Merge branch 'master' into experiment-bed

Author: commjoen

.github/scripts/docker-create-and-push.sh

@@ -35,7 +35,7 @@ echo "buildarg supplied: $buildarg"
 echo "check if al required binaries are installed"
 source ../../scripts/check-available-commands.sh
 
-checkCommandsAvailable java git docker mvn
+checkCommandsAvailable java git docker mvn gsed
 
 echo "Start building assets required for container"
 
@@ -49,10 +49,11 @@ SECENDKEYPART4=$(openssl rand -base64 3 | tr -d '\n')
 echo -n "${SECENDKEYPART1}9${SECENDKEYPART2}6${SECENDKEYPART3}2${SECENDKEYPART4}7" > secondkey.txt
 printf "function secret() { \n var password = \"$SECENDKEYPART1\" + 9 + \"$SECENDKEYPART2\" + 6 + \"$SECENDKEYPART3\" + 2 + \"$SECENDKEYPART4\" + 7;\n return password;\n }\n" > ../../js/index.js
 echo "generating challenge 17"
+rm thirdkey.txt
 openssl rand -base64 32 | tr -d '\n' > thirdkey.txt
 answer=$(<thirdkey.txt)
-answerRegexSafe="$(printf '%s' "$answer" | sed -e 's/[]\/$*.^|[]/\\&/g' | sed ':a;N;$!ba;s,\n,\\n,g')"
-sed -i "s/Placeholder Password, find the real one in the history of the container/$answerRegexSafe/g" ../../src/main/resources/.bash_history
+answerRegexSafe="$(printf '%s' "$answer" | gsed -e 's/[]\/$*.^|[]/\\&/g' | gsed ':a;N;$!ba;s,\n,\\n,g')"
+gsed -i "s/Placeholder Password, find the real one in the history of the container/$answerRegexSafe/g" ../../src/main/resources/.bash_history
 
 # preps for #178:
 #echo "Building and publishing to maven central, did you set: a settings.xml file with:"
@@ -69,9 +70,7 @@ sed -i "s/Placeholder Password, find the real one in the history of the containe
 echo "Building and updating pom.xml file so we can use it in our docker"
 cd ../.. && mvn clean && mvn --batch-mode release:update-versions -DdevelopmentVersion=${tag}-SNAPSHOT && mvn install
 git add pom.xml
-git commit -am "Update POM file with new version: ${tag}"
-cd .github/scripts && git push
-#cd .github/scripts
+cd .github/scripts
 docker buildx create --name mybuilder
 docker buildx use mybuilder
 echo "creating containers"
@@ -81,13 +80,16 @@ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/addo-e
 docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-no-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=without-vault" --push ./../../.
 docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
 docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
-
+cd ../..
 echo "restoring temporal change"
 git restore js/index.js
-
+git restore src/main/resources/.bash_history
+echo "committing changes and new pom file with version ${tag}"
+git commit -am "Update POM file with new version: ${tag}"
+git push
 echo "tagging version"
-#git tag -a $tag -m "${message}"
-#git push --tags
+git tag -a $tag -m "${message}"
+git push --tags
 
 echo "Don't forget to update experiment-bed"
 echo "git checkout experiment-bed && git merge master --no-edit"

Dockerfile.web

@@ -1,6 +1,6 @@
-FROM jeroenwillemsen/wrongsecrets:1.4.0-no-vault
+FROM jeroenwillemsen/wrongsecrets:1.4.1-no-vault
 
-ARG argBasedVersion="1.4.0"
+ARG argBasedVersion="1.4.1"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)

README.md

@@ -6,7 +6,7 @@
 
 Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
 
-Can you solve all the 16 challenges?
+Can you solve all the 17 challenges?
 ![screenshot.png](screenshot.png)
 
 ## Support
@@ -21,7 +21,7 @@ We will keep providing updates to this branch, and you can track the status quo
 
 ## Basic docker exercises
 
-_Can be used for challenges 1-4, 8, 12-15_
+_Can be used for challenges 1-4, 8, 12-17_
 
 For the basic docker exercises you currently require:
 
@@ -31,7 +31,7 @@ For the basic docker exercises you currently require:
 You can install it by doing:
 
 ```bash
-docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.0-no-vault
+docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.1-no-vault
 ```
 
 Now you can try to find the secrets by means of solving the challenge offered at:
@@ -46,6 +46,7 @@ Now you can try to find the secrets by means of solving the challenge offered at
 - [localhost:8080/challenge/14](http://localhost:8080/challenge/14)
 - [localhost:8080/challenge/15](http://localhost:8080/challenge/15)
 - [localhost:8080/challenge/16](http://localhost:8080/challenge/16)
+- [localhost:8080/challenge/17](http://localhost:8080/challenge/17)
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
 
@@ -62,7 +63,7 @@ You can test them out at [https://wrongsecrets.herokuapp.com/](https://wrongsecr
 
 ## Basic K8s exercise
 
-_Can be used for challenges 1-6, 8, 12-16_
+_Can be used for challenges 1-6, 8, 12-17_
 
 ### Minikube based
 
@@ -109,7 +110,7 @@ now you can use the provided IP address and port to further play with the K8s va
 
 ## Vault exercises with minikube
 
-_Can be used for challenges 1-8, 12-16_
+_Can be used for challenges 1-8, 12-17_
 Make sure you have the following installed:
 
 - minikube with docker (or comment out line 8 and work at your own k8s setup),
@@ -120,13 +121,13 @@ Make sure you have the following installed:
 - vault [Install from here](https://www.vaultproject.io/downloads),
 - grep, Cat, and Sed
 
-Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-15.
+Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-17.
 
 When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
 
 ## Cloud Challenges
 
-_Can be used for challenges 1-16_
+_Can be used for challenges 1-17_
 
 **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises, 
 never run this on an account which is related to your production environment or can influence your account-over-arching resources.

aws/k8s/secret-challenge-vault-deployment.yml

@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.0-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.1-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -35,7 +35,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.0-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.1-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

gcp/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.0-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.1-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

js/index.js

@@ -1,4 +1,4 @@
 function secret() { 
- var password = "kY3HAYM=" + 9 + "iKBa" + 6 + "vQo=" + 2 + "VpEk" + 7;
+ var password = "jLJIQZM=" + 9 + "aG7l" + 6 + "LAQ=" + 2 + "UdiM" + 7;
  return password;
  }

k8s/secret-challenge-deployment.yml

@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.0-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.1-no-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

k8s/secret-challenge-vault-deployment.yml

@@ -30,7 +30,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.0-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.1-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

pom.xml

@@ -9,7 +9,7 @@
     </parent>
     <groupId>org.owasp</groupId>
     <artifactId>wrongsecrets</artifactId>
-    <version>1.4.1-dev-SNAPSHOT</version>
+    <version>1.4.1-SNAPSHOT</version>
     <name>OWASP WrongSecrets</name>
     <description>Examples with how to not use secrets</description>
     <url>https://owasp.org/www-project-wrongsecrets/</url>

secretscache/curl.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+curl -H Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== https://en.wikipedia.org/wiki/Basic_access_authentication

src/main/resources/.bash_history

@@ -709,4 +709,4 @@ w
 pinky
 history
 pwd
-cat .bash_history
+cat .bash_history