From 00e0f79c724021c06af811eac2227bd9caa10f4a Mon Sep 17 00:00:00 2001
From: Jeroen Willemsen
Date: Tue, 30 Nov 2021 09:10:01 +0100
Subject: [PATCH] Added challenge 12 for #43 and reverted challenge 8 for #37

---
 .github/scripts/docker-create-and-push.sh | 3 +-
 .gitignore | 3 ++
 Dockerfile | 1 +
 README.md | 12 ++---
 .../challenges/cloud/Challenge11.java | 9 ++--
 .../challenges/docker/Challenge12.java | 54 +++++++++++++++++++
 .../challenges/docker/Challenge8.java | 23 +++++++-
 src/main/resources/application.properties | 1 +
 .../resources/explanations/challenge12.adoc | 6 +++
 .../resources/explanations/challenge8.adoc | 6 ++-
 src/main/resources/templates/challenge.html | 3 +-
 src/main/resources/templates/error.html | 1 +
 src/main/resources/templates/index.html | 2 +
 src/main/resources/templates/spoil.html | 2 +-
 .../challenges/docker/Challenge12Test.java | 54 +++++++++++++++++++
 src/test/resources/application.properties | 29 +++++-----
 16 files changed, 179 insertions(+), 30 deletions(-)
 create mode 100644 src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java
 create mode 100644 src/main/resources/explanations/challenge12.adoc
 create mode 100644 src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge12Test.java

diff --git a/.github/scripts/docker-create-and-push.sh b/.github/scripts/docker-create-and-push.sh
index 3bf8e49cb..2ca9e39e1 100755
--- a/.github/scripts/docker-create-and-push.sh
+++ b/.github/scripts/docker-create-and-push.sh
@@ -9,7 +9,8 @@ fi
 echo "tag supplied: $1"
 echo "tag message: $2"
 echo "buildarg supplied: $3"
-
+echo "generating challenge 12-data"
+openssl rand -base64 32 | tr -d '\n' > yourkey.txt
 echo "tagging version"
 git tag -a $1 -m "$2"
 git push --tags
diff --git a/.gitignore b/.gitignore
index 3b74a75cd..e172c9487 100644
--- a/.gitignore
+++ b/.gitignore
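Review bot: The added `openssl rand ... > yourkey.txt` line writes the key relative to the caller's current directory, while the other hunks of this commit expect it at `.github/scripts/yourkey.txt` (the .gitignore entry and the Dockerfile `COPY .github/scripts/ /var/tmp/helpers`). Unless the script is always invoked from inside `.github/scripts`, which the surrounding `git tag`/`git push` calls do not require, the file lands elsewhere, is not covered by the ignore rule, and never reaches the image. Anchoring the path to the script's own location removes the dependency on the working directory: `openssl rand -base64 32 | tr -d '\n' > "$(dirname "$0")/yourkey.txt"`. The script continues outside the hunk, so whether a later step changes directory is not visible here.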
@@ -53,3 +53,6 @@ aws/.terraform.tfstate.lock.info # Templated gcp/k8s/secret-volume.yml gcp/k8s/secret-challenge-vault-deployment.yml + +# Challenge 12 ;-) +.github/scripts/yourkey.txt diff --git a/Dockerfile b/Dockerfile index 9a291a4f5..04fdd3b69 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,4 +13,5 @@ RUN echo "$ARG_BASED_PASSWORD" RUN echo "$argBasedPassword" ADD target/wrongsecrets-0.0.2-SNAPSHOT.jar /application.jar +COPY .github/scripts/ /var/tmp/helpers CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) application.jar \ No newline at end of file diff --git a/README.md b/README.md index 828fb0c94..b8fde743f 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques. -Can you solve all the 11 challenges? +Can you solve all the 12 challenges? ![screenshot.png](screenshot.png) ## Support @@ -13,7 +13,7 @@ Need support? Contact us via [OWASP Slack](https://owasp.slack.com/archives/C02K ## Basic docker exercises -_Can be used for challenges 1-4, 8_ +_Can be used for challenges 1-4, 8, 12_ For the basic docker exercises you currently require: @@ -33,7 +33,7 @@ Now you can try to find the secrets by means of solving the challenge offered at - [localhost:8080/challenge/3](http://localhost:8080/challenge/3) - [localhost:8080/challenge/4](http://localhost:8080/challenge/4) - [localhost:8080/challenge/8](http://localhost:8080/challenge/8) - +- [localhost:8080/challenge/12](http://localhost:8080/challenge/12) Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-). ### Running these on Heroku @@ -50,7 +50,7 @@ You can test them out at Challenge 9 Challenge 10 Challenge 11 + Challenge 12
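Review bot: `COPY .github/scripts/ /var/tmp/helpers` in the Dockerfile hunk copies the entire scripts directory into the image rather than only the generated key, so the CI helper scripts are shipped in every published image and a build where the generation step was skipped still succeeds, just without the challenge data. Narrowing it to `COPY .github/scripts/yourkey.txt /var/tmp/helpers/` limits what is baked in and makes such a build fail at COPY time instead of silently producing an image that Challenge 12 presumably cannot use. Note also that yourkey.txt is only created by docker-create-and-push.sh, so the plain `docker build` flow the README hunks advertise for challenges 1-4, 8, 12 will, as far as this diff shows, not contain the file; how Challenge12.java handles that is outside this page.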