Merge pull request #175 from commjoen/#44-JavaScript_library_with_key…

…_obfuscated #44 front end JavaScript library with key obfuscated
OWASP · Apr 8, 2022 · 03cef1c · 03cef1c
2 parents 9849f7a + 2b3cc09
commit 03cef1c
Show file tree

Hide file tree

Showing 20 changed files with 2,504 additions and 6 deletions.
diff --git a/.github/scripts/docker-create-and-push.sh b/.github/scripts/docker-create-and-push.sh
@@ -41,6 +41,14 @@ echo "Start building assets required for container"
 
 echo "generating challenge 12-data"
 openssl rand -base64 32 | tr -d '\n' > yourkey.txt
+echo "generating challenge 16-data"
+SECENDKEYPART1=$(openssl rand -base64 5 | tr -d '\n')
+SECENDKEYPART2=$(openssl rand -base64 3 | tr -d '\n')
+SECENDKEYPART3=$(openssl rand -base64 2 | tr -d '\n')
+SECENDKEYPART4=$(openssl rand -base64 3 | tr -d '\n')
+echo -n "${SECENDKEYPART1}9${SECENDKEYPART2}6${SECENDKEYPART3}2${SECENDKEYPART4}7" > secondkey.txt
+printf "function secret() { \n var password = \"$SECENDKEYPART1\" + 9 + \"$SECENDKEYPART2\" + 6 + \"$SECENDKEYPART3\" + 2 + \"$SECENDKEYPART4\" + 7;\n return password;\n }\n" > ../../js/index.js
+
 # preps for #178:
 #echo "Building and publishing to maven central, did you set: a settings.xml file with:"
 #echo "<settings>"
@@ -69,6 +77,9 @@ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongs
 docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
 docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
 
+echo "restoring temporal change"
+git restore js/index.js
+
 echo "tagging version"
 git tag -a $tag -m "${message}"
 git push --tags

diff --git a/.gitignore b/.gitignore
@@ -59,3 +59,7 @@ azure/k8s/pod-id.yml
 
 # Challenge 12 ;-)
 .github/scripts/yourkey.txt
+
+# Node JS
+js/node/
+js/node_modules/
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 
 Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
 
-Can you solve all the 15 challenges?
+Can you solve all the 16 challenges?
 ![screenshot.png](screenshot.png)
 
 ## Support
@@ -39,6 +39,7 @@ Now you can try to find the secrets by means of solving the challenge offered at
 - [localhost:8080/challenge/13](http://localhost:8080/challenge/13)
 - [localhost:8080/challenge/14](http://localhost:8080/challenge/14)
 - [localhost:8080/challenge/15](http://localhost:8080/challenge/15)
+- [localhost:8080/challenge/16](http://localhost:8080/challenge/16)
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
 

diff --git a/js/index.js b/js/index.js
@@ -0,0 +1,4 @@
+function secret() { 
+ var password = "this is second test secret";
+ return password;
+ }