From 92740436df98d0d100f4c6457a9fb58199958fbc Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Wed, 16 Aug 2023 06:51:31 +0200 Subject: [PATCH 01/12] Add experimental key --- .../challenges/docker/Challenge36.java | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java
new file mode 100644
index 000000000..bf7909876
--- /dev/null
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java
@@ -0,0 +1,71 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import com.google.common.base.Strings;
+import java.util.List;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
+import org.owasp.wrongsecrets.challenges.Difficulty;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
+import org.springframework.stereotype.Component;
+
+/**
+ * This is a challenge based on the idea of leaking a secret trough a vulnerability report.
+ */
+@Slf4j
+@Component
+@Order(36)
+public class Challenge36 extends Challenge {
+
+ public Challenge36(ScoreCard scoreCard) {
+ super(scoreCard);
+ }
+
+ @Override
+ public boolean canRunInCTFMode() {
+ return true;
+ }
+
+ @Override
+ public Spoiler spoiler() {
+ return new Spoiler(getKey());
+ }
+
+ @Override
+ public boolean answerCorrect(String answer) {
+ return getKey().equals(answer);
+ }
+
+ /** {@inheritDoc} */
+ @Override
+ public int difficulty() {
+ return Difficulty.EASY;
+ }
+
+ /** {@inheritDoc} This is a crypto Documentation type of challenge */
+ @Override
+ public String getTech() {
+ return ChallengeTechnology.Tech.DOCUMENTATION.id;
+ }
+
+ @Override
+ public boolean isLimitedWhenOnlineHosted() {
+ return false;
+ }
+
+ @Override
+ public List supportedRuntimeEnvironments() {
+ return List.of(RuntimeEnvironment.Environment.DOCKER);
+ }
+
+ private String getKey() {
+ //google api key
+ return "AIzaSyBSpHvt8l1f9qlppJqQW280vGacXgwNnrk";
+ }
+
+
+}
From 5dfc72f20ef5c048f1bc9afa1d94c7c0bf2df36c Mon Sep 17 00:00:00 2001
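Review bot: The `return "AIzaSyBSpHvt8l1f9qlppJqQW280vGacXgwNnrk";` line in getKey() commits a real-looking Google API key, and nothing in this class tells a reader whether it is a live credential or a CTF prop; once pushed it lives in git history and in the release tag for good, and the hint added later in this series even directs players to the 1.6.8RC1 tag to read it. That is acceptable only if the key is revoked or API/referrer-restricted at the provider before merge, and the code should say so. Suggest replacing the `//google api key` comment with `// Intentionally leaked Google API key (this challenge's secret); it is revoked and must never be reused.` If it has not actually been revoked, that is the blocking finding on this patch.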
From: Jeroen Willemsen Date: Wed, 16 Aug 2023 09:11:08 +0200 Subject: [PATCH 02/12] Add docs --- .../org/owasp/wrongsecrets/challenges/docker/Challenge36.java | 2 -- src/main/resources/explanations/challenge36.adoc | 3 +++ src/main/resources/explanations/challenge36_hint.adoc | 1 + src/main/resources/explanations/challenge36_reason.adoc | 2 ++ 4 files changed, 6 insertions(+), 2 deletions(-) create mode 100644 src/main/resources/explanations/challenge36.adoc create mode 100644 src/main/resources/explanations/challenge36_hint.adoc create mode 100644 src/main/resources/explanations/challenge36_reason.adoc diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java index bf7909876..b65081351 100644 --- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java +++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java @@ -1,6 +1,5 @@ package org.owasp.wrongsecrets.challenges.docker; -import com.google.common.base.Strings; import java.util.List; import lombok.extern.slf4j.Slf4j; import org.owasp.wrongsecrets.RuntimeEnvironment; @@ -10,7 +9,6 @@ import org.owasp.wrongsecrets.challenges.Difficulty; import org.owasp.wrongsecrets.challenges.Spoiler; import org.springframework.core.annotation.Order; -import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder; import org.springframework.stereotype.Component; /** diff --git a/src/main/resources/explanations/challenge36.adoc b/src/main/resources/explanations/challenge36.adoc new file mode 100644 index 000000000..092f6102d --- /dev/null +++ b/src/main/resources/explanations/challenge36.adoc @@ -0,0 +1,3 @@ +=== Reporting on Vulnerabilities + +A security researcher found a Google API key. diff --git a/src/main/resources/explanations/challenge36_hint.adoc b/src/main/resources/explanations/challenge36_hint.adoc new file mode 100644 index 000000000..0db68d75e --- /dev/null 
+++ b/src/main/resources/explanations/challenge36_hint.adoc @@ -0,0 +1 @@ +Todo diff --git a/src/main/resources/explanations/challenge36_reason.adoc b/src/main/resources/explanations/challenge36_reason.adoc new file mode 100644 index 000000000..acaad1251 --- /dev/null +++ b/src/main/resources/explanations/challenge36_reason.adoc @@ -0,0 +1,2 @@ +*Why we need to be careful with vulnerability reports* + From 8ccc3f982bcfc89bc629a6b30bc3b2a9e883359e Mon Sep 17 00:00:00 2001 From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com> Date: Wed, 16 Aug 2023 07:21:06 +0000 Subject: [PATCH 03/12] [pre-commit.ci lite] apply automatic fixes --- .../owasp/wrongsecrets/challenges/docker/Challenge36.java | 8 ++------ src/main/resources/explanations/challenge36.adoc | 2 +- src/main/resources/explanations/challenge36_reason.adoc | 1 - 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java index b65081351..e350ade64 100644 --- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java +++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java @@ -11,9 +11,7 @@ import org.springframework.core.annotation.Order; import org.springframework.stereotype.Component; -/** - * This is a challenge based on the idea of leaking a secret trough a vulnerability report. - */ +/** This is a challenge based on the idea of leaking a secret trough a vulnerability report. */ @Slf4j @Component @Order(36) @@ -61,9 +59,7 @@ public List supportedRuntimeEnvironments() { } private String getKey() { - //google api key + // google api key return "AIzaSyBSpHvt8l1f9qlppJqQW280vGacXgwNnrk"; } - - } diff --git a/src/main/resources/explanations/challenge36.adoc b/src/main/resources/explanations/challenge36.adoc index 092f6102d..bbe7e6d94 100644 --- a/src/main/resources/explanations/challenge36.adoc 
+++ b/src/main/resources/explanations/challenge36.adoc @@ -1,3 +1,3 @@ === Reporting on Vulnerabilities -A security researcher found a Google API key. +A security researcher found a Google API key. diff --git a/src/main/resources/explanations/challenge36_reason.adoc b/src/main/resources/explanations/challenge36_reason.adoc index acaad1251..6ab324930 100644 --- a/src/main/resources/explanations/challenge36_reason.adoc +++ b/src/main/resources/explanations/challenge36_reason.adoc @@ -1,2 +1 @@ *Why we need to be careful with vulnerability reports* - From f135892978fcc4d8f59f9cc3f7437054968e43c3 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Thu, 17 Aug 2023 08:23:03 +0200 Subject: [PATCH 04/12] Feature #687: add basics for secret advisory (challenge 35) --- .../docker/{Challenge36.java => Challenge35.java} | 6 +++--- src/main/resources/explanations/challenge35.adoc | 3 +++ .../resources/explanations/challenge35_hint.adoc | 13 +++++++++++++ .../resources/explanations/challenge35_reason.adoc | 3 +++ src/main/resources/explanations/challenge36.adoc | 3 --- .../resources/explanations/challenge36_hint.adoc | 1 - .../resources/explanations/challenge36_reason.adoc | 1 - 7 files changed, 22 insertions(+), 8 deletions(-) rename src/main/java/org/owasp/wrongsecrets/challenges/docker/{Challenge36.java => Challenge35.java} (90%) create mode 100644 src/main/resources/explanations/challenge35.adoc create mode 100644 src/main/resources/explanations/challenge35_hint.adoc create mode 100644 src/main/resources/explanations/challenge35_reason.adoc delete mode 100644 src/main/resources/explanations/challenge36.adoc delete mode 100644 src/main/resources/explanations/challenge36_hint.adoc delete mode 100644 src/main/resources/explanations/challenge36_reason.adoc 
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
similarity index 90%
rename from src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java
rename to src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
index e350ade64..e526b7c60 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge36.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
@@ -15,9 +15,9 @@
 @Slf4j
 @Component
 @Order(36)
-public class Challenge36 extends Challenge {
+public class Challenge35 extends Challenge {
 
- public Challenge36(ScoreCard scoreCard) {
+ public Challenge35(ScoreCard scoreCard) {
 super(scoreCard);
 }
 
@@ -42,7 +42,7 @@ public int difficulty() {
 return Difficulty.EASY;
 }
 
- /** {@inheritDoc} This is a crypto Documentation type of challenge */
+ /** {@inheritDoc} This is a Documentation type of challenge */
 @Override
 public String getTech() {
 return ChallengeTechnology.Tech.DOCUMENTATION.id;
diff --git a/src/main/resources/explanations/challenge35.adoc b/src/main/resources/explanations/challenge35.adoc
new file mode 100644
index 000000000..df490dd26
--- /dev/null
+++ b/src/main/resources/explanations/challenge35.adoc
@@ -0,0 +1,3 @@
+=== Reporting on Vulnerabilities
+
+A security researcher found a Google API key and together with the project leader https://github.com/commjoen[@commjoen] made a https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[Security Advisory]. The only thing @commjoen dit wrong, was actually publish the API key as part of the advisory. Can you spot the key?
diff --git a/src/main/resources/explanations/challenge35_hint.adoc b/src/main/resources/explanations/challenge35_hint.adoc
new file mode 100644
index 000000000..5af103bec
--- /dev/null
+++ b/src/main/resources/explanations/challenge35_hint.adoc
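Review bot: `@Order(36)` survives the rename as an unchanged context line directly above `+public class Challenge35 extends Challenge {`, so the class is numbered 35 in its name, its docs and its explanations but still 36 in the ordering annotation. If the project uses this value to sequence challenges (not visible here), a future Challenge36 would collide with it. Change the context line to `@Order(35)` as part of the rename. The javadoc just above this hunk still reads "trough" for "through".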
@@ -0,0 +1,13 @@ +This is a documentation challenge, which can be solved by going to the Github Advisory. + +1. Get to the key using the Github security advisory +- Go to https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[the advisory]. +- Find the Google API key. +- Copy it into the answer box. + +2. Follow the Github security advisory information +- Go to https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[the advisory]. +- Find the version that is impacted (1.6.8RC1). +- Open the tag at https://github.com/OWASP/wrongsecrets/tree/1.6.8RC1[Github]. +- Find the Google API key in challenge 35. +- Copy it into the answer box. diff --git a/src/main/resources/explanations/challenge35_reason.adoc b/src/main/resources/explanations/challenge35_reason.adoc new file mode 100644 index 000000000..50f6c64a3 --- /dev/null +++ b/src/main/resources/explanations/challenge35_reason.adoc @@ -0,0 +1,3 @@ +*Why we need to be careful with vulnerability reports* + +When you report a vulnerability, or when you publish a security advisory, always be careful with the datails you spread with them. Hardcoded secrets found, especially those harder to rotate, should not be put into your security report itself and/or the publication. diff --git a/src/main/resources/explanations/challenge36.adoc b/src/main/resources/explanations/challenge36.adoc deleted file mode 100644 index bbe7e6d94..000000000 --- a/src/main/resources/explanations/challenge36.adoc +++ /dev/null @@ -1,3 +0,0 @@ -=== Reporting on Vulnerabilities - -A security researcher found a Google API key. diff --git a/src/main/resources/explanations/challenge36_hint.adoc b/src/main/resources/explanations/challenge36_hint.adoc deleted file mode 100644 index 0db68d75e..000000000 --- a/src/main/resources/explanations/challenge36_hint.adoc +++ /dev/null @@ -1 +0,0 @@ -Todo 
diff --git a/src/main/resources/explanations/challenge36_reason.adoc b/src/main/resources/explanations/challenge36_reason.adoc
deleted file mode 100644
index 6ab324930..000000000
--- a/src/main/resources/explanations/challenge36_reason.adoc
+++ /dev/null
@@ -1 +0,0 @@
-*Why we need to be careful with vulnerability reports*
From de4cfedccd24f7dfb67b0a84dfd3a34ef48e1d85 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Thu, 17 Aug 2023 08:26:30 +0200 Subject: [PATCH 05/12] Add test for challenge 35 for #687 --- .../challenges/docker/Challenge35Test.java | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge35Test.java
diff --git a/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge35Test.java b/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge35Test.java
new file mode 100644
index 000000000..44c31f5c6
--- /dev/null
+++ b/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge35Test.java
@@ -0,0 +1,23 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.owasp.wrongsecrets.ScoreCard;
+
+public class Challenge35Test {
+ @Mock private ScoreCard scoreCard;
+
+ @Test
+ void spoilerShouldGiveAnswer() {
+ var challenge = new Challenge35(scoreCard);
+ Assertions.assertThat(challenge.spoiler().solution()).isNotEmpty();
+ Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
+ }
+
+ @Test
+ void incorrectAnswerShouldNotSolveChallenge() {
+ var challenge = new Challenge35(scoreCard);
+ Assertions.assertThat(challenge.solved("wrong answer")).isFalse();
+ }
+}
From 3c91785d239d4a117e88ae3814fd90b6b711b7e2 Mon Sep 17 00:00:00 2001
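Review bot: `@Mock private ScoreCard scoreCard;` is never initialised — the class carries no `@ExtendWith(MockitoExtension.class)` and neither test calls `MockitoAnnotations.openMocks(this)` — so both `new Challenge35(scoreCard)` calls receive `null`. The tests stay green only because `spoiler()`, `answerCorrect()` and `solved("wrong answer")` apparently never touch the score card (the base class is not in this series, so that is inferred); a test for a correct `solved()` would presumably NPE. Add `@ExtendWith(MockitoExtension.class)` above `public class Challenge35Test {`, or construct the challenge with `Mockito.mock(ScoreCard.class)` and drop the field.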
From: Jeroen Willemsen Date: Fri, 18 Aug 2023 06:27:26 +0200 Subject: [PATCH 06/12] Apply suggestions from code review Co-authored-by: Ben de Haan <53901866+bendehaan@users.noreply.github.com> --- src/main/resources/explanations/challenge35.adoc | 2 +- src/main/resources/explanations/challenge35_reason.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/main/resources/explanations/challenge35.adoc b/src/main/resources/explanations/challenge35.adoc index df490dd26..e862a9cc6 100644 --- a/src/main/resources/explanations/challenge35.adoc +++ b/src/main/resources/explanations/challenge35.adoc @@ -1,3 +1,3 @@ === Reporting on Vulnerabilities -A security researcher found a Google API key and together with the project leader https://github.com/commjoen[@commjoen] made a https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[Security Advisory]. The only thing @commjoen dit wrong, was actually publish the API key as part of the advisory. Can you spot the key? +A security researcher found a Google API key and together with the project leader https://github.com/commjoen[@commjoen] made a GitHub security advisory. The only thing @commjoen did wrong was publish the API key as part of the advisory. Can you spot the key? diff --git a/src/main/resources/explanations/challenge35_reason.adoc b/src/main/resources/explanations/challenge35_reason.adoc index 50f6c64a3..112ac90f7 100644 --- a/src/main/resources/explanations/challenge35_reason.adoc +++ b/src/main/resources/explanations/challenge35_reason.adoc 
@@ -1,3 +1,3 @@ *Why we need to be careful with vulnerability reports* -When you report a vulnerability, or when you publish a security advisory, always be careful with the datails you spread with them. Hardcoded secrets found, especially those harder to rotate, should not be put into your security report itself and/or the publication. +When you report a vulnerability or publish a security advisory, always be careful with the information you spread with them. Exact values of found hardcoded secrets, especially those harder to rotate, should not be put into your security report and/or the publication. From 557865c862169c6355b32f97f0823303f23c1e7c Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Fri, 18 Aug 2023 08:27:14 +0200 Subject: [PATCH 07/12] Update POM file with new version: 1.6.8RC1 --- src/main/resources/templates/about.html | 40 ++++++++++++------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/src/main/resources/templates/about.html b/src/main/resources/templates/about.html index effb15881..8638da5c3 100644 --- a/src/main/resources/templates/about.html +++ b/src/main/resources/templates/about.html @@ -343,32 +343,32 @@
  • (The Apache Software License, Version 2.0) thymeleaf-extras-springsecurity6 (org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.2.RELEASE - http://www.thymeleaf.org/thymeleaf-lib/thymeleaf-extras-springsecurity6)
  • (Public Domain) XZ for Java (org.tukaani:xz:1.9 - https://tukaani.org/xz/java.html)
  • (The Apache Software License, Version 2.0) unbescape (org.unbescape:unbescape:1.1.6.RELEASE - http://www.unbescape.org)
  • -
  • (Apache License, Version 2.0) Bootstrap (org.webjars:bootstrap:5.3.0 - http://webjars.org)
  • +
  • (Apache License, Version 2.0) Bootstrap (org.webjars:bootstrap:5.3.1 - http://webjars.org)
  • (MIT) DataTables (org.webjars:datatables:1.13.5 - http://webjars.org)
  • (MIT License) jquery (org.webjars:jquery:3.7.0 - http://webjars.org)
  • (Apache 2.0) Swagger UI (org.webjars:swagger-ui:4.18.2 - http://webjars.org)
  • (BSD 2-Clause) github-buttons (org.webjars.npm:github-buttons:2.14.1 - https://www.webjars.org)
  • (Common Public 1.0) pecoff4j (org.whitesource:pecoff4j:0.0.2.1 - https://github.com/whitesource/pecoff4j-maven)
  • (Apache License, Version 2.0) SnakeYAML (org.yaml:snakeyaml:1.33 - https://bitbucket.org/snakeyaml/snakeyaml)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Annotations (software.amazon.awssdk:annotations:2.20.115 - https://aws.amazon.com/sdkforjava/core/annotations)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Apache (software.amazon.awssdk:apache-client:2.20.115 - https://aws.amazon.com/sdkforjava/http-clients/apache-client)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Auth (software.amazon.awssdk:auth:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: AWS Core (software.amazon.awssdk:aws-core:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Json Protocol (software.amazon.awssdk:aws-json-protocol:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Query Protocol (software.amazon.awssdk:aws-query-protocol:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Endpoints SPI (software.amazon.awssdk:endpoints-spi:2.20.115 - https://aws.amazon.com/sdkforjava/core/endpoints-spi)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Client Interface (software.amazon.awssdk:http-client-spi:2.20.115 - https://aws.amazon.com/sdkforjava/http-client-spi)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Json Utils (software.amazon.awssdk:json-utils:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Metrics SPI (software.amazon.awssdk:metrics-spi:2.20.115 - https://aws.amazon.com/sdkforjava/core/metrics-spi)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Netty Non-Blocking I/O (software.amazon.awssdk:netty-nio-client:2.20.115 - https://aws.amazon.com/sdkforjava/http-clients/netty-nio-client)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Profiles (software.amazon.awssdk:profiles:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Protocol Core (software.amazon.awssdk:protocol-core:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Regions (software.amazon.awssdk:regions:2.20.115 - https://aws.amazon.com/sdkforjava/core/regions)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: SDK Core (software.amazon.awssdk:sdk-core:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Services :: AWS Simple Systems Management (SSM) (software.amazon.awssdk:ssm:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Services :: AWS STS (software.amazon.awssdk:sts:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Third Party :: Jackson-core (software.amazon.awssdk:third-party-jackson-core:2.20.115 - https://aws.amazon.com/sdkforjava)
  • -
  • (Apache License, Version 2.0) AWS Java SDK :: Utilities (software.amazon.awssdk:utils:2.20.115 - https://aws.amazon.com/sdkforjava/utils)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Annotations (software.amazon.awssdk:annotations:2.20.116 - https://aws.amazon.com/sdkforjava/core/annotations)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Apache (software.amazon.awssdk:apache-client:2.20.116 - https://aws.amazon.com/sdkforjava/http-clients/apache-client)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Auth (software.amazon.awssdk:auth:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: AWS Core (software.amazon.awssdk:aws-core:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Json Protocol (software.amazon.awssdk:aws-json-protocol:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Query Protocol (software.amazon.awssdk:aws-query-protocol:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Endpoints SPI (software.amazon.awssdk:endpoints-spi:2.20.116 - https://aws.amazon.com/sdkforjava/core/endpoints-spi)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Client Interface (software.amazon.awssdk:http-client-spi:2.20.116 - https://aws.amazon.com/sdkforjava/http-client-spi)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Json Utils (software.amazon.awssdk:json-utils:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Metrics SPI (software.amazon.awssdk:metrics-spi:2.20.116 - https://aws.amazon.com/sdkforjava/core/metrics-spi)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Netty Non-Blocking I/O (software.amazon.awssdk:netty-nio-client:2.20.116 - https://aws.amazon.com/sdkforjava/http-clients/netty-nio-client)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Profiles (software.amazon.awssdk:profiles:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Protocol Core (software.amazon.awssdk:protocol-core:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Regions (software.amazon.awssdk:regions:2.20.116 - https://aws.amazon.com/sdkforjava/core/regions)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: SDK Core (software.amazon.awssdk:sdk-core:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Services :: AWS Simple Systems Management (SSM) (software.amazon.awssdk:ssm:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Services :: AWS STS (software.amazon.awssdk:sts:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Third Party :: Jackson-core (software.amazon.awssdk:third-party-jackson-core:2.20.116 - https://aws.amazon.com/sdkforjava)
  • +
  • (Apache License, Version 2.0) AWS Java SDK :: Utilities (software.amazon.awssdk:utils:2.20.116 - https://aws.amazon.com/sdkforjava/utils)
  • (Apache License, Version 2.0) AWS Event Stream (software.amazon.eventstream:eventstream:1.0.1 - https://github.com/awslabs/aws-eventstream-java)
  • (Unknown license) StAX (stax:stax:1.2.0 - http://stax.codehaus.org/)
  • (The Apache Software License, Version 2.0) StAX API (stax:stax-api:1.0.1 - http://stax.codehaus.org/)
  • From d5cd483f64b4800e292584c99f2a582547b7e0bf Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Fri, 18 Aug 2023 08:51:36 +0200 Subject: [PATCH 08/12] Fix for vuln with shown key --- .../challenges/docker/Challenge35.java | 37 ++++++++++++++++++- 1 file changed, 35 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
index e526b7c60..e9341e7bf 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
@@ -1,7 +1,18 @@
 package org.owasp.wrongsecrets.challenges.docker;
 
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.util.List;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.codec.binary.Base64;
 import org.owasp.wrongsecrets.RuntimeEnvironment;
 import org.owasp.wrongsecrets.ScoreCard;
 import org.owasp.wrongsecrets.challenges.Challenge;
@@ -59,7 +70,29 @@ public List supportedRuntimeEnvironments() {
 }
 
 private String getKey() {
- // google api key
- return "AIzaSyBSpHvt8l1f9qlppJqQW280vGacXgwNnrk";
+ String ciphertext = "zRR77ETjg5GsXv3az1TZU73xiFWYHbVceJBvBbjChxLyMjHkF6kFdwIXIduVBHAT";
+ try {
+ return decrypt(ciphertext);
+ } catch (Exception e) {
+ log.warn("there was an exception with decrypting content in challenge35", e);
+ return "error_decryption";
+ }
+ }
+
+ private String decrypt(String ciphertext)
+ throws InvalidAlgorithmParameterException,
+ InvalidKeyException,
+ NoSuchPaddingException,
+ NoSuchAlgorithmException,
+ IllegalBlockSizeException,
+ BadPaddingException {
+ IvParameterSpec iv = new IvParameterSpec("1234567890123456".getBytes(StandardCharsets.UTF_8));
+ SecretKeySpec skeySpec =
+ new SecretKeySpec(
+ "12345678901234561234567890123456".getBytes(StandardCharsets.UTF_8), "AES");
+
+ Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
+ cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);
+ return new String(cipher.doFinal(Base64.decodeBase64(ciphertext)));
 }
 }
From 8077985da5a40d54dd95c51d6df00bb3d51ec3c3 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Fri, 18 Aug 2023 08:55:46 +0200 Subject: [PATCH 09/12] change to bc --- .../org/owasp/wrongsecrets/challenges/docker/Challenge35.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
index e9341e7bf..62a4f423b 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
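Review bot: The `catch (Exception e)` branch in getKey() returns the literal `"error_decryption"`, and that string then becomes the challenge's answer — `answerCorrect("error_decryption")` would be true and `spoiler()` would hand it out — whenever decryption fails (bad padding, missing provider, a typo in the ciphertext). Replace the `log.warn(...)` / `return "error_decryption";` pair with `throw new IllegalStateException("challenge35: cannot decrypt the embedded key", e);` so a broken build fails at startup instead of becoming trivially solvable. Separately, AES-CBC under the constant key `"12345678901234561234567890123456"` and the fixed IV `"1234567890123456"` sitting in the same class is obfuscation, not the fix the subject line claims: the plaintext key is still in the advisory and in the 1.6.8RC1 tag that this series points players at, so the only real remediation is revoking or restricting the Google API key at the provider.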
@@ -12,7 +12,7 @@
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.codec.binary.Base64;
+import org.bouncycastle.util.encoders.Base64;
 import org.owasp.wrongsecrets.RuntimeEnvironment;
 import org.owasp.wrongsecrets.ScoreCard;
 import org.owasp.wrongsecrets.challenges.Challenge;
@@ -93,6 +93,6 @@ private String decrypt(String ciphertext)
 
 Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
 cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);
- return new String(cipher.doFinal(Base64.decodeBase64(ciphertext)));
+ return new String(cipher.doFinal(Base64.decode(ciphertext)));
 }
 }
From c097cdb3f1362abc9b5ea39bc3e0d18a0fe676f5 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Fri, 18 Aug 2023 09:08:22 +0200 Subject: [PATCH 10/12] Final fixes --- .../owasp/wrongsecrets/challenges/docker/Challenge35.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
index 62a4f423b..5636d7166 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
@@ -79,6 +79,10 @@ private String getKey() {
 }
 }
 
+ @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
+ value = "CIPHER_INTEGRITY",
+ justification =
+ "The scheme is bad without hmac, but we wanted to make it a bit more fun for you")
 private String decrypt(String ciphertext)
 throws InvalidAlgorithmParameterException,
 InvalidKeyException,
@@ -93,6 +97,6 @@ private String decrypt(String ciphertext)
 
 Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
 cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);
- return new String(cipher.doFinal(Base64.decode(ciphertext)));
+ return new String(cipher.doFinal(Base64.decode(ciphertext.getBytes(StandardCharsets.UTF_8))));
 }
 }
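Review bot: Swapping commons-codec for `org.bouncycastle.util.encoders.Base64` on the `return` line of decrypt() trades one third-party decoder for another although the JDK ships one: `java.util.Base64.getDecoder().decode(ciphertext)` needs no extra library on the classpath and throws IllegalArgumentException on malformed input (what the BouncyCastle decoder does on bad input is not shown here). For a class whose whole point is a hard-coded secret, keeping the crypto-library surface to `javax.crypto` plus the JDK makes it clearer that BouncyCastle is not actually needed for this challenge.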
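Review bot: The new `SuppressFBWarnings` justification explains only the missing MAC, while the hard-coded 32-byte key and fixed IV a few lines below are the larger reason this decrypt() must not be copied as a pattern; a suppression is the one place a future reader will look for that warning. Widen the text to `justification = "Intentionally weak: static key and IV and no MAC; this only obfuscates the challenge secret and is not a reference implementation"`. The annotated method's body runs past the end of this hunk.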
From c3adb2679e03d1ea86ab2e3824df78418b22b618 Mon Sep 17 00:00:00 2001 From: Jeroen Willemsen Date: Fri, 18 Aug 2023 09:37:41 +0200 Subject: [PATCH 11/12] Final fixes --- .../org/owasp/wrongsecrets/challenges/docker/Challenge35.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
index 5636d7166..71b0f5884 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
@@ -97,6 +97,6 @@ private String decrypt(String ciphertext)
 
 Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
 cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);
- return new String(cipher.doFinal(Base64.decode(ciphertext.getBytes(StandardCharsets.UTF_8))));
+ return new String(cipher.doFinal(Base64.decode(ciphertext.getBytes(StandardCharsets.UTF_8))), StandardCharsets.UTF_8);
 }
 }
From 4049ba3195f23fddbad182e559b8719706d509a2 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com> Date: Fri, 18 Aug 2023 07:55:13 +0000 Subject: [PATCH 12/12] [pre-commit.ci lite] apply automatic fixes --- .../org/owasp/wrongsecrets/challenges/docker/Challenge35.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
index 71b0f5884..03386ea2e 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
@@ -97,6 +97,8 @@ private String decrypt(String ciphertext)
 
 Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
 cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);
- return new String(cipher.doFinal(Base64.decode(ciphertext.getBytes(StandardCharsets.UTF_8))), StandardCharsets.UTF_8);
+ return new String(
+ cipher.doFinal(Base64.decode(ciphertext.getBytes(StandardCharsets.UTF_8))),
+ StandardCharsets.UTF_8);
 }
 }