Projects STRLCPY wrongsecrets Commits b84b13e9
  • ■ ■ ■ ■ ■ ■
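--- a/.github/scripts/docker-create.sh
+++ b/.github/scripts/docker-create.sh
@@ -45,6 +45,8 @@
  cd ../..
  heroku container:push --recursive --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646
  heroku container:release web --app arcane-scrubland-42646
+ heroku container:push --recursive --arg argBasedVersion=${tag}heroku --arg ctf_enabled=true --arg HINTS_ENABLED=false --app wrongsecrets-ctf
+ heroku container:release web --app wrongsecrets-ctf
  exit
 }
 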
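Review bot: `--arg HINTS_ENABLED=false` on the new `wrongsecrets-ctf` push does not keep hints away from players, because the `/api/challenges` endpoint added in this same commit puts `hints.get(i)` into every challenge object without consulting `hints_enabled`, and the controller shows no access check. If the CTF instance is meant to withhold hints, that endpoint has to honour the flag or be limited to the organiser. If the hints are only exposed for the CTFd import, a comment next to this line such as `# hints remain reachable via /api/challenges for the CTFd import` would avoid the impression that they are switched off. The enclosing function starts above the visible lines.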
  • ■ ■ ■ ■ ■
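--- a/Dockerfile.web
+++ b/Dockerfile.web
@@ -1,10 +1,14 @@
-FROM jeroenwillemsen/wrongsecrets:1.4.7-no-vault
+FROM jeroenwillemsen/wrongsecrets:ctfdtest7-no-vault
 
 ARG argBasedVersion="1.4.7"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
+ARG ctf_enabled=false
+ARG HINTS_ENABLED=true
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)
 ENV canarytokenURLs=$CANARY_URLS
+ENV CTF_ENABLED=$ctf_enabled
+ENV hints_enabled=$HINTS_ENABLED
 ENV challengedockermtpath="/var/helpers"
 ENV keepasspath="/var/helpers/alibabacreds.kdbx"
 COPY .github/scripts/ /var/helpers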
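Review bot: The new base image `jeroenwillemsen/wrongsecrets:ctfdtest7-no-vault` looks like a test tag, and docker-create.sh appears to build both the existing `arcane-scrubland-42646` app and the new CTF app from this file, so the regular deployment would move onto it while `ARG argBasedVersion="1.4.7"` still reports the old release. Tags are mutable, so I would return to a release tag before merging and preferably pin it by digest, e.g. `FROM jeroenwillemsen/wrongsecrets:<release-tag>-no-vault@sha256:<digest>`. No `CTF_KEY` is wired in here either, so unless it is supplied as a runtime config var the CTF app signs its codes with the default committed in application.properties.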
  • ■ ■ ■ ■ ■ ■
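--- a/README.md
+++ b/README.md
@@ -213,6 +213,22 @@
 Want to know if your tool detects everything? We will keep track of the embedded secrets in [this issue](https://github.com/commjoen/wrongsecrets/issues/201) and have a [branch](https://github.com/commjoen/wrongsecrets/tree/experiment-bed) in which we put additional secrets for your tool to detect.
 The branch will contain a Docker container generation script using which you can eventually test your container secret scanning.
 
+## CTFD Support - Experimental
+
+NOTE: CTFD support is experimental, but can work based on the [Juiceshop CTF CLI](https://github.com/juice-shop/juice-shop-ctf).
+NOTE-II: https://wrongsecrets-ctf.herokuapp.com is based on a free heroku instance, which takes time to warm up. Initial creation of the zip file for CTFD requires you to visit [https://wrongsecrets-ctf.herokuapp.com/api/Challenges](https://wrongsecrets-ctf.herokuapp.com/api/Challenges) once before executing the steps below.
+
+Follow the following steps:
+
+```shell
+ npm install -g juice-shop-ctf-cli
+ juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'TRwzkRJnHOTckssAeyJbysWgP!Qc2T'
+ docker run -p 8001:8000 -it ctfd/ctfd:3.4.3 # configure challenge and import the zip from juice-shop-ctf
+```
+
+Game on using [https://wrongsecrets-ctf.herokuapp.com](https://wrongsecrets-ctf.herokuapp.com) !
+Want to setup your own? You can!
+
 ## Notes on development
 
 For development on local machine use the `local` profile `./mvnw spring-boot:run -Dspring-boot.run.profiles=local`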
  • ■ ■ ■ ■ ■ ■
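--- a/config/.lycheeignore
+++ b/config/.lycheeignore
@@ -3,3 +3,5 @@
 
 # This is used as an example when creating a pull request
 https://github.com/Your_Github_Handle.*
+https://wrongsecrets-ctf.herokuapp.com/api/Challenges
+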
  • ■ ■ ■ ■ ■
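--- a/heroku.yml
+++ b/heroku.yml
@@ -1,3 +1,4 @@
 build:
  docker:
  web: Dockerfile.web
+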
  • ■ ■ ■ ■ ■
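--- a/pom.xml
+++ b/pom.xml
@@ -199,6 +199,11 @@
  <version>${dependency-check-maven.version}</version>
  <type>maven-plugin</type>
  </dependency>
+ <dependency>
+ <groupId>com.h2database</groupId>
+ <artifactId>h2</artifactId>
+ <version>2.1.214</version>
+ </dependency>
  </dependencies>
 
  <dependencyManagement>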
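Review bot: The `com.h2database:h2` dependency is added at the default compile scope with a literal version, and none of the Java changes shown in this commit reference H2. If something outside this diff needs it, say so in a comment and narrow it with `<scope>runtime</scope>` or `<scope>test</scope>`; if nothing does, leave it out, since an embedded database on the classpath of an internet-facing image is extra attack surface and one more artifact to keep patched. The version would also be easier to track as a property, in the style of `${dependency-check-maven.version}` just above.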
  • ■ ■ ■ ■
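--- a/src/main/java/org/owasp/wrongsecrets/WrongSecretsApplication.java
+++ b/src/main/java/org/owasp/wrongsecrets/WrongSecretsApplication.java
@@ -19,7 +19,7 @@
  @Bean
  @Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
  public InMemoryScoreCard scoreCard() {
- return new InMemoryScoreCard(11);
+ return new InMemoryScoreCard(22);
  }
 
 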
  • ■ ■ ■ ■ ■ ■
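--- a/src/main/java/org/owasp/wrongsecrets/challenges/Challenge.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/Challenge.java
@@ -19,6 +19,8 @@
 
  public abstract List<Environment> supportedRuntimeEnvironments();
 
+ public abstract int difficulty();
+
  public boolean solved(String answer) {
  var correctAnswer = answerCorrect(answer);
  if (correctAnswer) {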
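Review bot: `difficulty()` joins the abstract contract without Javadoc, so the scale can only be learned from the implementations, which return values from 1 to 5 in this commit. Because `/api/challenges` serialises the value for the CTF import, I would document it on the declaration, e.g. `/** Difficulty of this challenge, from 1 to 5 (presumably 1 is easiest); exported unchanged by /api/challenges. */`. An enum or a range check would turn an out-of-range value into a compile-time or start-up error rather than a wrong scoreboard entry. The class body continues outside the hunk.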
  • ■ ■ ■ ■ ■ ■
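--- a/src/main/java/org/owasp/wrongsecrets/challenges/ChallengesAPIController.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/ChallengesAPIController.java
@@ -0,0 +1,124 @@
+package org.owasp.wrongsecrets.challenges;
+
+import com.nimbusds.jose.shaded.json.JSONArray;
+import com.nimbusds.jose.shaded.json.JSONObject;
+import lombok.extern.slf4j.Slf4j;
+import org.asciidoctor.Asciidoctor;
+import org.asciidoctor.OptionsBuilder;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.asciidoc.TemplateGenerator;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.MediaType;
+import org.springframework.util.ResourceUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.util.ArrayList;
+import java.util.List;
+
+@Slf4j
+@RestController
+public class ChallengesAPIController {
+
+ private final ScoreCard scoreCard;
+ private final List<ChallengeUI> challenges;
+
+ private final List<String> descriptions;
+
+ private final List<String> hints;
+
+ private final TemplateGenerator templateGenerator;
+
+ public ChallengesAPIController(ScoreCard scoreCard, List<ChallengeUI> challenges, RuntimeEnvironment runtimeEnvironment, TemplateGenerator templateGenerator) {
+ this.scoreCard = scoreCard;
+ this.challenges = challenges;
+ this.descriptions = new ArrayList<>();
+ this.hints = new ArrayList<>();
+ this.templateGenerator = templateGenerator;
+ }
+
+
+ @GetMapping(value = {"/api/Challenges", "/api/challenges"}, produces = MediaType.APPLICATION_JSON_VALUE)
+ public String getChallenges() {
+ if (descriptions.size() == 0) {
+ initiaLizeHintsAndDescriptions();
+ }
+ JSONObject json = new JSONObject();
+ JSONArray jsonArray = new JSONArray();
+ for (int i = 0; i < challenges.size(); i++) {
+ JSONObject jsonChallenge = new JSONObject();
+ jsonChallenge.put("id", i);
+ jsonChallenge.put("name", challenges.get(i).getName());
+ jsonChallenge.put("key", challenges.get(i).getExplanation());
+ jsonChallenge.put("category", getCategory(challenges.get(i)));
+ jsonChallenge.put("description", descriptions.get(i));
+ jsonChallenge.put("hint", hints.get(i));
+ jsonChallenge.put("solved", scoreCard.getChallengeCompleted(challenges.get(i).getChallenge()));
+ jsonChallenge.put("disabledEnv", getDisabledEnv(challenges.get(i)));
+ jsonChallenge.put("difficulty", challenges.get(i).getChallenge().difficulty());
+ jsonArray.add(jsonChallenge);
+ }
+ json.put("status", "success");
+ json.put("data", jsonArray);
+ String result = json.toJSONString();
+ log.info("returning {}", result);
+ return result;
+ }
+
+ private String getCategory(ChallengeUI challengeUI) {
+ return switch (challengeUI.getChallenge().supportedRuntimeEnvironments().get(0)) {
+ case DOCKER, HEROKU_DOCKER -> "Docker";
+ case GCP, AWS, AZURE -> "Cloud";
+ case VAULT -> "Vault";
+ case K8S -> "Kubernetes";
+ };
+ }
+
+ private void initiaLizeHintsAndDescriptions() {
+ log.info("Initialize hints and descriptions");
+ challenges.forEach(challengeUI -> { //note requires mvn install to generate the html files!
+ try {
+ String hint = templateGenerator.generate("explanations/" + challengeUI.getExplanation() + "_hint");
+ hints.add(hint);
+ String description = templateGenerator.generate("explanations/" + challengeUI.getExplanation());
+ descriptions.add(description);
+ } catch (IOException e) {
+ String rawHint = extractResource("classpath:explanations/" + challengeUI.getExplanation() + "_hint.adoc");
+ String hint = Asciidoctor.Factory.create().convert(rawHint, OptionsBuilder.options().build());
+ hints.add(hint);
+ String rawDescription = extractResource("classpath:explanations/" + challengeUI.getExplanation() + ".adoc");
+ String description = Asciidoctor.Factory.create().convert(rawDescription, OptionsBuilder.options().build());
+ descriptions.add(description);
+ throw new RuntimeException(e);
+ }
+
+ });
+ }
+
+ private String extractResource(String resourceName) {
+ try {
+ var resource = ResourceUtils.getURL(resourceName);
+ final StringBuilder resourceStringbuilder = new StringBuilder();
+ new BufferedReader(
+ new InputStreamReader(resource.openStream())
+ ).lines().forEach(s -> {
+ resourceStringbuilder.append(s);
+ });
+ return resourceStringbuilder.toString();
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ private String getDisabledEnv(ChallengeUI challenge) {
+ if (!challenge.getChallenge().supportedRuntimeEnvironments().contains(RuntimeEnvironment.Environment.DOCKER)) {
+ return "Docker";
+ }
+ return null;
+ }
+}
+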
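Review bot: The lazy initialisation in `initiaLizeHintsAndDescriptions` leaves the controller broken after one failure: the `catch (IOException e)` branch builds the fallback hint and description and then still executes `throw new RuntimeException(e)`, and since `hints.add(hint)` runs before the second `generate` call the two lists can end up with different lengths. On the next request `descriptions.size() == 0` is false, initialisation is skipped, and `descriptions.get(i)` or `hints.get(i)` can throw for the challenges that were never loaded. The lists are also filled from a request thread with no synchronisation, so two concurrent first requests can append every entry twice. I would collect both lists locally, let the fallback be the recovery instead of rethrowing, and publish only complete lists, as sketched below; `log.info("returning {}", result)` in `getChallenges` also writes the whole payload to the log on every call and would be better at debug level.

```java
private synchronized void initiaLizeHintsAndDescriptions() {
    if (!descriptions.isEmpty()) {
        return; // a concurrent request already finished the initialisation
    }
    log.info("Initialize hints and descriptions");
    List<String> loadedHints = new ArrayList<>();
    List<String> loadedDescriptions = new ArrayList<>();
    for (ChallengeUI challengeUI : challenges) {
        String base = "explanations/" + challengeUI.getExplanation();
        String hint;
        String description;
        try {
            hint = templateGenerator.generate(base + "_hint");
            description = templateGenerator.generate(base);
        } catch (IOException e) {
            // pre-rendered html is missing: convert the .adoc sources instead of failing the request
            log.warn("Falling back to asciidoc conversion for {}", base, e);
            hint = Asciidoctor.Factory.create().convert(extractResource("classpath:" + base + "_hint.adoc"), OptionsBuilder.options().build());
            description = Asciidoctor.Factory.create().convert(extractResource("classpath:" + base + ".adoc"), OptionsBuilder.options().build());
        }
        loadedHints.add(hint);
        loadedDescriptions.add(description);
    }
    // hints first: getChallenges() treats a non-empty descriptions list as "initialised"
    hints.addAll(loadedHints);
    descriptions.addAll(loadedDescriptions);
}
```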
  • ■ ■ ■ ■ ■ ■
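--- a/src/main/java/org/owasp/wrongsecrets/challenges/ChallengesController.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/ChallengesController.java
@@ -1,8 +1,11 @@
 package org.owasp.wrongsecrets.challenges;
 
+import com.nimbusds.jose.crypto.impl.HMAC;
 import org.owasp.wrongsecrets.RuntimeEnvironment;
 import org.owasp.wrongsecrets.ScoreCard;
+import org.spongycastle.crypto.CryptoException;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.crypto.codec.Hex;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -10,6 +13,11 @@
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
 
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.util.List;
 import java.util.stream.Collectors;
 
@@ -19,10 +27,17 @@
  private final ScoreCard scoreCard;
  private final List<ChallengeUI> challenges;
  private final RuntimeEnvironment runtimeEnvironment;
+
  @Value("${hints_enabled}")
  private boolean hintsEnabled;
  @Value("${reason_enabled}")
  private boolean reasonEnabled;
+
+ @Value("${CTF_ENABLED}")
+ private boolean ctfModeEnabled;
+
+ @Value("${CTF_KEY}")
+ private String ctfKey;
 
  public ChallengesController(ScoreCard scoreCard, List<ChallengeUI> challenges, RuntimeEnvironment runtimeEnvironment) {
  this.scoreCard = scoreCard;
@@ -78,7 +93,12 @@
  var challenge = challenges.get(id - 1);
 
  if (challenge.getChallenge().solved(challengeForm.solution())) {
- model.addAttribute("answerCorrect", "Your answer is correct!");
+ if (ctfModeEnabled) {
+ String code = generateCode(challenge);
+ model.addAttribute("answerCorrect", "Your answer is correct! " + "fill in the following code in CTF scoring: " + code);
+ } else {
+ model.addAttribute("answerCorrect", "Your answer is correct!");
+ }
  } else {
  model.addAttribute("answerIncorrect", "Your answer is incorrect, try harder ;-)");
  }
@@ -88,6 +108,18 @@
  enrichWithHintsAndReasons(model);
  fireEnding(model);
  return "challenge";
+ }
+
+ private String generateCode(ChallengeUI challenge) {
+ SecretKeySpec secretKeySpec = new SecretKeySpec(ctfKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1");
+ try {
+ Mac mac = Mac.getInstance("HmacSHA1");
+ mac.init(secretKeySpec);
+ byte[] result = mac.doFinal(challenge.getName().getBytes(StandardCharsets.UTF_8));
+ return new String(Hex.encode(result));
+ } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+ throw new RuntimeException(e);
+ }
  }
 
  private void includeScoringStatus(Model model, Challenge challenge) {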
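Review bot: `generateCode` carries no comment explaining why it uses `HmacSHA1` or what the resulting code guarantees, so a later reader is likely to flag SHA-1 as a mistake or assume the code is per-player. I would add a Javadoc saying that the code is the hex HMAC of the challenge name under `CTF_KEY`, presumably chosen to match what the Juiceshop CTF CLI generates, that it is therefore the same for every player, and that anyone who knows the key can compute all codes without solving a challenge. The first hunk also imports `com.nimbusds.jose.crypto.impl.HMAC` and `org.spongycastle.crypto.CryptoException`, which nothing in the visible hunks uses; drop them unless the skipped lines need them. The class continues outside the hunks.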
  • ■ ■ ■ ■ ■
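--- a/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge10.java
@@ -56,5 +56,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(GCP, AWS, AZURE);
  }
+
+ @Override
+ public int difficulty() {
+ return 4;
+ }
 }
 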
  • ■ ■ ■ ■ ■
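--- a/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge11.java
@@ -84,6 +84,11 @@
  return List.of(AWS, GCP, AZURE);
  }
 
+ @Override
+ public int difficulty() {
+ return 4;
+ }
+
  private String getChallenge11Value(RuntimeEnvironment runtimeEnvironment) {
  if (runtimeEnvironment != null && runtimeEnvironment.getRuntimeEnvironment() != null) {
  return switch (runtimeEnvironment.getRuntimeEnvironment()) {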
  • ■ ■ ■ ■ ■
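--- a/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge9.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/cloud/Challenge9.java
@@ -56,5 +56,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(GCP, AWS, AZURE);
  }
+
+ @Override
+ public int difficulty() {
+ return 3;
+ }
 }
 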
  • ■ ■ ■ ■ ■
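--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge1.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge1.java
@@ -33,5 +33,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(DOCKER);
  }
+
+ @Override
+ public int difficulty() {
+ return 1;
+ }
 }
 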
  • ■ ■ ■ ■ ■
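--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java
@@ -42,6 +42,11 @@
  return List.of(RuntimeEnvironment.Environment.DOCKER);
  }
 
+ @Override
+ public int difficulty() {
+ return 3;
+ }
+
  private String getActualData() {
  try {
  return Files.readString(Paths.get(dockerMountPath, "yourkey.txt"));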
  • ■ ■ ■ ■ ■
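--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge13.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge13.java
@@ -48,6 +48,11 @@
  return List.of(RuntimeEnvironment.Environment.DOCKER);
  }
 
+ @Override
+ public int difficulty() {
+ return 3;
+ }
+
  private boolean isKeyCorrect(String base64EncodedKey) {
  if (Strings.isEmpty(base64EncodedKey) || Strings.isEmpty(plainText) || Strings.isEmpty(cipherText)) {
  log.info("Checking secret with values {}, {}, {}", base64EncodedKey, plainText, cipherText);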
  • ■ ■ ■ ■ ■
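--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge14.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge14.java
@@ -54,6 +54,11 @@
  return List.of(RuntimeEnvironment.Environment.DOCKER);
  }
 
+ @Override
+ public int difficulty() {
+ return 4;
+ }
+
  private String findAnswer() {
  if (Strings.isEmpty(keepassxPassword)) {
  log.info("Checking secret with values {}", keepassxPassword);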
  • ■ ■ ■ ■ ■
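--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge15.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge15.java
@@ -49,6 +49,11 @@
  return List.of(RuntimeEnvironment.Environment.DOCKER);
  }
 
+ @Override
+ public int difficulty() {
+ return 2;
+ }
+
  private String quickDecrypt(String cipherText) {
  try {
  final byte[] keyData = Base64.getDecoder().decode(encryptionKey);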
  • ■ ■ ■ ■ ■
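--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge16.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge16.java
@@ -42,6 +42,11 @@
  return List.of(RuntimeEnvironment.Environment.DOCKER);
  }
 
+ @Override
+ public int difficulty() {
+ return 3;
+ }
+
  public String getActualData() {
  try {
  return Files.readString(Paths.get(dockerMountPath, "secondkey.txt"));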
  • ■ ■ ■ ■ ■
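--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge17.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge17.java
@@ -42,6 +42,11 @@
  return List.of(RuntimeEnvironment.Environment.DOCKER);
  }
 
+ @Override
+ public int difficulty() {
+ return 3;
+ }
+
  public String getActualData() {
  try {
  return Files.readString(Paths.get(dockerMountPath, "thirdkey.txt"));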
  • ■ ■ ■ ■ ■
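--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge18.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge18.java
@@ -65,5 +65,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(DOCKER);
  }
+
+ @Override
+ public int difficulty() {
+ return 5;
+ }
 }
 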
  • ■ ■ ■ ■ ■
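--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge19.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge19.java
@@ -39,5 +39,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(DOCKER);
  }
+
+ @Override
+ public int difficulty() {
+ return 4;
+ }
 }
 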
  • ■ ■ ■ ■ ■
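--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge2.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge2.java
@@ -37,5 +37,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(DOCKER);
  }
+
+ @Override
+ public int difficulty() {
+ return 1;
+ }
 }
 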
  • ■ ■ ■ ■ ■
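--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge20.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge20.java
@@ -39,5 +39,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(DOCKER);
  }
+
+ @Override
+ public int difficulty() {
+ return 4;
+ }
 }
 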
  • ■ ■ ■ ■ ■
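--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge21.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge21.java
@@ -39,5 +39,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(DOCKER);
  }
+
+ @Override
+ public int difficulty() {
+ return 5;
+ }
 }
 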
  • ■ ■ ■ ■ ■
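--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge22.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge22.java
@@ -38,5 +38,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(DOCKER);
  }
+
+ @Override
+ public int difficulty() {
+ return 5;
+ }
 }
 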
  • ■ ■ ■ ■ ■
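--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge3.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge3.java
@@ -37,5 +37,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(DOCKER);
  }
+
+ @Override
+ public int difficulty() {
+ return 1;
+ }
 }
 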
  • ■ ■ ■ ■ ■
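--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge4.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge4.java
@@ -39,5 +39,10 @@
  return List.of(DOCKER);
  }
 
+ @Override
+ public int difficulty() {
+ return 2;
+ }
+
 }
 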
  • ■ ■ ■ ■ ■
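--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge8.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge8.java
@@ -45,6 +45,11 @@
  return List.of(DOCKER);
  }
 
+ @Override
+ public int difficulty() {
+ return 2;
+ }
+
  private String generateRandomString(int length) {
  StringBuilder builder = new StringBuilder(length);
  for (int i = 0; i < length; i++) {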
  • ■ ■ ■ ■ ■
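--- a/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge5.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge5.java
@@ -37,5 +37,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(K8S);
  }
+
+ @Override
+ public int difficulty() {
+ return 2;
+ }
 }
 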
  • ■ ■ ■ ■ ■
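--- a/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge6.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge6.java
@@ -37,5 +37,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(K8S);
  }
+
+ @Override
+ public int difficulty() {
+ return 2;
+ }
 }
 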
  • ■ ■ ■ ■ ■
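--- a/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge7.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/kubernetes/Challenge7.java
@@ -42,5 +42,10 @@
  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
  return List.of(RuntimeEnvironment.Environment.VAULT);
  }
+
+ @Override
+ public int difficulty() {
+ return 4;
+ }
 }
 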
  • ■ ■ ■ ■
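--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -25,6 +25,8 @@
 server.servlet.session.tracking-modes=COOKIE
 asciidoctor.enabled=false
 hints_enabled=true
+CTF_ENABLED=false
+CTF_KEY=TRwzkRJnHOTckssAeyJbysWgP!Qc2T
 reason_enabled=true
 plainText13=This is not the secret
 cipherText13=hRZqOEB0V0kU6JhEXdm8UH32VDAbAbdRxg5RMpo/fA8caUCvJhs=
@@ -49,6 +51,7 @@
 #---
 spring.config.activate.on-profile=local
 challengedockermtpath=./
+asciidoctor.enabled=true
 #---
 spring.config.activate.on-profile=local-vault
 wrongsecretvalue=wrongsecret
@@ -64,5 +67,5 @@
 spring.config.activate.on-profile=without-vault
 wrongsecretvalue=wrongsecret
 spring.cloud.vault.enabled=false
-asciidoctor.enabled=true
+asciidoctor.enabled=false
 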
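Review bot: The `CTF_KEY` line in the first hunk commits a working default for the HMAC key that `ChallengesController.generateCode` uses to produce scoring codes, and the README change in this commit prints the same value. Any CTF started with `CTF_ENABLED=true` and no override therefore issues codes that every participant can compute without solving a challenge. I would keep the default for the public demo only and say so in a comment above the property, e.g. `# demo value only - override CTF_KEY for a real event`, and have the application refuse to start in CTF mode while the key still equals this default.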
  • ■ ■ ■ ■ ■ ■
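--- a/src/test/java/org/owasp/wrongsecrets/ChallengeAPiControllerTest.java
+++ b/src/test/java/org/owasp/wrongsecrets/ChallengeAPiControllerTest.java
@@ -0,0 +1,45 @@
+package org.owasp.wrongsecrets;
+
+import org.junit.jupiter.api.Test;
+import org.owasp.wrongsecrets.canaries.AdditionalCanaryData;
+import org.owasp.wrongsecrets.canaries.CanaryToken;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.boot.web.server.LocalServerPort;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.client.RestClientResponseException;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.fail;
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+public class ChallengeAPiControllerTest {
+ @LocalServerPort
+ private int port;
+
+ @Autowired
+ private RestTemplateBuilder builder;
+
+ public ChallengeAPiControllerTest() {
+ }
+
+ @Test
+ void shouldGetListOfChallenges() {
+ var restTemplate = builder.build();
+
+ var callbackAdress = "http://localhost:"+port+"/api/Challenges";
+
+ try {
+ var response = restTemplate.getForEntity(callbackAdress, String.class);
+ assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
+ } catch (RestClientResponseException e) {
+ fail(e);
+ }
+ }
+}
+
+/*
+"manageUrl" : "url", "memo" : "memo", "channel" : "channel", "time" : "time", "additionalData" : { "srcIp" : "soruce", "useragent" : "agent", "referer" : "referer", "location" : "locatoin"}}
+ */
+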
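Review bot: `shouldGetListOfChallenges` asserts only `HttpStatus.OK`, so it would still pass if the endpoint returned an empty `data` array or exposed fields it should not. Asserting on the body, for example that `status` is `success` and that `data` holds one entry per challenge, would pin the contract the CTF import relies on. The imports of `AdditionalCanaryData` and `CanaryToken` and the trailing commented-out JSON block look copied from a canary test and are unused here. The class name `ChallengeAPiControllerTest` also differs in spelling and case from `ChallengesAPIController`, which makes the test harder to find.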
  • ■ ■ ■ ■ ■ ■
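--- a/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge24Test.java
+++ b/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge24Test.java
@@ -1,42 +0,0 @@
-package org.owasp.wrongsecrets.challenges.docker;
-
-import org.assertj.core.api.Assertions;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.owasp.wrongsecrets.ScoreCard;
-import org.owasp.wrongsecrets.challenges.Spoiler;
-
-@ExtendWith(MockitoExtension.class)
-class Challenge24Test {
-
- @Mock
- private ScoreCard scoreCard;
-
- @Test
- void spoilerShouldRevealAnswer() {
- var challenge = new Challenge4(scoreCard, "test");
-
- Assertions.assertThat(challenge.spoiler()).isEqualTo(new Spoiler("test"));
- }
-
- @Test
- void rightAnswerShouldSolveChallenge() {
- var challenge = new Challenge4(scoreCard, "test");
-
- Assertions.assertThat(challenge.solved("test")).isTrue();
- Mockito.verify(scoreCard).completeChallenge(challenge);
- }
-
- @Test
- void incorrectAnswerShouldNotSolveChallenge() {
- var challenge = new Challenge4(scoreCard, "test");
-
- Assertions.assertThat(challenge.solved("wrong answer")).isFalse();
- Mockito.verifyNoInteractions(scoreCard);
- }
-
-}
-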