Projects STRLCPY wrongsecrets Commits 11b820a9
    .github/scripts/docker-create.sh
    skipped 6 lines
    7 7   # Display Help
    8 8   echo "A versatile script to create a docker image for testing. Call this script with no arguments to simply create a local image that you can use to test your changes. For more complex use see the below help section"
    9 9   echo
    10  - echo "Syntax: docker-create.sh [-h (help)|-t (test)|-p (publish)|-e (herokud)|-f (herokup) [tag={tag}|message={message}|buildarg={buildarg}|springProfile={springProfile}]"
     10 + echo "Syntax: docker-create.sh [-h (help)|-t (test)|-p (publish)|-e (herokud)|-f (herokup)|-n (notag) [tag={tag}|message={message}|buildarg={buildarg}|springProfile={springProfile}]"
    11 11   echo "options: (All optional)"
    12 12   echo "tag= Write a custom tag that will be added to the container when it is build locally."
    13 13   echo "message= Write a message used for the actual tag-message in git"
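Review bot: the Syntax line now advertises `-n (notag)`, but the `options:` list that follows never explains it. Add an entry alongside the `tag=`/`message=` lines, e.g. `echo "-n Skip creating and pushing the git tag (useful for local test builds)"`, so the flag's effect is documented where the other options are.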
    skipped 56 lines
    70 70  # Set option to local if no option provided
    71 71  script_mode="local"
    72 72  # Parse provided options
    73  -while getopts ":htpef*" option; do
     73 +while getopts ":htpefn*" option; do
    74 74   case $option in
    75 75   h) # display Help
    76 76   Help
    skipped 11 lines
    88 88   f) # Helper
    89 89   script_mode="heroku_p"
    90 90   ;;
    91  - \?) # Invalid option
    92  - echo "Error: Invalid option"
    93  - echo
    94  - Help
    95  - exit
     91 + n) #notags
     92 + disable_tagging_in_git="true"
    96 93   ;;
    97  - -*) # Anything else
     94 + \?|\*) # Invalid option
    98 95   echo "Error: Invalid option"
    99 96   echo
    100 97   Help
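Review bot: the merged `\?|\*)` branch keeps the `echo`, `echo`, `Help` sequence of the old `-*)` branch, but the explicit `exit` that the removed `\?)` branch had is no longer in the visible lines; confirm the invalid-option path still exits (ideally with `exit 1`) in the trailing context rather than falling through into a build. Also, `n) #notags` does not follow the `h) # display Help` comment style used by the other cases; `n) # Disable git tagging` would be consistent.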
    skipped 55 lines
    156 153  echo "Version tag: $tag"
    157 154  echo "buildarg supplied: $buildarg"
    158 155   
     156 +if test -n "${disable_tagging_in_git+x}"; then
     157 + echo "tagging is disabled"
     158 +else
     159 + disable_tagging_in_git="false"
     160 +fi
     161 + 
    159 162  if [[ $script_mode == "heroku_d" ]] ; then
    160 163   Heroku_publish_demo
    161 164  elif [[ $script_mode == "heroku_p" ]]; then
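Review bot: `test -n "${disable_tagging_in_git+x}"` checks whether the variable is set at all, not whether it is `true`, so an inherited environment variable named `disable_tagging_in_git` (even an empty one) silently disables tagging and prints "tagging is disabled". Initialise `disable_tagging_in_git="false"` next to `script_mode="local"` before the `getopts` loop and drop this block; the `n)` case then simply overrides the default.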
    skipped 114 lines
    276 279   echo "committing changes and new pom file with version ${tag}"
    277 280   git commit -am "Update POM file with new version: ${tag}"
    278 281   git push
    279  - echo "tagging version with tag ${tag} and message ${message}"
    280  - git tag -a $tag -m "${message}"
    281  - git push --tags
     282 + if [[ "$disable_tagging_in_git" == "true" ]]; then
     283 + echo "Skip git tagging"
     284 + else
     285 + echo "tagging version with tag '${tag}' and message '${message}'"
     286 + git tag -a $tag -m "${message}"
     287 + git push --tags
     288 + fi
    282 289   else
    283 290   return
    284 291   fi
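Review bot: the echo on line 285 now quotes `'${tag}'`, but `git tag -a $tag -m "${message}"` on the next line still expands `$tag` unquoted, so a tag containing whitespace or glob characters splits into extra arguments. Quote it as `"$tag"`. `git push --tags` also pushes every local tag, not just the one created here; `git push origin "$tag"` is the narrower operation.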
    skipped 51 lines
    .github/workflows/container_test.yml
    skipped 5 lines
    6 6  on:
    7 7   # Triggers the workflow on push or pull request events but only for the master branch
    8 8   push:
    9  - pull_request:
    10  - branches: [ master ]
    11 9   
    12 10   # Allows you to run this workflow manually from the Actions tab
    13 11   workflow_dispatch:
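Review bot: dropping `pull_request: branches: [ master ]` means the container test no longer runs for pull requests opened from forks (pushes to a fork do not trigger this repository's `push` workflows) and now runs on pushes to every branch. If that is intended, update the comment on line 7, which still states that the workflow triggers on pull requests and only for master.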
    skipped 18 lines
    README.md
    skipped 7 lines
    8 8   
    9 9  Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
    10 10   
    11  -Can you solve all the 21 challenges?
     11 +Can you solve all the 22 challenges?
    12 12  ![screenshot.png](screenshot.png)
    13 13   
    14 14  ## Support
    skipped 2 lines
    17 17   
    18 18  ## Basic docker exercises
    19 19   
    20  -_Can be used for challenges 1-4, 8, 12-21_
     20 +_Can be used for challenges 1-4, 8, 12-22_
    21 21   
    22 22  For the basic docker exercises you currently require:
    23 23   
    skipped 23 lines
    47 47  - [localhost:8080/challenge/19](http://localhost:8080/challenge/19)
    48 48  - [localhost:8080/challenge/20](http://localhost:8080/challenge/20)
    49 49  - [localhost:8080/challenge/21](http://localhost:8080/challenge/21)
     50 +- [localhost:8080/challenge/22](http://localhost:8080/challenge/22)
    50 51   
    51 52  Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
    52 53   
    skipped 10 lines
    63 64   
    64 65  ## Basic K8s exercise
    65 66   
    66  -_Can be used for challenges 1-6, 8, 12-21_
     67 +_Can be used for challenges 1-6, 8, 12-22_
    67 68   
    68 69  ### Minikube based
    69 70   
    skipped 40 lines
    110 111   
    111 112  ## Vault exercises with minikube
    112 113   
    113  -_Can be used for challenges 1-8, 12-21_
     114 +_Can be used for challenges 1-8, 12-22_
    114 115  Make sure you have the following installed:
    115 116   
    116 117  - minikube with docker (or comment out line 8 and work at your own k8s setup),
    skipped 4 lines
    121 122  - vault [Install from here](https://www.vaultproject.io/downloads),
    122 123  - grep, Cat, and Sed
    123 124   
    124  -Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-21.
     125 +Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-22.
    125 126   
    126 127  When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
    127 128   
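Review bot: line 125 still refers to `./k8s-vault-minkube-start.sh` (missing an `i`) while line 127 two lines below calls the same script `k8s-vault-minikube-start.sh`; since this line is being edited anyway, fix the file name so a copy-paste of the command works.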
    128 129  ## Cloud Challenges
    129 130   
    130  -_Can be used for challenges 1-21_
     131 +_Can be used for challenges 1-22_
    131 132   
    132 133  **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
    133 134  never run this on an account which is related to your production environment or can influence your account-over-arching resources.
    skipped 13 lines
    147 148  ### Running Challenge15 in your own cloud only
    148 149   
    149 150  When you want to include your own Canarytokens for your cloud-deployment, do the following:
     151 + 
    150 152  1. Fork the project.
    151 153  2. Make sure you use the [GCP ingress](/gcp/k8s-vault-gcp-ingress-start.sh) or [AWS ingress](aws/k8s-aws-alb-script.sh) scripts to generate an ingress for your project.
    152 154  3. Go to [canarytokens.org](https://canarytokens.org/generate) and select `AWS Keys`, in the webHook URL field add `<your-domain-created-at-step1>/canaries/tokencallback`.
    skipped 141 lines
    pom.xml
    skipped 8 lines
    9 9   </parent>
    10 10   <groupId>org.owasp</groupId>
    11 11   <artifactId>wrongsecrets</artifactId>
    12  - <version>1.4.6-SNAPSHOT</version>
     12 + <version>challenge22t1-SNAPSHOT</version>
    13 13   <name>OWASP WrongSecrets</name>
    14 14   <description>Examples with how to not use secrets</description>
    15 15   <url>https://owasp.org/www-project-wrongsecrets/</url>
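Review bot: `challenge22t1-SNAPSHOT` replaces the semantic version `1.4.6-SNAPSHOT`. This reads like a local test tag and will sort unpredictably for anything comparing Maven versions (including the release tagging done by `docker-create.sh`). Restore `1.4.6-SNAPSHOT`, or bump to the next `x.y.z-SNAPSHOT`, before merging.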
    skipped 416 lines
    src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge22.java
     1 + 
     2 +package org.owasp.wrongsecrets.challenges.docker;
     3 + 
     4 +import lombok.extern.slf4j.Slf4j;
     5 +import org.owasp.wrongsecrets.RuntimeEnvironment;
     6 +import org.owasp.wrongsecrets.ScoreCard;
     7 +import org.owasp.wrongsecrets.challenges.Challenge;
     8 +import org.owasp.wrongsecrets.challenges.Spoiler;
     9 +import org.springframework.core.annotation.Order;
     10 +import org.springframework.stereotype.Component;
     11 + 
     12 +import java.util.List;
     13 + 
     14 +import static org.owasp.wrongsecrets.RuntimeEnvironment.Environment.DOCKER;
     15 + 
     16 +@Component
     17 +@Order(22)
     18 +@Slf4j
     19 +public class Challenge22 extends Challenge {
     20 + 
     21 + private final BinaryExecutionHelper binaryExecutionHelper;
     22 + 
     23 + public Challenge22(ScoreCard scoreCard) {
     24 + super(scoreCard);
     25 + this.binaryExecutionHelper = new BinaryExecutionHelper(22);
     26 + }
     27 + 
     28 + @Override
     29 + public Spoiler spoiler() {
     30 + return new Spoiler(binaryExecutionHelper.executeCommand("", "wrongsecrets-rust"));
     31 + }
     32 + 
     33 + @Override
     34 + public boolean answerCorrect(String answer) {
     35 + return binaryExecutionHelper.executeCommand(answer, "wrongsecrets-rust").equals("This is correct! Congrats!");
     36 + }
     37 + 
     38 + public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
     39 + return List.of(DOCKER);
     40 + }
     41 +}
     42 + 
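Review bot: `answerCorrect` on line 34 hands the user-supplied `answer` straight to `BinaryExecutionHelper.executeCommand`; document (or assert in a test) that the helper passes it as a single argv element without going through a shell, and consider rejecting over-long or non-printable input before executing the binary. Smaller points: `supportedRuntimeEnvironments()` on line 38 lacks the `@Override` the other overridden methods carry, `@Slf4j` is applied but `log` is never used in the visible code, and line 1 is a stray blank line before the `package` statement.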
  • src/main/resources/executables/wrongsecrets-rust
    Binary file.
  • src/main/resources/executables/wrongsecrets-rust-arm
    Binary file.
  • src/main/resources/executables/wrongsecrets-rust-linux
    Binary file.
  • src/main/resources/executables/wrongsecrets-rust-linux-arm
    Binary file.
    src/main/resources/explanations/challenge19.adoc
    1  -=== Obfuscating in binaries part 1: the C binary
     1 +=== Hiding in binaries part 1: the C binary
    2 2   
    3 3  We need to put a secret in a mobile app! Nobody will notice the secret in our compiled code!
    4 4  This is a misbelief we have often encountered when presenting on mobile security topics.
    skipped 3 lines
    src/main/resources/explanations/challenge20.adoc
    1  -=== Obfuscating in binaries part 2: the C++ binary
     1 +=== Hiding in binaries part 2: the C++ binary
    2 2   
    3 3  Similar like hiding secrets in an application written in C, you end up in a similar situation with C++. Can you find the secret in our binary?
    4 4   
    skipped 2 lines
    src/main/resources/explanations/challenge21.adoc
    1  -=== Obfuscating part 3: the Go binary
     1 +=== Hiding in binaries part 3: the Go binary
    2 2   
    3 3  Our third language of choice for a compiled application is Go. With the rise of its popularity, we see an increase of secrets hidden inside the binaries. Can you find the secret in our binary?
    4 4   
    skipped 2 lines
    src/main/resources/explanations/challenge22.adoc
     1 +=== Hiding in binaries part 4: the Rust binary
     2 + 
     3 +Similar like hiding secrets in an application written in C, you can do this in Rust. Ghidra is not that good at analysing Rust by default, though... Can you find the secret in our binary?
     4 + 
     5 +Let's debunk the "secrets are hard to find in native compiled applications" myth for Rust: can you find the secret in https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-rust[wrongsecrets-rust] (or https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-rust-arm[wrongsecrets-rust-arm], https://github.com/commjoen/wrongsecrets/tree/master/src/main/resources/executables/wrongsecrets-rust-linux[wrongsecrets-rust-linux])?
     6 + 
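Review bot: line 3 reads `Similar like hiding secrets`; it should be `Similar to hiding secrets` (challenge20.adoc has the same wording). Line 5 links `wrongsecrets-rust`, `-arm` and `-linux` but not the `wrongsecrets-rust-linux-arm` binary added in this same commit; add it or say why it is omitted.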
    src/main/resources/explanations/challenge22_hint.adoc
     1 +This challenge is specifically looking at a secret in a Rust binary based on a https://doc.rust-lang.org/cargo/reference/profiles.html#release[release profile].
     2 + 
     3 +You can solve this challenge using the following steps:
     4 + 
     5 +1. Find the secrets with https://ghidra-sre.org/[Ghidra].
     6 +- Install https://ghidra-sre.org/[Ghidra].
     7 +- Start it whit `ghidraRun`.
     8 +- Load the application `wrongsecrets-rust` into ghidra by choosing a new project, then import the file and then doubleclick on it.
     9 +- Allow the Ghidra to analyze the application.
     10 +- Now import https://gist.github.com/str4d/e541f4c28e2bca80d222434ac1a204f4[demangle script] and run it via the Ghidra Script manager to demangle the functions.
     11 +- Find the `main` function in the `rust` namespace
     12 +- Find the argument that needs to be compared (in our example that is `local_80` as defined in `std::env::args((env *)&local_80);`)
     13 +- Find where the argument is compared (in our example that is `iVar1 = __stubs::_memcmp(local_80,puVar2,0x3b);`)
     14 +- Now search the input it is compared to (`puVar2`) its value. Can you find the secret?
     15 +- Alternatively: Go to the data type manager in the bottom left, now filter for `string`, now right-click at `string` as a member of `wrongsecrets-rust` and select `find uses of`. Then, filter for known keywords: you should easily be able to find the secret now!
     16 + 
     17 +2. Find the secrets with https://www.radare.org[radare2].
     18 +- Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
     19 +- Launch r2 analysis with `$ r2 -AAA wrongsecrets-rust`
     20 +- Print the entrypoint `s sym.rust::main::h66ace6a84e548891` and then `pdf`. (not the default `main`!)
     21 +- Find the argument that needs to be compared with `pdf | grep memcmp` (in our example that is `r12`).
     22 +- Try to find how this argument is prepared. Can you spot the secret?
     23 +- Alternatively: after launching radare2, run `iz | grep secret` and find the string.
     24 + 
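Review bot: line 20 hard-codes `sym.rust::main::h66ace6a84e548891`; the `h…` suffix is a per-build symbol hash, so this hint breaks as soon as the binary is rebuilt. Suggest locating the symbol with `afl~main` (or `is~main`) and seeking to the result instead. Typos: `whit` → `with` (line 7), `Allow the Ghidra` → `Allow Ghidra` (line 9), and `Find the secrets` → `Find the secret` (lines 5 and 17), since the challenge has a single secret.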
    src/main/resources/explanations/challenge22_reason.adoc
     1 +*Why Using binaries to hide a secret will only delay an attacker.*
     2 + 
     3 +With beautiful free Reverse engineering applications as Ghidra, not a lot of things remain safe. Anyone who can load the executable in Ghidra or Radare2 can easily start doing a reconnaissance and find secrets within your binary.
     4 + 
     5 +Encrypting the secret with a key embedded in the binary, and other funny puzzles do delay an attacker and just make it fun finding the secret. Be aware that, if the secret needs to be used by the executable, it eventually needs to be in memory ready to be executed.
     6 + 
     7 +Still need to have a secret in the binary? Make sure it can only be retrieved remotely after authenticating against a server.
     8 + 
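Review bot: wording fixes for this new file: line 1 `*Why Using binaries` → `*Why using binaries`; line 3 `Reverse engineering applications as Ghidra` → `reverse engineering applications such as Ghidra`; line 5 `ready to be executed` → `ready to be used`, since the secret is data the program reads, not code it runs.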
    src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge22Test.java
     1 +package org.owasp.wrongsecrets.challenges.docker;
     2 + 
     3 +import org.assertj.core.api.Assertions;
     4 +import org.junit.jupiter.api.Test;
     5 +import org.junit.jupiter.api.extension.ExtendWith;
     6 +import org.mockito.Mock;
     7 +import org.mockito.junit.jupiter.MockitoExtension;
     8 +import org.owasp.wrongsecrets.ScoreCard;
     9 +import org.owasp.wrongsecrets.challenges.Spoiler;
     10 + 
     11 +@ExtendWith(MockitoExtension.class)
     12 +class Challenge22Test {
     13 + 
     14 + @Mock
     15 + private ScoreCard scoreCard;
     16 + 
     17 + @Test
     18 + void spoilerShouldNotCrash() {
     19 + var challenge = new Challenge22(scoreCard);
     20 + 
     21 + Assertions.assertThat(challenge.spoiler()).isNotEqualTo(new Spoiler(BinaryExecutionHelper.ERROR_EXECUTION));
     22 + Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
     23 + }
     24 + 
     25 +}
     26 + 
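Review bot: this test executes the packaged native binary, so it can only pass on a host for which one of the four checked-in builds (`wrongsecrets-rust`, `-arm`, `-linux`, `-linux-arm`) matches the OS and architecture; anywhere else `spoiler()` yields `ERROR_EXECUTION` and the assertion on line 21 fails. Guard it with a JUnit 5 condition such as `@EnabledOnOs` (or `@EnabledIf` on the architecture), or document the CI runners it is expected to run on.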