wrongsecrets, commit 72a806a8
    .github/scripts/docker-create-and-push.sh
    skipped 86 lines
    87 87  echo "committing changes and new pom file with version ${tag}"
    88 88  git commit -am "Update POM file with new version: ${tag}"
    89 89  git push
    90  -#echo "tagging version"
    91  -#git tag -a $tag -m "${message}"
    92  -#git push --tags
     90 +echo "tagging version"
     91 +git tag -a $tag -m "${message}"
     92 +git push --tags
    93 93   
    94 94  echo "Don't forget to update experiment-bed"
    95 95  echo "git checkout experiment-bed && git merge master --no-edit"
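Review bot: the re-enabled line 91 leaves `$tag` unquoted in `git tag -a $tag -m "${message}"` while the neighbouring lines quote `${tag}`; quote it for consistency so an empty or malformed value fails loudly instead of producing an odd tag. On line 92, `git push --tags` pushes every local tag rather than only the one just created; `git push origin "${tag}"` limits the push to the release tag. Unless the script runs with `set -e` (not visible in this hunk), a failed `git push` on line 89 would still be followed by tagging and pushing tags.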
    skipped 9 lines
    Dockerfile.web
    1  -FROM jeroenwillemsen/wrongsecrets:challenge21test5-no-vault
     1 +FROM jeroenwillemsen/wrongsecrets:1.4.6-no-vault
    2 2   
    3  -ARG argBasedVersion="1.4.5"
     3 +ARG argBasedVersion="1.4.6"
    4 4  ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
    5 5  ENV APP_VERSION=$argBasedVersion
    6 6  ENV K8S_ENV=Heroku(Docker)
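Review bot: the release version now lives in two places in this file, the `FROM` tag on line 1 and `ARG argBasedVersion` on line 3, and both had to be bumped by hand in this commit; declaring the `ARG` once before `FROM` and reusing it (`ARG argBasedVersion=1.4.6` followed by `FROM jeroenwillemsen/wrongsecrets:${argBasedVersion}-no-vault`) removes the chance of the two drifting apart on the next bump. The base image is also selected by a mutable tag only; adding an `@sha256:` digest to the `FROM` line would make the build reproducible and surface a re-pushed tag.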
    skipped 7 lines
    README.md
    skipped 5 lines
    6 6   
    7 7  Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
    8 8   
    9  -Can you solve all the 20 challenges?
     9 +Can you solve all the 21 challenges?
    10 10  ![screenshot.png](screenshot.png)
    11 11   
    12 12  ## Support
    skipped 2 lines
    15 15   
    16 16  ## Basic docker exercises
    17 17   
    18  -_Can be used for challenges 1-4, 8, 12-20_
     18 +_Can be used for challenges 1-4, 8, 12-21_
    19 19   
    20 20  For the basic docker exercises you currently require:
    21 21   
    skipped 3 lines
    25 25  You can install it by doing:
    26 26   
    27 27  ```bash
    28  -docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.5-no-vault
     28 +docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.6-no-vault
    29 29  ```
    30 30   
    31 31  Now you can try to find the secrets by means of solving the challenge offered at:
    skipped 12 lines
    44 44  - [localhost:8080/challenge/18](http://localhost:8080/challenge/18)
    45 45  - [localhost:8080/challenge/19](http://localhost:8080/challenge/19)
    46 46  - [localhost:8080/challenge/20](http://localhost:8080/challenge/20)
     47 +- [localhost:8080/challenge/21](http://localhost:8080/challenge/21)
    47 48   
    48 49  Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
    49 50   
    skipped 10 lines
    60 61   
    61 62  ## Basic K8s exercise
    62 63   
    63  -_Can be used for challenges 1-6, 8, 12-19_
     64 +_Can be used for challenges 1-6, 8, 12-21_
    64 65   
    65 66  ### Minikube based
    66 67   
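Review bot: this range moves from `12-19` to `12-21`, whereas the docker section above moves from `12-20` to `12-21`, so challenge 20 is newly declared as runnable in the K8s setup by this commit with no other K8s-related change visible in the diff; confirm that is intended rather than the docker range copied over.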
    skipped 40 lines
    107 108   
    108 109  ## Vault exercises with minikube
    109 110   
    110  -_Can be used for challenges 1-8, 12-19_
     111 +_Can be used for challenges 1-8, 12-21_
    111 112  Make sure you have the following installed:
    112 113   
    113 114  - minikube with docker (or comment out line 8 and work at your own k8s setup),
    skipped 4 lines
    118 119  - vault [Install from here](https://www.vaultproject.io/downloads),
    119 120  - grep, Cat, and Sed
    120 121   
    121  -Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-20.
     122 +Run `./k8s-vault-minkube-start.sh`, when the script is done, then the challenges will wait for you at <http://localhost:8080> . This will allow you to run challenges 1-8, 12-21.
    122 123   
    123 124  When you stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward run: `k8s-vault-minikube-resume.sh`. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
    124 125   
    125 126  ## Cloud Challenges
    126 127   
    127  -_Can be used for challenges 1-20_
     128 +_Can be used for challenges 1-21_
    128 129   
    129 130  **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
    130 131  never run this on an account which is related to your production environment or can influence your account-over-arching resources.
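Review bot: the edited line 122 still refers to `./k8s-vault-minkube-start.sh` while the unchanged line 124 refers to `k8s-vault-minikube-start.sh`; one of the two script names is misspelled, and since the line is being touched for the version bump anyway this is the moment to align it with the actual file name in the repository.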
    skipped 151 lines
    aws/k8s/secret-challenge-vault-deployment.yml
    skipped 36 lines
    37 37   volumeAttributes:
    38 38   secretProviderClass: "wrongsecrets-aws-secretsmanager"
    39 39   containers:
    40  - - image: jeroenwillemsen/wrongsecrets:challenge21test5-k8s-vault
     40 + - image: jeroenwillemsen/wrongsecrets:1.4.6-k8s-vault
    41 41   imagePullPolicy: IfNotPresent
    42 42   ports:
    43 43   - containerPort: 8080
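Review bot: replacing the `challenge21test5-k8s-vault` test tag with `1.4.6-k8s-vault` is the right direction, but the image is still chosen by a mutable tag combined with `imagePullPolicy: IfNotPresent` on line 41, so a node that already holds an image under that tag keeps running it even if the tag is later re-pushed with different contents; pinning `image:` to `jeroenwillemsen/wrongsecrets:1.4.6-k8s-vault@sha256:<digest>` (digest to be filled in from the registry) gives a deterministic deployment. The same point applies to the identical `image:` lines in the azure, gcp and `k8s/` manifests below.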
    skipped 31 lines
    azure/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 34 lines
    35 35   volumeAttributes:
    36 36   secretProviderClass: "azure-wrongsecrets-vault"
    37 37   containers:
    38  - - image: jeroenwillemsen/wrongsecrets:challenge21test5-k8s-vault
     38 + - image: jeroenwillemsen/wrongsecrets:1.4.6-k8s-vault
    39 39   imagePullPolicy: IfNotPresent
    40 40   ports:
    41 41   - containerPort: 8080
    skipped 36 lines
    gcp/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 36 lines
    37 37   volumeAttributes:
    38 38   secretProviderClass: "wrongsecrets-gcp-secretsmanager"
    39 39   containers:
    40  - - image: jeroenwillemsen/wrongsecrets:challenge21test5-k8s-vault
     40 + - image: jeroenwillemsen/wrongsecrets:1.4.6-k8s-vault
    41 41   imagePullPolicy: IfNotPresent
    42 42   ports:
    43 43   - containerPort: 8080
    skipped 33 lines
    k8s/secret-challenge-deployment.yml
    skipped 27 lines
    28 28   runAsGroup: 2000
    29 29   fsGroup: 2000
    30 30   containers:
    31  - - image: jeroenwillemsen/wrongsecrets:challenge21test5-no-vault
     31 + - image: jeroenwillemsen/wrongsecrets:1.4.6-no-vault
    32 32   imagePullPolicy: IfNotPresent
    33 33   ports:
    34 34   - containerPort: 8080
    skipped 23 lines
    k8s/secret-challenge-vault-deployment.yml
    skipped 29 lines
    30 30   runAsNonRoot: true
    31 31   serviceAccountName: vault
    32 32   containers:
    33  - - image: jeroenwillemsen/wrongsecrets:challenge21test5-k8s-vault
     33 + - image: jeroenwillemsen/wrongsecrets:1.4.6-k8s-vault
    34 34   imagePullPolicy: IfNotPresent
    35 35   ports:
    36 36   - containerPort: 8080
    skipped 27 lines
    pom.xml
    skipped 8 lines
    9 9   </parent>
    10 10   <groupId>org.owasp</groupId>
    11 11   <artifactId>wrongsecrets</artifactId>
    12  - <version>challenge21test5-SNAPSHOT</version>
     12 + <version>1.4.6-SNAPSHOT</version>
    13 13   <name>OWASP WrongSecrets</name>
    14 14   <description>Examples with how to not use secrets</description>
    15 15   <url>https://owasp.org/www-project-wrongsecrets/</url>
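Review bot: the POM version becomes `1.4.6-SNAPSHOT` while the Dockerfile in this same commit sets `ARG argBasedVersion="1.4.6"` and exports it as `APP_VERSION`, so the published image reports a release version but the Maven artifact inside it is still a snapshot build; either drop `-SNAPSHOT` here for the release or document that the image tag and `APP_VERSION` are intentionally decoupled from the POM version.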
    skipped 416 lines