Add challenge 37 for ZAP configuration with authenticated endpoint #941

commjoen · 2023-08-20T07:26:49Z

What kind of changes does this PR include?

Fixes or refactors
A new challenge
Additional documentation
Something else

Description

Relations

Closes #813

References

Checklist:

All the contributions made are solely the work of me and my co-authors
I tested the changes in this PR (if applicable)
I added unit tests to ensure my change works (when change in Java or on front-end code)
I added UI tests to ensure my UI changes work (when change in the overall UI, not needed if just adding a challenge)
The PR passes pre-commit hooks and automated tests

TODO:

implement basic auth
Implement credential obfuscation/encryption so it is harder to find\
configure basic auth for ZAP and embed in CI/CD
finish 3 doc files (hints/why/challenge content
Make sure we have stable values for these random answer challenges for ctf setups
add unit tests (controller+auth, challenge tests)

src/main/java/org/owasp/wrongsecrets/canaries/TokenCallbackSecurityConfiguration.java

Note the usage of `getHeader` is case-insensitive.

- Stop using deprecated APIs - Remove security configuration from test code - Add port mapper if available to the security configuration. - Add a valid CSRF token to the test cases.

src/main/resources/explanations/challenge37.adoc

src/main/resources/explanations/challenge37_hint.adoc

src/main/resources/explanations/challenge37_reason.adoc

Co-authored-by: Ben de Haan <[email protected]>

commjoen · 2023-09-30T06:36:28Z

ZAP configuration now works, challenges work. Cypress only fails because it is missing challenge36. Depends on #947

commjoen and others added 5 commits August 20, 2023 09:25

Fist setups

56c66d2

[pre-commit.ci lite] apply automatic fixes

b6ea0bd

Fist setups part 2

ce6a030

Fist setups part 2

3046160

[pre-commit.ci lite] apply automatic fixes

f49db81

commjoen changed the title ~~Challenge 37 for ZAP configuration with authenticated endpoint~~ Add challenge 37 for ZAP configuration with authenticated endpoint Aug 29, 2023

fix: add HTTP basic authentication for challenge 37

a5b8107

github-advanced-security bot found potential problems Aug 29, 2023

View reviewed changes

src/main/java/org/owasp/wrongsecrets/canaries/TokenCallbackSecurityConfiguration.java Fixed Show fixed Hide fixed

Nanne Baars and others added 11 commits August 29, 2023 14:24

fix: configure basic-auth username/password

1dcbbdb

[pre-commit.ci lite] apply automatic fixes

c7e9904

fix: update Canary token security configuration

8faec85

Adding basic docs

2968234

fix: update Heroku security config

03468e7

Note the usage of `getHeader` is case-insensitive.

Merge branch 'master' into feature-zap-scan-leak

12aeb83

Merge branch 'master' into feature-zap-scan-leak

35be7ca

silly setup for getting challenge to work

f62c9fd

additional fix: no deprecated api

6cabc87

additional fix: no deprecated api - permit the rest

61c3d2b

Update dast-zap-test.yml to no longer contain: authorization

e434ffb

commjoen force-pushed the feature-zap-scan-leak branch from a0ccbf0 to e434ffb Compare September 4, 2023 13:43

commjoen and others added 10 commits September 5, 2023 06:14

Test with an options file

57eeb6c

Merge branch 'master' into feature-zap-scan-leak

0eb276a

Test with an options file

d5c072c

migrate to checkout v4

8821631

Merge branch 'master' into feature-zap-scan-leak

0327b82

Merge branch 'master' into feature-zap-scan-leak

03d4dce

possible fix to ref config file

d3d6532

fix: security configuration

a098d51

- Stop using deprecated APIs - Remove security configuration from test code - Add port mapper if available to the security configuration. - Add a valid CSRF token to the test cases.

Fix merge conflicts

6576482

[pre-commit.ci lite] apply automatic fixes

fec4a36

[pre-commit.ci lite] apply automatic fixes

012b213

bendehaan reviewed Sep 12, 2023

View reviewed changes

src/main/resources/explanations/challenge37.adoc Outdated Show resolved Hide resolved

src/main/resources/explanations/challenge37_hint.adoc Outdated Show resolved Hide resolved

src/main/resources/explanations/challenge37_reason.adoc Outdated Show resolved Hide resolved

commjoen and others added 2 commits September 13, 2023 05:43

Apply suggestions from code review

25fb757

Co-authored-by: Ben de Haan <[email protected]>

Merge branch 'master' into feature-zap-scan-leak

2eb95f4

commjoen marked this pull request as ready for review September 13, 2023 03:44

commjoen marked this pull request as draft September 13, 2023 03:51

commjoen added 17 commits September 15, 2023 16:00

Merge branch 'master' into feature-zap-scan-leak

084f628

Merge branch 'master' into feature-zap-scan-leak

9bca2ec

Fixed ZAP auth issue

a35d014

Fixed ZAP auth issue

7faaa21

Fixed ZAP auth issue

e25cf0f

Fixed ZAP auth issue

7fcc093

Fixed ZAP auth issue

dd6e843

retry fix ZAP auth issue

03c6314

retry fix ZAP auth issue

4e0ca66

retry fix ZAP auth issue

b7aa351

retry fix ZAP auth issue

30dd292

retry fix ZAP auth issue

b2622ce

retry fix ZAP auth issue

c6ba1cf

retry fix ZAP auth issue

8501750

retry fix ZAP auth issue

9d5d1a6

retry fix ZAP auth issue

c2670e8

retry fix ZAP auth issue

84115c3

commjoen marked this pull request as ready for review September 30, 2023 06:35

commjoen added the hacktoberfest-accepted label Oct 1, 2023

bendehaan approved these changes Oct 2, 2023

View reviewed changes

Merge branch 'master' into feature-zap-scan-leak

e8546d8

commjoen merged commit 97aa645 into master Oct 2, 2023

commjoen deleted the feature-zap-scan-leak branch October 2, 2023 16:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add challenge 37 for ZAP configuration with authenticated endpoint #941

Add challenge 37 for ZAP configuration with authenticated endpoint #941

commjoen commented Aug 20, 2023 •

edited

Loading

commjoen commented Sep 30, 2023

Add challenge 37 for ZAP configuration with authenticated endpoint #941

Add challenge 37 for ZAP configuration with authenticated endpoint #941

Conversation

commjoen commented Aug 20, 2023 • edited Loading

What kind of changes does this PR include?

Description

Relations

References

Checklist:

commjoen commented Sep 30, 2023

commjoen commented Aug 20, 2023 •

edited

Loading