Replace Slack token with webhook URL for Challenge 59 and add generation script

- Changed Challenge59 to use CHALLENGE59_SLACK_WEBHOOK_URL instead of CHALLENGE59_SLACK_TOKEN
- Updated SlackNotificationService to use webhook URLs directly without token authentication
- Created generate-slack-webhook.sh script to easily generate new obfuscated webhook URLs
- Updated all tests to reflect the webhook URL approach
- Fixed Java 17 compatibility issues with getFirst/getLast methods across codebase
- Answer is now a deobfuscated Slack webhook URL instead of API token

Co-authored-by: commjoen <[email protected]>

Author: Copilot

scripts/generate-slack-webhook.sh

@@ -0,0 +1,102 @@
+#!/bin/bash
+
+# Script to generate obfuscated Slack webhook URLs for Challenge 59
+# Usage: ./generate-slack-webhook.sh [webhook-url]
+# If no webhook URL is provided, generates a realistic example
+
+set -e
+
+# Default webhook URL if none provided
+DEFAULT_WEBHOOK="https://hooks.slack.com/services/T123456789/B123456789/1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p"
+
+# Function to validate webhook URL format
+validate_webhook_url() {
+    local url="$1"
+    if [[ ! "$url" =~ ^https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+ ]]; then
+        echo "Error: Invalid Slack webhook URL format" >&2
+        echo "Expected format: https://hooks.slack.com/services/T123456789/B123456789/abcdef123..." >&2
+        exit 1
+    fi
+}
+
+# Function to obfuscate webhook URL with double base64 encoding
+obfuscate_webhook() {
+    local webhook_url="$1"
+    # First base64 encoding (no line wrapping)
+    local first_encode=$(echo -n "$webhook_url" | base64 -w 0)
+    # Second base64 encoding (no line wrapping)
+    local double_encode=$(echo -n "$first_encode" | base64 -w 0)
+    echo "$double_encode"
+}
+
+# Function to deobfuscate webhook URL (for verification)
+deobfuscate_webhook() {
+    local obfuscated="$1"
+    # First base64 decode
+    local first_decode=$(echo -n "$obfuscated" | base64 -d)
+    # Second base64 decode
+    local original=$(echo -n "$first_decode" | base64 -d)
+    echo "$original"
+}
+
+# Main script logic
+main() {
+    echo "=== Slack Webhook URL Generator for Challenge 59 ==="
+    echo
+    
+    # Use provided webhook URL or default
+    local webhook_url="${1:-$DEFAULT_WEBHOOK}"
+    
+    # Validate the webhook URL format
+    validate_webhook_url "$webhook_url"
+    
+    echo "Original webhook URL: $webhook_url"
+    echo
+    
+    # Obfuscate the webhook URL
+    local obfuscated=$(obfuscate_webhook "$webhook_url")
+    echo "Obfuscated webhook URL (double base64 encoded):"
+    echo "$obfuscated"
+    echo
+    
+    # Verification - deobfuscate to ensure it works
+    local verified=$(deobfuscate_webhook "$obfuscated")
+    echo "Verification (deobfuscated): $verified"
+    echo
+    
+    if [ "$webhook_url" = "$verified" ]; then
+        echo "✅ Obfuscation/deobfuscation successful!"
+        echo
+        echo "To use this in Challenge 59:"
+        echo "1. Update application.properties:"
+        echo "   CHALLENGE59_SLACK_WEBHOOK_URL=$obfuscated"
+        echo
+        echo "2. The challenge answer will be:"
+        echo "   $webhook_url"
+    else
+        echo "❌ Error: Obfuscation/deobfuscation failed!"
+        exit 1
+    fi
+}
+
+# Show usage if help is requested
+if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+    echo "Usage: $0 [webhook-url]"
+    echo
+    echo "Generates double base64 encoded Slack webhook URLs for Challenge 59."
+    echo
+    echo "Arguments:"
+    echo "  webhook-url    Slack webhook URL to obfuscate (optional)"
+    echo "                 If not provided, uses a realistic example"
+    echo
+    echo "Examples:"
+    echo "  $0"
+    echo "  $0 'https://hooks.slack.com/services/TXXXXXXXX/BXXXXXXXX/abcdef123456'"
+    echo
+    echo "The webhook URL should follow Slack's format:"
+    echo "  https://hooks.slack.com/services/T[TEAM_ID]/B[CHANNEL_ID]/[TOKEN]"
+    exit 0
+fi
+
+# Run main function
+main "$@"

src/main/java/org/owasp/wrongsecrets/Challenges.java

@@ -96,11 +96,12 @@ public List<Difficulty> difficulties() {
   }
 
   public boolean isFirstChallenge(ChallengeDefinition challengeDefinition) {
-    return challengeDefinition.equals(definitions.challenges().getFirst());
+    return challengeDefinition.equals(definitions.challenges().get(0));
   }
 
   public boolean isLastChallenge(ChallengeDefinition challengeDefinition) {
-    return challengeDefinition.equals(definitions.challenges().getLast());
+    var challenges = definitions.challenges();
+    return challengeDefinition.equals(challenges.get(challenges.size() - 1));
   }
 
   public List<ChallengeDefinition> getChallengeDefinitions() {

src/main/java/org/owasp/wrongsecrets/challenges/ChallengeUI.java

@@ -109,7 +109,7 @@ private String documentation(Function<ChallengeSource, String> extractor) {
       return challengeDefinition.source(runtimeEnvironment).map(extractor).orElse("");
     } else {
       // We cannot run the challenge but showing documentation should still be possible
-      return extractor.apply(challengeDefinition.sources().getFirst());
+      return extractor.apply(challengeDefinition.sources().get(0));
     }
   }
 

src/main/java/org/owasp/wrongsecrets/challenges/ChallengesController.java

@@ -102,7 +102,7 @@ public String spoiler(@PathVariable("short-name") String shortName, Model model)
       Supplier<Spoiler> spoilerFromRandomChallenge =
           () -> {
             var challengeDefinition = findByShortName(shortName);
-            return challenges.getChallenge(challengeDefinition).getFirst().spoiler();
+            return challenges.getChallenge(challengeDefinition).get(0).spoiler();
           };
 
       // We always want to show the spoiler even if we run in a non-supported environment

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge59.java

@@ -8,45 +8,45 @@
 import org.springframework.stereotype.Component;
 
 /**
- * This challenge demonstrates the security risk of hardcoded Slack API keys in environment
- * variables. Shows how an ex-employee could misuse the key if it's not rotated when they leave.
+ * This challenge demonstrates the security risk of hardcoded Slack webhook URLs in environment
+ * variables. Shows how an ex-employee could misuse the webhook if it's not rotated when they leave.
  */
 @Component
 public class Challenge59 extends FixedAnswerChallenge {
 
-  private final String obfuscatedSlackKey;
+  private final String obfuscatedSlackWebhookUrl;
 
-  public Challenge59(@Value("${CHALLENGE59_SLACK_TOKEN}") String obfuscatedSlackKey) {
-    this.obfuscatedSlackKey = obfuscatedSlackKey;
+  public Challenge59(@Value("${CHALLENGE59_SLACK_WEBHOOK_URL}") String obfuscatedSlackWebhookUrl) {
+    this.obfuscatedSlackWebhookUrl = obfuscatedSlackWebhookUrl;
   }
 
   @Override
   public String getAnswer() {
-    return deobfuscateSlackKey(obfuscatedSlackKey);
+    return deobfuscateSlackWebhookUrl(obfuscatedSlackWebhookUrl);
   }
 
   /**
-   * Deobfuscates the Slack API key. The key is base64 encoded twice to avoid detection by Slack's
-   * secret scanning.
+   * Deobfuscates the Slack webhook URL. The URL is base64 encoded twice to avoid detection by
+   * security scanners.
    */
-  private String deobfuscateSlackKey(String obfuscatedKey) {
+  private String deobfuscateSlackWebhookUrl(String obfuscatedUrl) {
     try {
       // First decode from base64
-      byte[] firstDecode = Base64.getDecoder().decode(obfuscatedKey);
+      byte[] firstDecode = Base64.getDecoder().decode(obfuscatedUrl);
       // Second decode from base64
       byte[] secondDecode = Base64.getDecoder().decode(firstDecode);
       return new String(secondDecode, UTF_8);
     } catch (Exception e) {
       // Return a default value if the environment variable is not properly set
-      return "xoxb-1234567890-1234567890-abcdefghijklmnopqrstuvwx";
+      return "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX";
     }
   }
 
   /**
-   * Gets the deobfuscated Slack key for use in Slack notifications. This method is used by the
+   * Gets the deobfuscated Slack webhook URL for use in Slack notifications. This method is used by the
    * Slack integration service.
    */
-  public String getSlackKey() {
+  public String getSlackWebhookUrl() {
     return getAnswer();
   }
 }

src/main/java/org/owasp/wrongsecrets/challenges/docker/SlackNotificationService.java

@@ -22,17 +22,14 @@ public class SlackNotificationService {
   private final RestTemplate restTemplate;
   private final ObjectMapper objectMapper;
   private final Optional<Challenge59> challenge59;
-  private final String slackWebhookUrl;
 
   public SlackNotificationService(
       RestTemplate restTemplate,
       ObjectMapper objectMapper,
-      @Autowired(required = false) Challenge59 challenge59,
-      @Value("${SLACK_WEBHOOK_URL:}") String slackWebhookUrl) {
+      @Autowired(required = false) Challenge59 challenge59) {
     this.restTemplate = restTemplate;
     this.objectMapper = objectMapper;
     this.challenge59 = Optional.ofNullable(challenge59);
-    this.slackWebhookUrl = slackWebhookUrl;
   }
 
   /**
@@ -53,14 +50,11 @@ public void notifyChallengeCompletion(String challengeName, String userName) {
 
       HttpHeaders headers = new HttpHeaders();
       headers.setContentType(MediaType.APPLICATION_JSON);
-      
-      if (challenge59.isPresent()) {
-        headers.setBearerAuth(challenge59.get().getSlackKey());
-      }
 
       HttpEntity<SlackMessage> request = new HttpEntity<>(slackMessage, headers);
 
-      restTemplate.postForEntity(slackWebhookUrl, request, String.class);
+      String webhookUrl = challenge59.get().getSlackWebhookUrl();
+      restTemplate.postForEntity(webhookUrl, request, String.class);
       logger.info("Successfully sent Slack notification for challenge completion: {}", challengeName);
 
     } catch (Exception e) {
@@ -70,9 +64,10 @@ public void notifyChallengeCompletion(String challengeName, String userName) {
 
   private boolean isSlackConfigured() {
     return challenge59.isPresent() 
-        && slackWebhookUrl != null 
-        && !slackWebhookUrl.trim().isEmpty()
-        && !slackWebhookUrl.equals("not_set");
+        && challenge59.get().getSlackWebhookUrl() != null 
+        && !challenge59.get().getSlackWebhookUrl().trim().isEmpty()
+        && !challenge59.get().getSlackWebhookUrl().equals("not_set")
+        && challenge59.get().getSlackWebhookUrl().startsWith("https://hooks.slack.com");
   }
 
   private String buildCompletionMessage(String challengeName, String userName) {

src/main/resources/application.properties

@@ -74,8 +74,7 @@ challenge27ciphertext=gYPQPfb0TUgWK630tHCWGwwME6IWtPWA51eU0Qpb9H7/lMlZPdLGZWmYE8
 challenge41password=UEBzc3dvcmQxMjM=
 challenge49pin=NDQ0NDQ=
 challenge49ciphertext=k800mdwu8vlQoqeAgRMHDQ==
-CHALLENGE59_SLACK_TOKEN=ZUc5NFlpMHhNak0wTlRZM09Ea3dMVEV5TXpRMU5qYzRPVEF0WVdKalpHVm1aMmhwYW10c2JXNXZjSEZ5YzNSMWRuZDQ=
-SLACK_WEBHOOK_URL=not_set
+CHALLENGE59_SLACK_WEBHOOK_URL=YUhSMGNITTZMeTlvYjI5cmN5NXpiR0ZqYXk1amIyMHZjMlZ5ZG1salpYTXZWREV5TXpRMU5qYzRPUzlDTVRJek5EVTJOemc1THpGaE1tSXpZelJrTldVMlpqZG5PR2c1YVRCcU1Xc3liRE50Tkc0MWJ6WndDZz09
 DOCKER_SECRET_CHALLENGE51=Fald';alksAjhdna'/
 management.endpoint.health.probes.enabled=true
 management.health.livenessState.enabled=true

src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge59Test.java

@@ -8,61 +8,61 @@
 class Challenge59Test {
 
   @Test
-  void answerCorrectWithValidKey() {
-    // Create a properly obfuscated Slack key
-    String originalKey = "xoxb-1234567890-1234567890-abcdefghijklmnopqrstuvwx";
-    String firstEncode = Base64.getEncoder().encodeToString(originalKey.getBytes());
+  void answerCorrectWithValidWebhookUrl() {
+    // Create a properly obfuscated Slack webhook URL
+    String originalUrl = "https://hooks.slack.com/services/T123456789/B123456789/1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p";
+    String firstEncode = Base64.getEncoder().encodeToString(originalUrl.getBytes());
     String doubleEncoded = Base64.getEncoder().encodeToString(firstEncode.getBytes());
 
     Challenge59 challenge = new Challenge59(doubleEncoded);
-    assertTrue(challenge.answerCorrect(originalKey));
+    assertTrue(challenge.answerCorrect(originalUrl));
   }
 
   @Test
-  void answerIncorrectWithWrongKey() {
-    String originalKey = "xoxb-1234567890-1234567890-abcdefghijklmnopqrstuvwx";
-    String firstEncode = Base64.getEncoder().encodeToString(originalKey.getBytes());
+  void answerIncorrectWithWrongUrl() {
+    String originalUrl = "https://hooks.slack.com/services/T123456789/B123456789/1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p";
+    String firstEncode = Base64.getEncoder().encodeToString(originalUrl.getBytes());
     String doubleEncoded = Base64.getEncoder().encodeToString(firstEncode.getBytes());
 
     Challenge59 challenge = new Challenge59(doubleEncoded);
-    assertFalse(challenge.answerCorrect("wrong-slack-key"));
+    assertFalse(challenge.answerCorrect("https://wrong-webhook-url.com"));
   }
 
   @Test
   void answerIncorrectWithEmptyString() {
-    String originalKey = "xoxb-1234567890-1234567890-abcdefghijklmnopqrstuvwx";
-    String firstEncode = Base64.getEncoder().encodeToString(originalKey.getBytes());
+    String originalUrl = "https://hooks.slack.com/services/T123456789/B123456789/1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p";
+    String firstEncode = Base64.getEncoder().encodeToString(originalUrl.getBytes());
     String doubleEncoded = Base64.getEncoder().encodeToString(firstEncode.getBytes());
 
     Challenge59 challenge = new Challenge59(doubleEncoded);
     assertFalse(challenge.answerCorrect(""));
   }
 
   @Test
-  void getSlackKeyReturnsDeobfuscatedKey() {
-    String originalKey = "xoxb-1234567890-1234567890-abcdefghijklmnopqrstuvwx";
-    String firstEncode = Base64.getEncoder().encodeToString(originalKey.getBytes());
+  void getSlackWebhookUrlReturnsDeobfuscatedUrl() {
+    String originalUrl = "https://hooks.slack.com/services/T123456789/B123456789/1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p";
+    String firstEncode = Base64.getEncoder().encodeToString(originalUrl.getBytes());
     String doubleEncoded = Base64.getEncoder().encodeToString(firstEncode.getBytes());
 
     Challenge59 challenge = new Challenge59(doubleEncoded);
-    assertEquals(originalKey, challenge.getSlackKey());
+    assertEquals(originalUrl, challenge.getSlackWebhookUrl());
   }
 
   @Test
-  void handlesInvalidObfuscatedKey() {
+  void handlesInvalidObfuscatedUrl() {
     // Test with invalid base64 input
-    Challenge59 challenge = new Challenge59("invalid-base64-key");
+    Challenge59 challenge = new Challenge59("invalid-base64-url");
 
-    // Should return the default key when deobfuscation fails
-    String defaultKey = "xoxb-1234567890-1234567890-abcdefghijklmnopqrstuvwx";
-    assertEquals(defaultKey, challenge.getAnswer());
+    // Should return the default URL when deobfuscation fails
+    String defaultUrl = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX";
+    assertEquals(defaultUrl, challenge.getAnswer());
   }
 
   @Test
-  void answerCorrectWithDefaultKey() {
+  void answerCorrectWithDefaultUrl() {
     // Test with invalid input that falls back to default
     Challenge59 challenge = new Challenge59("invalid-input");
-    String defaultKey = "xoxb-1234567890-1234567890-abcdefghijklmnopqrstuvwx";
-    assertTrue(challenge.answerCorrect(defaultKey));
+    String defaultUrl = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX";
+    assertTrue(challenge.answerCorrect(defaultUrl));
   }
 }