Fix for challenge 16 FE/BE alignment and fix for showing the minimal needed tech.

.github/scripts/.bash_history

@@ -347,7 +347,7 @@ rm -rf jdk-18_linux-x64_bin.deb
 git rebase -i main
 git rebase -i master
 git stash
-export tempPassword="ayZXl0wxDxF1lsDzNOq5brjLG7R20LxRidT5+98ZtdU="
+export tempPassword="Nd6JExdkvwPYNVAQsm/zmvjOZDmZ07A5mAoVr2sPP/U="
 mvn run tempPassword
 k6
 npx k6

.github/scripts/docker-create.sh

@@ -7,7 +7,7 @@ Help() {
     # Display Help
     echo "A versatile script to create a docker image for testing. Call this script with no arguments to simply create a local image that you can use to test your changes. For more complex use see the below help section"
     echo
-    echo "Syntax: docker-create.sh [-h (help)|-t (test)|-p (publish)|-e (herokud)|-f (herokup)|-o (okteto)|-n (notag)| -r (Render)|tag={tag}|message={message}|buildarg={buildarg}|springProfile={springProfile}]"
+    echo "Syntax: docker-create.sh [-h (help)|-t (test)|-p (publish)|-e (herokud)|-f (herokup)|-n (notag)| -r (Render)|tag={tag}|message={message}|buildarg={buildarg}|springProfile={springProfile}]"
     echo "options: (All optional)"
     echo "tag=             Write a custom tag that will be added to the container when it is build locally."
     echo "message=         Write a message used for the actual tag-message in git"
@@ -29,25 +29,25 @@ break_on_tag(){
       fi
 }
 
-Okteto_redeploy(){
-  break_on_tag
-  echo "Rebuilding the Okteto environment: https://wrongsecrets-commjoen.cloud.okteto.net/"
-  echo "Check if all required binaries are installed"
-  source ../../scripts/check-available-commands.sh
-  checkCommandsAvailable okteto
-  echo "validating okteto k8 deployment to contain the right container with tag "${tag}" (should be part of '$(cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image)')"
-  if [[ "$(cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image)" != *"${tag}"* ]]; then
-    echo "tag ${tag} in  ../../okteto/k8s/secret-challenge-deployment.yml not properly set, aborting"
-    exit
-  fi
-  cd ../../okteto
-  okteto destroy
-  okteto deploy
-}
+# Okteto_redeploy(){ //okteto is only available commercially. hence commenting this out. feel free to use it if you can.
+#   break_on_tag
+#   echo "Rebuilding the Okteto environment: https://wrongsecrets-commjoen.cloud.okteto.net/"
+#   echo "Check if all required binaries are installed"
+#   source ../../scripts/check-available-commands.sh
+#   checkCommandsAvailable okteto
+#   echo "validating okteto k8 deployment to contain the right container with tag "${tag}" (should be part of '$(cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image)')"
+#   if [[ "$(cat ../../okteto/k8s/secret-challenge-deployment.yml | grep image)" != *"${tag}"* ]]; then
+#     echo "tag ${tag} in  ../../okteto/k8s/secret-challenge-deployment.yml not properly set, aborting"
+#     exit
+#   fi
+#   cd ../../okteto
+#   okteto destroy
+#   okteto deploy
+# }
 
 heroku_check_container() {
     break_on_tag
-    echo "validating dockerfile to contain tag "${tag}" (should be part of '$(head -n 1 ../../Dockerfile.web)')"
+    echo "validating dockerfile to contain tag ""${tag}"" (should be part of '$(head -n 1 ../../Dockerfile.web)')"
     if [[ "$(head -n 1 ../../Dockerfile.web)" != *"${tag}"* ]]; then
       echo "tag ${tag} in dockerfile FROM was not set properly, aborting"
       exit
@@ -67,6 +67,12 @@ Heroku_publish_demo() {
     heroku container:release web --app arcane-scrubland-42646
     heroku container:push --recursive --arg argBasedVersion=${tag}heroku,CTF_ENABLED=true,HINTS_ENABLED=false --app wrongsecrets-ctf
     heroku container:release web --app wrongsecrets-ctf
+    echo "testing challenge 16"
+    cd .github/scripts
+    export RAW_TEST=$(< secondkey.txt)
+    export TEST_DATA=$(echo -n $RAW_TEST)
+    curl --fail 'https://arcane-scrubland-42646.herokuapp.com/token'  --data-raw "grant_type=client_credentials&client_id=WRONGSECRET_CLIENT_ID&client_secret=$TEST_DATA"
+    echo $?
     exit
 }
 
@@ -78,6 +84,12 @@ Heroku_publish_prod(){
     cd ../..
     heroku container:push --recursive --arg argBasedVersion=${tag}heroku,CANARY_URLS=http://canarytokens.com/feedback/images/traffic/tgy3epux7jm59n0ejb4xv4zg3/submit.aspx,http://canarytokens.com/traffic/cjldn0fsgkz97ufsr92qelimv/post.jsp --app=wrongsecrets
     heroku container:release web --app=wrongsecrets
+    echo "testing challenge 16"
+    cd .github/scripts
+    export RAW_TEST=$(< secondkey.txt)
+    export TEST_DATA=$(echo -n $RAW_TEST)
+    curl --fail 'https://wrongsecrets.herokuapp.com/token'  --data-raw "grant_type=client_credentials&client_id=WRONGSECRET_CLIENT_ID&client_secret=$TEST_DATA"
+    echo $?
     exit
 }
 
@@ -98,7 +110,7 @@ render_publish(){
 # Set option to local if no option provided
 script_mode="local"
 # Parse provided options
-while getopts ":htperfgon*" option; do
+while getopts ":htperfn*" option; do
     case $option in
     h) # display Help
         Help
@@ -119,9 +131,6 @@ while getopts ":htperfgon*" option; do
     r) #Helper
         script_mode="render"
         ;;
-    o) #okteto
-        script_mode="okteto"
-        ;;
     n) #notags
         disable_tagging_in_git="true"
         ;;
@@ -138,7 +147,7 @@ done
 ################################################
 for ARGUMENT in "$@";
 do
-    if [[ $ARGUMENT != "-h" && $ARGUMENT != "-t" && $ARGUMENT != "-p" && $ARGUMENT != "-e" && $ARGUMENT != "-f" && $ARGUMENT != "-g" && $ARGUMENT != "-o" ]]
+    if [[ $ARGUMENT != "-h" && $ARGUMENT != "-t" && $ARGUMENT != "-p" && $ARGUMENT != "-e" && $ARGUMENT != "-f" ]]
     then
         KEY=$(echo "$ARGUMENT" | cut -f1 -d=)
         KEY_LENGTH=${#KEY}
@@ -150,15 +159,15 @@ done
 if test -n "${tag+x}"; then
     echo "tag is set"
 else
-    SCRIPT_PATH=$(dirname $(dirname $(dirname $(readlink -f "$0"))))
+    SCRIPT_PATH="$(dirname $(dirname $(dirname $(readlink -f "$0"))))"
     tag="local-test"
     echo "Setting default tag: ${tag}"
 fi
 
 if test -n "${message+x}"; then
     echo "message is set"
 else
-    SCRIPT_PATH=$(dirname $(dirname $(dirname $(readlink -f "$0"))))
+    SCRIPT_PATH="$(dirname $(dirname $(dirname $(readlink -f "$0"))))"
     message="local testcontainer build"
     echo "Setting default message: ${message}"
 fi
@@ -195,12 +204,13 @@ fi
 
 if [[ $script_mode == "heroku_d" ]] ; then
   Heroku_publish_demo
+  exit
 elif [[ $script_mode == "heroku_p" ]]; then
   Heroku_publish_prod
+  exit
 elif [[ $script_mode == "render" ]]; then
   render_publish
-elif [[ $script_mode == "okteto" ]]; then
-  Okteto_redeploy
+  exit
 fi
 
 
@@ -258,22 +268,28 @@ check_correct_launch_location() {
 }
 
 generate_test_data() {
+  if [[ $script_mode != "heroku"* ]];then
+    echo "cleanup all data"
+    rm yourkey.txt
+    rm secondkey.txt
+    rm thirdkey.txt
     echo "Generating challenge 12-data"
     openssl rand -base64 32 | tr -d '\n' > yourkey.txt
     echo "Generating challenge 16-data"
-    SECENDKEYPART1=$(openssl rand -base64 5 | tr -d '\n')
-    SECENDKEYPART2=$(openssl rand -base64 3 | tr -d '\n')
-    SECENDKEYPART3=$(openssl rand -base64 2 | tr -d '\n')
-    SECENDKEYPART4=$(openssl rand -base64 3 | tr -d '\n')
-    echo -n "${SECENDKEYPART1}9${SECENDKEYPART2}6${SECENDKEYPART3}2${SECENDKEYPART4}7" > secondkey.txt
-    printf "function secret() { \n var password = \"$SECENDKEYPART1\" + 9 + \"$SECENDKEYPART2\" + 6 + \"$SECENDKEYPART3\" + 2 + \"$SECENDKEYPART4\" + 7;\n return password;\n }\n" > ../../js/index.js
+    SECONDKEYPART1=$(openssl rand -base64 5 | tr -d '\n')
+    SECONDKEYPART2=$(openssl rand -base64 3 | tr -d '\n')
+    SECONDKEYPART3=$(openssl rand -base64 2 | tr -d '\n')
+    SECONDKEYPART4=$(openssl rand -base64 3 | tr -d '\n')
+    echo -n "${SECONDKEYPART1}9${SECONDKEYPART2}6${SECONDKEYPART3}2${SECONDKEYPART4}7" > secondkey.txt
+    rm ../../js/index.js
+    printf "// eslint-disable-next-line no-unused-vars\n function secret() { \n var password = \"$SECONDKEYPART1\" + 9 + \"$SECONDKEYPART2\" + 6 + \"$SECONDKEYPART3\" + 2 + \"$SECONDKEYPART4\" + 7;\n return password;\n }\n" > ../../js/index.js
     echo "Generating challenge 17"
-    rm thirdkey.txt
     openssl rand -base64 32 | tr -d '\n' > thirdkey.txt
     answer=$(<thirdkey.txt)
     answerRegexSafe="$(printf '%s' "$answer" | $findAndReplace -e 's/[]\/$*.^|[]/\\&/g' | $findAndReplace ':a;N;$!ba;s,\n,\\n,g')"
     cp ../../src/main/resources/.bash_history .
     $findAndReplace -i "s/Placeholder Password, find the real one in the history of the container/$answerRegexSafe/g" .bash_history
+  fi
 }
 
 build_update_pom() {
@@ -332,7 +348,7 @@ create_containers() {
 
 restore_temp_change() {
     echo "Restoring temporal change"
-    git restore ../../js/index.js
+#    git restore ../../js/index.js
     git restore ../../pom.xml
     git restore ../../src/main/resources/.bash_history
     # rm .bash_history

Dockerfile.web

@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.8.3-no-vault
-ARG argBasedVersion="1.8.3-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.8.4i-no-vault
+ARG argBasedVersion="1.8.4i-no-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true

js/index.js

@@ -1,4 +1,5 @@
-function secret () { // eslint-disable-line no-unused-vars
-  const password = 'tJbQjCM=' + 9 + 'SnCq' + 6 + 'LBU=' + 2 + 'h5GD' + 7
+// eslint-disable-next-line no-unused-vars
+function secret () {
+  const password = '1P4S6Lk=' + 9 + 'N3pQ' + 6 + 'NDs=' + 2 + '+R7z' + 7
   return password
 }

k8s/secret-challenge-deployment.yml

@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.8.3-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.8.4i-no-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           ports:

k8s/secret-challenge-vault-deployment.yml

@@ -46,7 +46,7 @@ spec:
           type: RuntimeDefault
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:vaultinjection-2-test-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.8.4i-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           securityContext:

pom.xml

@@ -401,7 +401,7 @@
             </goals>
             <phase>compile</phase>
             <configuration>
-              <headerFooter>false</headerFooter>
+              <standalone>false</standalone>
               <attributes>
                 <docType>null</docType>
               </attributes>
@@ -439,6 +439,9 @@
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-maven</artifactId>
         <version>${dependency-check-maven.version}</version>
+        <configuration>
+          <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+        </configuration>
         <executions>
           <execution>
             <goals>

src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge16.java

@@ -30,7 +30,8 @@ public String getAnswer() {
       justification = "The location of the dockerMountPath is based on an Env Var")
   public String getActualData() {
     try {
-      return Files.readString(Paths.get(dockerMountPath, "secondkey.txt"), StandardCharsets.UTF_8);
+      return Files.readString(Paths.get(dockerMountPath, "secondkey.txt"), StandardCharsets.UTF_8)
+          .strip();
     } catch (Exception e) {
       log.warn("Exception during file reading, defaulting to default without cloud environment", e);
       return "if_you_see_this_please_use_docker_instead";

src/main/resources/challenges/challenge-16/challenge-16.snippet

@@ -1,11 +1,14 @@
-<script src="/js/index.js"></script>
-   <!-- Like this sort of challenges? Try https://juice-shop.herokuapp.com/#/score-board for many more of them! -->
 <script>
-    const password = secret();
-    const httpRequest = new XMLHttpRequest();
-    httpRequest.open("POST", "/token", true);
-    httpRequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
-    httpRequest.send("grant_type=client_credentials"
-    + "&client_id=" + encodeURIComponent("WRONGSECRET_CLIENT_ID")
-    + "&client_secret=" + encodeURIComponent(password));
+    <!-- <script src="/js/index.js?test=123"></script> -->
+    <!-- Like this sort of challenges? Try https://juice-shop.herokuapp.com/#/score-board for many more of them! -->
+    const uncacharg=Math.random()*100;
+    $.getScript("/js/index.js?id="+uncacharg, function(data, textStatus, jqxhr) {
+        const password = secret();
+        const httpRequest = new XMLHttpRequest();
+        httpRequest.open("POST", "/token", true);
+        httpRequest.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+        httpRequest.send("grant_type=client_credentials"
+        + "&client_id=" + encodeURIComponent("WRONGSECRET_CLIENT_ID")
+        + "&client_secret=" + encodeURIComponent(password));
+    });
 </script>

src/main/resources/static/css/style.css

@@ -100,5 +100,5 @@ tr.solved {
 }
 
 .sect2, .thank-you, .toggle-button {
-    border-color: #ffffff; /* Or any color that contrasts well with your light mode background */
+    border-color: black; /* Or any color that contrasts well with your light mode background */
 }