-
-
Notifications
You must be signed in to change notification settings - Fork 372
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Challenge52_#297_Issue #1750
base: master
Are you sure you want to change the base?
Challenge52_#297_Issue #1750
Changes from all commits
dad65ac
da29d97
43cea04
42db351
8820f79
9da9bc2
f78ade7
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
**/.classpath | ||
**/.dockerignore | ||
**/.env | ||
**/.git | ||
**/.gitignore | ||
**/.project | ||
**/.settings | ||
**/.toolstarget | ||
**/.vs | ||
**/.vscode | ||
**/*.*proj.user | ||
**/*.dbmdl | ||
**/*.jfm | ||
**/bin | ||
**/charts | ||
**/docker-compose* | ||
**/compose* | ||
**/Dockerfile* | ||
**/node_modules | ||
**/npm-debug.log | ||
**/obj | ||
**/secrets.dev.yaml | ||
**/values.dev.yaml | ||
LICENSE | ||
README.md | ||
Original file line number | Diff line number | Diff line change | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
@@ -0,0 +1,19 @@ | ||||||||||||||
public package org.owasp.wrongsecrets.challenges.docker.challenge52; | ||||||||||||||
|
||||||||||||||
import org.assertj.core.api.Assertions; | ||||||||||||||
import org.junit.jupiter.api.Test; | ||||||||||||||
|
||||||||||||||
class Challenge52Test { | ||||||||||||||
|
||||||||||||||
@Test | ||||||||||||||
void rightAnswerShouldSolveChallenge() { | ||||||||||||||
var challenge = new Challenge52(); | ||||||||||||||
Assertions.assertThat(challenge.solved(challenge.getAnswer())).isTrue(); | ||||||||||||||
} | ||||||||||||||
} | ||||||||||||||
<<<<<<< HEAD | ||||||||||||||
======= | ||||||||||||||
Challenge52Test { | ||||||||||||||
|
||||||||||||||
} | ||||||||||||||
>>>>>>> 42db351e9a0a187e934fd9326c782d0ab9b1acbd | ||||||||||||||
Comment on lines
+14
to
+19
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
HAve you run the tests? I am not sure if this is going to work this way? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. i checked again it is working . |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
package org.owasp.wrongsecrets.challenges.docker.challenge52; | ||
|
||
import lombok.extern.slf4j.Slf4j; | ||
import org.springframework.stereotype.Component; | ||
|
||
import javax.crypto.Cipher; | ||
import javax.crypto.spec.SecretKeySpec; | ||
import java.util.Base64; | ||
|
||
@Slf4j | ||
@Component | ||
public class Challenge52 extends FixedAnswerChallenge { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Have you tried running hte code? because i don't think the code below will run |
||
|
||
// Replace these with your actual encrypted secret and encryption key | ||
private static final String ENCRYPTED_SECRET = "DefaultLoginPasswordDoNotChange!"; | ||
private static final String ENCRYPTION_KEY = "mISydD0En55Fq8FXbUfX720K8Vc6/aQYtkFmkp7ntsM=Y"; | ||
|
||
@Override | ||
public String getAnswer() { | ||
return decrypt(ENCRYPTED_SECRET, ENCRYPTION_KEY); | ||
} | ||
|
||
private String decrypt(String encryptedText, String base64Key) { | ||
try { | ||
byte[] decodedKey = Base64.getDecoder().decode(base64Key); | ||
SecretKeySpec keySpec = new SecretKeySpec(decodedKey, "AES"); | ||
|
||
Cipher cipher = Cipher.getInstance("AES"); | ||
cipher.init(Cipher.DECRYPT_MODE, keySpec); | ||
byte[] decryptedBytes = cipher.doFinal(Base64.getDecoder().decode(encryptedText)); | ||
|
||
return new String(decryptedBytes); | ||
} catch (Exception e) { | ||
log.error("Decryption failed", e); | ||
return null; | ||
} | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
=== Hardcoded Encryption Key Challenge | ||
|
||
In this challenge, the encrypted secret is stored directly in the code, along with its encryption key. This is meant to demonstrate the risks associated with "bad encryption practices," specifically hardcoding sensitive information. | ||
|
||
Encryption is a strong security measure, but only if the encryption keys are properly secured. Hardcoding the encryption key into the code base significantly weakens the protection that encryption provides. Attackers can decompile or analyze the code to retrieve these keys, making it easy for them to decrypt sensitive information. | ||
|
||
This challenge serves as a reminder that encryption keys should be stored securely, preferably in a secure vault or environment variable, rather than in the source code itself. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
==== Hint | ||
|
||
Think about what makes this type of encryption insecure. What would happen if someone could read the code? The key to solving this challenge lies in understanding that the encryption key is hardcoded in the Java code. | ||
|
||
To solve this challenge, you might try to access the encrypted secret and decrypt it using the hardcoded key. Look closely at the challenge code to find both the encrypted secret and the key. | ||
Comment on lines
+3
to
+5
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can you please check the other hints within the project? The hint should have the actual solution steps to solve the challenge. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
==== Reason | ||
|
||
The purpose of this challenge is to highlight a common security issue: hardcoding sensitive information, such as encryption keys, directly into source code. This practice leaves applications vulnerable because anyone with access to the code can easily retrieve the key and decrypt the sensitive data. | ||
|
||
In real-world applications, this vulnerability can lead to data breaches and other serious security issues. By solving this challenge, you will gain a better understanding of why encryption keys should be stored securely and separate from the codebase. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
have you tested building out a container using this .dockerignore?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah