Merge pull request #2067 from OWASP/updatechallengetexts

commjoen · web-flow · commit f1b6f5a2c1a6 · 2025-06-22T08:51:50.000+02:00
Update challenge texts of 52, 39 and Railway
diff --git a/.github/scripts/.bash_history b/.github/scripts/.bash_history
@@ -347,7 +347,7 @@ rm -rf jdk-18_linux-x64_bin.deb
 git rebase -i main
 git rebase -i master
 git stash
-export tempPassword="IOfAFScOnhRPkLgA89tVOnOvZKrJx87Vz5YjTnsk4Ts="
+export tempPassword="a7qAL+lYCgK0+NIEnoMDSxEBV+FUZHRTS1KH4YHCqY0="
 mvn run tempPassword
 k6
 npx k6
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
 FROM bellsoft/liberica-openjre-debian:23.0.2-9-cds AS builder
 WORKDIR /builder
 
-ARG argBasedVersion="1.11.2D"
+ARG argBasedVersion="1.12.0"
 
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar application.jar
 RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted
diff --git a/Dockerfile.web b/Dockerfile.web
@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.11.3A3-no-vault
-ARG argBasedVersion="1.11.3A3-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.12.0-no-vault
+ARG argBasedVersion="1.12.0-no-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true
diff --git a/README.md b/README.md
@@ -156,9 +156,9 @@ Want to deploy yourself with Render? Click the button below:
 ### Running these on Railway
 *status: maintained by [alphasec.io](https://github.com/alphasecio)*
 
-If you want to host WrongSecrets on Railway, you can do so by deploying [this one-click template](https://railway.app/new/template/7pnwRj). Railway does not offer an always-free plan anymore, but the free trial is good enough to test-drive this before you decide to upgrade. If you need a step-by-step companion guide, see [this blog post](https://alphasec.io/test-your-secret-management-skills-with-owasp-wrongsecrets/).
+If you want to host WrongSecrets on Railway, you can do so by deploying [this one-click template](https://railway.com/deploy/McqJ_j?referralCode=I07F1). Railway does not offer an always-free plan anymore, but the free trial is good enough to test-drive this before you decide to upgrade. If you need a step-by-step companion guide, see [this blog post](https://alphasec.io/test-your-secret-management-skills-with-owasp-wrongsecrets/).
 
-[![Deploy on Railway](https://railway.app/button.svg)](https://railway.app/new/template/7pnwRj)
+[![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/deploy/McqJ_j?referralCode=I07F1j)
 
 ## Basic K8s exercise
 
diff --git a/aws/k8s/secret-challenge-vault-deployment.yml b/aws/k8s/secret-challenge-vault-deployment.yml
@@ -58,7 +58,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.11.2-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.12.0-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]
diff --git a/azure/k8s/secret-challenge-vault-deployment.yml.tpl b/azure/k8s/secret-challenge-vault-deployment.yml.tpl
@@ -61,7 +61,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.11.2-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.12.0-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]
diff --git a/config/zap/rule-config.tsv b/config/zap/rule-config.tsv
@@ -17,3 +17,4 @@
 90005	IGNORE	Sec-Fetch-Dest Header is Missing
 10003	IGNORE	Vulnerable JS Library
 90004	IGNORE	Insufficient Site Isolation Against Spectre Vulnerability
+2	IGNORE	Private IP Disclosure
diff --git a/fly.toml b/fly.toml
@@ -8,7 +8,7 @@ app = "wrongsecrets"
 primary_region = "ams"
 
 [build]
-  image = "docker.io/jeroenwillemsen/wrongsecrets:1.11.2-no-vault"
+  image = "docker.io/jeroenwillemsen/wrongsecrets:1.12.0-no-vault"
 
 [env]
   K8S_ENV = "Fly(Docker)"
diff --git a/gcp/k8s/secret-challenge-vault-deployment.yml.tpl b/gcp/k8s/secret-challenge-vault-deployment.yml.tpl
@@ -58,7 +58,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.11.3A3-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.12.0-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]
diff --git a/js/index.js b/js/index.js
@@ -1,5 +1,5 @@
 
  function secret() {
- var password = "fMEUrtc=" + 9 + "GUzh" + 6 + "Sxg=" + 2 + "KhuK" + 7;
+ var password = "Yisaz88=" + 9 + "l1+2" + 6 + "5cc=" + 2 + "F9qt" + 7;
  return password;
  }
diff --git a/k8s/challenge53/secret-challenge53-sidecar.yml b/k8s/challenge53/secret-challenge53-sidecar.yml
@@ -21,7 +21,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-      - image: jeroenwillemsen/wrongsecrets-challenge53:1.11.2
+      - image: jeroenwillemsen/wrongsecrets-challenge53:1.12.0
         name: secret-challenge-53
         imagePullPolicy: IfNotPresent
         resources:
@@ -45,7 +45,7 @@ spec:
         command: ["/bin/sh", "-c"]
         args:
           - cp /home/wrongsecrets/* /shared-data/ && exec /home/wrongsecrets/start-on-arch.sh
-      - image: jeroenwillemsen/wrongsecrets-challenge53-debug:1.11.2
+      - image: jeroenwillemsen/wrongsecrets-challenge53-debug:1.12.0
         name: sidecar
         imagePullPolicy: IfNotPresent
         command: ["/bin/sh", "-c", "while true; do ls /shared-data; sleep 10; done"]
diff --git a/k8s/challenge53/secret-challenge53.yml b/k8s/challenge53/secret-challenge53.yml
@@ -21,7 +21,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-      - image: jeroenwillemsen/wrongsecrets-challenge53:1.11.2
+      - image: jeroenwillemsen/wrongsecrets-challenge53:1.12.0
         name: secret-challenge-53
         imagePullPolicy: IfNotPresent
         resources:
diff --git a/okteto/k8s/secret-challenge-ctf-deployment.yml b/okteto/k8s/secret-challenge-ctf-deployment.yml
@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.11.2-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.12.0-no-vault
           name: secret-challenge-ctf
           imagePullPolicy: IfNotPresent
           securityContext:
diff --git a/okteto/k8s/secret-challenge-deployment.yml b/okteto/k8s/secret-challenge-deployment.yml
@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.11.2-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.12.0-no-vault
           name: secret-challenge
           imagePullPolicy: IfNotPresent
           securityContext:
diff --git a/pom.xml b/pom.xml
@@ -11,7 +11,7 @@
 
   <groupId>org.owasp</groupId>
   <artifactId>wrongsecrets</artifactId>
-  <version>1.11.1-SNAPSHOT</version>
+  <version>1.12.0-SNAPSHOT</version>
 
   <name>OWASP WrongSecrets</name>
   <description>Examples with how to not use secrets</description>
diff --git a/src/main/resources/explanations/challenge39.adoc b/src/main/resources/explanations/challenge39.adoc
@@ -2,4 +2,4 @@
 
 A developer encrypted a secret using https://en.wikipedia.org/wiki/Advanced_Encryption_Standard[AES] and stored its base64 encoded value in a file. But where to leave the key? What about just using the filename as the encryption key instead? That way, every secret can have its own key easily! Can you find the secret?
 
-The challenge file is called https://github.com/OWASP/wrongsecrets/tree/master/src/main/resources/executables/secrchallenge.md[secrchallenge.md] and can be found in the https://github.com/OWASP/wrongsecrets/tree/master/src/main/resources/executables[executables folder].
+The challenge file is called https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/executables/secrchallenge.md[secrchallenge.md] and can be found in the https://github.com/OWASP/wrongsecrets/tree/master/src/main/resources/executables[executables folder].
diff --git a/src/main/resources/explanations/challenge52.adoc b/src/main/resources/explanations/challenge52.adoc
@@ -2,6 +2,6 @@
 
 Acme Inc., a fast-growing SaaS company, is expanding its containerized deployments using Docker Buildx to streamline multi-platform builds. However, a serious security misconfiguration has occurred during the build process.
 
-During their Docker Buildx process, a sensitive secret, meant to remain temporary and secure during the build phase of the container, was accidentally embedded into the container's filesystem due to a misconfiguration. This secret, now accessible within the running container and visible in its build scripts, poses a significant security risk if exploited.
+During their [Docker Buildx process](https://github.com/OWASP/wrongsecrets/blob/master/.github/scripts/docker-create.sh#L365), a sensitive secret, meant to remain temporary and secure during the build phase of the container, was accidentally embedded into the container's filesystem due to a misconfiguration. This secret, now accessible within the running container and visible in its build scripts, poses a significant security risk if exploited.
 
 As Acme Inc.'s newly hired Security Consultant, your task is clear: investigate the container, identify the exposed secret, and report it to the team. By uncovering this vulnerability, you will help Acme Inc. understand the risks and implement better practices to secure their deployment pipeline.
diff --git a/src/main/resources/explanations/challenge52_hint.adoc b/src/main/resources/explanations/challenge52_hint.adoc
@@ -1,6 +1,6 @@
-This challenge can be solved using the following steps:
+This challenge can be solved using the following ways:
 
-- *Acme Inc.* has misconfigured their Docker Buildx process, leading to sensitive secrets being embedded in the container's filesystem. Your task is to uncover these vulnerabilities.
+- Use the container itself:
 
   1. Clone the repository containing the challenge files:
      ```
@@ -27,9 +27,7 @@ This challenge can be solved using the following steps:
 
   6. The content of the `secret.txt` file is your answer.
 
-== OR
-
-- You can directly access the hardcoded secret by accessing the `docker-create` script
+- Find the secret in the buildx script:
 
 1. Clone the repository containing the challenge files:
      ```
diff --git a/src/main/resources/templates/about.html b/src/main/resources/templates/about.html

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`
`2`	`2`	`function secret() {`
`3`		`- var password = "fMEUrtc=" + 9 + "GUzh" + 6 + "Sxg=" + 2 + "KhuK" + 7;`
	`3`	`+ var password = "Yisaz88=" + 9 + "l1+2" + 6 + "5cc=" + 2 + "F9qt" + 7;`
`4`	`4`	`return password;`
`5`	`5`	`}`