v2.0.0

[kOaDT]

What's New

• Player Dashboard
  Introduced a new /player-dashboard page to track CTF progress with clear visual indicators, including overall completion, difficulty and category breakdowns, elapsed time since project initialization, and direct access to related documentation.

• Persistent Flag Progress Tracking
  Flag tracking has been migrated from browser localStorage to a database-backed system. Progress is now persisted across sessions, with timestamps recorded for each captured flag.

• Walkthrough Documentation Site
  Added a full static documentation website containing in-depth walkthroughs for all vulnerabilities, including XSS, JWT, IDOR, SSRF, mass assignment, weak cryptography, and client-side logic flaws. The site includes search, comments, analytics, and is fully compatible with GitHub Pages: https://koadt.github.io/oss-oopssec-store/

Security

• XSS Challenge Redesign
  The XSS vulnerability has been redesigned to remove automatic flag disclosure. Players must now perform a meaningful exploitation by chaining XSS with same-origin static file access, increasing the educational value of the challenge.

• JWT Vulnerability Realism
  Replaced the unrealistic alg: none JWT setup with HS256 using a weak secret, providing a more practical and instructive exploitation scenario.

Bug Fixes

On Walkthrough Documentation Site:

• Fixed Pagefind bundle path handling to ensure search works correctly when deployed under a base path.
• Corrected breadcrumb navigation issues on the walkthroughs website.
• Excluded documentation files from Next.js TypeScript compilation to prevent build errors.
• Resolved hardcoded URLs across Astro components to ensure proper behavior on GitHub Pages.
• Added .nojekyll to prevent unwanted Jekyll processing on GitHub Pages.
• Fixed Open Graph image paths for correct social sharing previews.

Improvements

• Improved documentation site build and configuration to fully support GitHub Pages subpath deployments.
• Refined CI/CD workflows to deploy documentation from the main branch only for production stability.

Breaking Changes

• Flag Progress Storage Change
  Flag progress is no longer stored in browser localStorage and is now persisted in the database.
  Who is impacted: Existing players with progress stored locally.

---

This discussion was created from the release v2.0.0.