-
-
Notifications
You must be signed in to change notification settings - Fork 396
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1144 from djvinnie/djvinnie/challenge43-reddit
Challenge 43: new challenge for secret shared on social media.
- Loading branch information
Showing
6 changed files
with
84 additions
and
0 deletions.
There are no files selected for viewing
31 changes: 31 additions & 0 deletions
31
src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge43.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| package org.owasp.wrongsecrets.challenges.docker; | ||
|
|
||
| import static java.nio.charset.StandardCharsets.UTF_8; | ||
|
|
||
| import org.bouncycastle.util.encoders.Base32; | ||
| import org.bouncycastle.util.encoders.Base64; | ||
| import org.owasp.wrongsecrets.challenges.Challenge; | ||
| import org.owasp.wrongsecrets.challenges.Spoiler; | ||
| import org.springframework.stereotype.Component; | ||
|
|
||
| /** This challenge is about finding a secret in a Reddit post. */ | ||
| @Component | ||
| public class Challenge43 implements Challenge { | ||
|
|
||
| /** {@inheritDoc} */ | ||
| @Override | ||
| public Spoiler spoiler() { | ||
| return new Spoiler(getSecretKey()); | ||
| } | ||
|
|
||
| /** {@inheritDoc} */ | ||
| @Override | ||
| public boolean answerCorrect(String answer) { | ||
| return getSecretKey().equals(answer); | ||
| } | ||
|
|
||
| private String getSecretKey() { | ||
| return new String( | ||
| Base32.decode(new String(Base64.decode("SU5FRkVTS1RLUkdVQ1VaU0pNWkRHPT09"), UTF_8)), UTF_8); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| === Reddit Blunder | ||
|
|
||
| People easily make mistakes. They can, for instance, share an "innocent" piece of data over social media which later turns out to be a secret. | ||
| Or they can post something on the "wrong screen" and submit it. Additionally, some password managers will happily auto-fill or paste something on any page or screen. | ||
|
|
||
| Similarly, a developer in the OWASP community who also happened to be an active redditor, left a secret on the platform 'by mistake'. | ||
|
|
||
| Can you find the secret? |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| This challenge can be solved as follows: | ||
|
|
||
| 1. Search for the keyword 'developer' in r/owasp subreddit. | ||
| 2. The secret will be in plain sight in a comment on one of the posts found in the posts from step 1. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| *Why should we not share a secret on social media?* | ||
|
|
||
| Sharing a secret from your application on social media is a really bad practice because it becomes publicly available for anyone to abuse if they learn about the context in which the secret is used. | ||
|
|
||
| Although the user or platform can often delete comments/posts, the secret almost always ends up in some database that could get leaked. | ||
|
|
||
| Never share any secrets, personal or work-related, on social media! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
21 changes: 21 additions & 0 deletions
21
src/test/java/org/owasp/wrongsecrets/challenges/docker/Challenge43Test.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| package org.owasp.wrongsecrets.challenges.docker; | ||
|
|
||
| import static org.assertj.core.api.Assertions.assertThat; | ||
|
|
||
| import org.junit.jupiter.api.Test; | ||
|
|
||
| class Challenge43Test { | ||
|
|
||
| @Test | ||
| void rightAnswerShouldSolveChallenge() { | ||
| var challenge = new Challenge43(); | ||
| assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue(); | ||
| } | ||
|
|
||
| @Test | ||
| void incorrectAnswerShouldNotSolveChallenge() { | ||
| var challenge = new Challenge43(); | ||
|
|
||
| assertThat(challenge.answerCorrect("wrong answer")).isFalse(); | ||
| } | ||
| } |