Complaint”表單。藉此研究上傳功能的實際工作方式。",
    "Retrieve a list of all user credentials via SQL Injection.": "利用SQL注入以獲取全部使用者憑證之清單",
    "Gather information on where user data is stored and how it is addressed. Then craft a corresponding UNION SELECT attack.": "收集使用者資料儲存路徑及表示方式之資訊,再做出一個對應的UNION SELECT攻擊",
    "Embed an XSS payload <code>&lt;/script&gt;&lt;script&gt;alert(`xss`)&lt;/script&gt;</code> into our promo video.": "嵌入XSS payload <code>&lt;/script&gt;&lt;script&gt;alert(`xss`)&lt;/script&gt;</code>到我們的促銷影片中。",
    "You have to reuse the vulnerability behind one other 6-star challenge to be able to solve this one.": "你必須在另一個6星級挑戰之後重用該漏洞才能解決此問題。",
    "View another user's shopping basket.": "查看其他用戶的購物車。",
    "Have an eye on the HTTP traffic while shopping. Alternatively try to find a client-side association of users to their basket.": "購物時請留意HTTP流量。或是嘗試找到使用者與他們的購物車間的關聯。",
    "<a href=\"/#/contact\">Inform the shop</a> about a vulnerable library it is using. (Mention the exact library name and version in your comment)": "<a href=\"/#/contact\">通知商城</a>有關於存有弱點的函式庫正在被使用。(在你的評論中提及確切的函式庫名稱和版本)",
    "Report one of two possible answers via the \"Customer Feedback\" form. Do not forget to submit the library's version as well.": "通過“Customer Feedback”表格回報兩個可能的答案其中之一。同時不要忘記也要提交函式庫的版本。",
    "<a href=\"/#/contact\">Inform the shop</a> about an algorithm or library it should definitely not use the way it does.": "<a href=\"/#/contact\">通知商城</a>有關於演算法或函式庫絕對不應該使用它的方式。",
    "Report one of four possible answers via the \"Customer Feedback\" form.": "通過“Customer Feedback”表單報告四個可能的答案之一。",
    "Enforce a redirect to a page you are not supposed to redirect to.": "強制重新導向到你不應該重新導向到的頁面。",
    "You have to find a way to beat the allowlist of allowed redirect URLs.": "你必須找到一種方法來擊敗重新導向URL的的允許清單。",
    "Retrieve the content of <code>C:\\Windows\\system.ini</code> or <code>/etc/passwd</code> from the server.": "從伺服器獲得<code>C:\\Windows\\system.ini</code>或是<code>/etc/passwd</code>的內容",
    "The leverage point for this challenge is the deprecated B2B interface.": "這項挑戰的利用點是不再適用的B2B Interface。",
    "Give the server something to chew on for quite a while.": "給服務器一些東西,讓它運作一會兒。",
    "It is not as easy as sending a large amount of data directly to the deprecated B2B interface.": "這不像是直接向不再適用的B2B interface發送大量資料那樣容易。",
    "Give a devastating zero-star feedback to the store.": "向商城提供毀滅性的零顆星評論回饋。",
    "Before you invest time bypassing the API, you might want to play around with the UI a bit.": "在花時間繞過API之前,你也許可以嘗試花點時間在UI上。",
    "Your eldest siblings middle name?": "你最年長手足的小名",
    "Mother's maiden name?": "母親的娘家姓?",
    "Mother's birth date? (MM/DD/YY)": "母親的生日?(MM/DD/YY)",
    "Father's birth date? (MM/DD/YY)": "父親的生日? (MM / DD / YY)",
    "Maternal grandmother's first name?": "外祖母的名字?",
    "Paternal grandmother's first name?": "祖母的名字?",
    "Name of your favorite pet?": "你最喜歡的寵物的名字?",
    "Last name of dentist when you were a teenager? (Do not include 'Dr.')": "你青少年時期牙醫的姓氏? (不包括“醫師”)",
    "Your ZIP/postal code when you were a teenager?": "青少年時期的郵遞區號",
    "Company you first work for as an adult?": "成年後第一個服務的公司",
    "Your favorite book?": "你最喜歡的書?",
    "Your favorite movie?": "你最喜歡的電影?",
    "Number of one of your customer or ID cards?": "你客戶之一的號碼或是身分證號碼?",
    "Apple Juice (1000ml)": "蘋果汁(1000ml)",
    "The all-time classic.": "不敗的經典。",
    "Orange Juice (1000ml)": "橘子汁(1000ml)",
    "Made from oranges hand-picked by Uncle Dittmeyer.": "由Dittmeyer叔叔手工挑選的橘子製成。",
    "Eggfruit Juice (500ml)": "甜柿果汁(500ml)",
    "Now with even more exotic flavour.": "現在有更多異國風味。",
    "Raspberry Juice (1000ml)": "樹莓汁(1000ml)",
    "Made from blended Raspberry Pi, water and sugar.": "由樹莓派,水和糖混合製成。",
    "Lemon Juice (500ml)": "檸檬汁(500ml)",
    "Sour but full of vitamins.": "酸度高但富含維生素。",
    "Banana Juice (1000ml)": "香蕉汁(1000ml)",
    "Monkeys love it the most.": "猴子最喜歡它。",
    "OWASP Juice Shop T-Shirt": "OWASP Juice Shop T-Shirt",
    "Real fans wear it 24/7!": "真正的粉絲會全天候穿24/7小時!",
    "OWASP Juice Shop CTF Girlie-Shirt": "OWASP Juice Shop CTF女童襯衫",
    "For serious Capture-the-Flag heroines only!": "僅給於認真的Capture-the-Flag 女英雄!",
    "OWASP SSL Advanced Forensic Tool (O-Saft)": "OWASP SSL高級鑑識工具(O-Saft)",
    "O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations. <a href=\"https://www.owasp.org/index.php/O-Saft\" target=\"_blank\">More...</a>": "O-Saft是一種易於使用的工具,用於顯示有關SSL憑證的訊息,並根據給定的加密演算法列表和各種SSL設定來測試SSL連接。 <a href=\"https://www.owasp.org/index.php/O-Saft\" target=\"_blank\">More...</a>",
    "Christmas Super-Surprise-Box (2014 Edition)": "聖誕超級驚喜盒(2014年版)",
    "Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price! (Seasonal special offer! Limited availability!)": "隨機選擇10瓶(每瓶500毫升)我們最美味的果汁和一件額外的粉絲襯衫,以無與倫比的價格! (季節性特價!數量有限!)",
    "Rippertuer Special Juice": "Rippertuer特別果汁",
    "Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price! <br/><span style=\"color:red;\">This item has been made unavailable because of lack of safety standards.</span> (This product is unsafe! We plan to remove it from the stock!)": "包含來自世界各地的最稀有水果的神奇蒐集,例如Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos ...等,而且價格令人難以置信! <br/><span style=\"color:red;\">由於缺乏安全標準該產品無法提供。</span>(此產品不安全!我們打算從架上移除!)",
    "OWASP Juice Shop Sticker (2015/2016 design)": "OWASP Juice Shop 貼紙(2015/2016設計)",
    "Die-cut sticker with the official 2015/2016 logo. By now this is a rare collectors item. <em>Out of stock!</em>": "帶有2015/2016官方徽標的多邊型裁切貼紙。現在這是一個罕見的收藏品。 <em>缺貨中!</em>",
    "OWASP Juice Shop Iron-Ons (16pcs)": "OWASP Juice Shop 貼花衣(16件)",
    "Upgrade your clothes with washer safe <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">iron-ons</a> of the OWASP Juice Shop or CTF Extension logo!": "升級你的衣物為防洗衣物<a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">貼花</a>有OWASP Juice Shop或是CTF Extension logo。",
    "OWASP Juice Shop Magnets (16pcs)": "OWASP Juice Shop磁鐵(16個)",
    "Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">magnets</a>!": "可以用有OWASP Juice Shop或CTF標誌的<a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">磁鐵</a>來裝飾你的冰箱!",
    "OWASP Juice Shop Sticker Page": "OWASP Juice Shop 貼紙頁",
    "Massive decoration opportunities with these OWASP Juice Shop or CTF Extension <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker pages</a>! Each page has 16 stickers on it.": "這些OWASP Juice Shop或CTF Extension<a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">貼紙頁</a>帶來大量裝飾機會!每頁上有16個貼紙。",
    "OWASP Juice Shop Sticker Single": "OWASP Juice Shop 貼紙",
    "Super high-quality vinyl <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker single</a> with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!": "擁有上面有OWASP Juice Shop或是CTF Extension logo 的超優質塑膠<a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">貼紙</a>! 終極的手提電腦裝飾!",
    "OWASP Juice Shop Temporary Tattoos (16pcs)": "OWASP Juice Shop紋身貼紙(16個)",
    "Get one of these <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">temporary tattoos</a> to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! Please mention <a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"><code>@owasp_juiceshop</code></a> in your tweet!": "獲得其中之一<a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">臨時紋身</a>然後在你的皮膚上驕傲地佩戴OWASP Juice Shop或CTF Extension標章!如果你tweet自己的紋身照片,則可免費獲得我們的貼紙!在你的tweet中請提到<a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"><code>@owasp_juiceshop</code></a>",
    "OWASP Juice Shop Mug": "OWASP Juice Shop馬克杯",
    "Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!": "黑色馬克杯一側帶有正規標章,另一側帶有CTF標章!你的同事會羨慕您!",
    "OWASP Juice Shop Hoodie": "OWASP Juice Shop 運動衫",
    "Mr. Robot-style apparel. But in black. And with logo.": "機器人的服裝形式。但是是黑色。並且帶有標章。",
    "OWASP Juice Shop-CTF Velcro Patch": "OWASP Juice Shop-CTF魔鬼沾標章",
    "4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!": "4x3.5英寸刺繡貼布,帶魔鬼沾貼面。每個戰術背包或背包的終極裝飾!",
    "Woodruff Syrup \"Forest Master X-Treme\"": "香車葉草漿 \"Forest Master X-Treme\"",
    "Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.": "在德國黑森林收成並製造。可能導致兒童過動。未經稀釋食用會導致永久性綠色舌頭。",
    "Green Smoothie": "綠奶昔",
    "Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.": "看起來有毒,但實際上對健康非常有好處!由綠甘藍,菠菜,奇異果和青草製成。",
    "Quince Juice (1000ml)": "西梨汁 (1000ml)",
    "Juice of the <em>Cydonia oblonga</em> fruit. Not exactly sweet but rich in Vitamin C.": "<em>西梨 </em>果汁,微糖但富含維他命C。",
    "Apple Pomace": "蘋果果渣",
    "Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.": "絕佳的蘋果榨汁。過敏免責聲明:可能包含蠕蟲的痕跡。可以<a href=\"/#recycle\">送回給我們</a>進行回收。",
    "Fruit Press": "水果榨汁",
    "Fruits go in. Juice comes out. Pomace you can send back to us for recycling purposes.": "放入水果。果汁流出來。你可以將果渣寄回給我們以進行回收。",
    "OWASP Juice Shop Logo (3D-printed)": "OWASP Juice Shop 標章 (3D列印)",
    "This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.": "這款珍稀物品是在瑞典設計和手工製作的。這就是為什麼儘管它完全缺乏目的,卻又是如此昂貴的原因。",
    "Juice Shop Artwork": "Juice Shop的藝術品",
    "Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.": "獨特的傑作,在90g /m²的橫格紙塗上各種果汁。",
    "Global OWASP WASPY Award 2017 Nomination": "2017年全球OWASP WASPY獎提名",
    "Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! <a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">Nominate now!</a>": "你提名OWASP社群的三大安靜支柱的機會到2017年6月30日結束!<a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">立即提名!</a>",
    "Strawberry Juice (500ml)": "草莓汁(500ml)",
    "Sweet & tasty!": "香甜可口!",
    "Carrot Juice (1000ml)": "胡蘿蔔汁(1000ml)",
    "As the old German saying goes: \"Carrots are good for the eyes. Or has anyone ever seen a rabbit with glasses?\"": "就像古老的德國諺語所說:“胡蘿蔔對眼睛有益。或者有沒有人見過戴眼鏡的兔子?”",
    "OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)": "OWASP Juice Shop 瑞典之旅2017貼紙表(特仕版)",
    "10 sheets of Sweden-themed stickers with 15 stickers on each.": "10張瑞典主題貼紙,每張15個貼紙。",
    "Pwning OWASP Juice Shop": "Pwn下OWASP Juice Shop",
    "Melon Bike (Comeback-Product 2018 Edition)": "西瓜製折疊腳踏車(Comeback-Product 2018 Edition)",
    "The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.": "這輛腳踏車的車輪是用真正的西瓜製成的。你可能不想用力沿著上下路緣行駛。",
    "OWASP Juice Shop Coaster (10pcs)": "OWASP Juice Shop杯墊(10個)",
    "Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.": "我們的95毫米圓形杯墊採用全彩印刷,由厚實的優質杯墊板製成。",
    "Retrieve the photo of Bjoern's cat in \"melee combat-mode\".": "在“近戰模式”下檢視Bjoern的貓照片。",
    "Check the Photo Wall for an image that could not be loaded correctly.": "檢查照片牆是否有無法正確載入的圖像。",
    "Stick <a href=\"http://placekitten.com/\" target=\"_blank\">cute cross-domain kittens</a> all over our delivery boxes.": "將<a href=\"http://placekitten.com/\" target=\"_blank\">可愛的cross-domain小貓</a>貼滿我們的外送箱。",
    "This challenge would formally have to be in several categories as the developers made multiple gaffes for this to be possible.": "這一挑戰必須正式的分為幾類,因為開發人員可能為此產生了許多失誤。",
    "ea.": "ea.",
    "Delivery Price": "交貨價格",
    "Total Price": "總價",
    "Bonus Points Earned": "獲得的獎勵積分",
    "The bonus points from this order will be added 1:1 to your wallet ¤-fund for future purchases!": "該訂單的獎勵積分將以1:1的比例加到你的錢包¤-fund 中,下一次購買可以使用!",
    "Thank you for your order!": "感謝您的下單!",
    "Order Confirmation": "訂單確認",
    "Customer": "顧客",
    "Order": "訂單",
    "Date": "日期",
    "OWASP Juice Shop Holographic Sticker": "OWASP Juice Shop 3D雷射貼紙",
    "Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!": "模切3D雷射貼紙,從全版貼紙覆蓋的筆記型電腦中脫穎而出,擁有80年代酷炫的閃亮燈塔!",
    "OWASP Snakes and Ladders - Mobile Apps": "OWASP Snakes and Ladders - 手機應用程式",
    "This amazing mobile app security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">available for Tabletop Simulator on Steam Workshop</a> now!": "現在這款令人驚豔的資安認知桌遊手機APP<a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">在Steam Workshop上可用於桌面模擬器</a>",
    "OWASP Snakes and Ladders - Web Applications": "OWASP Snakes and Ladders - 網頁應用程式",
    "This amazing web application security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">available for Tabletop Simulator on Steam Workshop</a> now!": "現在這款令人驚豔的資安認知網頁桌遊遊戲<a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">在Steam Workshop上可用於桌面模擬器</a>",
    "<em>The official Companion Guide</em> by Björn Kimminich available <a href=\"https://leanpub.com/juice-shop\">for free on LeanPub</a> and also <a href=\"https://pwning.owasp-juice.shop\">readable online</a>!": "<em>官方教學指南</em>由Björn Kimminich編寫,可於<a href=\"https://leanpub.com/juice-shop\">LeanPub</a>與<a href=\"https://pwning.owasp-juice.shop\">readable online</a>免費取用!",
    "We are out of stock! Sorry for the inconvenience.": "我們已經沒有庫存了!抱歉帶來的不便。",
    "Wrong answer to CAPTCHA. Please try again.": "CAPTCHA的回答錯誤。請再試一次。",
    "Invalid email or password.": "無效的電子郵件或密碼。",
    "Current password is not correct.": "現在輸入的密碼不正確。",
    "Password cannot be empty.": "密碼不能為空白。",
    "New and repeated password do not match.": "新密碼與重新輸入的密碼不一致。",
    "Wrong answer to security question.": "對安全性提問的回答錯誤。",
    "<a href=\"/#/contact\">Inform the development team</a> about a danger to some of <em>their</em> credentials. (Send them the URL of the <em>original report</em> or an assigned CVE or another identifier of this vulnerability)": "<a href=\"/#/contact\">通知開發團隊</a>有關於危及部分<em>他們</em>的帳號密碼。(傳給他們<em>原始報告</em>的URL、CVE編號或是其他弱點的識別號碼)",
    "You can order only up to {{quantity}} items of this product.": "你最多只能訂購此產品共{{quantity}}件商品。",
    " <em>(This challenge is <strong>not available</strong> on Docker!)</em>": "<em>(這挑戰<strong>不提供</strong>Docker版本!)</em>",
    " <em>(This challenge is <strong>not available</strong> on Heroku!)</em>": "<em>(這挑戰<strong>不提供</strong>Heroku版本!)</em>",
    " <em>(This challenge is <strong>not available</strong> on Gitpod!)</em>": "<em>(這挑戰<strong>不支援</strong>Gitpod!)</em>",
    " <em>(This challenge is <strong>potentially harmful</strong> on Docker!)</em>": "<em>(這挑戰在Docker上<strong>可能有潛在的危險</strong>!)</em>",
    " <em>(This challenge is <strong>potentially harmful</strong> on Gitpod!)</em>": "<em>(這挑戰在Gitpod上<strong>可能有潛在的危險</strong>!)</em>",
    " <em>(This challenge is <strong>potentially harmful</strong> on Heroku!)</em>": "<em>(這挑戰在Heroku上<strong>可能有潛在的危險</strong>!)</em>",
    "Find the endpoint that serves usage data to be scraped by a <a href=\"https://github.com/prometheus/prometheus\">popular monitoring system</a>.": "尋找提供由<a href=\"https://github.com/prometheus/prometheus\">熱門監控系統</a>分析所得使用資料之端點",
    "Try to guess what URL the endpoint might have.": "猜測端點的URL為何",
    "Look for a url parameter where its value appears in the page it is leading to.": "尋找一個url參數,該參數值將出現在它指向的頁面中。",
    "Change the name of a user by performing Cross-Site Request Forgery from <a href=\"http://htmledit.squarefree.com\">another origin</a>.": "從<a href=\"http://htmledit.squarefree.com\">另一個來源</a>執行 Cross-Site Request Forgery來變更使用者名稱。",
    "Use the bonus payload <code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code> in the <i>DOM XSS</i> challenge.": "使用獎勵的payload<code>&lt;iframe width=&quot;100%&quot; height=&quot;166&quot; scrolling=&quot;no&quot; frameborder=&quot;no&quot; allow=&quot;autoplay&quot; src=&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true&quot;&gt;&lt;/iframe&gt;</code>在<i>DOM XSS</i>挑戰中。",
    "Copy + Paste = Solved!": "複製+貼上=解決方案",
    "Obtain a Deluxe Membership without paying for it.": "在未支付款項的情況下成為豪華會員。",
    "Look closely at what happens when you attempt to upgrade your account.": "升級你的帳號時,注意觀察發生甚麼事",
    " <em>(This challenge is <strong>not available</strong> on Windows!)</em>": "<em>(這挑戰<strong>不支援</strong>Windows版本!)</em>",
    "Reset Uvogin's password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism with <i>the original answer</i> to his security question.": "用<a href=\"/#/forgot-password\">忘記密碼</a>方式並提供安全問題之<i>原始答案</i>以重設Uvogin密碼",
    "You might have to do some OSINT on his social media personas to find out his honest answer to the security question.": "你可能必須對他的社交媒體進行一些OSINT,來找出他對安全提問的真實答案。",
    "Juice Shop Adversary Trading Card (Common)": "Juice Shop角色交換卡片(一般)",
    "Common rarity \"Juice Shop\" card for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.": "<a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">角色交換卡片</a>中的常見\"Juice Shop\"卡",
    "Juice Shop Adversary Trading Card (Super Rare)": "Juice Shop角色交換卡片(超級稀有)",
    "Super rare \"Juice Shop\" card with holographic foil-coating for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.": "<a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">角色交換卡片</a>中具有全像投影塗層的超級稀有\"Juice Shop\"卡",
    "OWASP Juice Shop \"King of the Hill\" Facemask": "OWASP Juice Shop \"山丘之王\"口罩",
    "Facemask with compartment for filter from 50% cotton and 50% polyester.": "面罩帶有隔層做為過濾使用,由50%棉和50%聚酯纖維組成。",
    "Determine the answer to John's security question by looking at an upload of him to the Photo Wall and use it to reset his password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism.": "通過檢視John上傳到圖片牆的內容,決定John安全提問的答案,並使用它通過<a href=\"/#/forgot-password\">忘記密碼</a>機制重置他的密碼。",
    "Take a look at the meta data of the corresponding photo.": "看一下相關照片的meta data。",
    "Determine the answer to Emma's security question by looking at an upload of her to the Photo Wall and use it to reset her password via the <a href=\"/#/forgot-password\">Forgot Password</a> mechanism.": "通過檢視Emma上傳到圖片牆的內容,決定Emma安全提問的答案,並使用它通過<a href=\"/#/forgot-password\">忘記密碼</a>機制重置他的密碼。",
    "Take a look at the details in the photo to determine the location of where it was taken.": "檢視照片中的詳細資訊,來確定拍攝地點。",
    "Juice Shop \"Permafrost\" 2020 Edition": "Juice Shop \"Permafrost\" 2020版",
    "Best Juice Shop Salesman Artwork": "最佳Juice Shop業務藝術品",
    "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before <em>finally</em> adding his expertise to the Juice Shop marketing team.": "Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before <em>finally</em> adding his expertise to the Juice Shop marketing team.",
    "20th Anniversary Celebration Ticket": "20週年慶典券",
    "Get your <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\">free 🎫 for OWASP 20th Anniversary Celebration</a> online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!": "Get your <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\">free 🎫 for OWASP 20th Anniversary Celebration</a> online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!",
    "OWASP Juice Shop Card (non-foil)": "OWASP Juice Shop Card (non-foil)",
    "Mythic rare <small><em>(obviously...)</em></small> card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!": "Mythic rare <small><em>(obviously...)</em></small> card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!",
    "Line {{vulnLine}} is responsible for this vulnerability or security flaw. Select it and submit to proceed.": "Line {{vulnLine}} is responsible for this vulnerability or security flaw. Select it and submit to proceed.",
    "Lines {{vulnLines}} are responsible for this vulnerability or security flaw. Select them and submit to proceed.": "Lines {{vulnLines}} are responsible for this vulnerability or security flaw. Select them and submit to proceed.",
    "Receive a coupon code from the support chatbot.": "由聊天機器人取得優惠代碼。",
    "Just keep asking.": "持續詢問吧",
    "Permanently disable the support chatbot so that it can no longer answer customer queries.": "永久關閉聊天機器人且不會再回答客戶問題",
    "Think of a way to get a hold of the internal workings on the chatbot API.": "設法取得聊天機器人 API 內部工作原理。",
    "Gain read access to an arbitrary local file on the web server.": "在網站伺服器上取得任一本地檔案的讀取權限",
    "You should read up on vulnerabilities in popular NodeJs template engines.": "You should read up on vulnerabilities in popular NodeJs template engines.",
    "Try to identify where (potentially malicious) user input is coming into the code.": "找出(潛在惡意)使用者輸入進入程式碼的位置。",
    "What is the code doing with the user input other than using it to filter the data source?": "除了過濾資料來源之外,程式碼還對使用者輸入做了什麼?",
    "Look for a line where the developers fiddled with Angular's built-in security model.": "尋找開發人員在程式碼中改變 Angular 內建安全模型的地方。",
    "Using bypassSecurityTrustStyle() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact. The context where the parameter is used is not CSS, making this switch totally pointless.": "Using bypassSecurityTrustStyle() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact. The context where the parameter is used is not CSS, making this switch totally pointless.",
    "Using bypassSecurityTrustResourceUrl() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. This switch might only accidentally keep XSS prevention intact, but the new URL context does not make any sense here.": "Using bypassSecurityTrustResourceUrl() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. This switch might only accidentally keep XSS prevention intact, but the new URL context does not make any sense here.",
    "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact. The context where the parameter is used is not a script either, so this switch would be nonsensical.": "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact. The context where the parameter is used is not a script either, so this switch would be nonsensical.",
    "Removing the bypass of sanitization entirely is the best way to fix this vulnerability. Fiddling with Angular's built-in sanitization was entirely unnecessary as the user input for a text search should not be expected to contain HTML that needs to be rendered but merely plain text.": "Removing the bypass of sanitization entirely is the best way to fix this vulnerability. Fiddling with Angular's built-in sanitization was entirely unnecessary as the user input for a text search should not be expected to contain HTML that needs to be rendered but merely plain text.",
    "Can you identify one or more routes which have something to do with log files?": "Can you identify one or more routes which have something to do with log files?",
    "Did you spot the directory listing clearly linked to log files?": "你是否發現到目錄清單清楚地連接到日誌檔案?",
    "Did you notice that there is a seperate route for retrieving individual log files?": "你是否注意到有一個另外的路徑可取得各日誌檔案?",
    "Make sure to select both lines responsible for the log file data leakage.": "確保已選擇了所有應為日誌資料洩漏負責之行",
    "Switching off the detailed view option is a cosmetic change on the directory listing but still allows the logs to be browsed and accessed.": "關閉\"觀看細節\"選項是目錄清單顯示上的改變,但仍允許觀看及存取日誌。",
    "Removing the route that serves individual log files is likely to plumb the data leak but still provides information to the attacker unnecessarily.": "Removing the route that serves individual log files is likely to plumb the data leak but still provides information to the attacker unnecessarily.",
    "Removing only the directory listing will still allow attackers to download individual log files if they can come up with a valid file name.": "Removing only the directory listing will still allow attackers to download individual log files if they can come up with a valid file name.",
    "There should generally be no good reason to expose server logs through a web URL of the server itself, epecially not when that server is Internet-facing.": "There should generally be no good reason to expose server logs through a web URL of the server itself, epecially not when that server is Internet-facing.",
    "Among the long list of route mappings, can you spot any that seem responsible for admin-related functionality?": "Among the long list of route mappings, can you spot any that seem responsible for admin-related functionality?",
    "Luckily the route mappings were originally in alphabetical order before the developers forgot about that rule at some point.": "Luckily the route mappings were originally in alphabetical order before the developers forgot about that rule at some point.",
    "Assuming that the original \"AdminGuard\" provided access control only to admin users, switching to \"LoginGuard\" seems like a downgrade that would give access to any authenticated user.": "Assuming that the original \"AdminGuard\" provided access control only to admin users, switching to \"LoginGuard\" seems like a downgrade that would give access to any authenticated user.",
    "Obfuscating the path to the administration section does not add any security, even if it wasn't just a trivial Base64 encoding.": "Obfuscating the path to the administration section does not add any security, even if it wasn't just a trivial Base64 encoding.",
    "This obfuscation attempt is hard to undo by hand but trivial when executed in a JavaScript console. Regardless, obfuscating the route does not add any level of security.": "This obfuscation attempt is hard to undo by hand but trivial when executed in a JavaScript console. Regardless, obfuscating the route does not add any level of security.",
    "While attempts could be made to limit access to administrative functions of a web shop through access control, it is definitely safer to apply the \"separation of concerns\" pattern more strictly by internally hosting a distinct admin backend application with no Internet exposure.": "While attempts could be made to limit access to administrative functions of a web shop through access control, it is definitely safer to apply the \"separation of concerns\" pattern more strictly by internally hosting a distinct admin backend application with no Internet exposure.",
    "Can you identify one or more routes which have something to do with file serving?": "Can you identify one or more routes which have something to do with file serving?",
    "Did you notice that there are seperate routes the directory listing and retrieving individual files?": "Did you notice that there are seperate routes the directory listing and retrieving individual files?",
    "Make sure to select both lines responsible for the data leakage.": "Make sure to select both lines responsible for the data leakage.",
    "Removing only the directory listing will still allow attackers to download individual files if they can come up with a valid file name.": "Removing only the directory listing will still allow attackers to download individual files if they can come up with a valid file name.",
    "Removing the routes that serve individual files is likely to plumb the data leak but still provides information to the attacker unnecessarily.": "Removing the routes that serve individual files is likely to plumb the data leak but still provides information to the attacker unnecessarily.",
    "Switching off the icons is a cosmetic change on the directory listing but still allows the files to be browsed and accessed.": "Switching off the icons is a cosmetic change on the directory listing but still allows the files to be browsed and accessed.",
    "Getting rid of the /ftp folder entirely is the only way to plumb this data leakage for good. Valid static content in it needs to be moved to a more suitable location and order confirmation PDFs had no business to be placed there publicly accessible in the first place. Everything else in that folder was just accidentally put & forgotten there anyway.": "Getting rid of the /ftp folder entirely is the only way to plumb this data leakage for good. Valid static content in it needs to be moved to a more suitable location and order confirmation PDFs had no business to be placed there publicly accessible in the first place. Everything else in that folder was just accidentally put & forgotten there anyway.",
    "In the long list of API-handling middleware, try to find the ones dealing with products offered in the shop first.": "In the long list of API-handling middleware, try to find the ones dealing with products offered in the shop first.",
    "API routes need to specifically define a handler for a HTTP verb if they wish to override the \"allow everything to everyone\" default behavior.": "API routes need to specifically define a handler for a HTTP verb if they wish to override the \"allow everything to everyone\" default behavior.",
    "There is one line that is commented out for no good reason among the product-related middleware.": "There is one line that is commented out for no good reason among the product-related middleware.",
    "While removing the commented-out line made the code cleaner, it did not change the functionality in any way and thus cannot have improved security either.": "刪除註釋僅使程式碼乾淨,但功能並沒有改變,因此不能提高安全性。",
    "Removing all dedicated handling of the products API made things worse, as now the default permissions of the underlying API generator will be used: Allowing GET, POST, PUT and DELETE - without any restrictions.": "Removing all dedicated handling of the products API made things worse, as now the default permissions of the underlying API generator will be used: Allowing GET, POST, PUT and DELETE - without any restrictions.",
    "You improved security slightly by no longer accepting PUT requests from anonymous API callers. But does the shop even want to allow its authenticated customers to change products themselves?": "You improved security slightly by no longer accepting PUT requests from anonymous API callers. But does the shop even want to allow its authenticated customers to change products themselves?",
    "Disabling all HTTP verbs other than GET for the products API is indeed the only safe way to implement secure access control. Shop administrators should not use the customer facing web UI to manage the store's inventory anyway.": "Disabling all HTTP verbs other than GET for the products API is indeed the only safe way to implement secure access control. Shop administrators should not use the customer facing web UI to manage the store's inventory anyway.",
    "Try to identify any variables in the code that might contain arbitrary user input.": "Try to identify any variables in the code that might contain arbitrary user input.",
    "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.": "Follow the user input through the function call and try to spot places where it might be abused for malicious purposes.",
    "Can you spot a place where a SQL query is being cobbled together in an unsafe way?": "Can you spot a place where a SQL query is being cobbled together in an unsafe way?",
    "Trying to prevent any injection attacks with a custom-built blocklist mechanism is doomed to fail. It might work for some simpler attack payloads but an attacker with time and skills can likely bypass it at some point.": "Trying to prevent any injection attacks with a custom-built blocklist mechanism is doomed to fail. It might work for some simpler attack payloads but an attacker with time and skills can likely bypass it at some point.",
    "Replacing the template string (`...`) notation with plain string concatenation (\"...\"+\"...\") does not change the behavior of the code in any way. It only makes the code less readable.": "Replacing the template string (`...`) notation with plain string concatenation (\"...\"+\"...\") does not change the behavior of the code in any way. It only makes the code less readable.",
    "Using the built-in replacement (or binding) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.": "Using the built-in replacement (or binding) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.",
    "Can you find a HTTP route mapping that deals with metrics?": "Can you find a HTTP route mapping that deals with metrics?",
    "Remember: The default behavior of route mappings is to allow access to everyone.": "Remember: The default behavior of route mappings is to allow access to everyone.",
    "The metrics route remains publicly accessible. This change only messes with functional settings of the measurement framework unnecessarily.": "The metrics route remains publicly accessible. This change only messes with functional settings of the measurement framework unnecessarily.",
    "This fix prevents unauthorized access to the metrics route but overshoots the goal by locking out everyone - including administrators.": "This fix prevents unauthorized access to the metrics route but overshoots the goal by locking out everyone - including administrators.",
    "Access will now be restricted only to users with administrator permissions, which seems reasonable protection, assuming that it is not possible for a regular user to escalate admin priviliges. If that were a risk, the metrics should better be stored behind the scenes not be made accessible via the shop application at all.": "Access will now be restricted only to users with administrator permissions, which seems reasonable protection, assuming that it is not possible for a regular user to escalate admin priviliges. If that were a risk, the metrics should better be stored behind the scenes not be made accessible via the shop application at all.",
    "Do you remember the security question that Bender used for his account?": "你記得 Bender 帳號的安全問題嗎?",
    "This question is the source of the security risk in this challenge.": "這個問題是挑戰中安全風險的來源。",
    "While not necessarily as trivial to research via a user's LinkedIn profile, the question is still easy to research or brute force when answered truthfully.": "調查使用者領英個人檔案不一定無用,當如實回答時,這個問題仍易透過調查或暴力破解。",
    "Exchanging \"company\" with \"organization\" is only a vocabulary change and has no effect on security.": "將“公司”替換為“組織”只是用詞調整,對安全性沒有影響。",
    "When answered truthfully, all security questions are susceptible to online research (on Facebook, LinkedIn etc.) and often even brute force. If at all, they should not be used as the only factor for a security-relevant function.": "When answered truthfully, all security questions are susceptible to online research (on Facebook, LinkedIn etc.) and often even brute force. If at all, they should not be used as the only factor for a security-relevant function.",
    "Can you identify the lines which have something to do with crypto currency addresses?": "Can you identify the lines which have something to do with crypto currency addresses?",
    "Did you notice there is a constant containing allowed redirect web addresses?": "你有注意到有個常數包含受允許重定向之網址嗎?",
    "Make sure to select all three lines responsible for crypto currency addresses which are not promoted any longer.": "確認有選到負責不再促銷加密貨幣位址的三行",
    "This fix removes one deprecated crypto currency address from the allow list but forgets to deal with two other ones.": "這個修正從與許清單中移除一個不宜用加密貨幣錢包地址,但忘記處理另外兩個。",
    "When cleaning up any allow list of deprecated entries, it is crucial to be thorough and re-check the list regularly. Otherwise allow lists tend to become weaker over time.": "When cleaning up any allow list of deprecated entries, it is crucial to be thorough and re-check the list regularly. Otherwise allow lists tend to become weaker over time.",
    "This fix uses the binding mechanism of Sequelize to create the equivalent of a Prepared Statement, which is great. Unfortunately this fix also introduces a critical functional bug into the authentication process.": "This fix uses the binding mechanism of Sequelize to create the equivalent of a Prepared Statement, which is great. Unfortunately this fix also introduces a critical functional bug into the authentication process.",
    "This fix unfortunately goes only half the way to using the binding mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.": "This fix unfortunately goes only half the way to using the binding mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.",
    "This fix unfortunately goes only half the way to using the replacement mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.": "This fix unfortunately goes only half the way to using the replacement mechanism of Sequelize. Such a Prepared Statement still concatenated from user input, is still wide open for SQL Injection attacks.",
    "Turning off the \"plain\" flag will let Sequelize return all matching rows instead of just the first one. This neither makes sense from a functional point of view in a login function, not could it prevent SQL Injection attacks.": "Turning off the \"plain\" flag will let Sequelize return all matching rows instead of just the first one. This neither makes sense from a functional point of view in a login function, not could it prevent SQL Injection attacks.",
    "Using the built-in binding (or replacement) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.": "Using the built-in binding (or replacement) mechanism of Sequelize is equivalent to creating a Prepared Statement. This prevents tampering with the query syntax through malicious user input as it is \"set in stone\" before the criteria parameter is inserted.",
    "Using bypassSecurityTrustSoundCloud() instead of bypassSecurityTrustHtml() supposedly bypasses sanitization to allow only content from that service provider. Not surprisingly, there is no such vendor-specific function bypassSecurityTrustSoundCloud() offered by the Angular DomSanitizer.": "Using bypassSecurityTrustSoundCloud() instead of bypassSecurityTrustHtml() supposedly bypasses sanitization to allow only content from that service provider. Not surprisingly, there is no such vendor-specific function bypassSecurityTrustSoundCloud() offered by the Angular DomSanitizer.",
    "Using bypassSecurityTrustIframe() instead of bypassSecurityTrustHtml() supposedly bypasses sanitization to allow only <iframe> tags. But, the Angular DomSanitizer does not offer tag-specific bypass functions.": "Using bypassSecurityTrustIframe() instead of bypassSecurityTrustHtml() supposedly bypasses sanitization to allow only <iframe> tags. But, the Angular DomSanitizer does not offer tag-specific bypass functions.",
    "Do you remember the security question that Jim used for his account?": "Do you remember the security question that Jim used for his account?",
    "Widening the scope from an \"eldest sibling\" to \"any family member\" still allows the question to be easily researched online (on Facebook etc.) or brute forced when answered truthfully.": "Widening the scope from an \"eldest sibling\" to \"any family member\" still allows the question to be easily researched online (on Facebook etc.) or brute forced when answered truthfully.",
    "Tightening the scope from an \"eldest sibling\" to \"eldest brother\" reduces any brute force effort to only male forenames, assuming the question is answered truthfully.": "Tightening the scope from an \"eldest sibling\" to \"eldest brother\" reduces any brute force effort to only male forenames, assuming the question is answered truthfully.",
    "Do you remember the security question that Bjoern used for his account?": "Do you remember the security question that Bjoern used for his account?",
    "Researching someone's current place of residence is probably even easier than a past one.": "Researching someone's current place of residence is probably even easier than a past one.",
    "When changing the scope of this question from \"teenager\" to \"toddler\", researching a past place of residence still is the only (low) hurdle for the attacker.": "When changing the scope of this question from \"teenager\" to \"toddler\", researching a past place of residence still is the only (low) hurdle for the attacker.",
    "Do you remember the security question that Bjoern used for his OWASP account?": "Do you remember the security question that Bjoern used for his OWASP account?",
    "There are even less car brands in the world than potential pet names. Therefore, changing the security questions has even a negative effect on overall security as it makes guessing and brute forcing much easier.": "There are even fewer car brands in the world than potential pet names. Therefore, changing the security questions has even a negative effect on overall security as it makes guessing and brute forcing much easier.",
    "This fix option is obviously (?) a joke. But it should still illustrate that narrowing the scope of a question reduces the solution space accordingly, thus making \"social stalking\" and brute force much easier.": "This fix option is obviously (?) a joke. But it should still illustrate that narrowing the scope of a question reduces the solution space accordingly, thus making \"social stalking\" and brute force much easier.",
    "Do you remember the security question that Uvogin used for his account?": "Do you remember the security question that Uvogin used for his account?",
    "When changing the scope of this question from \"movie\" to \"actor/actress\", researching and brute forcing is probably just as easy for the attacker.": "When changing the scope of this question from \"movie\" to \"actor/actress\", researching and brute forcing is probably just as easy for the attacker.",
    "Narrowing the scope of the question from \"movie\" to \"animé\" dramatically reduces the solution space, thus making guessing and brute force attacks a lot easier.": "Narrowing the scope of the question from \"movie\" to \"animé\" dramatically reduces the solution space, thus making guessing and brute force attacks a lot easier.",
    "Among the long list of route mappings, can you spot any that seem responsible for the Score Board screen?": "Among the long list of route mappings, can you spot any that seem responsible for the Score Board screen?",
    "If you accidentally scrolled over the relevant line, try using the text search in your browser.": "If you accidentally scrolled over the relevant line, try using the text search in your browser.",
    "Searching for \"score\" should bring you to the right route mapping.": "Searching for \"score\" should bring you to the right route mapping.",
    "Obfuscating the path to the Score Board does not add any security, even if it wasn't just a trivial Base64 encoding. It would, on the other hand, make finding it a bit more difficulty. This is probably not intended as the Score Board screen is the hub for all other challenges.": "Obfuscating the path to the Score Board does not add any security, even if it wasn't just a trivial Base64 encoding. It would, on the other hand, make finding it a bit more difficult. This is probably not intended as the Score Board screen is the hub for all other challenges.",
    "Removing the entire route mapping would improve security but also break functionality by making the Score Board entirely inaccessible. Keep in mind that the Score Board is hidden only to be found and used to track all the other challenges.": "Removing the entire route mapping would improve security but also break functionality by making the Score Board entirely inaccessible. Keep in mind that the Score Board is hidden only to be found and used to track all the other challenges.",
    "In this one-of-a-kind scenario it is really best to just leave the code unchanged. Fiddling with it might either break accessibility of the crucial Score Board screen or make it unnecessarily harder to find it.": "In this one-of-a-kind scenario it is really best to just leave the code unchanged. Fiddling with it might either break accessibility of the crucial Score Board screen or make it unnecessarily harder to find it.",
    "Limiting the allowed search values via startsWith() would still allow SQL Injection via \"orange')) UNION SELECT ... --\" or similarly prefixed payloads. Even worse, this fix also breaks the free text search capability.": "Limiting the allowed search values via startsWith() would still allow SQL Injection via \"orange')) UNION SELECT ... --\" or similarly prefixed payloads. Even worse, this fix also breaks the free text search capability.",
    "Which entity is this challenge most likely about? Try to find all code places where that entity is somehow processed.": "Which entity is this challenge most likely about? Try to find all code places where that entity is somehow processed.",
    "In this snippet you must look for a place where something is missing that, if present, would negate an arbitrary role assignment.": "In this snippet you must look for a place where something is missing that, if present, would negate an arbitrary role assignment.",
    "Make sure that you do not select any lines that are contained in the vulnerable function but themselves have nothing to do with the vulberability.": "Make sure that you do not select any lines that are contained in the vulnerable function but themselves have nothing to do with the vulnerability.",
    "This change results in the \"role\" property not being returned in any User-API responses. This will not prevent setting an arbitrary role during user creation but probably also break some functionality in the client that relies on the role being present.": "此變更造成“角色”屬性不會被任何使用者API回傳。這不會預防建立使用者時設定任一角色,也可能會破壞客戶端中依賴於現有角色之部分功能。",
    "This code change will check if a role is already defined on the user entity. If so, it will keep it. If not, it will set \"customer\" as a fallback role. This still allows anyone to pick their own prefered role, though.": "This code change will check if a role is already defined on the user entity. If so, it will keep it. If not, it will set \"customer\" as a fallback role. This still allows anyone to pick their own preferred role, though.",
    "Removing the interceptor function completely not only keeps the role assignment possible, it also breaks functionality by no longer creating digital wallets for new users.": "Removing the interceptor function completely not only keeps the role assignment possible, it also breaks functionality by no longer creating digital wallets for new users.",
    "This actually fixes the role assignment issue, by overriding any value pre-set via the POST request with a static \"customer\" default role.": "This actually fixes the role assignment issue, by overriding any value pre-set via the POST request with a static \"customer\" default role.",
    "Where is the Token Sale page actually being handled?": "符記銷售頁實際上是在哪裡被處理的?",
    "What is weird about how the Token Sale route is being declared?": "What is weird about how the Token Sale route is being declared?",
    "If the Token Sale page is still considered a secret, why is it mapped to a route at all?": "If the Token Sale page is still considered a secret, why is it mapped to a route at all?",
    "Restricting access to the Token Sale page to administrators might sound good in theory. Unfortunately this all only happens in client-side code, so such check couldn't be fully trusted.": "Restricting access to the Token Sale page to administrators might sound good in theory. Unfortunately this all only happens in client-side code, so such a check couldn't be fully trusted.",
    "Obfuscating the path to the Token Sale page with Base64 instead of the original obfuscation function does not add any security. It actually makes the route even more easily identifiable.": "Obfuscating the path to the Token Sale page with Base64 instead of the original obfuscation function does not add any security. It actually makes the route even more easily identifiable.",
    "The only viable way to prevent access to a soon-to-be-released Token Sale page is to not have it in the client-side code before its actual release. It then makes sense to not have any premature route mapping declarations either. This then makes the whole obfuscation code-madness unnecessary as well.": "The only viable way to prevent access to a soon-to-be-released Token Sale page is to not have it in the client-side code before its actual release. It then makes sense to not have any premature route mapping declarations either. This then makes the whole obfuscation code-madness unnecessary as well.",
    "You should take a close look at how this code checks for allowed vs. forbidded URLs to redirect to.": "You should take a close look at how this code checks for allowed vs. forbidden URLs to redirect to.",
    "Try to play through how the logical operators and used standard functions work in this situation.": "Try to play through how the logical operators and used standard functions work in this situation.",
    "Could you somehow make the code believe that it is dealing with an allow-listed URL while it actually isn't?": "Could you somehow make the code believe that it is dealing with an allow-listed URL while it actually isn't?",
    "The open redirect flaw in this code cannot be fixed by applying URL encoding to the target URL. In fact, it would break the entire redirect mechanism for allow-listed URLs as they are not URL-encoded and would therefore never match.": "The open redirect flaw in this code cannot be fixed by applying URL encoding to the target URL. In fact, it would break the entire redirect mechanism for allow-listed URLs as they are not URL-encoded and would therefore never match.",
    "Changing from logical \"or\" to logical \"and\" here does not do anything for security but entirely breaks the redirect mechanism as \"allowed\" can never be true after the loop.": "Changing from logical \"or\" to logical \"and\" here does not do anything for security but entirely breaks the redirect mechanism as \"allowed\" can never be true after the loop.",
    "HTML-escaping is completely wrong in this situation because the code is dealing with URLs and not HTML input.": "HTML-escaping is completely wrong in this situation because the code is dealing with URLs and not HTML input.",
    "Using indexOf allowed any URLs as long as they contained any allow-listed URL, even if it just would be as a parameter. Replacing this with an actual equality check mitigates this lapse and makes the redirect only work for allow-listed URLs.": "Using indexOf allowed any URL as long as it contained an allow-listed URL, even if only as a parameter. Replacing this with an actual equality check mitigates this lapse and makes the redirect only work for allow-listed URLs.",
    "The security flaw has something to do with the rate limiting configuration.": "The security flaw has something to do with the rate limiting configuration.",
    "Do you think the time window or number of requests is the actual problem here? Maybe there is something else going wrong...": "Do you think the time window or number of requests is the actual problem here? Maybe there is something else going wrong...",
    "Take a close look at the HTTP header being used here and ask yourself: \"Could an attacker do anything with it to bypass rate limiting?\"": "Take a close look at the HTTP header being used here and ask yourself: \"Could an attacker do anything with it to bypass rate limiting?\"",
    "Removing the setting to trust proxies does not improve security of the rate limiting. It might have some unforseen or unintended functional side-effects, though.": "Removing the setting to trust proxies does not improve security of the rate limiting. It might have some unforeseen or unintended functional side-effects, though.",
    "Replacing the \"X-Forwarded-For\" header with its standardized alternative \"Forwarded\" does not close the security flaw of how this header is actually being used and can be abused by attackers.": "Replacing the \"X-Forwarded-For\" header with its standardized alternative \"Forwarded\" does not close the security flaw of how this header is actually being used and can be abused by attackers.",
    "Reducing the rate limit from 100 requests in 5min to 10 reqests in 3min could be seen as a security improvement, if there wasn't an entirely unrelated misconfiguration at play here.": "Reducing the rate limit from 100 requests in 5min to 10 requests in 3min could be seen as a security improvement, if there wasn't an entirely unrelated misconfiguration at play here.",
    "Removing the custom key generator that lets an arbitrary HTTP header take precedence over the client IP is the best option here. Now an attacker at least needs to fake their actual IP to bypass the rate limiting, as this is the default key for the RateLimit module used here. There is a functional downside though, as now users behin e.g. corporate proxies might be rate limited as a group and not individually. But with 100 allowed password resets in 5min this should not occur too frequently.": "Removing the custom key generator that lets an arbitrary HTTP header take precedence over the client IP is the best option here. Now an attacker at least needs to fake their actual IP to bypass the rate limiting, as this is the default key for the RateLimit module used here. There is a functional downside though, as now users behind e.g. corporate proxies might be rate limited as a group and not individually. But with 100 allowed password resets in 5min this should not occur too frequently.",
    "Find all places in the code which are handling the product descriptions.": "Find all places in the code which are handling the product descriptions.",
    "Manually encoding the angular brackets of the HTML tags does not add any security. It is likely to break descriptions with legitimate HTML tags for styling or links, though.": "Manually encoding the angle brackets of the HTML tags does not add any security. It is likely to break descriptions with legitimate HTML tags for styling or links, though.",
    "The removed code block deals with handling of different screen sizes and is entirely unrelated to the given XSS vulnerability.": "The removed code block deals with handling of different screen sizes and is entirely unrelated to the given XSS vulnerability.",
    "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact.": "Using bypassSecurityTrustScript() instead of bypassSecurityTrustHtml() changes the context for which input sanitization is bypassed. If at all, this switch might only accidentally keep XSS prevention intact.",
    "Removing the bypass of sanitization entirely is the best way to fix the XSS vulnerability here. It should be noted, that XSS is only a consequence of broken authorization in this case, as users should not be allowed to change product descriptions in the first place.": "Removing the bypass of sanitization entirely is the best way to fix the XSS vulnerability here. It should be noted that XSS is only a consequence of broken authorization in this case, as users should not be allowed to change product descriptions in the first place.",
    "To find the culprit lines, you need to understand how MongoDB handles updating records.": "To find the culprit lines, you need to understand how MongoDB handles updating records.",
    "Did you notice that the developers retrieved a reference to the user but never actually use it for anything? This might be part of the problem.": "Did you notice that the developers retrieved a reference to the user but never actually use it for anything? This might be part of the problem.",
    "Another problematic line you need to select, is actually missing something that ties the user to the review.": "Another problematic line you need to select is actually missing something that ties the user to the review.",
    "This solution would reassign an updated review to the last editor, but it would not prevent to change other user's reviews in the first place.": "This solution would reassign an updated review to the last editor, but it would not prevent changing other users' reviews in the first place.",
    "Removing the option to update multiple documents at once is a good idea and might actually help against another flaw in this code. But it does not fix the problem of allowing users to update other user's reviews.": "Removing the option to update multiple documents at once is a good idea and might actually help against another flaw in this code. But it does not fix the problem of allowing users to update other users' reviews.",
    "Setting the author on server-side based on the user retrieved from the authentication token in the HTTP request is the right call. It prevents users from just passing any author email they like along with the request.": "Setting the author on server-side based on the user retrieved from the authentication token in the HTTP request is the right call. It prevents users from just passing any author email they like along with the request.",
    "Does this query really need to allow updating more than one review at once?": "這查詢真的需要允許一次更新一個以上評論嗎?",
    "Consider the query parameters under control of the attacker and try to find the one where they might inject some query-altering command.": "Consider the query parameters under control of the attacker and try to find the one where they might inject some query-altering command.",
    "Removing the option to update multiple documents at once combined with avoiding a \"not-equal\"-based injection is insufficient against any attacker with at least moderate MongoDB query knowledge.": "Removing the option to update multiple documents at once combined with avoiding a \"not-equal\"-based injection is insufficient against any attacker with at least moderate MongoDB query knowledge.",
    "Removing the option to update multiple documents at once is definitely necessary. But it is unfortunately not a sufficient fix, as an attacker might still be able to \"add back\" the multi-update behavior.": "Removing the option to update multiple documents at once is definitely necessary. But it is unfortunately not a sufficient fix, as an attacker might still be able to \"add back\" the multi-update behavior.",
    "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.": "Removing the option to update multiple documents at once combined with only allowing plain strings in the ID parameter is the right call. This will prevent any attacker from injecting their own JSON payload to manipulate the query in their favor.",
    "Exact version of <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">OWASP Juice Shop that was archived on 02/02/2020</a> by the GitHub Archive Program and ultimately went into the <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">Arctic Code Vault</a> on July 8. 2020 where it will be safely stored for at least 1000 years.": "Exact version of <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">OWASP Juice Shop that was archived on 02/02/2020</a> by the GitHub Archive Program and ultimately went into the <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">Arctic Code Vault</a> on July 8, 2020 where it will be safely stored for at least 1000 years.",
    "Close multiple \"Challenge solved\"-notifications in one go.": "一次關閉多個\"解決挑戰\"通知",
    "Either check the official documentation or inspect a notification UI element directly.": "確認官方文件或直接檢視一個通知介面元素",
    "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.": "Find a form which updates the username and then construct a malicious page in the online HTML editor. You probably need an older browser version for this.",
    "Register a user with an empty email and password.": "Register a user with an empty email and password.",
    "Consider intercepting and playing with the request payload.": "Consider intercepting and playing with the request payload.",
    "Mint the Honey Pot NFT by gathering BEEs from the bee haven.": "Mint the Honey Pot NFT by gathering BEEs from the bee haven.",
    "Discover NFT wonders among the captivating visual memories.": "Discover NFT wonders among the captivating visual memories.",
    "Take over the wallet containing our official Soul Bound Token (NFT).": "Take over the wallet containing our official Soul Bound Token (NFT).",
    "Find the seed phrase posted accidentally.": "Find the seed phrase posted accidentally.",
    "Withdraw more ETH from the new wallet than you deposited.": "Withdraw more ETH from the new wallet than you deposited.",
    "Try to exploit the contract of the wallet.": "Try to exploit the contract of the wallet.",
    "Find an accidentally deployed code sandbox for writing smart contracts on the fly.": "Find an accidentally deployed code sandbox for writing smart contracts on the fly.",
    "It is just as easy as finding the Score Board.": "It is just as easy as finding the Score Board.",
    "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.": "He might have trumpeted it on at least one occasion where a camera was running. Maybe elsewhere as well.",
    "Find the hidden <a href=\"https://en.wikipedia.org/wiki/Easter_egg_(media)\" target=\"_blank\">easter egg</a>.": "Find the hidden <a href=\"https://en.wikipedia.org/wiki/Easter_egg_(media)\" target=\"_blank\">easter egg</a>.",
    "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.": "Try either a) a knowledgeable brute force attack or b) reverse engineering or c) some research in the cloud.",
    "Bypass a security control with a <a href=\"https://hakipedia.com/index.php/Poison_Null_Byte\">Poison Null Byte</a> to access a file not meant for your eyes.": "Bypass a security control with a <a href=\"https://hakipedia.com/index.php/Poison_Null_Byte\">Poison Null Byte</a> to access a file not meant for your eyes.",
    "Undoubtedly you want to read our security policy before conducting any research on our application.": "Undoubtedly you want to read our security policy before conducting any research on our application."
}