OWASP#810 Created a challenge to read password from settings.xml

pom.xml

@@ -248,7 +248,12 @@
       <artifactId>spotbugs-annotations</artifactId>
       <version>4.7.3</version>
     </dependency>
-    <!--        <dependency>-->
+      <dependency>
+          <groupId>org.apache.commons</groupId>
+          <artifactId>commons-configuration2</artifactId>
+          <version>2.7</version> <!-- Replace with the latest version available -->
+      </dependency>
+      <!--        <dependency>-->
     <!--            <groupId>com.h2database</groupId>-->
     <!--            <artifactId>h2</artifactId>-->
     <!--            <version>2.1.214</version>-->

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge41.java

@@ -0,0 +1,88 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import java.io.StringReader;
+import java.nio.charset.Charset;
+import java.util.List;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.configuration2.XMLConfiguration;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
+import org.owasp.wrongsecrets.challenges.Difficulty;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.annotation.Order;
+import org.springframework.core.io.Resource;
+import org.springframework.stereotype.Component;
+
+/**
+ * This is a challenge based on leaking secrets due to keeping the encryption key and secret
+ * together
+ */
+@Slf4j
+@Component
+@Order(41)
+public class Challenge41 extends Challenge {
+
+    private final Resource resource;
+
+    public Challenge41(
+        ScoreCard scoreCard, @Value("classpath:maven/settings/settings.xml") Resource resource) {
+        super(scoreCard);
+        this.resource = resource;
+    }
+
+    @Override
+    public boolean canRunInCTFMode() {
+        return true;
+    }
+
+    @Override
+    public Spoiler spoiler() {
+        return new Spoiler(getSolution());
+    }
+
+    @Override
+    public boolean answerCorrect(String answer) {
+        return getSolution().equals(answer);
+    }
+
+    /** {@inheritDoc} */
+    @Override
+    public int difficulty() {
+        return Difficulty.EASY;
+    }
+
+    /** {@inheritDoc} Cryptography based. */
+    @Override
+    public String getTech() {
+        return ChallengeTechnology.Tech.CRYPTOGRAPHY.id;
+    }
+
+    @Override
+    public boolean isLimitedWhenOnlineHosted() {
+        return false;
+    }
+
+    @Override
+    public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+        return List.of(RuntimeEnvironment.Environment.DOCKER);
+    }
+
+    private String getSolution() {
+        try {
+            String config = resource.getContentAsString(Charset.defaultCharset());
+            StringReader stringReader = new StringReader(config);
+
+            XMLConfiguration xmlConfiguration = new XMLConfiguration();
+            xmlConfiguration.read(stringReader);
+
+            // Retrieve the Nexus password
+            return xmlConfiguration.getString("nexus.password");
+        } catch (Exception e) {
+            log.warn("there was an exception with decrypting content in challenge41", e);
+            return "error_decryption";
+        }
+    }
+}

src/main/resources/explanations/challenge41.adoc

@@ -0,0 +1,3 @@
+=== Nexus credential read
+
+Storing nexus deployment credentials in your github project hardcoded is generally considered a bad practice because it undermines the security provided by encryption.

src/main/resources/explanations/challenge41_hint.adoc

@@ -0,0 +1,10 @@
+This challenge can be solved by decrypting the base64 encoded secret in `secrchallenge.json`. You can do this either by:
+
+1. Using an online aes decryption tool like https://www.devglan.com/online-tools/aes-encryption-decryption[https://www.devglan.com/online-tools/aes-encryption-decryption]
+- Copy the value of `secret` from `secrchallenge.json` and paste it into the textbox of the decryptor.
+- Ensure the input format is `Base64` and the cipher mode is `ECB`.
+- Use the value of `key` from `secrchallenge.json` as decryption key and click on `Decrypt` to get the secret.
+
+2. Using the terminal
+- Launch the terminal while you are in the `maven` directory.
+- Copy the value of `password` from `settings.xml`.

src/main/resources/explanations/challenge41_reason.adoc

@@ -0,0 +1,7 @@
+*Why you should not have nexus deployment credentials in your github project hardcoded*
+
+Storing nexus deployment credentials in your github project hardcoded is generally considered a bad practice because it undermines the security provided by encryption.
+
+In such scenarios, an attacker has the key the moment the file is in his possession.
+
+It is always recommended to store your credentials securely.

src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge41Test.java

@@ -0,0 +1,41 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.springframework.core.io.Resource;
+
+import java.io.IOException;
+import java.nio.charset.Charset;
+
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class Challenge41Test {
+  @Mock private ScoreCard scoreCard;
+
+  @Mock private Resource resource;
+
+  @BeforeEach
+  void setUp() throws IOException {
+      when(resource.getContentAsString(Charset.defaultCharset()))
+          .thenReturn("<root><nexus><username>test_user</username><password>test_password</password></nexus></root>");
+  }
+
+  @Test
+  void spoilerShouldGiveAnswer() {
+    var challenge = new Challenge41(scoreCard, resource);
+    Assertions.assertThat(challenge.spoiler().solution()).isNotEmpty();
+    Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
+  }
+
+  @Test
+  void incorrectAnswerShouldNotSolveChallenge() {
+    var challenge = new Challenge41(scoreCard, resource);
+    Assertions.assertThat(challenge.answerCorrect("wrong answer")).isFalse();
+  }
+}