Challenge52_#297_Issue #1750
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| **/.classpath | ||
| **/.dockerignore | ||
| **/.env | ||
| **/.git | ||
| **/.gitignore | ||
| **/.project | ||
| **/.settings | ||
| **/.toolstarget | ||
| **/.vs | ||
| **/.vscode | ||
| **/*.*proj.user | ||
| **/*.dbmdl | ||
| **/*.jfm | ||
| **/bin | ||
| **/charts | ||
| **/docker-compose* | ||
| **/compose* | ||
| **/Dockerfile* | ||
| **/node_modules | ||
| **/npm-debug.log | ||
| **/obj | ||
| **/secrets.dev.yaml | ||
| **/values.dev.yaml | ||
| LICENSE | ||
| README.md | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,19 @@ | ||||||||||||||
| public package org.owasp.wrongsecrets.challenges.docker.challenge52; | ||||||||||||||
|
|
||||||||||||||
| import org.assertj.core.api.Assertions; | ||||||||||||||
| import org.junit.jupiter.api.Test; | ||||||||||||||
|
|
||||||||||||||
| class Challenge52Test { | ||||||||||||||
|
|
||||||||||||||
| @Test | ||||||||||||||
| void rightAnswerShouldSolveChallenge() { | ||||||||||||||
| var challenge = new Challenge52(); | ||||||||||||||
| Assertions.assertThat(challenge.solved(challenge.getAnswer())).isTrue(); | ||||||||||||||
| } | ||||||||||||||
| } | ||||||||||||||
| <<<<<<< HEAD | ||||||||||||||
| ======= | ||||||||||||||
| Challenge52Test { | ||||||||||||||
|
|
||||||||||||||
| } | ||||||||||||||
| >>>>>>> 42db351e9a0a187e934fd9326c782d0ab9b1acbd | ||||||||||||||
|
Comment on lines
+14
to
+19
There was a problem hiding this comment.
Suggested change
HAve you run the tests? I am not sure if this is going to work this way? There was a problem hiding this comment. i checked again it is working . |
||||||||||||||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| package org.owasp.wrongsecrets.challenges.docker.challenge52; | ||
|
|
||
| import lombok.extern.slf4j.Slf4j; | ||
| import org.springframework.stereotype.Component; | ||
|
|
||
| import javax.crypto.Cipher; | ||
| import javax.crypto.spec.SecretKeySpec; | ||
| import java.util.Base64; | ||
|
|
||
| @Slf4j | ||
| @Component | ||
| public class Challenge52 extends FixedAnswerChallenge { | ||
|
There was a problem hiding this comment. Have you tried running hte code? because i don't think the code below will run |
||
|
|
||
| // Replace these with your actual encrypted secret and encryption key | ||
| private static final String ENCRYPTED_SECRET = "DefaultLoginPasswordDoNotChange!"; | ||
| private static final String ENCRYPTION_KEY = "mISydD0En55Fq8FXbUfX720K8Vc6/aQYtkFmkp7ntsM=Y"; | ||
|
|
||
| @Override | ||
| public String getAnswer() { | ||
| return decrypt(ENCRYPTED_SECRET, ENCRYPTION_KEY); | ||
| } | ||
|
|
||
| private String decrypt(String encryptedText, String base64Key) { | ||
| try { | ||
| byte[] decodedKey = Base64.getDecoder().decode(base64Key); | ||
| SecretKeySpec keySpec = new SecretKeySpec(decodedKey, "AES"); | ||
|
|
||
| Cipher cipher = Cipher.getInstance("AES"); | ||
| cipher.init(Cipher.DECRYPT_MODE, keySpec); | ||
| byte[] decryptedBytes = cipher.doFinal(Base64.getDecoder().decode(encryptedText)); | ||
|
|
||
| return new String(decryptedBytes); | ||
| } catch (Exception e) { | ||
| log.error("Decryption failed", e); | ||
| return null; | ||
| } | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| === Hardcoded Encryption Key Challenge | ||
|
|
||
| In this challenge, the encrypted secret is stored directly in the code, along with its encryption key. This is meant to demonstrate the risks associated with "bad encryption practices," specifically hardcoding sensitive information. | ||
|
|
||
| Encryption is a strong security measure, but only if the encryption keys are properly secured. Hardcoding the encryption key into the code base significantly weakens the protection that encryption provides. Attackers can decompile or analyze the code to retrieve these keys, making it easy for them to decrypt sensitive information. | ||
|
|
||
| This challenge serves as a reminder that encryption keys should be stored securely, preferably in a secure vault or environment variable, rather than in the source code itself. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| ==== Hint | ||
|
|
||
| Think about what makes this type of encryption insecure. What would happen if someone could read the code? The key to solving this challenge lies in understanding that the encryption key is hardcoded in the Java code. | ||
|
|
||
| To solve this challenge, you might try to access the encrypted secret and decrypt it using the hardcoded key. Look closely at the challenge code to find both the encrypted secret and the key. | ||
|
Comment on lines
+3
to
+5
There was a problem hiding this comment. Can you please check the other hints within the project? The hint should have the actual solution steps to solve the challenge. |
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| ==== Reason | ||
|
|
||
| The purpose of this challenge is to highlight a common security issue: hardcoding sensitive information, such as encryption keys, directly into source code. This practice leaves applications vulnerable because anyone with access to the code can easily retrieve the key and decrypt the sensitive data. | ||
|
|
||
| In real-world applications, this vulnerability can lead to data breaches and other serious security issues. By solving this challenge, you will gain a better understanding of why encryption keys should be stored securely and separate from the codebase. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
have you tested building out a container using this .dockerignore?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah