-
-
Notifications
You must be signed in to change notification settings - Fork 381
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #938 from OWASP/feature-reporting-challenge
Add experimental key
- Loading branch information
Showing
6 changed files
with
166 additions
and
20 deletions.
There are no files selected for viewing
104 changes: 104 additions & 0 deletions
104
src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| package org.owasp.wrongsecrets.challenges.docker; | ||
|
|
||
| import java.nio.charset.StandardCharsets; | ||
| import java.security.InvalidAlgorithmParameterException; | ||
| import java.security.InvalidKeyException; | ||
| import java.security.NoSuchAlgorithmException; | ||
| import java.util.List; | ||
| import javax.crypto.BadPaddingException; | ||
| import javax.crypto.Cipher; | ||
| import javax.crypto.IllegalBlockSizeException; | ||
| import javax.crypto.NoSuchPaddingException; | ||
| import javax.crypto.spec.IvParameterSpec; | ||
| import javax.crypto.spec.SecretKeySpec; | ||
| import lombok.extern.slf4j.Slf4j; | ||
| import org.bouncycastle.util.encoders.Base64; | ||
| import org.owasp.wrongsecrets.RuntimeEnvironment; | ||
| import org.owasp.wrongsecrets.ScoreCard; | ||
| import org.owasp.wrongsecrets.challenges.Challenge; | ||
| import org.owasp.wrongsecrets.challenges.ChallengeTechnology; | ||
| import org.owasp.wrongsecrets.challenges.Difficulty; | ||
| import org.owasp.wrongsecrets.challenges.Spoiler; | ||
| import org.springframework.core.annotation.Order; | ||
| import org.springframework.stereotype.Component; | ||
|
|
||
| /** This is a challenge based on the idea of leaking a secret trough a vulnerability report. */ | ||
| @Slf4j | ||
| @Component | ||
| @Order(36) | ||
| public class Challenge35 extends Challenge { | ||
|
|
||
| public Challenge35(ScoreCard scoreCard) { | ||
| super(scoreCard); | ||
| } | ||
|
|
||
| @Override | ||
| public boolean canRunInCTFMode() { | ||
| return true; | ||
| } | ||
|
|
||
| @Override | ||
| public Spoiler spoiler() { | ||
| return new Spoiler(getKey()); | ||
| } | ||
|
|
||
| @Override | ||
| public boolean answerCorrect(String answer) { | ||
| return getKey().equals(answer); | ||
| } | ||
|
|
||
| /** {@inheritDoc} */ | ||
| @Override | ||
| public int difficulty() { | ||
| return Difficulty.EASY; | ||
| } | ||
|
|
||
| /** {@inheritDoc} This is a Documentation type of challenge */ | ||
| @Override | ||
| public String getTech() { | ||
| return ChallengeTechnology.Tech.DOCUMENTATION.id; | ||
| } | ||
|
|
||
| @Override | ||
| public boolean isLimitedWhenOnlineHosted() { | ||
| return false; | ||
| } | ||
|
|
||
| @Override | ||
| public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() { | ||
| return List.of(RuntimeEnvironment.Environment.DOCKER); | ||
| } | ||
|
|
||
| private String getKey() { | ||
| String ciphertext = "zRR77ETjg5GsXv3az1TZU73xiFWYHbVceJBvBbjChxLyMjHkF6kFdwIXIduVBHAT"; | ||
| try { | ||
| return decrypt(ciphertext); | ||
| } catch (Exception e) { | ||
| log.warn("there was an exception with decrypting content in challenge35", e); | ||
| return "error_decryption"; | ||
| } | ||
| } | ||
|
|
||
| @edu.umd.cs.findbugs.annotations.SuppressFBWarnings( | ||
| value = "CIPHER_INTEGRITY", | ||
| justification = | ||
| "The scheme is bad without hmac, but we wanted to make it a bit more fun for you") | ||
| private String decrypt(String ciphertext) | ||
| throws InvalidAlgorithmParameterException, | ||
| InvalidKeyException, | ||
| NoSuchPaddingException, | ||
| NoSuchAlgorithmException, | ||
| IllegalBlockSizeException, | ||
| BadPaddingException { | ||
| IvParameterSpec iv = new IvParameterSpec("1234567890123456".getBytes(StandardCharsets.UTF_8)); | ||
| SecretKeySpec skeySpec = | ||
| new SecretKeySpec( | ||
| "12345678901234561234567890123456".getBytes(StandardCharsets.UTF_8), "AES"); | ||
|
|
||
| Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING"); | ||
| cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv); | ||
| return new String( | ||
| cipher.doFinal(Base64.decode(ciphertext.getBytes(StandardCharsets.UTF_8))), | ||
| StandardCharsets.UTF_8); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| === Reporting on Vulnerabilities | ||
|
|
||
| A security researcher found a Google API key and together with the project leader https://github.com/commjoen[@commjoen] made a GitHub security advisory. The only thing @commjoen did wrong was publish the API key as part of the advisory. Can you spot the key? |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| This is a documentation challenge, which can be solved by going to the Github Advisory. | ||
|
|
||
| 1. Get to the key using the Github security advisory | ||
| - Go to https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[the advisory]. | ||
| - Find the Google API key. | ||
| - Copy it into the answer box. | ||
| 2. Follow the Github security advisory information | ||
| - Go to https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[the advisory]. | ||
| - Find the version that is impacted (1.6.8RC1). | ||
| - Open the tag at https://github.com/OWASP/wrongsecrets/tree/1.6.8RC1[Github]. | ||
| - Find the Google API key in challenge 35. | ||
| - Copy it into the answer box. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| *Why we need to be careful with vulnerability reports* | ||
|
|
||
| When you report a vulnerability or publish a security advisory, always be careful with the information you spread with them. Exact values of found hardcoded secrets, especially those harder to rotate, should not be put into your security report and/or the publication. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
23 changes: 23 additions & 0 deletions
23
src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge35Test.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| package org.owasp.wrongsecrets.challenges.docker; | ||
|
|
||
| import org.assertj.core.api.Assertions; | ||
| import org.junit.jupiter.api.Test; | ||
| import org.mockito.Mock; | ||
| import org.owasp.wrongsecrets.ScoreCard; | ||
|
|
||
| public class Challenge35Test { | ||
| @Mock private ScoreCard scoreCard; | ||
|
|
||
| @Test | ||
| void spoilerShouldGiveAnswer() { | ||
| var challenge = new Challenge35(scoreCard); | ||
| Assertions.assertThat(challenge.spoiler().solution()).isNotEmpty(); | ||
| Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue(); | ||
| } | ||
|
|
||
| @Test | ||
| void incorrectAnswerShouldNotSolveChallenge() { | ||
| var challenge = new Challenge35(scoreCard); | ||
| Assertions.assertThat(challenge.solved("wrong answer")).isFalse(); | ||
| } | ||
| } |