Projects STRLCPY wrongsecrets Commits a23743db
    Dockerfile
    skipped 7 lines
    8 8  ENV APP_VERSION=$argBasedVersion
    9 9  ENV DOCKER_ENV_PASSWORD="This is it"
    10 10  ENV AZURE_KEY_VAULT_ENABLED=false
    11  -ENV springdoc_swagger-ui_enabled=false
    12  -ENV springdoc_api-docs_enabled=false
     11 +ENV SPRINGDOC_UI=false
     12 +ENV SPRINGDOC_DOC=false
    13 13   
    14 14  RUN echo "2vars"
    15 15  RUN echo "$ARG_BASED_PASSWORD"
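Review bot: the renamed `SPRINGDOC_UI` and `SPRINGDOC_DOC` variables do not bind to a Spring property by name the way `springdoc_swagger-ui_enabled` and `springdoc_api-docs_enabled` did through relaxed binding, so they only take effect via the `-D` flags in the CMD further down; a one-line comment above these ENV lines saying they are consumed by CMD would save the next reader a search, and the `false` defaults are the right ones for an image that is deliberately vulnerable elsewhere.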
    skipped 7 lines
    23 23  COPY --chown=wrongsecrets src/main/resources/executables/ /home/wrongsecrets/
    24 24  COPY --chown=wrongsecrets src/test/resources/alibabacreds.kdbx /var/tmp/helpers
    25 25  USER wrongsecrets
    26  -CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) /application.jar
     26 +CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D /application.jar
    27 27   
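Review bot: the new CMD ends with a bare `-D` before `/application.jar`, which looks like an editing leftover and is passed to the JVM as an empty system-property definition; drop it so the line ends `-Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} /application.jar`. While here, `$(echo ${SPRING_PROFILES_ACTIVE})` in a shell-form CMD can simply be `${SPRING_PROFILES_ACTIVE}`.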
  •
    README.md
    skipped 66 lines
    67 67   
    68 68  ## Basic docker exercises
    69 69   
    70  -_Can be used for challenges 1-4, 8, 12-28_
     70 +_Can be used for challenges 1-4, 8, 12-29_
    71 71   
    72 72  For the basic docker exercises you currently require:
    73 73   
    skipped 30 lines
    104 104  - [localhost:8080/challenge/26](http://localhost:8080/challenge/26)
    105 105  - [localhost:8080/challenge/27](http://localhost:8080/challenge/27)
    106 106  - [localhost:8080/challenge/28](http://localhost:8080/challenge/28)
     107 +- [localhost:8080/challenge/28](http://localhost:8080/challenge/29)
    107 108   
    108 109  Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look
    109 110  better ;-).
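Review bot: the added link on line 107 has mismatched label and target: the visible text says `challenge/28` while the URL points to `challenge/29`; change it to `- [localhost:8080/challenge/29](http://localhost:8080/challenge/29)`.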
    skipped 10 lines
    120 121   
    121 122  ## Basic K8s exercise
    122 123   
    123  -_Can be used for challenges 1-6, 8, 12-28_
     124 +_Can be used for challenges 1-6, 8, 12-29_
    124 125   
    125 126  ### Minikube based
    126 127   
    skipped 46 lines
    173 174   
    174 175  ## Vault exercises with minikube
    175 176   
    176  -_Can be used for challenges 1-8, 12-28_
     177 +_Can be used for challenges 1-8, 12-29_
    177 178  Make sure you have the following installed:
    178 179   
    179 180  - minikube with docker (or comment out line 8 and work at your own k8s setup),
    skipped 11 lines
    191 192   
    192 193  ## Cloud Challenges
    193 194   
    194  -_Can be used for challenges 1-28_
     195 +_Can be used for challenges 1-29_
    195 196   
    196 197  **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
    197 198  never run this on an account which is related to your production environment or can influence your account-over-arching
    skipped 24 lines
    222 223  7. Create a container and push it to your registry
    223 224  8. Override the K8s definition files for either [AWS](/aws/k8s/secret-challenge-vault-deployment.yml) or [GCP](/gcp/k8s/secret-challenge-vault-deployment.yml.tpl).
    224 225   
    225  -## Do you want to play without guidance?
     226 +## Do you want to play without guidance or spoils?
    226 227   
    227 228  Each challenge has a `Show hints` button and a `What's wrong?` button. These buttons help to simplify the challenges and give explanation to the reader. Though, the explanations can spoil the fun if you want to do this as a hacking exercise.
    228 229  Therefore, you can manipulate them by overriding the following settings in your env:
    229 230   
    230 231  - `hints_enabled=false` will turn off the `Show hints` button.
    231 232  - `reason_enabled=false` will turn of the `What's wrong?` explanation button.
     233 +- `spoiling_enabled=false` will turn off the `/spoil-x` endpoint (where `x` is the number of the challenge).
     234 + 
     235 +## Enabling Swaggerdocs and UI
     236 + 
     237 +You can enable Swagger documentation and the Swagger UI by overriding the `SPRINGDOC_UI` and `SPRINGDOC_DOC` when running the Docker container. See our [Okteto Deployment](https://github.com/OWASP/wrongsecrets/blob/master/okteto/k8s/secret-challenge-deployment.yml) for more details.
    232 238   
    233 239  ## Special thanks & Contributors
    234 240   
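Review bot: the new "Enabling Swaggerdocs and UI" section should state what `SPRINGDOC_UI` and `SPRINGDOC_DOC` are (environment variables, both defaulting to `false` in the Dockerfile) and what each one enables (the Swagger UI versus the OpenAPI `api-docs` endpoint), for example "by setting the environment variables `SPRINGDOC_UI=true` and `SPRINGDOC_DOC=true` when running the Docker container"; exposing the API description on a public instance also lists the `/spoil-x` endpoint, so it is worth saying this is an opt-in for local or demo use. Two wording points in the same region: "Swaggerdocs" should be "Swagger docs", and the unchanged line above reads "turn of" where "turn off" is meant.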
    skipped 13 lines
    248 254  - [Filip Chyla @fchyla](https://github.com/fchyla)
    249 255  - [Dmitry Litosh @Dlitosh](https://github.com/Dlitosh)
    250 256  - [Josh Grossman @tghosth](https://github.com/tghosth)
     257 +- [Turjo Chowdhury @turjoc120](https://github.com/turjoc120)
    251 258  - [Spyros @northdpole](https://github.com/northdpole)
    252 259  - [Mike Woudenberg @mikewoudenberg](https://github.com/mikewoudenberg)
    253 260  - [Ruben Kruiver @RubenAtBinx](https://github.com/RubenAtBinx)
     261 +- [Shlomo Zalman Heigh @szh](https://github.com/szh)
    254 262  - [Nicolas Humblot @nhumblot](https://github.com/nhumblot)
     263 +- [Madhu Akula @madhuakula](https://github.com/madhuakula)
    255 264  - [Finn @f3rn0s](https://github.com/f3rn0s)
    256 265  - [Alex Bender @alex-bender](https://github.com/alex-bender)
    257 266  - [Rick M @kingthorin](https://github.com/kingthorin)
    skipped 7 lines
    265 274  Special mentions for helping out:
    266 275   
    267 276  - [Madhu Akula @madhuakula](https://github.com/madhuakula)
    268  -- [Björn Kimminich @bkimminich](https://github.com/bkimminich)
     277 +- [BjÃrn Kimminich @bkimminich](https://github.com/bkimminich)
    269 278  - [Xiaolu Dai @saragluna](https://github.com/saragluna)
    270 279  - [Jonathan Giles @jonathanGiles](https://github.com/JonathanGiles)
    271 280   
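Review bot: the replaced line 277 turns "Björn" into "BjÃrn", which is UTF-8 text re-read as Latin-1; the hunk has no other purpose, so restore `- [Björn Kimminich @bkimminich](https://github.com/bkimminich)` and check the editor's file encoding before committing.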
    skipped 213 lines
  •
    okteto/k8s/secret-challenge-ctf-deployment.yml
    skipped 27 lines
    28 28   runAsGroup: 2000
    29 29   fsGroup: 2000
    30 30   containers:
    31  - - image: jeroenwillemsen/wrongsecrets:1.6.1-no-vault
     31 + - image: jeroenwillemsen/wrongsecrets:1.6.2RC8-no-vault
    32 32   name: secret-challenge-ctf
    33 33   imagePullPolicy: IfNotPresent
    34 34   securityContext:
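Review bot: this pins a release candidate tag (`1.6.2RC8-no-vault`) in a deployment manifest, and the same tag is used in secret-challenge-deployment.yml below; fine for the Okteto preview, but both should be bumped to the final release tag before this ships.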
    skipped 57 lines
    92 92   value: "https://canarytokens.org/history?token=cs07k832u9t1u4npowbvsw4mb&auth=7f75f2b2a4207c91fbc1ea59f7a495eb"
    93 93   - name: challenge15ciphertext
    94 94   value: "k9+HuPXEiFD6efujS5h1lOL1xgAC2OIgE2alg9JweUDy8k2SHUoG6I9FOhM1mgPKIUlyPWvROo+2T5p4qrAnuPYC/xAzVjGDUoN4eIXdXn+gwcYmL+Be8TodjXUt9U3g1/B9O2wyVZTT9Q839FaDHeBR4Og="
     95 + - name: springdoc_api-docs_enabled
     96 + value: "false"
    95 97   - name: challenge_acht_ctf_host_value
    96 98   value: "not set"
    97 99   - name: K8S_ENV
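Review bot: the added `springdoc_api-docs_enabled: "false"` uses the old variable name, while the Dockerfile in this same commit now reads `SPRINGDOC_DOC` and passes it as `-Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC}`; since a JVM system property takes precedence over an OS environment variable in Spring Boot's property resolution, this env entry has no effect either way. Rename it to `SPRINGDOC_DOC` with value `"false"` (and add `SPRINGDOC_UI: "false"`) so the CTF manifest mirrors the non-CTF one.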
    skipped 19 lines
  •
    okteto/k8s/secret-challenge-deployment.yml
    skipped 27 lines
    28 28   runAsGroup: 2000
    29 29   fsGroup: 2000
    30 30   containers:
    31  - - image: jeroenwillemsen/wrongsecrets:1.6.1-no-vault
     31 + - image: jeroenwillemsen/wrongsecrets:1.6.2RC8-no-vault
    32 32   name: secret-challenge
    33 33   imagePullPolicy: IfNotPresent
    34 34   securityContext:
    skipped 45 lines
    80 80   value: "k9+HuPXEiFD6efujS5h1lOL1xgAC2OIgE2alg9Jwe0qQlT+RGDJH/otpFgUzixTbCndwPW3HOqOCQYY844MgxM0N+RRbclS1bpJnYd7BT2aj8v4iA9xR8DwAjU0tt2n84PFKN4vNKjyNATETwPE1GQKBTIi1"
    81 81   - name: K8S_ENV
    82 82   value: Okteto(k8s)
     83 + - name: SPRINGDOC_UI
     84 + value: "true"
     85 + - name: SPRINGDOC_DOC
     86 + value: "true"
    83 87   - name: SPECIAL_K8S_SECRET
    84 88   valueFrom:
    85 89   configMapKeyRef:
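Review bot: setting both `SPRINGDOC_UI` and `SPRINGDOC_DOC` to `"true"` on the public Okteto demo exposes the full API description, including the `/spoil-x` endpoint the README now documents; that matches the demo's purpose, but the README section that points readers at this manifest should present it as the demo's choice rather than the recommended default.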
    skipped 15 lines
  •
    pom.xml
    skipped 59 lines
    60 60   <cyclonedx.core.version>7.3.2</cyclonedx.core.version>
    61 61   <KeePassJava2.version>2.1.4</KeePassJava2.version>
    62 62   <system-stubs-jupiter.version>2.0.2</system-stubs-jupiter.version>
    63  - <dependency-check-maven.version>8.1.2</dependency-check-maven.version>
     63 + <dependency-check-maven.version>8.2.1</dependency-check-maven.version>
    64 64   </properties>
    65 65   
    66 66   <dependencies>
    skipped 424 lines
  •
    src/main/java/org/owasp/wrongsecrets/StartupListener.java
    skipped 9 lines
    10 10  import java.util.stream.Collectors;
    11 11   
    12 12  /**
    13  - * Helps handling application startup and breaks nicely if K8S_ENV is wrong.
     13 + * Helps application startup and breaks nicely if K8S_ENV is wrong.
    14 14   */
    15 15  @Slf4j
    16 16  public class StartupListener implements ApplicationListener<ApplicationEvent> {
    skipped 32 lines
  •
    src/main/java/org/owasp/wrongsecrets/StatsController.java
    skipped 52 lines
    53 53   model.addAttribute("hintsEnabled", hintsEnabled);
    54 54   model.addAttribute("reasonEnabled", reasonEnabled);
    55 55   model.addAttribute("ctfModeEnabled", ctfModeEnabled);
    56  - model.addAttribute("spoilingEnabled", spoilingEnabled);
     56 + model.addAttribute("spoilingEnabled", spoilsEnabled());
    57 57   model.addAttribute("swaggerUIEnabled", swaggerUIEnabled);
    58 58   model.addAttribute("springdocenabled", springdocenabled);
    59 59   model.addAttribute("swaggerURI", swaggerURI);
    60 60   return "stats";
     61 + }
     62 + 
     63 + private boolean spoilsEnabled() {
     64 + return spoilingEnabled && !ctfModeEnabled;
    61 65   }
    62 66  }
    63 67   
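Review bot: `spoilsEnabled()` now reports spoiling as off whenever CTF mode is on, but this only changes the value shown on the stats page; unless the controller that serves the `/spoil-x` endpoint applies the same `spoilingEnabled && !ctfModeEnabled` check, the page will claim spoils are disabled while the endpoint still answers. Consider putting the combined check in one shared place (for example the configuration bean both controllers read) so the two cannot drift, and add a short Javadoc line on the helper explaining why CTF mode suppresses spoils.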
  •
    src/main/resources/templates/about.html
    skipped 195 lines
    196 196   <li>(The Apache Software License, Version 2.0) OGNL - Object Graph Navigation Library (ognl:ognl:3.3.4 - https://github.com/jkuhnert/ognl/)</li>
    197 197   <li>(Apache-2.0) jdiagnostics (org.anarres.jdiagnostics:jdiagnostics:1.0.7 - https://github.com/shevek/jdiagnostics)</li>
    198 198   <li>(Apache License, Version 2.0) Apache Commons Collections (org.apache.commons:commons-collections4:4.4 - https://commons.apache.org/proper/commons-collections/)</li>
    199  - <li>(Apache License, Version 2.0) Apache Commons Compress (org.apache.commons:commons-compress:1.22 - https://commons.apache.org/proper/commons-compress/)</li>
     199 + <li>(Apache-2.0) Apache Commons Compress (org.apache.commons:commons-compress:1.23.0 - https://commons.apache.org/proper/commons-compress/)</li>
    200 200   <li>(Apache License, Version 2.0) Apache Commons DBCP (org.apache.commons:commons-dbcp2:2.9.0 - https://commons.apache.org/dbcp/)</li>
    201 201   <li>(Apache License, Version 2.0) Apache Commons JCS :: Core (org.apache.commons:commons-jcs-core:2.2.1 - http://commons.apache.org/proper/commons-jcs/commons-jcs-core/)</li>
    202 202   <li>(Apache License, Version 2.0) Apache Commons Lang (org.apache.commons:commons-lang3:3.12.0 - https://commons.apache.org/proper/commons-lang/)</li>
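Review bot: the commons-compress entry changes its license label from "Apache License, Version 2.0" to "Apache-2.0" while the neighbouring Commons entries keep the long form; if this list is regenerated by the license plugin that is expected, otherwise keep the labels consistent within the list.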
    skipped 47 lines
    250 250   <li>(The Apache Software License, Version 2.0) Plexus Classworlds (org.codehaus.plexus:plexus-classworlds:2.2.3 - http://plexus.codehaus.org/plexus-classworlds/)</li>
    251 251   <li>(Apache License, Version 2.0) Plexus :: Component Annotations (org.codehaus.plexus:plexus-component-annotations:2.0.0 - http://codehaus-plexus.github.io/plexus-containers/plexus-component-annotations/)</li>
    252 252   <li>(The Apache Software License, Version 2.0) Plexus Interpolation API (org.codehaus.plexus:plexus-interpolation:1.14 - http://plexus.codehaus.org/plexus-components/plexus-interpolation)</li>
    253  - <li>(Apache License, Version 2.0) Plexus Common Utilities (org.codehaus.plexus:plexus-utils:3.5.0 - https://codehaus-plexus.github.io/plexus-utils/)</li>
     253 + <li>(Apache License, Version 2.0) Plexus Common Utilities (org.codehaus.plexus:plexus-utils:3.5.1 - https://codehaus-plexus.github.io/plexus-utils/)</li>
    254 254   <li>(The BSD License) Stax2 API (org.codehaus.woodstox:stax2-api:4.2.1 - http://github.com/FasterXML/stax2-api)</li>
    255 255   <li>(Apache 2) org.conscrypt:conscrypt-openjdk-uber (org.conscrypt:conscrypt-openjdk-uber:2.5.2 - https://conscrypt.org/)</li>
    256 256   <li>(Apache-2.0) CycloneDX Core (Java) (org.cyclonedx:cyclonedx-core-java:7.3.2 - https://github.com/CycloneDX/cyclonedx-core-java)</li>
    skipped 26 lines
    283 283   <li>(BSD-3-Clause) asm-commons (org.ow2.asm:asm-commons:9.2 - http://asm.ow2.io/)</li>
    284 284   <li>(BSD-3-Clause) asm-tree (org.ow2.asm:asm-tree:9.2 - http://asm.ow2.io/)</li>
    285 285   <li>(BSD-3-Clause) asm-util (org.ow2.asm:asm-util:9.2 - http://asm.ow2.io/)</li>
    286  - <li>(The Apache Software License, Version 2.0) Dependency-Check Core (org.owasp:dependency-check-core:8.1.2 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-core)</li>
    287  - <li>(The Apache Software License, Version 2.0) Dependency-Check Maven Plugin (org.owasp:dependency-check-maven:8.1.2 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-maven)</li>
    288  - <li>(The Apache Software License, Version 2.0) Dependency-Check Utils (org.owasp:dependency-check-utils:8.1.2 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-utils)</li>
     286 + <li>(The Apache Software License, Version 2.0) Dependency-Check Core (org.owasp:dependency-check-core:8.2.1 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-core)</li>
     287 + <li>(The Apache Software License, Version 2.0) Dependency-Check Maven Plugin (org.owasp:dependency-check-maven:8.2.1 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-maven)</li>
     288 + <li>(The Apache Software License, Version 2.0) Dependency-Check Utils (org.owasp:dependency-check-utils:8.2.1 - https://github.com/jeremylong/DependencyCheck.git/dependency-check-utils)</li>
    289 289   <li>(The MIT License) Project Lombok (org.projectlombok:lombok:1.18.26 - https://projectlombok.org)</li>
    290 290   <li>(MIT-0) reactive-streams (org.reactivestreams:reactive-streams:1.0.4 - http://www.reactive-streams.org/)</li>
    291  - <li>(The MIT License) semver4j (org.semver4j:semver4j:4.2.1 - https://github.com/semver4j/semver4j)</li>
     291 + <li>(The MIT License) semver4j (org.semver4j:semver4j:4.3.0 - https://github.com/semver4j/semver4j)</li>
    292 292   <li>(The Apache Software License, Version 2.0) Simple XML (org.simpleframework:simple-xml:2.7.1 - http://simple.sourceforge.net)</li>
    293 293   <li>(Apache License, Version 2.0) JCL 1.2 implemented over SLF4J (org.slf4j:jcl-over-slf4j:2.0.7 - http://www.slf4j.org)</li>
    294 294   <li>(MIT License) JUL to SLF4J bridge (org.slf4j:jul-to-slf4j:2.0.7 - http://www.slf4j.org)</li>
    skipped 93 lines
  •
    src/main/resources/templates/stats.html
    skipped 13 lines
    14 14   Number of active sessions: <span th:text="${sessioncounter}"></span><br/>
    15 15   Number of canary callbacks since boot: <span th:text="${canaryCounter}"></span><br/>
    16 16   Active sessions are currently active visitors to challenges.<br/>
    17  - <span class="d-none d-lg-block"><br/></span>
    18  - <span class="d-none d-lg-block" th:if="${springdocenabled==true}"><br/><br/><br/></span>
     17 + <span class="d-none d-lg-block"><br/><br/></span>
     18 + <span class="d-none d-lg-block" th:if="${springdocenabled==true}"><br/><br/></span>
    19 19   </p>
    20 20   
    21 21   </div>
    skipped 40 lines
  •
    src/main/resources/templates/welcome.html
    skipped 88 lines
    89 89   <li><a href="https://github.com/remakingeden">Joss Sparkes @remakingeden</a></li>
    90 90   <li><a href="https://github.com/tiborhercz">Tibor Hercz @tiborhercz</a></li>
    91 91   <li><a href="https://github.com/neatzsche">Chris Elbring Jr. @neatzsche</a>
    92  - <li><a href="https://github.com/puneeth072003">Puneeth Y</a>
     92 + <li><a href="https://github.com/puneeth072003">Puneeth Y @puneeth072003</a>
    93 93   <li><a href="https://github.com/fchyla">Filip Chyla @fchyla</a></li>
    94 94   <li><a href="https://github.com/Dlitosh">Dmitry Litosh @Dlitosh</a></li>
    95 95   <li><a href="https://github.com/tghosth">Josh Grossman @tghosth</a></li>
     96 + <li><a href="https://github.com/turjoc120">Turjo Chowdhury @turjoc120</a></li>
    96 97   <li><a href="https://github.com/northdpole">Spyros @northdpole</a></li>
    97 98   <li><a href="https://github.com/mikewoudenberg">Mike Woudenberg @mikewoudenberg</a></li>
    98 99   <li><a href="https://github.com/RubenAtBinx">Ruben Kruiver @RubenAtBinx</a></li>
     100 + <li><a href="https://github.com/szh">Shlomo Zalman Heigh @szhx</a></li>
    99 101   <li><a href="https://github.com/nhumblot">Nicolas Humblot @nhumblot</a></li>
     102 + <li><a href="https://github.com/madhuakula">Madhu Akula @madhuakula</a></li>
    100 103   <li><a href="https://github.com/alex-bender">Alex Bender @alex-bender</a></li>
    101 104   <li><a href="https://github.com/f3rn0s">Finn @f3rn0s</a></li>
    102 105   <li><a href="https://github.com/kingthorin">Rick M @kingthorin</a></li>
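Review bot: line 100 shows the handle as `@szhx` while the link target and the README entry use `szh`; fix it to `@szh`. The replaced Puneeth line (92) also still lacks a closing `</li>` (as does the Chris Elbring line above it); since that line is being touched anyway, close it.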
    skipped 70 lines