Update Challenge 59 documentation to use webhook URLs instead of tokens and clarify webhook-specific risks

Co-authored-by: commjoen <[email protected]>

Author: Copilot

src/main/resources/explanations/challenge59.adoc

@@ -1,37 +1,40 @@
-=== Find the Slack API Token
+=== Find the Slack Webhook URL
 
-Welcome to this challenge that demonstrates the vulnerability of hardcoded Slack API tokens in environment variables!
+Welcome to this challenge that demonstrates the vulnerability of hardcoded Slack webhook URLs in environment variables!
 
 This challenge simulates a real-world scenario where:
 
-1. **Slack API tokens are stored as environment variables** for application integration
-2. **The tokens are obfuscated** to avoid detection by secret scanning tools
-3. **Employee turnover risk**: When an employee leaves, the token may not be rotated, allowing continued access
+1. **Slack webhook URLs are stored as environment variables** for application notifications
+2. **The URLs are obfuscated** to avoid detection by secret scanning tools
+3. **Employee turnover risk**: When an employee leaves, the webhook may not be rotated, allowing continued access
 
 ==== Your Mission
 
-In this scenario, a developer has stored a Slack API token as an environment variable `CHALLENGE59_SLACK_TOKEN`. The token has been obfuscated using double base64 encoding to bypass Slack's secret scanning detection.
+In this scenario, a developer has stored a Slack webhook URL as an environment variable `CHALLENGE59_SLACK_WEBHOOK_URL`. The URL has been obfuscated using double base64 encoding to bypass Slack's secret scanning detection.
 
 Your task is to:
 
-1. Find the obfuscated Slack API token in the environment variable
-2. Deobfuscate it to reveal the original token
-3. Submit the deobfuscated token as your answer
+1. Find the obfuscated Slack webhook URL in the environment variable
+2. Deobfuscate it to reveal the original URL
+3. Submit the deobfuscated webhook URL as your answer
 
 ==== Real-World Impact
 
-This vulnerability demonstrates why:
+This vulnerability demonstrates the specific risks of exposed Slack webhook URLs:
 
-- Hardcoded secrets in environment variables are risky
-- Obfuscation is not a security measure
-- API tokens should be rotated when employees leave
-- Proper secrets management solutions should be used
+- **Unauthorized message posting**: Attackers can send malicious messages to your Slack channels
+- **Social engineering attacks**: Fake announcements or phishing attempts via trusted channels
+- **Information disclosure**: Sensitive channel names and workspace information revealed
+- **Reputation damage**: Spam or inappropriate content posted under your organization's name
+- **Obfuscation is not security**: Base64 encoding provides no real protection
+- **Webhook persistence**: Unlike tokens, webhooks may remain active for extended periods
 
 ==== Educational Note
 
 In production environments:
 - Use proper secrets management (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)
-- Implement token rotation policies
-- Monitor API token usage
-- Revoke access immediately when employees leave
+- Implement webhook rotation policies when employees leave
+- Monitor webhook usage and establish alerts for unusual activity
+- Revoke and regenerate webhooks immediately when employees leave
 - Never obfuscate secrets as a security measure
+- Consider using webhook signing secrets for additional validation

src/main/resources/explanations/challenge59_hint.adoc

@@ -1,25 +1,26 @@
 === Hint for Challenge 59
 
-Looking for the Slack API token? Here are some hints to get you started:
+Looking for the Slack webhook URL? Here are some hints to get you started:
 
 ==== Where to Look
 
-1. **Environment Variables**: The token is stored in an environment variable called `CHALLENGE59_SLACK_TOKEN`
+1. **Environment Variables**: The webhook URL is stored in an environment variable called `CHALLENGE59_SLACK_WEBHOOK_URL`
 2. **Check the Application**: You can inspect environment variables through the application or container
 
 ==== Deobfuscation Process
 
-The token has been obfuscated using a common technique:
+The webhook URL has been obfuscated using a common technique:
 
-1. **Double Base64 Encoding**: The original token has been base64 encoded twice
+1. **Double Base64 Encoding**: The original URL has been base64 encoded twice
 2. **Process**: Original → Base64 → Base64 again
 3. **To decode**: Reverse the process (decode base64 twice)
 
 ==== What You're Looking For
 
-- Slack API tokens typically start with `xoxb-` for bot tokens
-- They follow the pattern: `xoxb-numbers-numbers-letters`
-- Example format: `xoxb-1234567890-1234567890-abcdefghijklmnopqrstuvwx`
+- Slack webhook URLs follow the pattern: `https://hooks.slack.com/services/...`
+- They contain three path segments after `/services/`
+- Example format: `https://hooks.slack.com/services/T123456789/B123456789/abcdefghijklmnopqrstuvwx`
+- The URL segments represent: Team ID / Channel ID / Secret Token
 
 ==== Tools You Can Use
 
@@ -29,8 +30,9 @@ The token has been obfuscated using a common technique:
 
 ==== Security Learning
 
-This challenge teaches you:
-- How attackers find obfuscated secrets
-- Why obfuscation is not encryption
-- The importance of proper secrets management
-- Risk of hardcoded tokens in environment variables
+This challenge teaches you about webhook-specific risks:
+- How attackers can find obfuscated webhook URLs
+- Why webhook URLs are sensitive credentials that need protection
+- The potential for unauthorized message posting and social engineering
+- Risk of hardcoded webhook URLs in environment variables
+- How exposed webhooks can lead to reputation damage and information disclosure