Merge pull request #938 from OWASP/feature-reporting-challenge

commjoen · web-flow · commit 96ce218686e0 · 2023-08-18T10:42:40.000+02:00
Add experimental key
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge35.java
@@ -0,0 +1,104 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.util.List;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import lombok.extern.slf4j.Slf4j;
+import org.bouncycastle.util.encoders.Base64;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
+import org.owasp.wrongsecrets.challenges.Difficulty;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+/** This is a challenge based on the idea of leaking a secret trough a vulnerability report. */
+@Slf4j
+@Component
+@Order(36)
+public class Challenge35 extends Challenge {
+
+  public Challenge35(ScoreCard scoreCard) {
+    super(scoreCard);
+  }
+
+  @Override
+  public boolean canRunInCTFMode() {
+    return true;
+  }
+
+  @Override
+  public Spoiler spoiler() {
+    return new Spoiler(getKey());
+  }
+
+  @Override
+  public boolean answerCorrect(String answer) {
+    return getKey().equals(answer);
+  }
+
+  /** {@inheritDoc} */
+  @Override
+  public int difficulty() {
+    return Difficulty.EASY;
+  }
+
+  /** {@inheritDoc} This is a Documentation type of challenge */
+  @Override
+  public String getTech() {
+    return ChallengeTechnology.Tech.DOCUMENTATION.id;
+  }
+
+  @Override
+  public boolean isLimitedWhenOnlineHosted() {
+    return false;
+  }
+
+  @Override
+  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+    return List.of(RuntimeEnvironment.Environment.DOCKER);
+  }
+
+  private String getKey() {
+    String ciphertext = "zRR77ETjg5GsXv3az1TZU73xiFWYHbVceJBvBbjChxLyMjHkF6kFdwIXIduVBHAT";
+    try {
+      return decrypt(ciphertext);
+    } catch (Exception e) {
+      log.warn("there was an exception with decrypting content in challenge35", e);
+      return "error_decryption";
+    }
+  }
+
+  @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
+      value = "CIPHER_INTEGRITY",
+      justification =
+          "The scheme is bad without hmac, but we wanted to make it a bit more fun for you")
+  private String decrypt(String ciphertext)
+      throws InvalidAlgorithmParameterException,
+          InvalidKeyException,
+          NoSuchPaddingException,
+          NoSuchAlgorithmException,
+          IllegalBlockSizeException,
+          BadPaddingException {
+    IvParameterSpec iv = new IvParameterSpec("1234567890123456".getBytes(StandardCharsets.UTF_8));
+    SecretKeySpec skeySpec =
+        new SecretKeySpec(
+            "12345678901234561234567890123456".getBytes(StandardCharsets.UTF_8), "AES");
+
+    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
+    cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);
+    return new String(
+        cipher.doFinal(Base64.decode(ciphertext.getBytes(StandardCharsets.UTF_8))),
+        StandardCharsets.UTF_8);
+  }
+}
diff --git a/src/main/resources/explanations/challenge35.adoc b/src/main/resources/explanations/challenge35.adoc
@@ -0,0 +1,3 @@
+=== Reporting on Vulnerabilities
+
+A security researcher found a Google API key and together with the project leader https://github.com/commjoen[@commjoen] made a GitHub security advisory. The only thing @commjoen did wrong was publish the API key as part of the advisory. Can you spot the key?
diff --git a/src/main/resources/explanations/challenge35_hint.adoc b/src/main/resources/explanations/challenge35_hint.adoc
@@ -0,0 +1,13 @@
+This is a documentation challenge, which can be solved by going to the Github Advisory.
+
+1. Get to the key using the Github security advisory
+- Go to https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[the advisory].
+- Find the Google API key.
+- Copy it into the answer box.
+
+2. Follow the Github security advisory information
+- Go to https://github.com/OWASP/wrongsecrets/security/advisories/GHSA-vv4g-7gjw-fvqw[the advisory].
+- Find the version that is impacted (1.6.8RC1).
+- Open the tag at https://github.com/OWASP/wrongsecrets/tree/1.6.8RC1[Github].
+- Find the Google API key in challenge 35.
+- Copy it into the answer box.
diff --git a/src/main/resources/explanations/challenge35_reason.adoc b/src/main/resources/explanations/challenge35_reason.adoc
@@ -0,0 +1,3 @@
+*Why we need to be careful with vulnerability reports*
+
+When you report a vulnerability or publish a security advisory, always be careful with the information you spread with them. Exact values of found hardcoded secrets, especially those harder to rotate, should not be put into your security report and/or the publication.
diff --git a/src/main/resources/templates/about.html b/src/main/resources/templates/about.html
@@ -343,32 +343,32 @@
                         <li>(The Apache Software License, Version 2.0) thymeleaf-extras-springsecurity6 (org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.2.RELEASE - http://www.thymeleaf.org/thymeleaf-lib/thymeleaf-extras-springsecurity6)</li>
                         <li>(Public Domain) XZ for Java (org.tukaani:xz:1.9 - https://tukaani.org/xz/java.html)</li>
                         <li>(The Apache Software License, Version 2.0) unbescape (org.unbescape:unbescape:1.1.6.RELEASE - http://www.unbescape.org)</li>
-                        <li>(Apache License, Version 2.0) Bootstrap (org.webjars:bootstrap:5.3.0 - http://webjars.org)</li>
+                        <li>(Apache License, Version 2.0) Bootstrap (org.webjars:bootstrap:5.3.1 - http://webjars.org)</li>
                         <li>(MIT) DataTables (org.webjars:datatables:1.13.5 - http://webjars.org)</li>
                         <li>(MIT License) jquery (org.webjars:jquery:3.7.0 - http://webjars.org)</li>
                         <li>(Apache 2.0) Swagger UI (org.webjars:swagger-ui:4.18.2 - http://webjars.org)</li>
                         <li>(BSD 2-Clause) github-buttons (org.webjars.npm:github-buttons:2.14.1 - https://www.webjars.org)</li>
                         <li>(Common Public 1.0) pecoff4j (org.whitesource:pecoff4j:0.0.2.1 - https://github.com/whitesource/pecoff4j-maven)</li>
                         <li>(Apache License, Version 2.0) SnakeYAML (org.yaml:snakeyaml:1.33 - https://bitbucket.org/snakeyaml/snakeyaml)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Annotations (software.amazon.awssdk:annotations:2.20.115 - https://aws.amazon.com/sdkforjava/core/annotations)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Apache (software.amazon.awssdk:apache-client:2.20.115 - https://aws.amazon.com/sdkforjava/http-clients/apache-client)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Auth (software.amazon.awssdk:auth:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: AWS Core (software.amazon.awssdk:aws-core:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Json Protocol (software.amazon.awssdk:aws-json-protocol:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Query Protocol (software.amazon.awssdk:aws-query-protocol:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Endpoints SPI (software.amazon.awssdk:endpoints-spi:2.20.115 - https://aws.amazon.com/sdkforjava/core/endpoints-spi)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: HTTP Client Interface (software.amazon.awssdk:http-client-spi:2.20.115 - https://aws.amazon.com/sdkforjava/http-client-spi)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Json Utils (software.amazon.awssdk:json-utils:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Metrics SPI (software.amazon.awssdk:metrics-spi:2.20.115 - https://aws.amazon.com/sdkforjava/core/metrics-spi)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Netty Non-Blocking I/O (software.amazon.awssdk:netty-nio-client:2.20.115 - https://aws.amazon.com/sdkforjava/http-clients/netty-nio-client)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Profiles (software.amazon.awssdk:profiles:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Protocol Core (software.amazon.awssdk:protocol-core:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Regions (software.amazon.awssdk:regions:2.20.115 - https://aws.amazon.com/sdkforjava/core/regions)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: SDK Core (software.amazon.awssdk:sdk-core:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Services :: AWS Simple Systems Management (SSM) (software.amazon.awssdk:ssm:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Services :: AWS STS (software.amazon.awssdk:sts:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Third Party :: Jackson-core (software.amazon.awssdk:third-party-jackson-core:2.20.115 - https://aws.amazon.com/sdkforjava)</li>
-                        <li>(Apache License, Version 2.0) AWS Java SDK :: Utilities (software.amazon.awssdk:utils:2.20.115 - https://aws.amazon.com/sdkforjava/utils)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Annotations (software.amazon.awssdk:annotations:2.20.116 - https://aws.amazon.com/sdkforjava/core/annotations)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Apache (software.amazon.awssdk:apache-client:2.20.116 - https://aws.amazon.com/sdkforjava/http-clients/apache-client)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Auth (software.amazon.awssdk:auth:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: AWS Core (software.amazon.awssdk:aws-core:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Json Protocol (software.amazon.awssdk:aws-json-protocol:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: AWS Query Protocol (software.amazon.awssdk:aws-query-protocol:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Endpoints SPI (software.amazon.awssdk:endpoints-spi:2.20.116 - https://aws.amazon.com/sdkforjava/core/endpoints-spi)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: HTTP Client Interface (software.amazon.awssdk:http-client-spi:2.20.116 - https://aws.amazon.com/sdkforjava/http-client-spi)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Json Utils (software.amazon.awssdk:json-utils:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Metrics SPI (software.amazon.awssdk:metrics-spi:2.20.116 - https://aws.amazon.com/sdkforjava/core/metrics-spi)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: HTTP Clients :: Netty Non-Blocking I/O (software.amazon.awssdk:netty-nio-client:2.20.116 - https://aws.amazon.com/sdkforjava/http-clients/netty-nio-client)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Profiles (software.amazon.awssdk:profiles:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Core :: Protocols :: Protocol Core (software.amazon.awssdk:protocol-core:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Regions (software.amazon.awssdk:regions:2.20.116 - https://aws.amazon.com/sdkforjava/core/regions)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: SDK Core (software.amazon.awssdk:sdk-core:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Services :: AWS Simple Systems Management (SSM) (software.amazon.awssdk:ssm:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Services :: AWS STS (software.amazon.awssdk:sts:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Third Party :: Jackson-core (software.amazon.awssdk:third-party-jackson-core:2.20.116 - https://aws.amazon.com/sdkforjava)</li>
+                        <li>(Apache License, Version 2.0) AWS Java SDK :: Utilities (software.amazon.awssdk:utils:2.20.116 - https://aws.amazon.com/sdkforjava/utils)</li>
                         <li>(Apache License, Version 2.0) AWS Event Stream (software.amazon.eventstream:eventstream:1.0.1 - https://github.com/awslabs/aws-eventstream-java)</li>
                         <li>(Unknown license) StAX (stax:stax:1.2.0 - http://stax.codehaus.org/)</li>
                         <li>(The Apache Software License, Version 2.0) StAX API (stax:stax-api:1.0.1 - http://stax.codehaus.org/)</li>
diff --git a/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge35Test.java b/src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge35Test.java
@@ -0,0 +1,23 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.owasp.wrongsecrets.ScoreCard;
+
+public class Challenge35Test {
+  @Mock private ScoreCard scoreCard;
+
+  @Test
+  void spoilerShouldGiveAnswer() {
+    var challenge = new Challenge35(scoreCard);
+    Assertions.assertThat(challenge.spoiler().solution()).isNotEmpty();
+    Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
+  }
+
+  @Test
+  void incorrectAnswerShouldNotSolveChallenge() {
+    var challenge = new Challenge35(scoreCard);
+    Assertions.assertThat(challenge.solved("wrong answer")).isFalse();
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+=== Reporting on Vulnerabilities`
	`2`	`+`
	`3`	`+A security researcher found a Google API key and together with the project leader https://github.com/commjoen[@commjoen] made a GitHub security advisory. The only thing @commjoen did wrong was publish the API key as part of the advisory. Can you spot the key?`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Why we need to be careful with vulnerability reports`
	`2`	`+`
	`3`	`+When you report a vulnerability or publish a security advisory, always be careful with the information you spread with them. Exact values of found hardcoded secrets, especially those harder to rotate, should not be put into your security report and/or the publication.`