Projects STRLCPY wrongsecrets Commits 78d82392
    .github/scripts/docker-create-and-push.sh
    skipped 86 lines
    87 87  echo "committing changes and new pom file with version ${tag}"
    88 88  git commit -am "Update POM file with new version: ${tag}"
    89 89  git push
    90  -#echo "tagging version"
    91  -#git tag -a $tag -m "${message}"
    92  -#git push --tags
     90 +echo "tagging version"
     91 +git tag -a $tag -m "${message}"
     92 +git push --tags
    93 93   
    94 94  echo "Don't forget to update experiment-bed"
    95 95  echo "git checkout experiment-bed && git merge master --no-edit"
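Review bot: `git tag -a $tag -m "${message}"` leaves `$tag` unquoted while the lines just above quote `${tag}`; quote it consistently (`git tag -a "${tag}" -m "${message}"`) so an empty or whitespace-containing value fails loudly instead of tagging the wrong ref. `git push --tags` also pushes every local tag on the release machine, including stale or experimental ones; `git push origin "${tag}"` pushes only the tag just created. Since these three lines were previously commented out, confirm the script stops when the tag already exists rather than continuing to the commit and push above.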
    skipped 7 lines
    Dockerfile.web
    1  -FROM jeroenwillemsen/wrongsecrets:challenge20test2-no-vault
     1 +FROM jeroenwillemsen/wrongsecrets:1.4.5-no-vault
    2 2   
    3  -ARG argBasedVersion="1.4.4"
     3 +ARG argBasedVersion="1.4.5"
    4 4  ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
    5 5  ENV APP_VERSION=$argBasedVersion
    6 6  ENV K8S_ENV=Heroku(Docker)
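Review bot: `FROM jeroenwillemsen/wrongsecrets:1.4.5-no-vault` pins to a mutable tag; for a reproducible build, pin the base image by digest as well (`jeroenwillemsen/wrongsecrets:1.4.5-no-vault@sha256:<digest>`) so a re-pushed tag cannot silently change what ships. The version also appears twice in this file (the FROM tag and `ARG argBasedVersion="1.4.5"`), and the previous values had already drifted (`challenge20test2-no-vault` next to `1.4.4`); consider declaring the ARG before FROM and referencing it in the tag so there is one place to bump.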
    skipped 7 lines
    README.md
    skipped 24 lines
    25 25  You can install it by doing:
    26 26   
    27 27  ```bash
    28  -docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.4-no-vault
     28 +docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.5-no-vault
    29 29  ```
    30 30   
    31 31  Now you can try to find the secrets by means of solving the challenge offered at:
    skipped 250 lines
    aws/k8s/secret-challenge-vault-deployment.yml
    skipped 36 lines
    37 37   volumeAttributes:
    38 38   secretProviderClass: "wrongsecrets-aws-secretsmanager"
    39 39   containers:
    40  - - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
     40 + - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
    41 41   imagePullPolicy: IfNotPresent
    42 42   ports:
    43 43   - containerPort: 8080
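Review bot: the image reference is bumped to a version tag but not a digest; with `imagePullPolicy: IfNotPresent` a node that already holds an image under the `1.4.5-k8s-vault` tag will never re-pull, so if that tag is ever re-pushed, different nodes can run different images under the same deployment. Either pin `image:` to `jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault@sha256:<digest>` or, if tags are treated as immutable, state that convention in the release script. The same change is repeated in the azure, gcp and k8s manifests below; this note covers all of them.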
    skipped 31 lines
    azure/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 34 lines
    35 35   volumeAttributes:
    36 36   secretProviderClass: "azure-wrongsecrets-vault"
    37 37   containers:
    38  - - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
     38 + - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
    39 39   imagePullPolicy: IfNotPresent
    40 40   ports:
    41 41   - containerPort: 8080
    skipped 36 lines
    gcp/k8s/secret-challenge-vault-deployment.yml.tpl
    skipped 36 lines
    37 37   volumeAttributes:
    38 38   secretProviderClass: "wrongsecrets-gcp-secretsmanager"
    39 39   containers:
    40  - - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
     40 + - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
    41 41   imagePullPolicy: IfNotPresent
    42 42   ports:
    43 43   - containerPort: 8080
    skipped 33 lines
    k8s/secret-challenge-deployment.yml
    skipped 27 lines
    28 28   runAsGroup: 2000
    29 29   fsGroup: 2000
    30 30   containers:
    31  - - image: jeroenwillemsen/wrongsecrets:1.4.4-no-vault
     31 + - image: jeroenwillemsen/wrongsecrets:1.4.5-no-vault
    32 32   imagePullPolicy: IfNotPresent
    33 33   ports:
    34 34   - containerPort: 8080
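Review bot: this is one of five manifests in the commit where the image tag is edited by hand, and the README and Dockerfile carry the same string. Hand-edited copies drift (the Dockerfile and pom.xml were still at `challenge20test2` while the manifests said `1.4.4`); consider having `docker-create-and-push.sh` rewrite these references from `${tag}` (a sed pass or kustomize `images:` overrides) so a release bump touches one value.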
    skipped 23 lines
    k8s/secret-challenge-vault-deployment.yml
    skipped 29 lines
    30 30   runAsNonRoot: true
    31 31   serviceAccountName: vault
    32 32   containers:
    33  - - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
     33 + - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
    34 34   imagePullPolicy: IfNotPresent
    35 35   ports:
    36 36   - containerPort: 8080
    skipped 27 lines
    pom.xml
    skipped 8 lines
    9 9   </parent>
    10 10   <groupId>org.owasp</groupId>
    11 11   <artifactId>wrongsecrets</artifactId>
    12  - <version>challenge20test2-SNAPSHOT</version>
     12 + <version>1.4.5-SNAPSHOT</version>
    13 13   <name>OWASP WrongSecrets</name>
    14 14   <description>Examples with how to not use secrets</description>
    15 15   <url>https://owasp.org/www-project-wrongsecrets/</url>
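Review bot: `<version>1.4.5-SNAPSHOT</version>` does not match the `1.4.5` image tag and `APP_VERSION=1.4.5` set in Dockerfile.web, so the artifact built from this pom identifies itself as a snapshot while being published as the 1.4.5 release. If the script's "Update POM file with new version: ${tag}" commit is meant to set the release version, drop the `-SNAPSHOT` suffix here or have the script strip it before tagging.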
    skipped 416 lines
    src/main/resources/explanations/challenge19.adoc
    1  -=== Obfuscating part 1 the C binary
     1 +=== Obfuscating in binaries part 1: the C binary
    2 2   
    3 3  We need to put a secret in a mobile app! Nobody will notice the secret in our compiled code!
    4 4  This is a misbelief we have often encountered when presenting on mobile security topics.
    skipped 3 lines
    src/main/resources/explanations/challenge20.adoc
    1  -=== Obfuscating part 2: the C++ binary
     1 +=== Obfuscating in binaries part 2: the C++ binary
    2 2   
    3 3  Similar like hiding secrets in an application written in C, you end up in a similar situation with C++. Can you find the secret in our binary?
    4 4   
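Review bot: style only, on the unchanged context line 3: "Similar like hiding secrets ... you end up in a similar situation" repeats "similar" and "similar like" is not idiomatic; since the heading is being touched anyway, "As with hiding secrets in an application written in C, you end up in the same situation with C++." reads better.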
    skipped 2 lines
    src/main/resources/explanations/challenge20_hint.adoc
    skipped 8 lines
    9 9  - Allow the Ghidra to analyze the application.
    10 10  - Search for the secret: Go to `Functions` on the left-hand side, select `__Z6secretv()` . Now on the screen on the right-hand side you can see the secret. This is a string in C++, wrapped in another class (`SecretContainer`).
    11 11  - Search for the same secret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `__Z7secret2v()`. On the right hand side, you see the function: now click on the return result of the function at `__ZZ7secret2vE6harder` . Now you can see the result in the Listing view.
    12  - 
     12 +- Alternatively: when you have analyzed the application with Ghirda: do a search for strings in all blocks and see if you can spot the secret ;-).
    13 13   
    14 14  2. Find the secrets with https://www.radare.org[radare2].
    15 15  - Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`
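Review bot: the added hint line misspells the tool as `Ghirda` (it is `Ghidra` on lines 9 and 10), and "Alternatively: when you have analyzed the application with Ghirda: do a search" stacks two colons; suggest `- Alternatively, once Ghidra has analyzed the application, search for strings in all blocks and see if you can spot the secret ;-).` The unchanged line 9, "Allow the Ghidra to analyze", also carries a stray article.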
    skipped 4 lines