diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 000000000..3dbbcf3e7 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,25 @@ +**/.classpath +**/.dockerignore +**/.env +**/.git +**/.gitignore +**/.project +**/.settings +**/.toolstarget +**/.vs +**/.vscode +**/*.*proj.user +**/*.dbmdl +**/*.jfm +**/bin +**/charts +**/docker-compose* +**/compose* +**/Dockerfile* +**/node_modules +**/npm-debug.log +**/obj +**/secrets.dev.yaml +**/values.dev.yaml +LICENSE +README.md diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java new file mode 100644 index 000000000..ae9a0a629 --- /dev/null +++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java @@ -0,0 +1,19 @@ +public package org.owasp.wrongsecrets.challenges.docker.challenge52; + +import org.assertj.core.api.Assertions; +import org.junit.jupiter.api.Test; + +class Challenge52Test { + + @Test + void rightAnswerShouldSolveChallenge() { + var challenge = new Challenge52(); + Assertions.assertThat(challenge.solved(challenge.getAnswer())).isTrue(); + } +} +<<<<<<< HEAD +======= + Challenge52Test { + +} +>>>>>>> 42db351e9a0a187e934fd9326c782d0ab9b1acbd diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java new file mode 100644 index 000000000..040a0d685 --- /dev/null +++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java @@ -0,0 +1,38 @@ +package org.owasp.wrongsecrets.challenges.docker.challenge52; + +import lombok.extern.slf4j.Slf4j; +import org.springframework.stereotype.Component; + +import javax.crypto.Cipher; +import javax.crypto.spec.SecretKeySpec; +import java.util.Base64; + +@Slf4j +@Component +public class Challenge52 extends FixedAnswerChallenge { + + // Replace these with your actual encrypted secret and encryption key + private static final String ENCRYPTED_SECRET = "DefaultLoginPasswordDoNotChange!"; + private static final String ENCRYPTION_KEY = "mISydD0En55Fq8FXbUfX720K8Vc6/aQYtkFmkp7ntsM=Y"; + + @Override + public String getAnswer() { + return decrypt(ENCRYPTED_SECRET, ENCRYPTION_KEY); + } + + private String decrypt(String encryptedText, String base64Key) { + try { + byte[] decodedKey = Base64.getDecoder().decode(base64Key); + SecretKeySpec keySpec = new SecretKeySpec(decodedKey, "AES"); + + Cipher cipher = Cipher.getInstance("AES"); + cipher.init(Cipher.DECRYPT_MODE, keySpec); + byte[] decryptedBytes = cipher.doFinal(Base64.getDecoder().decode(encryptedText)); + + return new String(decryptedBytes); + } catch (Exception e) { + log.error("Decryption failed", e); + return null; + } + } +} diff --git a/src/main/resources/explanations/challenge52.adoc b/src/main/resources/explanations/challenge52.adoc new file mode 100644 index 000000000..eb6d61185 --- /dev/null +++ b/src/main/resources/explanations/challenge52.adoc @@ -0,0 +1,7 @@ +=== Hardcoded Encryption Key Challenge + +In this challenge, the encrypted secret is stored directly in the code, along with its encryption key. This is meant to demonstrate the risks associated with "bad encryption practices," specifically hardcoding sensitive information. + +Encryption is a strong security measure, but only if the encryption keys are properly secured. Hardcoding the encryption key into the code base significantly weakens the protection that encryption provides. Attackers can decompile or analyze the code to retrieve these keys, making it easy for them to decrypt sensitive information. + +This challenge serves as a reminder that encryption keys should be stored securely, preferably in a secure vault or environment variable, rather than in the source code itself. diff --git a/src/main/resources/explanations/challenge52_hint.adoc b/src/main/resources/explanations/challenge52_hint.adoc new file mode 100644 index 000000000..0745c06fe --- /dev/null +++ b/src/main/resources/explanations/challenge52_hint.adoc @@ -0,0 +1,5 @@ +==== Hint + +Think about what makes this type of encryption insecure. What would happen if someone could read the code? The key to solving this challenge lies in understanding that the encryption key is hardcoded in the Java code. + +To solve this challenge, you might try to access the encrypted secret and decrypt it using the hardcoded key. Look closely at the challenge code to find both the encrypted secret and the key. diff --git a/src/main/resources/explanations/challenge52_reason.adoc b/src/main/resources/explanations/challenge52_reason.adoc new file mode 100644 index 000000000..45c797585 --- /dev/null +++ b/src/main/resources/explanations/challenge52_reason.adoc @@ -0,0 +1,5 @@ +==== Reason + +The purpose of this challenge is to highlight a common security issue: hardcoding sensitive information, such as encryption keys, directly into source code. This practice leaves applications vulnerable because anyone with access to the code can easily retrieve the key and decrypt the sensitive data. + +In real-world applications, this vulnerability can lead to data breaches and other serious security issues. By solving this challenge, you will gain a better understanding of why encryption keys should be stored securely and separate from the codebase. diff --git a/src/main/resources/wrong-secrets-configuration.yaml b/src/main/resources/wrong-secrets-configuration.yaml index 0ce362d60..672e94ff7 100644 --- a/src/main/resources/wrong-secrets-configuration.yaml +++ b/src/main/resources/wrong-secrets-configuration.yaml @@ -814,3 +814,16 @@ configurations: category: *secrets ctf: enabled: true + + - name: Challenge 52 + short-name: "challenge-52" + sources: + - class-name: "org.owasp.wrongsecrets.challenges.docker.Challenge50" + explanation: "explanations/challenge52.adoc" + hint: "explanations/challenge52_hint.adoc" + reason: "explanations/challenge52_reason.adoc" + environments: *docker_envs + difficulty: *medium + category: *secrets + ctf: + enabled: true