Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Challenge 54 & Challenge55 hidden secrets in gitignore and .ssh #1929

Open
wants to merge 33 commits into
base: master
Choose a base branch
from
Open

Challenge 54 & Challenge55 hidden secrets in gitignore and .ssh #1929

wants to merge 33 commits into from
+230 −0

Conversation

Pastekitoo
Copy link
Contributor

@Pastekitoo Pastekitoo commented Mar 14, 2025
edited
Loading

What kind of changes does this PR include?

  • Fixes or refactors
  • A new challenge
  • Additional documentation
  • Something else

Description

Challenge 54 is about a hidden secret in gitignore and Challenge 55 is about a hidden secret in .ssh.
Both secrets are encrypted and in base64 format to hide them from detection engines.
You can decrypt them with openssl and the passphrase given in the Description of the challenge.
The passphrase has to be available to all users in main page of the challenges.

Relations

Closes #613

Checklist:

  • All the contributions made are solely the work of me and my co-authors
  • I tested the changes in this PR (if applicable)
  • I added unit tests to ensure my change works (when change in Java or on front-end code)
  • I added UI tests to ensure my UI changes work (when change in the overall UI, not needed if just adding a challenge)
  • The PR passes pre-commit hooks and automated tests

Sorry, something went wrong.

@pre-commit-ci-lite
[pre-commit.ci lite] apply automatic fixes
Loading
Loading status checks…
504180b
commjoen
commjoen requested changes Mar 16, 2025
View reviewed changes
Copy link
Collaborator

@commjoen commjoen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love the challenges, can you fix the feedback, the pipeline and maybe add the plain pubkey and privatekwy in the same ssh config conmit by mistake challenge please?

.ssh/config Outdated
User wrongsecrets
Port 4444
# Cha-llen-ge 5-5 (to avoid detection by scanning tools)
# Se-cret en-cry-pted : U2FsdGVkX18Z71msuvueMq5Tyioi7zYt6FJM/z6qJIvXM8q587ZT4ogr49ccs9Mv
Copy link
Collaborator

@commjoen commjoen Mar 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if we make this just an ssh pubkey instead? (Or add a pubkey as another challenge)
Because I have not seen a secret like that in real life: I did see the “why doesn’t it work let’s put both public and private key here”. So let’s make this a “the pub and private key are here by mistake” challenge.

Pastekitoo and others added 3 commits March 16, 2025 23:54
@Pastekitoo @commjoen
Update src/main/resources/wrong-secrets-configuration.yaml
Loading
Loading status checks…
b28fcce 
Co-authored-by: Jeroen Willemsen <jeroenwillemsen2001@gmail.com>
@Pastekitoo @commjoen
Update src/main/resources/wrong-secrets-configuration.yaml
Loading
Loading status checks…
81999ef 
Co-authored-by: Jeroen Willemsen <jeroenwillemsen2001@gmail.com>
@Pastekitoo
Merge branch 'master' into fix/issue613
Loading
Loading status checks…
f0d5429
Pastekitoo and others added 11 commits March 17, 2025 15:00
@Pastekitoo
Rename Challenge55.java to Challenge55Test.java
Loading
Loading status checks…
161eb6f
@Pastekitoo
Update Challenge54Test.java
Loading
Loading status checks…
06a65d1
@Pastekitoo
Update Challenge54Test.java
Loading
Loading status checks…
13408c7
@Pastekitoo
Update Challenge54.java
Loading
Loading status checks…
6a8cb83
@Pastekitoo
Update Challenge54.java
Loading
Loading status checks…
0f0983b
@Pastekitoo
Update Challenge55Test.java
Loading
Loading status checks…
98fed75
@Pastekitoo
Update Challenge55.java
Loading
Loading status checks…
9a764c9
@pre-commit-ci-lite
[pre-commit.ci lite] apply automatic fixes
Loading
Loading status checks…
f03f8d8
@Pastekitoo
Update Challenge55.java
Loading
Loading status checks…
28d0260
@Pastekitoo
Update Challenge55.java
Loading
Loading status checks…
907e35a
@Pastekitoo
Update Challenge55.java
Loading
Loading status checks…
b5ba75a
Pastekitoo and others added 5 commits March 18, 2025 12:56
@Pastekitoo
Update Challenge54.java
Loading
Loading status checks…
fab6156
@Pastekitoo
Update wrong-secrets-configuration.yaml
Loading
Loading status checks…
0e3849e
@Pastekitoo
Merge branch 'OWASP:master' into fix/issue613
Loading
Loading status checks…
3b85c52
add encryption of the input in test
Loading
Loading status checks…
7284ea6
@pre-commit-ci-lite
[pre-commit.ci lite] apply automatic fixes
Loading
Loading status checks…
d654405
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 26, 2025
View reviewed changes
src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge54.java

public static String encryptAES(String input) throws Exception {
SecretKeySpec secretKey = getKeyFromPassphrase(passphrase);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High

Cryptographic algorithm
AES/ECB/PKCS5Padding
Loading
is insecure. ECB mode, as in AES/ECB/NoPadding for example, is vulnerable to replay and other attacks. Consider using GCM instead.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have to use a insecure padding to have an deterministic function. Else, the tests will always fail because we encrypt the user input and compare with the encrypted secret we already have to test if the user give the correct answer.

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge55.java

public static String encryptAES(String input) throws Exception {
SecretKeySpec secretKey = getKeyFromPassphrase(passphrase);
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High

Cryptographic algorithm
AES/ECB/PKCS5Padding
Loading
is insecure. ECB mode, as in AES/ECB/NoPadding for example, is vulnerable to replay and other attacks. Consider using GCM instead.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have to use a insecure padding to have an deterministic function. Else, the tests will always fail because we encrypt the user input and compare with the encrypted secret we already have to test if the user give the correct answer.

@Pastekitoo
Update .gitignore
Loading
Loading status checks…
5d2c90f
@Pastekitoo
Update config
Loading
Loading status checks…
6269a33
@Pastekitoo
Merge branch 'OWASP:master' into fix/issue613
Loading
Loading status checks…
4aa3c17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@commjoen commjoen

@bendehaan bendehaan

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Have a secret in .gitignore /.ssh
2 participants
@Pastekitoo @commjoen