From dad65ac8f6191102392d0e456d915220ca30db51 Mon Sep 17 00:00:00 2001
From: Btourss
Date: Sat, 9 Nov 2024 00:54:08 +0530
Subject: [PATCH 1/4] Challenge52_#297_Issue "Bad Encryption Practices"
To address this issue in the repository for Challenge52, review the code to identify and resolve instances of bad encryption practices. Specifically, the challenge focuses on the use of hardcoded encryption keys and ciphertext within the Java code located in src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52. Ensure that best practices for secure encryption are applied, avoiding hardcoded secrets in the codebase.
---
 .dockerignore | 25 ++++++++++++
 .../docker/challenge52/Challenge52Test.java | 16 ++++++++
 .../docker/challenge52/Chanllenge52.java | 39 +++++++++++++++++++
 .../resources/explanations/challenge52.adoc | 7 ++++
 .../explanations/challenge52_hint.adoc | 5 +++
 .../explanations/challenge52_reason.adoc | 5 +++
 6 files changed, 97 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java
 create mode 100644 src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java
 create mode 100644 src/main/resources/explanations/challenge52.adoc
 create mode 100644 src/main/resources/explanations/challenge52_hint.adoc
 create mode 100644 src/main/resources/explanations/challenge52_reason.adoc
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000000000..3dbbcf3e7
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,25 @@
+**/.classpath
+**/.dockerignore
+**/.env
+**/.git
+**/.gitignore
+**/.project
+**/.settings
+**/.toolstarget
+**/.vs
+**/.vscode
+**/*.*proj.user
+**/*.dbmdl
+**/*.jfm
+**/bin
+**/charts
+**/docker-compose*
+**/compose*
+**/Dockerfile*
+**/node_modules
+**/npm-debug.log
+**/obj
+**/secrets.dev.yaml
+**/values.dev.yaml
+LICENSE
+README.md
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java
new file mode 100644
index 000000000..71309bb66
--- /dev/null
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java
@@ -0,0 +1,16 @@
+public package org.owasp.wrongsecrets.challenges.docker.challenge52;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+class Challenge52Test {
+
+ @Test
+ void rightAnswerShouldSolveChallenge() {
+ var challenge = new Challenge52();
+ Assertions.assertThat(challenge.solved(challenge.getAnswer())).isTrue();
+ }
+}
+ Challenge52Test {
+
+}
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java
new file mode 100644
index 000000000..b6c9e7f90
--- /dev/null
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java
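Review bot: The first added line, `public package org.owasp.wrongsecrets.challenges.docker.challenge52;`, is not valid Java — a package declaration takes no modifier — so this test file does not compile; it should read `package org.owasp.wrongsecrets.challenges.docker.challenge52;`. The trailing fragment ` Challenge52Test {` / blank / `}` after the class's closing brace is a second compile error, which patch 3 in this series removes, but the `public package` line survives the whole series. The file also sits under src/main/java, where JUnit and AssertJ are normally only on the test classpath and the test class would be packaged into the production artifact; placing it under src/test/java in the same package keeps it out of the shipped build.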
@@ -0,0 +1,39 @@
+package org.owasp.wrongsecrets.challenges.docker.challenge52;
+
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge;
+import org.springframework.stereotype.Component;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+import java.util.Base64;
+
+@Slf4j
+@Component
+public class Challenge52 extends FixedAnswerChallenge {
+
+ // Replace these with your actual encrypted secret and encryption key
+ private static final String ENCRYPTED_SECRET = "DefaultLoginPasswordDoNotChange!";
+ private static final String ENCRYPTION_KEY = "mISydD0En55Fq8FXbUfX720K8Vc6/aQYtkFmkp7ntsM=Y";
+
+ @Override
+ public String getAnswer() {
+ return decrypt(ENCRYPTED_SECRET, ENCRYPTION_KEY);
+ }
+
+ private String decrypt(String encryptedText, String base64Key) {
+ try {
+ byte[] decodedKey = Base64.getDecoder().decode(base64Key);
+ SecretKeySpec keySpec = new SecretKeySpec(decodedKey, "AES");
+
+ Cipher cipher = Cipher.getInstance("AES");
+ cipher.init(Cipher.DECRYPT_MODE, keySpec);
+ byte[] decryptedBytes = cipher.doFinal(Base64.getDecoder().decode(encryptedText));
+
+ return new String(decryptedBytes);
+ } catch (Exception e) {
+ log.error("Decryption failed", e);
+ return null;
+ }
+ }
+}
diff --git a/src/main/resources/explanations/challenge52.adoc b/src/main/resources/explanations/challenge52.adoc
new file mode 100644
index 000000000..eb6d61185
--- /dev/null
+++ b/src/main/resources/explanations/challenge52.adoc
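Review bot: `getAnswer()` cannot return the secret as written: `ENCRYPTED_SECRET` holds the plaintext `DefaultLoginPasswordDoNotChange!`, which is not valid Base64 (the `!` alone rejects it), and `ENCRYPTION_KEY` ends in `=Y`, a character after the padding, so `Base64.getDecoder().decode` throws on both, the `catch (Exception e)` branch returns null, and the test's `solved(challenge.getAnswer())` fails. The hardcoded key is the lesson this challenge teaches, but the two constants still have to be a real AES ciphertext and a valid key, both Base64-encoded, for the round-trip to work — the `// Replace these with your actual encrypted secret` comment suggests that step was never done. Separately, the file is named `Chanllenge52.java` while the public class is `Challenge52`, which javac rejects outright. Inside `decrypt`, `Cipher.getInstance("AES")` leaves mode and padding to the provider default (ECB/PKCS5Padding on the JDK's SunJCE), so name the transformation explicitly and carry its IV with the ciphertext, and decode with `new String(decryptedBytes, StandardCharsets.UTF_8)` instead of the platform charset.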
@@ -0,0 +1,7 @@
+=== Hardcoded Encryption Key Challenge
+
+In this challenge, the encrypted secret is stored directly in the code, along with its encryption key. This is meant to demonstrate the risks associated with "bad encryption practices," specifically hardcoding sensitive information.
+
+Encryption is a strong security measure, but only if the encryption keys are properly secured. Hardcoding the encryption key into the code base significantly weakens the protection that encryption provides. Attackers can decompile or analyze the code to retrieve these keys, making it easy for them to decrypt sensitive information.
+
+This challenge serves as a reminder that encryption keys should be stored securely, preferably in a secure vault or environment variable, rather than in the source code itself.
diff --git a/src/main/resources/explanations/challenge52_hint.adoc b/src/main/resources/explanations/challenge52_hint.adoc
new file mode 100644
index 000000000..0745c06fe
--- /dev/null
+++ b/src/main/resources/explanations/challenge52_hint.adoc
@@ -0,0 +1,5 @@
+==== Hint
+
+Think about what makes this type of encryption insecure. What would happen if someone could read the code? The key to solving this challenge lies in understanding that the encryption key is hardcoded in the Java code.
+
+To solve this challenge, you might try to access the encrypted secret and decrypt it using the hardcoded key. Look closely at the challenge code to find both the encrypted secret and the key.
diff --git a/src/main/resources/explanations/challenge52_reason.adoc b/src/main/resources/explanations/challenge52_reason.adoc
new file mode 100644
index 000000000..45c797585
--- /dev/null
+++ b/src/main/resources/explanations/challenge52_reason.adoc
@@ -0,0 +1,5 @@
+==== Reason
+
+The purpose of this challenge is to highlight a common security issue: hardcoding sensitive information, such as encryption keys, directly into source code. This practice leaves applications vulnerable because anyone with access to the code can easily retrieve the key and decrypt the sensitive data.
+
+In real-world applications, this vulnerability can lead to data breaches and other serious security issues. By solving this challenge, you will gain a better understanding of why encryption keys should be stored securely and separate from the codebase.
From da29d97f9637ad6298612487fcd6458abf5c5368 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
Date: Sat, 9 Nov 2024 09:00:40 +0000
Subject: [PATCH 2/4] [pre-commit.ci lite] apply automatic fixes
---
 .../challenges/docker/challenge52/Challenge52Test.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java
index 71309bb66..64d78487b 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java
@@ -12,5 +12,5 @@ void rightAnswerShouldSolveChallenge() {
 }
 }
 Challenge52Test {
-
+
 }
From 8820f79c6a43d96ffc578086a8839eacdfab6261 Mon Sep 17 00:00:00 2001
From: Btourss
Date: Fri, 15 Nov 2024 00:07:11 +0530
Subject: [PATCH 3/4] Challenge 52 some basic changes
---
 .../docker/challenge52/Challenge52Test.java | 3 ---
 .../docker/challenge52/Chanllenge52.java | 1 -
 .../resources/wrong-secrets-configuration.yaml | 14 ++++++++++++++
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java
index 71309bb66..58ee9480a 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Challenge52Test.java
@@ -11,6 +11,3 @@ void rightAnswerShouldSolveChallenge() {
 Assertions.assertThat(challenge.solved(challenge.getAnswer())).isTrue();
 }
 }
- Challenge52Test {
-
-}
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java
index b6c9e7f90..040a0d685 100644
--- a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java
+++ b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge52/Chanllenge52.java
@@ -1,7 +1,6 @@
 package org.owasp.wrongsecrets.challenges.docker.challenge52;
 
 import lombok.extern.slf4j.Slf4j;
-import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge;
 import org.springframework.stereotype.Component;
 
 import javax.crypto.Cipher;
diff --git a/src/main/resources/wrong-secrets-configuration.yaml b/src/main/resources/wrong-secrets-configuration.yaml
index 0ce362d60..b60edec5c 100644
--- a/src/main/resources/wrong-secrets-configuration.yaml
+++ b/src/main/resources/wrong-secrets-configuration.yaml
@@ -814,3 +814,17 @@ configurations:
 category: *secrets
 ctf:
 enabled: true
+
+ - name: Challenge 52
+ short-name: "challenge-52"
+ sources:
+ - class-name: "org.owasp.wrongsecrets.challenges.docker.Challenge50"
+ explanation: "explanations/challenge52.adoc"
+ hint: "explanations/challenge52_hint.adoc"
+ reason: "explanations/challenge52_reason.adoc"
+ environments: *docker_envs
+ difficulty: *medium
+ category: *secrets
+ ctf:
+ enabled: true
+
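Review bot: Dropping `import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge;` breaks compilation of Chanllenge52.java unless the class declaration, which lies outside this hunk, changed with it: in patch 1 that declaration is `public class Challenge52 extends FixedAnswerChallenge {`, and no hunk in this series touches that line. Either keep the import or change the `extends` clause in the same commit so the file builds at every point in the history.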
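Review bot: The new entry's `class-name` is `org.owasp.wrongsecrets.challenges.docker.Challenge50`, which is presumably a different, existing challenge rather than the class this series adds, so the `Challenge 52` configuration would run Challenge 50's code under the wrong name. It should be `class-name: "org.owasp.wrongsecrets.challenges.docker.challenge52.Challenge52"` to match the package and class declared in Chanllenge52.java. The block's indentation cannot be verified from the collapsed patch; since YAML nesting is whitespace-defined it must line up exactly with the sibling entries above, and the trailing blank line patch 4 removes suggests the formatter already had to touch this hunk once.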
From f78ade78ef28822baf842b45aab03f01f6b1917c Mon Sep 17 00:00:00 2001
From: "pre-commit-ci-lite[bot]" <117423508+pre-commit-ci-lite[bot]@users.noreply.github.com>
Date: Sat, 16 Nov 2024 04:11:09 +0000
Subject: [PATCH 4/4] [pre-commit.ci lite] apply automatic fixes
---
 src/main/resources/wrong-secrets-configuration.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/main/resources/wrong-secrets-configuration.yaml b/src/main/resources/wrong-secrets-configuration.yaml
index b60edec5c..672e94ff7 100644
--- a/src/main/resources/wrong-secrets-configuration.yaml
+++ b/src/main/resources/wrong-secrets-configuration.yaml
@@ -827,4 +827,3 @@ configurations:
 category: *secrets
 ctf:
 enabled: true
-