Skip to content

Commit

Permalink
Added 12th challenge for #43 and reverted challenge 8 to be random an…
Browse files Browse the repository at this point in the history 
…d log based again #37
  • Loading branch information
@commjoen
commjoen committed Nov 30, 2021
1 parent 6db420c commit ddb5659
Show file tree
Hide file tree
Showing 13 changed files with 133 additions and 34 deletions.
2 changes: 1 addition & 1 deletion .github/scripts/docker-create-and-push.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ echo "tagging version"
docker buildx create --name mybuilder
docker buildx use mybuilder
echo "generating challenge 12-data"
openssl rand -base64 32 > yourkey.txt
openssl rand -base64 32 | tr -d '\n' > yourkey.txt
echo "creating containers"
docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$1-no-vault --build-arg "$3" --build-arg "PORT=8081" --build-arg "argBasedVersion=$1" --build-arg "spring_profile=without-vault" --push ./../../.
docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-example:$1-local-vault --build-arg "$3" --build-arg "PORT=8081" --build-arg "argBasedVersion=$1" --build-arg "spring_profile=local-vault" --push ./../../.
Expand Down
13 changes: 7 additions & 6 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.

Can you solve all the 11 challenges?
Can you solve all the 12 challenges?
![screenshot.png](screenshot.png)

## Support
Expand All @@ -13,7 +13,7 @@ Need support? Contact us via [OWASP Slack](https://owasp.slack.com/archives/C02K

## Basic docker exercises

_Can be used for challenges 1-4, 8_
_Can be used for challenges 1-4, 8, 12_

For the basic docker exercises you currently require:

Expand All @@ -33,7 +33,8 @@ Now you can try to find the secrets by means of solving the challenge offered at
- [localhost:8080/challenge/3](http://localhost:8080/challenge/3)
- [localhost:8080/challenge/4](http://localhost:8080/challenge/4)
- [localhost:8080/challenge/8](http://localhost:8080/challenge/8)

- [localhost:8080/challenge/8](http://localhost:8080/challenge/12)
-
Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).

### Running these on Heroku
Expand All @@ -50,7 +51,7 @@ You can test them out at <a href="https://wrongsecrets.herokuapp.com/" target="_

## Basic K8s exercise

_Can be used for challenges 1-6, 8_
_Can be used for challenges 1-6, 8, 12_

### Minikube based

Expand Down Expand Up @@ -99,7 +100,7 @@ now you can use the provided IP address and port to further play with the K8s va

## Vault exercises with minikube

_Can be used for challenges 1-8_
_Can be used for challenges 1-8, 12_
Make sure you have the following installed:

- minikube with docker (or comment out line 8 and work at your own k8s setup),
Expand All @@ -115,7 +116,7 @@ This will allow you to run challenge 1-8.

## Cloud Challenges

_Can be used for challenges 1-11_
_Can be used for challenges 1-12_

### Running WrongSecrets in AWS

Expand Down
8 changes: 5 additions & 3 deletions src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -87,9 +87,9 @@ public boolean environmentSupported() {
}

private String getAWSChallenge11Value() {
log.info("Getting credentials from AWS");
if (!"if_you_see_this_please_use_AWS_Setup".equals(awsRoleArn)) {

if (!"if_you_see_this_please_use_AWS_Setup".equals(awsRoleArn)) {
log.info("Getting credentials from AWS");
try { //based on https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/sts/src/main/java/com/example/sts
String webIDentityToken = Files.readString(Paths.get(tokenFileLocation));
StsClient stsClient = StsClient.builder()
Expand Down Expand Up @@ -126,12 +126,13 @@ private String getAWSChallenge11Value() {
log.error("Could not get the web identity token, due to ", e);
}
}
log.info("Skipping credentials from AWS");
return awsDefaultValue;
}

private String getGCPChallenge11Value() {
log.info("Getting credentials from GCP");
if ("gcp".equals(k8sEnvironment)) {
log.info("Getting credentials from GCP");
// Based on https://cloud.google.com/secret-manager/docs/reference/libraries
try (SecretManagerServiceClient client = SecretManagerServiceClient.create()) {
log.info("Fetching secret form Google Secret Manager...");
Expand All @@ -145,6 +146,7 @@ private String getGCPChallenge11Value() {
log.error("Could not get the web identity token, due to ", e);
}
}
log.info("Skipping credentials from GCP");
return gcpDefaultValue;
}
}
22 changes: 18 additions & 4 deletions src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java
View file
Original file line number Diff line number Diff line change
@@ -1,19 +1,29 @@
package org.owasp.wrongsecrets.challenges.docker;


import lombok.extern.slf4j.Slf4j;
import org.owasp.wrongsecrets.ScoreCard;
import org.owasp.wrongsecrets.challenges.Challenge;
import org.owasp.wrongsecrets.challenges.ChallengeEnvironment;
import org.owasp.wrongsecrets.challenges.ChallengeNumber;
import org.owasp.wrongsecrets.challenges.Spoiler;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

import java.nio.file.Files;
import java.nio.file.Paths;

@Slf4j
@Component
@ChallengeNumber("12")
public class Challenge12 extends Challenge {

public Challenge12(ScoreCard scoreCard) {

private String dockerMountPath;

public Challenge12(ScoreCard scoreCard, @Value("${challengedockermtpath}") String dockerMountPath) {
super(scoreCard, ChallengeEnvironment.DOCKER);
this.dockerMountPath = dockerMountPath;
}

@Override
Expand All @@ -23,6 +33,7 @@ public Spoiler spoiler() {

@Override
public boolean answerCorrect(String answer) {
log.info("challenge 12, actualdata: {}, answer: {}", getActualData(), answer);
return getActualData().equals(answer);
}

Expand All @@ -33,8 +44,11 @@ public boolean environmentSupported() {


private String getActualData() {
//do logic here!

return "if_you_see_this_please_use_docker_instead";
try {
return Files.readString(Paths.get(dockerMountPath, "yourkey.txt"));
} catch (Exception e) {
log.warn("Exception during file reading, defaulting to default without cloud environment");
return "if_you_see_this_please_use_docker_instead";
}
}
}
24 changes: 22 additions & 2 deletions src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge8.java
View file
Original file line number Diff line number Diff line change
@@ -1,33 +1,53 @@
package org.owasp.wrongsecrets.challenges.docker;


import lombok.extern.slf4j.Slf4j;
import org.owasp.wrongsecrets.ScoreCard;
import org.owasp.wrongsecrets.challenges.Challenge;
import org.owasp.wrongsecrets.challenges.ChallengeEnvironment;
import org.owasp.wrongsecrets.challenges.ChallengeNumber;
import org.owasp.wrongsecrets.challenges.Spoiler;
import org.springframework.stereotype.Component;

import java.security.SecureRandom;
import java.util.Random;

@Slf4j
@Component
@ChallengeNumber("8")
public class Challenge8 extends Challenge {

private final Random RANDOM = new SecureRandom();
private final String ALPHABET = "0123456789QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm";
private String randomValue;

public Challenge8(ScoreCard scoreCard) {
super(scoreCard, ChallengeEnvironment.DOCKER);
randomValue = generateRandomString(10);
log.info("Initializing challenge 8 with value {}", randomValue);
}

@Override
public Spoiler spoiler() {
return new Spoiler(Constants.newKey);
return new Spoiler(randomValue);
}

@Override
public boolean answerCorrect(String answer) {
return Constants.newKey.equals(answer);
return randomValue.equals(answer);
}

@Override
public boolean environmentSupported() {
return true;
}


private String generateRandomString(int length) {
StringBuffer buffer = new StringBuffer(length);
for (int i = 0; i < length; i++) {
buffer.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
}
return new String(buffer);
}
}
1 change: 1 addition & 0 deletions src/main/resources/application.properties
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ default_gcp_value=if_you_see_this_please_use_GCP_Setup
AWS_ROLE_ARN=if_you_see_this_please_use_AWS_Setup
AWS_WEB_IDENTITY_TOKEN_FILE=if_you_see_this_please_use_AWS_Setup
secretmountpath=/mnt/secrets-store
challengedockermtpath=/var/tmp/helpers
AWS_REGION=if_you_see_this_please_use_AWS_Setup
GCP_PROJECT_ID=if_you_see_this_please_use_GCP_Setup
K8S_ENV=Docker
Expand Down
6 changes: 4 additions & 2 deletions src/main/resources/explanations/challenge8.adoc
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
=== Challenge 8: Generating random values

Now, let's randomize the secret... Can you find the answer?
How can we use this on the next startup ;-)?
Now, let's randomize the secret at startup... Can you find the answer?
How can we use this on the next startup ;-)?

Tip: take a look at the logging of the application at startup!
3 changes: 2 additions & 1 deletion src/main/resources/templates/challenge.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@
<a class="dropdown-item" href="/challenge/9">Challenge 9</a>
<a class="dropdown-item" href="/challenge/10">Challenge 10</a>
<a class="dropdown-item" href="/challenge/11">Challenge 11</a>
<a class="dropdown-item" href="/challenge/12">Challenge 12</a>
</ul>
</li>
<li class="nav-item">
Expand Down Expand Up @@ -68,7 +69,7 @@ <h1 class="mt-3" th:text="'Challenge '+${challengeNumber}"/>
value="Reset"/></p>
</form>

There are 11 challenges (/challenge/1-11), can you solve them all? <br/>
There are 12 challenges (/challenge/1-12), can you solve them all? <br/>
<div class="row">
<div th:if="${previouschallenge!=null}" class="col-4">
<a th:href="'/challenge/'+${previouschallenge}">Previous</a>
Expand Down
1 change: 1 addition & 0 deletions src/main/resources/templates/error.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@
<a class="dropdown-item" href="/challenge/9">Challenge 9</a>
<a class="dropdown-item" href="/challenge/10">Challenge 10</a>
<a class="dropdown-item" href="/challenge/11">Challenge 11</a>
<a class="dropdown-item" href="/challenge/12">Challenge 12</a>
</ul>
</li>
<li class="nav-item">
Expand Down
2 changes: 2 additions & 0 deletions src/main/resources/templates/index.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@
<a class="dropdown-item" href="/challenge/9">Challenge 9</a>
<a class="dropdown-item" href="/challenge/10">Challenge 10</a>
<a class="dropdown-item" href="/challenge/11">Challenge 11</a>
<a class="dropdown-item" href="/challenge/12">Challenge 12</a>
</ul>
</li>
<li class="nav-item">
Expand Down Expand Up @@ -84,6 +85,7 @@ <h1 class="display-2">Welcome</h1>
10 (requires AWS or GCP)</a><br/>
<a href="challenge/11" th:class="${cloud == null} ? 'disabled' : ''">Challenge
11 (requires AWS or GCP)</a><br/>
<a href="challenge/12">Challenge 12 (requires Docker)</a><br/>
</p>
<p>Don't want to wait for Vault? here is <a href="spoil-7">the secret :(</a>.</p>
<p th:text="'You are currently running on the following environment: '+${environment}"></p>
Expand Down
2 changes: 1 addition & 1 deletion src/main/resources/templates/spoil.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,6 @@
<h1>Spoiling secret</h1>
<p th:text="${solution}"></p>

There are 11 challenges (/challenge/1-11), can you solve them all?
There are 11 challenges (/challenge/1-12), can you solve them all?
</body>
</html>
54 changes: 54 additions & 0 deletions src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge12Test.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
package org.owasp.wrongsecrets.challenges.docker;

import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.junit.jupiter.api.io.TempDir;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.owasp.wrongsecrets.ScoreCard;
import org.owasp.wrongsecrets.challenges.Spoiler;
import org.owasp.wrongsecrets.challenges.cloud.Challenge9;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

@ExtendWith(MockitoExtension.class)
class Challenge12Test {

@Mock
private ScoreCard scoreCard;

@Test
void solveChallenge12WithoutFile(@TempDir Path dir) throws Exception {
var challenge = new Challenge12(scoreCard, dir.toString());

Assertions.assertThat(challenge.answerCorrect("secretvalueWitFile")).isFalse();
Assertions.assertThat(challenge.answerCorrect("if_you_see_this_please_use_docker_instead")).isTrue();
}

@Test
void solveChallenge12WithMNTFile(@TempDir Path dir) throws Exception {
var testFile = new File(dir.toFile(), "yourkey.txt");
var secret = "secretvalueWitFile";
Files.writeString(testFile.toPath(), secret);

var challenge = new Challenge12(scoreCard, dir.toString());

Assertions.assertThat(challenge.answerCorrect("secretvalueWitFile")).isTrue();
}

@Test
void spoilShouldReturnCorrectAnswer(@TempDir Path dir) throws IOException {
var testFile = new File(dir.toFile(), "yourkey.txt");
var secret = "secretvalueWitFile";
Files.writeString(testFile.toPath(), secret);

var challenge = new Challenge12(scoreCard, dir.toString());

Assertions.assertThat(challenge.spoiler()).isEqualTo(new Spoiler("secretvalueWitFile"));
}

}
29 changes: 15 additions & 14 deletions src/test/resources/application.properties
View file
Original file line number Diff line number Diff line change
@@ -1,20 +1,21 @@
spring.cloud.vault.enabled=false
aws.paramstore.enabled=false
password = DefaultLoginPasswordDoNotChange!
SPECIAL_K8S_SECRET = if_you_see_this_please_use_k8s
SPECIAL_SPECIAL_K8S_SECRET = if_you_see_this_please_use_k8s
ARG_BASED_PASSWORD= if_you_see_this_please_use_docker_instead
DOCKER_ENV_PASSWORD= if_you_see_this_please_use_docker_instead
vaultpassword = if_you_see_this_please_use_K8S_and_Vault
vaultpassword.password = if_you_see_this_please_use_K8S_and_Vault
default_aws_value = if_you_see_this_please_use_AWS_Setup
default_gcp_value = if_you_see_this_please_use_GCP_Setup
password=DefaultLoginPasswordDoNotChange!
SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s
SPECIAL_SPECIAL_K8S_SECRET=if_you_see_this_please_use_k8s
ARG_BASED_PASSWORD=if_you_see_this_please_use_docker_instead
DOCKER_ENV_PASSWORD=if_you_see_this_please_use_docker_instead
vaultpassword=if_you_see_this_please_use_K8S_and_Vault
vaultpassword.password=if_you_see_this_please_use_K8S_and_Vault
default_aws_value=if_you_see_this_please_use_AWS_Setup
default_gcp_value=if_you_see_this_please_use_GCP_Setup
AWS_REGION=if_you_see_this_please_use_AWS_Setup
AWS_ROLE_ARN= if_you_see_this_please_use_AWS_Setup
AWS_WEB_IDENTITY_TOKEN_FILE= if_you_see_this_please_use_AWS_Setup
GCP_PROJECT_ID= if_you_see_this_please_use_GCP_Setup
secretmountpath = ${java.io.tmpdir}
wrongsecretvalue = wrongsecret
AWS_ROLE_ARN=if_you_see_this_please_use_AWS_Setup
AWS_WEB_IDENTITY_TOKEN_FILE=if_you_see_this_please_use_AWS_Setup
GCP_PROJECT_ID=if_you_see_this_please_use_GCP_Setup
secretmountpath=${java.io.tmpdir}
challengedockermtpath=${java.io.tmpdir}
wrongsecretvalue=wrongsecret
APP_VERSION=0.0.0
K8S_ENV=test
#---
Expand Down

0 comments on commit ddb5659

Please sign in to comment.