Projects STRLCPY wrongsecrets Commits 8ef4b2dd
  • ■ ■ ■ ■ ■ ■
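--- /dev/null
+++ b/.github/scripts/secondkey.txt
@@ -0,0 +1,2 @@
+GsJy3Ko=9Aplb6tUA=2hYby7
+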
  • ■ ■ ■ ■ ■ ■
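--- /dev/null
+++ b/.github/scripts/thirdkey.txt
@@ -0,0 +1,2 @@
+NY6u6RObCYuu5wm2X4/pQkP4kGaonuHGsVoJAC/r16c=
+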
  • ■ ■ ■ ■ ■ ■
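--- a/.gitignore
+++ b/.gitignore
@@ -57,13 +57,13 @@
 azure/k8s/pod-id.yml
 
 # Challenge 12 ;-)
-.github/scripts/yourkey.txt
+# .github/scripts/yourkey.txt
 
 # Challenge 16
-.github/scripts/secondkey.txt
+# .github/scripts/secondkey.txt
 
 # Challenge 17
-.github/scripts/thirdkey.txt
+# .github/scripts/thirdkey.txt
 
 yourkey.txt
 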
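Review bot: Un-ignoring `.github/scripts/yourkey.txt` on new line 60 has no effect as far as this hunk shows, because the unanchored pattern `yourkey.txt` kept at line 68 still matches that file at any depth, so the Challenge 12 key stays ignored while the Challenge 16 and 17 keys added by this commit become tracked. If that asymmetry is intended, the Challenge 12 comment should say so; if not, line 68 has to go or be anchored to the repository root, e.g. `/yourkey.txt`. Commenting the rules out instead of deleting them also leaves the file reading as if the keys were still protected; a one-line explanation such as `# the challenge key files below are committed on purpose as puzzle material` would make the intent explicit to the next reader.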
  • ■ ■ ■ ■ ■ ■
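--- a/aws/.terraform.lock.hcl
+++ b/aws/.terraform.lock.hcl
@@ -65,21 +65,21 @@
 }
 
 provider "registry.terraform.io/hashicorp/kubernetes" {
- version = "2.18.1"
+ version = "2.20.0"
 constraints = ">= 2.10.0"
 hashes = [
- "h1:y4VED+vsulAqE7YbQC7x1XXrzvi/dEIjupttSyzSA/M=",
- "zh:09d69d244f5e688d9b1582112aa5d151c5336278e43d39c88ae920c26536b753",
- "zh:0df4c988056f7d84d9161c6c955ad7346364c261d100ef510a6cc7fa4a235197",
- "zh:2d3d0cb2931b6153a7971ce8c6fae92722b1116e16f42abbaef115dba895c8d8",
- "zh:47830e8fc1760860bfa4aaf418627ff3c6ffcac6cebbbc490e5e0e6b31287d80",
- "zh:49467177b514bada0fb3b6982897a347498af8ef9ef8d9fd611fe21dfded2e25",
- "zh:5c7eae2c51ba175822730a63ad59cf41604c76c46c5c97332506ab42023525ce",
- "zh:6efae755f02df8ab65ce7a831f33bd4817359db205652fd4bc4b969302072b15",
- "zh:7e6e97b79fecd25aaf0f4fb91da945a65c36fe2ba2a4313288a60ede55506aad",
- "zh:b75f2c9dd24b355ffe73e7b2fcd3145fc32735068f0ec2eba2df63f792dd16e8",
- "zh:dbef9698d842eb49a846db6d7694f159ae5154ffbb7a753a9d4cab88c462a6d4",
- "zh:f1b1fd580d92eedd9c8224d463997ccff1a62851fea65106aac299efe9ab622a",
+ "h1:E7VAZorKe5oXn6h1nxP3ROwWNiQSrZlTawzix1sh8kM=",
+ "zh:30bc224c94d2c90a7d44554f2ad30e3b62c7ffc6ddb7d4fd31b9acafb8b5ad77",
+ "zh:3903cc9f0c3169a24265c4920d925ed7e37cbc4312237b29bd5b4ddcd6bdc535",
+ "zh:512240f6dad36c0116a8717487a4ea12a6b4191028782c5b6749037892e2c6ed",
+ "zh:57d5f77dcde7781803b465205aec3507780bfaa77031f5b893ae7cbebd4789b6",
+ "zh:6274ab8c3b59634c344c337218223640e9d954996b9299587ca924e4dfb77aa4",
+ "zh:6d838a25f3e3c696cf894f0adb44b41b461a2c76f914f1ae2c318ccbb1ec4e36",
+ "zh:92f09e3e03311c4e24601b704d85de57677f49e29f42cc3479fafa68f5de300a",
+ "zh:abb3cd606e485a46c076d6f60d37b5e5ecaa128c0150c8235627b484f2fac902",
+ "zh:afc07f5c0d7ce2cc907600e4f87a1290203a36221951e19e5d3f1409a0502377",
+ "zh:d9c01e4f12fabf5d6d9d11ceb409585b71c2abcad478496446de6ff18bbf2f5f",
+ "zh:f40faba2269184b305f229503945400ed6eeafec7ac395c23f243bccab7b11b2",
 "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
 ]
 }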
  • ■ ■ ■ ■ ■ ■
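--- /dev/null
+++ b/aws/shared-state/.terraform.lock.hcl
@@ -0,0 +1,26 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "4.67.0"
+ constraints = "~> 4.0"
+ hashes = [
+ "h1:5Zfo3GfRSWBaXs4TGQNOflr1XaYj6pRnVJLX5VAjFX4=",
+ "zh:0843017ecc24385f2b45f2c5fce79dc25b258e50d516877b3affee3bef34f060",
+ "zh:19876066cfa60de91834ec569a6448dab8c2518b8a71b5ca870b2444febddac6",
+ "zh:24995686b2ad88c1ffaa242e36eee791fc6070e6144f418048c4ce24d0ba5183",
+ "zh:4a002990b9f4d6d225d82cb2fb8805789ffef791999ee5d9cb1fef579aeff8f1",
+ "zh:559a2b5ace06b878c6de3ecf19b94fbae3512562f7a51e930674b16c2f606e29",
+ "zh:6a07da13b86b9753b95d4d8218f6dae874cf34699bca1470d6effbb4dee7f4b7",
+ "zh:768b3bfd126c3b77dc975c7c0e5db3207e4f9997cf41aa3385c63206242ba043",
+ "zh:7be5177e698d4b547083cc738b977742d70ed68487ce6f49ecd0c94dbf9d1362",
+ "zh:8b562a818915fb0d85959257095251a05c76f3467caa3ba95c583ba5fe043f9b",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9c385d03a958b54e2afd5279cd8c7cbdd2d6ca5c7d6a333e61092331f38af7cf",
+ "zh:b3ca45f2821a89af417787df8289cb4314b273d29555ad3b2a5ab98bb4816b3b",
+ "zh:da3c317f1db2469615ab40aa6baba63b5643bae7110ff855277a1fb9d8eb4f2c",
+ "zh:dc6430622a8dc5cdab359a8704aec81d3825ea1d305bbb3bbd032b1c6adfae0c",
+ "zh:fac0d2ddeadf9ec53da87922f666e1e73a603a611c57bcbc4b86ac2821619b1d",
+ ]
+}
+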
  • ■ ■ ■ ■
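--- a/aws/shared-state/README.md
+++ b/aws/shared-state/README.md
@@ -13,7 +13,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.67.0 |
 
 ## Modules
 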
  • ■ ■ ■ ■ ■ ■
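--- a/cypress/e2e/challenges.cy.js
+++ b/cypress/e2e/challenges.cy.js
@@ -1,4 +1,5 @@
 import ChallengesPage from '../pages/challengesPage'
+import HomePage from '../pages/homePage'
 const challengesPage = new ChallengesPage()
 
 describe('Challenge Tests', () => {
@@ -87,6 +88,17 @@
 cy.dataCy(ChallengesPage.SUBMIT_TEXTBOX_BTN).click()
 cy.dataCy(ChallengesPage.SUCCESS_ALERT).should('contain', 'Your answer is correct!')
 cy.dataCy(ChallengesPage.PROGRESS_BAR).should('be.visible').should('not.have.attr', 'aria-valuenow', '0')
+ })
+
+ it('Submitting right answer gives visual cue on homepage that the challenge is successfully solved', () => {
+ cy.visit('/challenge/0')
+ cy.dataCy(ChallengesPage.ANSWER_TEXTBOX).type('The first answer')
+ cy.dataCy(ChallengesPage.SUBMIT_TEXTBOX_BTN).click()
+ cy.visit('/')
+ cy.dataCy(HomePage.CHALLENGE_TABLE_ROW).first().should('have.class', 'solved')
+ cy.dataCy(HomePage.CHALLENGE_0_COMPLETED).should('exist')
+ cy.dataCy(HomePage.TOTAL_SCORE).scrollIntoView()
+ cy.dataCy(HomePage.TOTAL_SCORE).should('contain', '100')
 })
 })
 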
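Review bot: The score assertion on new line 101, `should('contain', '100')`, is a substring match, so it also passes for 1000 or 1100; the scorecard it reads is kept server-side (see `InMemoryScoreCard`) and is not reset between tests in a run, so once any other spec solves a second challenge this test keeps passing for the wrong reason. Pinning the rendered text, `cy.dataCy(HomePage.TOTAL_SCORE).should('have.text', 'Total score: 100')`, states the intended value; alternatively read the score before solving and assert the delta. The `.first()` on line 98 also presumes challenge 0 is always the first row of the table, which holds only while the ordering of `challenges` stays stable — a one-line comment saying so would save the next person a puzzled debugging session.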
  • ■ ■ ■ ■ ■ ■
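--- /dev/null
+++ b/cypress/pages/homePage.js
@@ -0,0 +1,7 @@
+export default class HomePage {
+ static CHALLENGE_TABLE = 'challenge-overview'
+ static CHALLENGE_TABLE_ROW = 'challenge-row'
+ static CHALLENGE_0_COMPLETED = '"challenge 0_completed-link"'
+ static TOTAL_SCORE = 'total-score'
+}
+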
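Review bot: `CHALLENGE_0_COMPLETED` on line 4 embeds literal double quotes inside the string, which reads like a typo; presumably it is needed because the label carries a space (it comes from `ChallengeUI.getDataLabel()`, which lower-cases `getName()`) and `cy.dataCy` — not shown here — interpolates the value unquoted into a `[data-cy=...]` selector, whereas the other three constants have no space and need none. That reasoning belongs next to the line, e.g. `// quoted on purpose: the label contains a space and dataCy() interpolates it unquoted into [data-cy=...]`. A more robust alternative is to quote inside `dataCy()` itself so page objects hold plain attribute values.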
  • ■ ■ ■ ■ ■ ■
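--- a/src/main/java/org/owasp/wrongsecrets/InMemoryScoreCard.java
+++ b/src/main/java/org/owasp/wrongsecrets/InMemoryScoreCard.java
@@ -1,6 +1,8 @@
 package org.owasp.wrongsecrets;
 
+import java.util.ArrayList;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 import org.owasp.wrongsecrets.challenges.Challenge;
 
@@ -34,6 +36,15 @@
 return solvedChallenges.stream()
 .map(challenge -> challenge.difficulty() * (100 + (challenge.difficulty() - 1) * 25))
 .reduce(0, Integer::sum);
+ }
+
+ @Override
+ public List<String> getCompletedChallenges() {
+ List<String> completed = new ArrayList<>();
+ for (Challenge challenge : solvedChallenges) {
+ completed.add(challenge.getNumber());
+ }
+ return completed;
 }
 
 @Override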
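Review bot: `getCompletedChallenges()` on new lines 42-47 copies the `solvedChallenges` set (declared outside this hunk, a `HashSet` per the import) into a list, so the order of the returned numbers is whatever the set happens to yield and is not stable across runs; neither this method nor the interface says so. The neighbouring `getTotalReceivedPoints()` already streams the same set, so `return solvedChallenges.stream().map(Challenge::getNumber).toList();` (or `.collect(Collectors.toList())` with its import on Java below 16) would be the consistent form and drop the manual loop. Whichever form stays, a why-comment such as `// order follows the underlying Set and is not guaranteed` keeps callers from relying on it.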
  • ■ ■ ■ ■ ■ ■
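--- a/src/main/java/org/owasp/wrongsecrets/IndexController.java
+++ b/src/main/java/org/owasp/wrongsecrets/IndexController.java
@@ -1,8 +1,11 @@
 package org.owasp.wrongsecrets;
 
+import com.google.common.base.Strings;
 import io.swagger.v3.oas.annotations.Operation;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
 
 /** Controller used to return the dynamic data for the welcome screen. */
@@ -10,9 +13,25 @@
 @Slf4j
 public class IndexController {
 
+ private final ScoreCard scoreCard;
+
+ private final String ctfServerAddress;
+
+ public IndexController(
+ ScoreCard scoreCard, @Value("${CTF_SERVER_ADDRESS}") String ctfServerAddress) {
+ this.scoreCard = scoreCard;
+ this.ctfServerAddress = ctfServerAddress;
+ }
+
 @GetMapping("/")
 @Operation(description = "Returns all dynamic data for the welcome screen")
- public String index() {
+ public String index(Model model) {
+ if ((!"not_set".equals(ctfServerAddress)) && !Strings.isNullOrEmpty(ctfServerAddress)) {
+ model.addAttribute("ctfServerAddress", ctfServerAddress);
+ } else {
+ model.addAttribute("totalScore", scoreCard.getTotalReceivedPoints());
+ }
+
 return "welcome";
 }
 }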
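Review bot: `@Value("${CTF_SERVER_ADDRESS}")` on new line 21 carries no default, so the context fails to start when the property is absent unless a default is declared elsewhere (not visible here); the `"not_set"` sentinel compared on line 29 suggests such a default exists, and `@Value("${CTF_SERVER_ADDRESS:not_set}")` would make the controller self-contained and the contract visible at the point of use. The two-part condition on line 29 deserves a name and a why-comment, e.g. `/** CTF mode is on when an address is configured and is not the "not_set" placeholder. */ private boolean ctfModeEnabled() { return !Strings.isNullOrEmpty(ctfServerAddress) && !"not_set".equals(ctfServerAddress); }`, with `index()` branching on it. The configured address is rendered on the welcome page through `th:text`, which Thymeleaf HTML-escapes, so it cannot inject markup as long as the value stays operator-controlled; worth stating in a comment so nobody later switches it to `th:utext`.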
  • ■ ■ ■ ■ ■ ■
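--- a/src/main/java/org/owasp/wrongsecrets/ScoreCard.java
+++ b/src/main/java/org/owasp/wrongsecrets/ScoreCard.java
@@ -1,5 +1,6 @@
 package org.owasp.wrongsecrets;
 
+import java.util.List;
 import org.owasp.wrongsecrets.challenges.Challenge;
 
 /** Interface of a scorecard where a player's progress is stored into. */
@@ -33,6 +34,13 @@
 * @return int with points
 */
 int getTotalReceivedPoints();
+
+ /**
+ * Gives all completed challenges
+ *
+ * @return Set of ints
+ */
+ List<String> getCompletedChallenges();
 
 /**
 * Resets the status of a given challenge its entry in the score-card.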
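Review bot: The new javadoc on line 41 says `@return Set of ints`, but the method on line 43 returns `List<String>`, so the comment is wrong about both the container and the element type and will mislead implementors of the interface. Suggest `* Gives the numbers of all solved challenges.` for the summary and `* @return list of challenge numbers (as produced by Challenge#getNumber); ordering is implementation-defined` for the tag, the latter because the only implementation in this commit copies them out of a hash set. The interface continues outside the hunk.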
  • ■ ■ ■ ■ ■ ■
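--- a/src/main/java/org/owasp/wrongsecrets/challenges/Challenge.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/Challenge.java
@@ -113,5 +113,14 @@
 public String getReason() {
 return this.getClass().getSimpleName().toLowerCase() + "_reason";
 }
+
+ /**
+ * Returns the number of the challenge extracted from the classname
+ *
+ * @return int of the challenge
+ */
+ public String getNumber() {
+ return this.getClass().getSimpleName().replaceAll("[^0-9]", "");
+ }
 }
 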
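Review bot: The javadoc on new line 120 says `@return int of the challenge`, but `getNumber()` returns a `String`, and `replaceAll("[^0-9]", "")` on line 123 keeps every digit of the simple class name rather than one number: it yields `""` for a class with no digit, and it would concatenate unrelated digits if the runtime class ever carried a suffix — a CGLIB proxy named like `Challenge1$$SpringCGLIB$$0` would read as "10". `getReason()` on line 113 relies on the same plain-class-name assumption, so this is an existing project convention rather than a new risk, but it should be written down: `* @return the digits of the concrete class's simple name as a String (e.g. "12" for Challenge12); assumes challenge classes are not proxied and carry exactly one number`. The class begins outside the hunk.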
  • ■ ■ ■ ■ ■ ■
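--- a/src/main/java/org/owasp/wrongsecrets/challenges/ChallengeUI.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/ChallengeUI.java
@@ -146,6 +146,33 @@
 }
 
 /**
+ * Used to setup the label for the link to the challenge on the homescreen return "challenge
+ * 1(_disabled)(_solveD)-link"
+ *
+ * @return label
+ */
+ public String getDataLabel() {
+ String label = getName().trim().toLowerCase();
+ if (!this.isChallengeEnabled()) {
+ label = label + "_disabled";
+ }
+ if (challengeCompleted()) {
+ label = label + "_completed";
+ }
+ label = label + "-link";
+ return label;
+ }
+
+ /**
+ * Used to return whether the challenge is completed or not
+ *
+ * @return boolean
+ */
+ public boolean challengeCompleted() {
+ return challenge.getScoreCard().getChallengeCompleted(challenge);
+ }
+
+ /**
 * Returns the difficulty level in stars, for example for level NORMAL it will return "☆☆".
 *
 * @return stars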
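Review bot: The javadoc on new lines 149-150 says the label ends in `(_solveD)-link`, but the code on line 160 appends `_completed`, which is also the value `cypress/pages/homePage.js` selects on; the comment should read `* Builds the data-cy label for the challenge link on the home screen, e.g. "challenge 1(_disabled)(_completed)-link".` so the doc and the selector agree. On line 155 `toLowerCase()` uses the JVM default locale, so the generated attribute value — and with it every test selector — depends on the host locale if a name ever contains an `I`; `String label = getName().trim().toLowerCase(Locale.ROOT);` removes that dependency (needs `java.util.Locale`; the import block is outside this hunk). The class begins and ends outside the hunk.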
  • ■ ■ ■ ■ ■
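--- a/src/main/resources/static/css/style.css
+++ b/src/main/resources/static/css/style.css
@@ -34,3 +34,8 @@
 border-bottom: 1px solid var(--bs-gray-300);
 }
 
+tr.solved {
+ --bs-success-soft: rgba(0, 188, 140, 0.5);
+ background-color: var(--bs-success-soft) !important;
+}
+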
  • ■ ■ ■ ■ ■ ■
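--- a/src/main/resources/templates/welcome.html
+++ b/src/main/resources/templates/welcome.html
@@ -1,173 +1,225 @@
-<html xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" xmlns:th="http://www.thymeleaf.org"
- layout:decorate="~{index.html}">
-<body>
-
-<div layout:fragment="content">
- <div class="container-fluid mt-3 text-sm p-4 bg-light">
- <div class="display-5">Welcome</div>
- <p class="lead">Welcome to OWASP WrongSecrets. With this app, we hope you will re-evaluate your secrets
- management
- strategy.</p>
- <hr class="my-2 my-lg-3">
- <p>For each of the challenges below: try to find the secret! Enter it in the `Answer to solution` box and
- score points! Note that some challenges require this app to run on additional infrastructure (see in the
- table below).
- </p>
- </div>
- <div class="container-fluid text-sm p-2 p-lg-3">
- <div class="row">
- <div class="col-12 col-lg-7">
- <table class="table table-responsive" id="challenge_overview">
- <thead>
- <tr>
- <th scope="col" class="d-none d-xl-table-cell">#</th>
- <th scope="col">&nbsp;Challenge&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</th>
- <th scope="col">Focus&nbsp;&nbsp;&nbsp;</th>
- <th scope="col" class="d-none d-md-table-cell">Difficulty&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</th>
- <th scope="col"
- th:text="'Runs on environment (current: '+${#strings.replace(environment,'_',' _')}+')'"></th>
- </tr>
- </thead>
- <tbody>
- <tr th:each="challenge: ${challenges}">
- <th scope="row" class="d-none d-xl-table-cell" th:text="${challenge.link}"></th>
- <td>&nbsp;<a th:href="@{/challenge} + '/' + ${challenge.link}"
- th:class="${challenge.isChallengeEnabled} ? '' : 'disabled'"
- th:attr="data-cy=${#strings.toLowerCase(challenge.name)} + '-link'"><span
- th:text="${challenge.name}"
- th:remove="tag"></span></a></td>
- <td th:text="${challenge.tech}"></td>
- <td class="d-none d-md-table-cell" th:text="${challenge.starsOnScale}">
- </td>
- <th:block th:if="${challenge.requiredEnv} == 'DOCKER'">
- <td class="" >Docker</td>
- </th:block>
- <th:block th:if="${challenge.requiredEnv} == 'K8S'">
- <td class="" >K8S</td>
- </th:block>
- <th:block th:if="${challenge.requiredEnv} == 'VAULT'">
- <td class="" >K8S with Vault</td>
- </th:block>
- <th:block
- th:if="${challenge.requiredEnv} == 'AWS' or ${challenge.requiredEnv} == 'GCP' or ${challenge.requiredEnv} == 'AZURE'">
- <td class="" >AWS, GCP, Azure</td>
- </th:block>
- </tr>
- </tbody>
- </table>
-
-
- <!-- <p th:text="'You are currently running on the following environment: '+${environment}"></p>-->
- <p>Hasty? Here is the Vault <a href="spoil-7">secret;-)</a></p>
-
-
+<html
+ xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
+ xmlns:th="http://www.thymeleaf.org"
+ layout:decorate="~{index.html}"
+>
+ <body>
+ <div layout:fragment="content">
+ <div class="container-fluid mt-3 text-sm p-4 bg-light">
+ <div class="display-5">Welcome</div>
+ <p class="lead">
+ Welcome to OWASP WrongSecrets. With this app, we hope you will re-evaluate your secrets management
+ strategy.
+ </p>
+ <hr class="my-2 my-lg-3" />
+ <p>
+ For each of the challenges below: try to find the secret! Enter it in the `Answer to solution` box
+ and score points! Note that some challenges require this app to run on additional infrastructure
+ (see in the table below).
+ </p>
 </div>
- <div class="col-12 col-lg-4 offset-lg-1">
- <div class="border border-dark thank-you text-center">
- Like what you see? Please <br/>
- <a class="github-button"
- href="https://github.com/OWASP/wrongsecrets"
- data-icon="octicon-star"
- data-size="large"
- data-color-scheme="dark: light;"
- data-show-count="true"
- aria-label="Star commjoen/wrongsecrets on GitHub">Star us on Github</a>
- </div>
- <div class="border border-dark thank-you">
- OWASP Project Leaders:
- <ul>
- <li><a href="https://github.com/bendehaan">Ben de Haan @bendehaan</a></li>
- <li><a href="https://github.com/commjoen">Jeroen willemsen @commjoen</a></li>
- </ul>
- Top Contributors:
- <ul>
- <li><a href="https://github.com/nbaars">Nanne Baars @nbaars</a></li>
- <li><a href="https://github.com/MarcinNowak-codes">Marcin Nowak @MarcinNowak-codes</a></li>
- <li><a href="https://github.com/remakingeden">Joss Sparkes @remakingeden</a></li>
- <li><a href="https://github.com/tiborhercz">Tibor Hercz @tiborhercz</a></li>
- <li><a href="https://github.com/neatzsche">Chris Elbring Jr. @neatzsche</a>
- <li><a href="https://github.com/puneeth072003">Puneeth Y @puneeth072003</a>
- <li><a href="https://github.com/mikewoudenberg">Mike Woudenberg @mikewoudenberg</a></li>
- <li><a href="https://github.com/Novice-expert">Divyanshu Dev @Novice-expert</a></li>
- <li><a href="https://github.com/fchyla">Filip Chyla @fchyla</a></li>
- <li><a href="https://github.com/Dlitosh">Dmitry Litosh @Dlitosh</a></li>
- <li><a href="https://github.com/tghosth">Josh Grossman @tghosth</a></li>
- <li><a href="https://github.com/turjoc120">Turjo Chowdhury @turjoc120</a></li>
- <li><a href="https://github.com/northdpole">Spyros @northdpole</a></li>
- <li><a href="https://github.com/RubenAtBinx">Ruben Kruiver @RubenAtBinx</a></li>
- <li><a href="https://github.com/szh">Shlomo Zalman Heigh @szhx</a></li>
- <li><a href="https://github.com/nhumblot">Nicolas Humblot @nhumblot</a></li>
- <li><a href="https://github.com/madhuakula">Madhu Akula @madhuakula</a></li>
- <li><a href="https://github.com/alex-bender">Alex Bender @alex-bender</a></li>
- <li><a href="https://github.com/f3rn0s">Finn @f3rn0s</a></li>
- <li><a href="https://github.com/kingthorin">Rick M @kingthorin</a></li>
- </ul>
- Testers:
- <ul>
- <li><a href="https://github.com/davevs">Dave van Stein @davevs</a></li>
- <li><a href="https://github.com/MarcinNowak-codes">Marcin Nowak @MarcinNowak-codes</a></li>
- <li><a href="https://github.com/mchangsp">Marc Chang Sing Pang @mchangsp</a></li>
- </ul>
- Special mentions for helping out:
- <ul>
- <li><a href="https://github.com/madhuakula">Madhu Akula @madhuakula</a></li>
- <li><a href="https://github.com/bkimminich">Björn Kimminich @bkimminich</a></li>
- <li><a href="https://github.com/saragluna">Xiaolu Dai @saragluna</a></li>
- <li><a href="https://github.com/JonathanGiles">Jonathan Giles @jonathanGiles</a></li>
- </ul>
- </div>
- <div class="border border-dark thank-you text-center">
- Developing our solution in 3 clouds costs money. Want to help us to cover our cloud bills?
- <a href="https://owasp.org/donate/?reponame=www-project-wrongsecrets&title=OWASP+wrongsecrets" target="_blank">Donate</a>.
- </div>
- </div>
- <div class="col-12 col-lg-7">
- <div class="border border-dark thank-you">
- Resources/further reading on secrets management:<br/>
- <ul>
- <li><a href="https://dev.to/commjoen/secure-deployment-10-pointers-on-secrets-management-187j">Blog:
- 10 Pointers on Secrets Management</a></li>
- <li><a href="https://owaspsamm.org/model/implementation/secure-deployment/stream-b/">OWASP SAMM
- on Secret Management</a></li>
- <li><a href="https://github.com/topics/secrets-detection">The secret detection topic at
- Github</a></li>
- <li><a
- href="https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Secrets_Management_Cheat_Sheet.md">OWASP
- Secretsmanagement Cheatsheet</a></li>
- <li><a
- href="https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F&trk=flagship-messaging-web&messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==&lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w==">Open
- CRE on Secrets Management</a></li>
- </ul>
- </div>
- </div>
- <div class="col-12 col-lg-7">
- <div class="border border-dark thank-you">
- Wondering what a secret is? A secret is often a confidential piece of information that is required
- to unlock certain functionalities or information.
- It can exists in many shapes or forms, for instance:
- <ul>
- <li>2FA keys</li>
- <li>Activation/Callback links</li>
- <li>API keys</li>
- <li>Credentials</li>
- <li>Passwords</li>
- <li>Private keys (decryption, signing, TLS, SSH, GPG)</li>
- <li>Secret keys (symmetric encryption, HMAC)</li>
- <li>Session cookies</li>
- <li>Tokens (Session, Refresh, Authentication, Activation, etc.)</li>
- </ul>
- </div>
- </div>
- <div class="col-12 col-lg-7">
- <div class="border border-dark thank-you">
- Want to see if your tool of choice detects all the secrets available in this project? <a
- href="https://github.com/OWASP/wrongsecrets/#use-owasp-wrongsecrets-as-a-secret-detection-benchmark">Check
- the instructions in the README</a>.
+ <div class="container-fluid text-sm p-2 p-lg-3">
+ <div class="row">
+ <div class="col-12 col-lg-7">
+ <table class="table table-responsive" id="challenge_overview" data-cy="challenge-overview">
+ <thead>
+ <tr>
+ <th scope="col" class="d-none d-xl-table-cell">#</th>
+ <th scope="col">&nbsp;Challenge&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</th>
+ <th scope="col">Focus&nbsp;&nbsp;&nbsp;</th>
+ <th scope="col" class="d-none d-md-table-cell">
+ Difficulty&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
+ </th>
+ <th
+ scope="col"
+ th:text="'Runs on environment (current: '+${#strings.replace(environment,'_',' _')}+')'"
+ ></th>
+ <th scope="col" class="d-none d-xl-table-cell">Solved</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr
+ th:each="challenge: ${challenges}"
+ th:class="${challenge.challengeCompleted} ? solved : ''"
+ data-cy="challenge-row" >
+ <th scope="row" class="d-none d-xl-table-cell" th:text="${challenge.link}"></th>
+ <td>
+ &nbsp;<span
+ class="d-xl-none"
+ th:if="${challenge.challengeCompleted}"
+ >&#9745; </span>
+ <a th:href="'/challenge/' + ${challenge.link}" th:class="${challenge.isChallengeEnabled} ? '' : 'disabled'">
+ <span th:text="${challenge.name}" th:attr="data-cy=${challenge.getDataLabel}"></span>
+ </a>
+ </td>
+ <td th:text="${challenge.tech}"></td>
+ <td class="d-none d-md-table-cell" th:text="${challenge.starsOnScale}"></td>
+ <th:block th:if="${challenge.requiredEnv} == 'DOCKER'">
+ <td class="">Docker</td>
+ </th:block>
+ <th:block th:if="${challenge.requiredEnv} == 'K8S'">
+ <td class="">K8S</td>
+ </th:block>
+ <th:block th:if="${challenge.requiredEnv} == 'VAULT'">
+ <td class="">K8S with Vault</td>
+ </th:block>
+ <th:block
+ th:if="${challenge.requiredEnv} == 'AWS' or ${challenge.requiredEnv} == 'GCP' or ${challenge.requiredEnv} == 'AZURE'"
+ >
+ <td class="">AWS, GCP, Azure</td>
+ </th:block>
+ <td class="d-none d-xl-table-cell">
+ <span
+ th:if="${challenge.challengeCompleted}"
+ >&#9745;</span
+ >
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ <p th:if="${ctfServerAddress == null}" th:text="'Total score: '+${totalScore}" th:attr="data-cy='total-score'"></p>
+ <p
+ th:if="${ctfServerAddress != null}"
+ th:text="'Scoring and progress keeping is disabled in CTF mode, have a look at '+${ctfServerAddress}+' for your actual score and progress'"
+ ></p>
+ <!-- <p th:text="'You are currently running on the following environment: '+${environment}"></p>-->
+ <p>Hasty? Here is the Vault <a href="spoil-7">secret;-)</a></p>
+ </div>
+ <div class="col-12 col-lg-4 offset-lg-1">
+ <div class="border border-dark thank-you text-center">
+ Like what you see? Please <br />
+ <a
+ class="github-button"
+ href="https://github.com/OWASP/wrongsecrets"
+ data-icon="octicon-star"
+ data-size="large"
+ data-color-scheme="dark: light;"
+ data-show-count="true"
+ aria-label="Star commjoen/wrongsecrets on GitHub"
+ >Star us on Github</a
+ >
+ </div>
+ <div class="border border-dark thank-you">
+ OWASP Project Leaders:
+ <ul>
+ <li><a href="https://github.com/bendehaan">Ben de Haan @bendehaan</a></li>
+ <li><a href="https://github.com/commjoen">Jeroen willemsen @commjoen</a></li>
+ </ul>
+ Top Contributors:
+ <ul>
+ <li><a href="https://github.com/nbaars">Nanne Baars @nbaars</a></li>
+ <li>
+ <a href="https://github.com/MarcinNowak-codes">Marcin Nowak @MarcinNowak-codes</a>
+ </li>
+ <li><a href="https://github.com/remakingeden">Joss Sparkes @remakingeden</a></li>
+ <li><a href="https://github.com/tiborhercz">Tibor Hercz @tiborhercz</a></li>
+ <li><a href="https://github.com/neatzsche">Chris Elbring Jr. @neatzsche</a></li>
+ <li><a href="https://github.com/puneeth072003">Puneeth Y @puneeth072003</a></li>
+ <li><a href="https://github.com/mikewoudenberg">Mike Woudenberg @mikewoudenberg</a></li>
+ <li><a href="https://github.com/Novice-expert">Divyanshu Dev @Novice-expert</a></li>
+ <li><a href="https://github.com/fchyla">Filip Chyla @fchyla</a></li>
+ <li><a href="https://github.com/Dlitosh">Dmitry Litosh @Dlitosh</a></li>
+ <li><a href="https://github.com/tghosth">Josh Grossman @tghosth</a></li>
+ <li><a href="https://github.com/turjoc120">Turjo Chowdhury @turjoc120</a></li>
+ <li><a href="https://github.com/northdpole">Spyros @northdpole</a></li>
+ <li><a href="https://github.com/RubenAtBinx">Ruben Kruiver @RubenAtBinx</a></li>
+ <li><a href="https://github.com/szh">Shlomo Zalman Heigh @szhx</a></li>
+ <li><a href="https://github.com/nhumblot">Nicolas Humblot @nhumblot</a></li>
+ <li><a href="https://github.com/madhuakula">Madhu Akula @madhuakula</a></li>
+ <li><a href="https://github.com/alex-bender">Alex Bender @alex-bender</a></li>
+ <li><a href="https://github.com/f3rn0s">Finn @f3rn0s</a></li>
+ <li><a href="https://github.com/kingthorin">Rick M @kingthorin</a></li>
+ </ul>
+ Testers:
+ <ul>
+ <li><a href="https://github.com/davevs">Dave van Stein @davevs</a></li>
+ <li>
+ <a href="https://github.com/MarcinNowak-codes">Marcin Nowak @MarcinNowak-codes</a>
+ </li>
+ <li><a href="https://github.com/mchangsp">Marc Chang Sing Pang @mchangsp</a></li>
+ </ul>
+ Special mentions for helping out:
+ <ul>
+ <li><a href="https://github.com/madhuakula">Madhu Akula @madhuakula</a></li>
+ <li><a href="https://github.com/bkimminich">Björn Kimminich @bkimminich</a></li>
+ <li><a href="https://github.com/saragluna">Xiaolu Dai @saragluna</a></li>
+ <li><a href="https://github.com/JonathanGiles">Jonathan Giles @jonathanGiles</a></li>
+ </ul>
+ </div>
+ <div class="border border-dark thank-you text-center">
+ Developing our solution in 3 clouds costs money. Want to help us to cover our cloud bills?
+ <a
+ href="https://owasp.org/donate/?reponame=www-project-wrongsecrets&title=OWASP+wrongsecrets"
+ target="_blank"
+ >Donate</a
+ >.
+ </div>
+ </div>
+ <div class="col-12 col-lg-7">
+ <div class="border border-dark thank-you">
+ Resources/further reading on secrets management:<br />
+ <ul>
+ <li>
+ <a
+ href="https://dev.to/commjoen/secure-deployment-10-pointers-on-secrets-management-187j"
+ >Blog: 10 Pointers on Secrets Management</a
+ >
+ </li>
+ <li>
+ <a href="https://owaspsamm.org/model/implementation/secure-deployment/stream-b/"
+ >OWASP SAMM on Secret Management</a
+ >
+ </li>
+ <li>
+ <a href="https://github.com/topics/secrets-detection"
+ >The secret detection topic at Github</a
+ >
+ </li>
+ <li>
+ <a
+ href="https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Secrets_Management_Cheat_Sheet.md"
+ >OWASP Secretsmanagement Cheatsheet</a
+ >
+ </li>
+ <li>
+ <a
+ href="https://www.opencre.org/cre/223-780?register=true&type=tool&tool_type=training&tags=secrets,training&description=With%20this%20app%2C%20we%20have%20packed%20various%20ways%20of%20how%20to%20not%20store%20your%20secrets.%20These%20can%20help%20you%20to%20realize%20whether%20your%20secret%20management%20is%20ok.%20The%20challenge%20is%20to%20find%20all%20the%20different%20secrets%20by%20means%20of%20various%20tools%20and%20techniques.%20Can%20you%20solve%20all%20the%2014%20challenges%3F&trk=flagship-messaging-web&messageThreadUrn=urn:li:messagingThread:2-YmRkNjRkZTMtNjRlYS00OWNiLWI2YmUtMDYwNzY3ZjI1MDcyXzAxMg==&lipi=urn:li:page:d_flagship3_feed;J58Sgd80TdanpKWFMH6z+w=="
+ >Open CRE on Secrets Management</a
+ >
+ </li>
+ </ul>
+ </div>
+ </div>
+ <div class="col-12 col-lg-7">
+ <div class="border border-dark thank-you">
+ Wondering what a secret is? A secret is often a confidential piece of information that is
+ required to unlock certain functionalities or information. It can exists in many shapes or
+ forms, for instance:
+ <ul>
+ <li>2FA keys</li>
+ <li>Activation/Callback links</li>
+ <li>API keys</li>
+ <li>Credentials</li>
+ <li>Passwords</li>
+ <li>Private keys (decryption, signing, TLS, SSH, GPG)</li>
+ <li>Secret keys (symmetric encryption, HMAC)</li>
+ <li>Session cookies</li>
+ <li>Tokens (Session, Refresh, Authentication, Activation, etc.)</li>
+ </ul>
+ </div>
+ </div>
+ <div class="col-12 col-lg-7">
+ <div class="border border-dark thank-you">
+ Want to see if your tool of choice detects all the secrets available in this project?
+ <a
+ href="https://github.com/OWASP/wrongsecrets/#use-owasp-wrongsecrets-as-a-secret-detection-benchmark"
+ >Check the instructions in the README</a
+ >.
+ </div>
+ </div>
 </div>
 </div>
 </div>
- </div>
-</div>
-</body>
+ </body>
 </html>
 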
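--- /dev/null
+++ b/src/test/java/org/owasp/wrongsecrets/IndexControllerTest.java
@@ -0,0 +1,51 @@
+package org.owasp.wrongsecrets;
+
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+@ExtendWith(MockitoExtension.class)
+class IndexControllerTest {
+
+private MockMvc mvc;
+@Mock private ScoreCard scoreCard;
+
+@Test
+void disableScoringWhenAddressIsSet() throws Exception {
+var controller = new IndexController(scoreCard, "address");
+mvc = MockMvcBuilders.standaloneSetup(controller).build();
+mvc.perform(get("/"))
+.andExpect(status().isOk())
+.andExpect(model().attributeExists("ctfServerAddress"))
+.andExpect(model().attributeDoesNotExist("totalScore"));
+}
+
+@Test
+void enableScoringWhenAddressIsNotSet() throws Exception {
+var controller = new IndexController(scoreCard, "not_set");
+mvc = MockMvcBuilders.standaloneSetup(controller).build();
+mvc.perform(get("/"))
+.andExpect(status().isOk())
+.andExpect(model().attributeDoesNotExist("ctfServerAddress"))
+.andExpect(model().attributeExists("totalScore"));
+}
+
+@Test
+void shouldShowScoreAndChallengeWhenCompleted() throws Exception {
+when(scoreCard.getTotalReceivedPoints()).thenReturn(1000);
+var controller = new IndexController(scoreCard, "not_set");
+mvc = MockMvcBuilders.standaloneSetup(controller).build();
+mvc.perform(get("/"))
+.andExpect(status().isOk())
+.andExpect(model().attribute("totalScore", 1000));
+}
+}
+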
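Review bot: shouldShowScoreAndChallengeWhenCompleted (new lines 42-49) asserts only `model().attribute("totalScore", 1000)`; nothing checks that a completed challenge is rendered, so either the name overstates what is verified or an assertion on the challenge state is missing. The `when(scoreCard.getTotalReceivedPoints()).thenReturn(1000)` stub is the only stubbing in the class, so the first two tests rely on the mock's default return of 0 for the score; a one-line comment such as `// unstubbed mock returns 0 points, enough to exercise the address switch` would make that dependency explicit. As a point of style, `mvc` is a field rebuilt in every test; a local `var mvc = MockMvcBuilders.standaloneSetup(controller).build();` removes the shared mutable state without changing what is tested.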
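--- a/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFClientModeTest.java
+++ b/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFClientModeTest.java
@@ -71,24 +71,12 @@
 }
 
 @Test
-void shouldEnableK8sExercises() throws Exception {
+void shouldNotEnableK8sExercises() throws Exception {
 mvc.perform(get("/"))
 .andExpect(status().isOk())
-.andExpect(
-content()
-.string(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 5-link\">Challenge 5</a></td>")))
-.andExpect(
-content()
-.string(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 6-link\">Challenge 6</a></td>")))
-.andExpect(
-content()
-.string(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 7-link\">Challenge 7</a></td>")));
+.andExpect(content().string(containsString("challenge 5_disabled-link")))
+.andExpect(content().string(containsString("challenge 6_disabled-link")))
+.andExpect(content().string(containsString("challenge 7_disabled-link")));
 }
 
 @Test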
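Review bot: The new assertions (new lines 77-79) match the bare fragment `challenge 5_disabled-link` anywhere in the response body, whereas the removed string tied the disabled state to the link element via `class="disabled" data-cy=...`; presumably the template now emits this value as a data-cy attribute, and anchoring on that, e.g. `containsString("data-cy=\"challenge 5_disabled-link\"")`, keeps the check bound to the attribute rather than to any stray text. The same unanchored fragment is used in ChallengesControllerCTFModeTest, and in negated form in ChallengesControllerCTFModeWithPresetCloudValuesTest, ChallengesControllerCTFModeWithPresetK8sAndVaultValuesTest and ChallengesControllerCTFModeWithPresetK8sNoVaultValuesTest, where a `not(containsString(...))` passes vacuously if the data-cy naming in the template drifts from the fragment, so a shared constant for the attribute prefix would make any rename fail loudly across all five classes. The enclosing test class starts and ends outside the hunk.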
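--- a/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeTest.java
+++ b/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeTest.java
@@ -64,24 +64,12 @@
 }
 
 @Test
-void shouldEnableK8sExercises() throws Exception {
+void shouldNotEnableK8sExercises() throws Exception {
 mvc.perform(get("/"))
 .andExpect(status().isOk())
-.andExpect(
-content()
-.string(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 5-link\">Challenge 5</a></td>")))
-.andExpect(
-content()
-.string(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 6-link\">Challenge 6</a></td>")))
-.andExpect(
-content()
-.string(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 7-link\">Challenge 7</a></td>")));
+.andExpect(content().string(containsString("challenge 5_disabled-link")))
+.andExpect(content().string(containsString("challenge 6_disabled-link")))
+.andExpect(content().string(containsString("challenge 7_disabled-link")));
 }
 
 @Test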
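--- a/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetCloudValuesTest.java
+++ b/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetCloudValuesTest.java
@@ -125,52 +125,18 @@
 void shouldEnableCloudExerciseBut11() throws Exception {
 mvc.perform(get("/"))
 .andExpect(status().isOk())
-.andExpect(
-content()
-.string(
-not(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 9-link\">Challenge"
-+ " 9</a></td>"))))
-.andExpect(
-content()
-.string(
-not(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 10-link\">Challenge"
-+ " 10</a></td>"))))
-.andExpect(
-content()
-.string(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 11-link\">Challenge 11</a></td>")));
+.andExpect(content().string(not(containsString("challenge 9_disabled-link"))))
+.andExpect(content().string(not(containsString("challenge 10_disabled-link"))))
+.andExpect(content().string(containsString("challenge 11_disabled-link")));
 }
 
 @Test
 void shouldEnableK8sExercises() throws Exception {
 mvc.perform(get("/"))
 .andExpect(status().isOk())
-.andExpect(
-content()
-.string(
-not(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 5-link\">Challenge"
-+ " 5</a></td>"))))
-.andExpect(
-content()
-.string(
-not(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 6-link\">Challenge"
-+ " 6</a></td>"))))
-.andExpect(
-content()
-.string(
-not(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 7-link\">Challenge"
-+ " 7</a></td>"))));
+.andExpect(content().string(not(containsString("challenge 5_disabled-link"))))
+.andExpect(content().string(not(containsString("challenge 6_disabled-link"))))
+.andExpect(content().string(not(containsString("challenge 7_disabled-link"))));
 }
 }
 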
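--- a/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetK8sAndVaultValuesTest.java
+++ b/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetK8sAndVaultValuesTest.java
@@ -87,27 +87,9 @@
 void shouldEnableK8sAndVaultExercises() throws Exception {
 mvc.perform(get("/"))
 .andExpect(status().isOk())
-.andExpect(
-content()
-.string(
-not(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 5-link\">Challenge"
-+ " 5</a></td>"))))
-.andExpect(
-content()
-.string(
-not(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 6-link\">Challenge"
-+ " 6</a></td>"))))
-.andExpect(
-content()
-.string(
-not(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 7-link\">Challenge"
-+ " 7</a></td>"))));
+.andExpect(content().string(not(containsString("challenge 5_disabled-link"))))
+.andExpect(content().string(not(containsString("challenge 6_disabled-link>"))))
+.andExpect(content().string(not(containsString("challenge 7_disabled-link"))));
 }
 }
 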
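Review bot: The challenge-6 assertion at new line 91 carries a stray `>` — `not(containsString("challenge 6_disabled-link>"))` — which differs from the fragment form used on the neighbouring lines 90 and 92. Because the negated matcher only fails when the exact substring is present, and the rendered attribute value is presumably followed by a quote rather than `>`, this check cannot fail even if challenge 6 is rendered disabled, so the test silently asserts nothing about it. Drop the extra character: `.andExpect(content().string(not(containsString("challenge 6_disabled-link"))))`.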
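--- a/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetK8sNoVaultValuesTest.java
+++ b/src/test/java/org/owasp/wrongsecrets/ctftests/ChallengesControllerCTFModeWithPresetK8sNoVaultValuesTest.java
@@ -86,25 +86,9 @@
 void shouldEnableK8sButVaultExercises() throws Exception {
 mvc.perform(get("/"))
 .andExpect(status().isOk())
-.andExpect(
-content()
-.string(
-not(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 5-link\">Challenge"
-+ " 5</a></td>"))))
-.andExpect(
-content()
-.string(
-not(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 6-link\">Challenge"
-+ " 6</a></td>"))))
-.andExpect(
-content()
-.string(
-containsString(
-"class=\"disabled\" data-cy=\"challenge 7-link\">Challenge 7</a></td>")));
+.andExpect(content().string(not(containsString("challenge 5_disabled-link"))))
+.andExpect(content().string(not(containsString("challenge 6_disabled-link"))))
+.andExpect(content().string(containsString("challenge 7_disabled-link")));
 }
 }
 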