OWASP · commjoen · Oct 2, 2023 · Aug 20, 2023 · Aug 20, 2023 · Aug 21, 2023
@@ -25,9 +25,12 @@ jobs:
         run: nohup ./mvnw spring-boot:run -Dspring-boot.run.profiles=without-vault &
       - name: ZAP Scan
         uses: zaproxy/[email protected]
+        env:
+          ZAP_AUTH_HEADER_VALUE: "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
         with:
           allow_issue_writing: false
           docker_name: "owasp/zap2docker-stable"
           target: "http://localhost:8080"
           rules_file_name: config/zap/rule-config.tsv
           fail_action: true
+          cmd_options: '-z "-configFile /zap/wrk/config/zap/options.prop"'
@@ -4,6 +4,8 @@ ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/p
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true
 ARG CHALLENGE_ACHT_CTF_HOST_VALUE="not_set"
+ARG CHALLENGE_THIRTY_HOST_VALUE="not_set"
+ARG $CHALLENGE_RANDO_KEY_CTF_TO_PROVIDE_TO_HOST="not_set"
 #ONLY OVERRIDE THE ARGS BELOW WHEN YOU ARE SETTING UP A CTF!
 ARG CTF_KEY=TRwzkRJnHOTckssAeyJbysWgP!Qc2T
 ARG CHALLENGE_5_VALUE=if_you_see_this_please_use_k8s
@@ -24,6 +26,8 @@ ENV SPECIAL_K8S_SECRET=$CHALLENGE_5_VALUE
 ENV SPECIAL_SPECIAL_K8S_SECRET=$CHALLENGE_6_VALUE
 ENV vaultpassword=$CHALLENGE_7_VALUE
 ENV challenge_acht_ctf_host_value=$CHALLENGE_ACHT_CTF_HOST_VALUE
+ENV challenge_thirty_ctf_to_provide_to_host_value=$CHALLENGE_THIRTY_HOST_VALUE
+ENV challenge_rando_key_ctf_to_provide_to_host_value=$CHALLENGE_RANDO_KEY_CTF_TO_PROVIDE_TO_HOST
 ENV default_aws_value_challenge_9=$CHALLENGE_9_VALUE
 ENV default_aws_value_challenge_10=$CHALLENGE_10_VALUE
 ENV default_aws_value_challenge_11=$CHALLENGE_11_VALUE

@@ -15,7 +15,7 @@
 
 Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to _not_ store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.
 
-Can you solve all the 35 challenges?
+Can you solve all the 37 challenges?
 
 Try some of them on [our Heroku demo environment](https://wrongsecrets.herokuapp.com/).
 
@@ -71,7 +71,7 @@ Copyright (c) 2020-2023 Jeroen Willemsen and WrongSecrets contributors.
 
 ## Basic docker exercises
 
-_Can be used for challenges 1-4, 8, 12-32, 34, 35_
+_Can be used for challenges 1-4, 8, 12-32, 34, 35-37_
 
 For the basic docker exercises you currently require:
 
@@ -114,6 +114,8 @@ Now you can try to find the secrets by means of solving the challenge offered at
 -   [localhost:8080/challenge/32](http://localhost:8080/challenge/32)
 -   [localhost:8080/challenge/34](http://localhost:8080/challenge/34)
 -   [localhost:8080/challenge/35](http://localhost:8080/challenge/35)
+-   [localhost:8080/challenge/36](http://localhost:8080/challenge/36)
+-   [localhost:8080/challenge/37](http://localhost:8080/challenge/37)
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look
 better ;-).
@@ -130,7 +132,7 @@ You can test them out at [https://wrongsecrets.fly.dev](https://wrongsecrets.fly
 
 ## Basic K8s exercise
 
-_Can be used for challenges 1-6, 8, 12-35_
+_Can be used for challenges 1-6, 8, 12-37_
 
 ### Minikube based
 
@@ -187,7 +189,7 @@ Don't want to go over the hassle of setting up K8S yourself? visit [https://wron
 
 ## Vault exercises with minikube
 
-_Can be used for challenges 1-8, 12-35_
+_Can be used for challenges 1-8, 12-37_
 Make sure you have the following installed:
 
 -   minikube with docker (or comment out line 8 and work at your own k8s setup),
@@ -205,7 +207,7 @@ This is because if you run the start script again it will replace the secret in
 
 ## Cloud Challenges
 
-_Can be used for challenges 1-35_
+_Can be used for challenges 1-37_
 
 **READ THIS**: Given that the exercises below contain IAM privilege escalation exercises,
 never run this on an account which is related to your production environment or can influence your account-over-arching

@@ -0,0 +1,6 @@
+replacer.full_list(0).description=auth1
+replacer.full_list(0).enabled=true
+replacer.full_list(0).matchtype=REQ_HEADER
+replacer.full_list(0).matchstr=Authorization
+replacer.full_list(0).regex=false
+replacer.full_list(0).replacement=Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
@@ -11,3 +11,4 @@
 90033	IGNORE	(Loosely Scoped Cookie)
 10096	IGNORE	(Timestamp Disclosure - Unix)
 10112	IGNORE	Session Management Response Identified
+10105	IGNORE	Authentication Credentials Captured
@@ -24,7 +24,7 @@ Want to make sure you don't need to bug your users to copy paste values twice to
 
 Now users can directly use your Wrongsecrets setup together with the CTF-platform to play challenges without having to copy answers and flags twice!
 
-Note: make sure that you do set `CTF_SERVER_ADDRESS` to point to the address where you are running your CTF-platform (E.g. CTFD/Facebook CTF) and that you set `challenge_acht_ctf_to_provide_to_host_value` and `challenge_thirty_ctf_to_provide_to_host_value` to the flag you store in your CTF-platform.
+Note: make sure that you do set `CTF_SERVER_ADDRESS` to point to the address where you are running your CTF-platform (E.g. CTFD/Facebook CTF) and that you set `challenge_acht_ctf_to_provide_to_host_value`, `challenge_rando_key_ctf_to_provide_to_host_value`, and `challenge_thirty_ctf_to_provide_to_host_value` to the flag you store in your CTF-platform.
 
 ## Setting up CTFs
 

@@ -0,0 +1,4 @@
+package org.owasp.wrongsecrets;
+
+public record BasicAuthentication(
+    String username, String password, String role, String urlPattern) {}
@@ -1,6 +1,5 @@
 package org.owasp.wrongsecrets;
 
-import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -40,11 +39,7 @@ public int getTotalReceivedPoints() {
 
   @Override
   public List<String> getCompletedChallenges() {
-    List<String> completed = new ArrayList<>();
-    for (Challenge challenge : solvedChallenges) {
-      completed.add(challenge.getNumber());
-    }
-    return completed;
+    return solvedChallenges.stream().map(Challenge::getNumber).toList();
   }
 
   @Override

@@ -0,0 +1,82 @@
+package org.owasp.wrongsecrets;
+
+import jakarta.servlet.http.HttpServletRequest;
+import java.util.List;
+import org.springframework.beans.factory.ObjectProvider;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.PortMapper;
+import org.springframework.security.web.PortMapperImpl;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+
+  @Bean
+  public SecurityFilterChain security(
+      HttpSecurity http,
+      ObjectProvider<PortMapper> portMapperProvider,
+      List<BasicAuthentication> auths)
+      throws Exception {
+    configureHerokuHttps(http, portMapperProvider.getIfAvailable(PortMapperImpl::new));
+    configureBasicAuthentication(http, auths);
+    configureCsrf(http);
+    return http.build();
+  }
+
+  @Bean
+  public UserDetailsService userDetailsService(List<BasicAuthentication> auths) {
+    var users =
+        auths.stream()
+            .map(
+                auth ->
+                    User.builder()
+                        .username(auth.username())
+                        .password("{noop}" + auth.password())
+                        .roles(auth.role())
+                        .build())
+            .toList();
+    return new InMemoryUserDetailsManager(users);
+  }
+
+  private void configureCsrf(HttpSecurity http) throws Exception {
+    http.csrf(
+        csrf ->
+            csrf.ignoringRequestMatchers(
+                "/canaries/tokencallback", "/canaries/tokencallbackdebug"));
+  }
+
+  private void configureBasicAuthentication(HttpSecurity http, List<BasicAuthentication> auths)
+      throws Exception {
+    var patterns = auths.stream().map(auth -> auth.urlPattern()).toList();
+    http.authorizeHttpRequests(
+            authorize ->
+                authorize
+                    .requestMatchers(patterns.toArray(new String[patterns.size()]))
+                    .authenticated()
+                    .anyRequest()
+                    .permitAll())
+        .httpBasic(Customizer.withDefaults());
+  }
+
+  private void configureHerokuHttps(HttpSecurity http, PortMapper portMapper) throws Exception {
+    var requestMatcher =
+        new RequestMatcher() {
+          @Override
+          public boolean matches(HttpServletRequest request) {
+            return request.getRequestURL().toString().contains("heroku")
+                && request.getHeader("x-forwarded-proto") != null;
+          }
+        };
+    http.requiresChannel(channel -> channel.requestMatchers(requestMatcher).requiresSecure())
+        .portMapper(configurer -> configurer.portMapper(portMapper));
+  }
+}
@@ -2,15 +2,13 @@
 
 import io.swagger.v3.oas.annotations.Hidden;
 import org.owasp.wrongsecrets.challenges.docker.Challenge30;
-import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 /**
  * This is a controller used in challenge 30 to retrieve data that can be put into localstorage by
  * the frontend.
  */
-@Controller
 @RestController
 public class ChallengeRestController {
   private final Challenge30 challenge30;

@@ -14,6 +14,7 @@
 import org.owasp.wrongsecrets.ScoreCard;
 import org.owasp.wrongsecrets.challenges.docker.Challenge0;
 import org.owasp.wrongsecrets.challenges.docker.Challenge30;
+import org.owasp.wrongsecrets.challenges.docker.Challenge37;
 import org.owasp.wrongsecrets.challenges.docker.Challenge8;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatus;
@@ -54,6 +55,9 @@ public class ChallengesController {
   @Value("${challenge_thirty_ctf_to_provide_to_host_value}")
   private String keyToProvideToHostForChallenge30;
 
+  @Value("${challenge_rando_key_ctf_to_provide_to_host_value}")
+  private String getKeyToProvideToHostChallenge37;
+
   @Value("${CTF_SERVER_ADDRESS}")
   private String ctfServerAddress;
 
@@ -189,6 +193,19 @@ public String postController(
                         + "for which you get your code: "
                         + keyToProvideToHostForChallenge30);
               }
+            } else if (challenge.getChallenge() instanceof Challenge37) {
+              if (!Strings.isNullOrEmpty(getKeyToProvideToHostChallenge37)
+                  && !keyToProvideToHostForChallenge30.equals(
+                      "not_set")) { // this means that it was overriden with a code that needs to be
+                // returned to the ctf key exchange hos
+                model.addAttribute(
+                    "answerCorrect",
+                    "Your answer is correct! "
+                        + "fill in the following answer in the CTF instance at "
+                        + ctfServerAddress
+                        + "for which you get your code: "
+                        + getKeyToProvideToHostChallenge37);
+              }
             } else {
               model.addAttribute(
                   "answerCorrect",

@@ -0,0 +1,82 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+import java.util.UUID;
+import lombok.extern.slf4j.Slf4j;
+import org.bouncycastle.util.encoders.Base64;
+import org.owasp.wrongsecrets.BasicAuthentication;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
+import org.owasp.wrongsecrets.challenges.Difficulty;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.context.annotation.Bean;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+/**
+ * This is a challenge based on the idea of leaking a secret for an authenticated endpoint through a
+ * ZAP configuration file.
+ */
+@Slf4j
+@Component
+@Order(37)
+public class Challenge37 extends Challenge {
+
+  private String secret;
+  private static final String password = "WWpOQ2JHSnBRbnBhV0U1b1lsZFZTd289Cg==";
+
+  public Challenge37(ScoreCard scoreCard) {
+    super(scoreCard);
+    secret = UUID.randomUUID().toString();
+  }
+
+  @Bean
+  public BasicAuthentication challenge37BasicAuth() {
+    return new BasicAuthentication("Aladdin", password, "ADMIN", "authenticated/**");
+  }
+
+  @Override
+  public boolean canRunInCTFMode() {
+    return true;
+  }
+
+  @Override
+  public Spoiler spoiler() {
+    return new Spoiler(secret);
+  }
+
+  @Override
+  public boolean answerCorrect(String answer) {
+    return secret.equals(answer);
+  }
+
+  @Override
+  public int difficulty() {
+    return Difficulty.NORMAL;
+  }
+
+  /** {@inheritDoc} This is a CICD type of challenge */
+  @Override
+  public String getTech() {
+    return ChallengeTechnology.Tech.CICD.id;
+  }
+
+  @Override
+  public boolean isLimitedWhenOnlineHosted() {
+    return false;
+  }
+
+  @Override
+  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+    return List.of(RuntimeEnvironment.Environment.DOCKER);
+  }
+
+  public String getPassword() {
+
+    return new String(Base64.decode(Base64.decode(Base64.decode(password))), StandardCharsets.UTF_8)
+        .replaceAll("\\r|\\n", "");
+  }
+}