OWASP · commjoen · Oct 2, 2023 · Aug 20, 2023 · Aug 20, 2023 · Aug 21, 2023
@@ -25,9 +25,12 @@ jobs:
         run: nohup ./mvnw spring-boot:run -Dspring-boot.run.profiles=without-vault &
       - name: ZAP Scan
         uses: zaproxy/[email protected]
+        env:
+          ZAP_AUTH_HEADER_VALUE: "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
         with:
           allow_issue_writing: false
           docker_name: "owasp/zap2docker-stable"
           target: "http://localhost:8080"
           rules_file_name: config/zap/rule-config.tsv
           fail_action: true
+          cmd_options: '-z "-configFile /zap/wrk/config/zap/options.prop"'
@@ -0,0 +1,6 @@
+replacer.full_list(0).description=auth1
+replacer.full_list(0).enabled=true
+replacer.full_list(0).matchtype=REQ_HEADER
+replacer.full_list(0).matchstr=Authorization
+replacer.full_list(0).regex=false
+replacer.full_list(0).replacement=Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
@@ -11,3 +11,4 @@
 90033	IGNORE	(Loosely Scoped Cookie)
 10096	IGNORE	(Timestamp Disclosure - Unix)
 10112	IGNORE	Session Management Response Identified
+10105	IGNORE	Authentication Credentials Captured
diff --git a/src/main/java/org/owasp/wrongsecrets/WrongSecretsApplication.java b/src/main/java/org/owasp/wrongsecrets/WrongSecretsApplication.java
@@ -10,10 +10,12 @@
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Scope;
 import org.springframework.context.annotation.ScopedProxyMode;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 
 @SpringBootApplication
 @EnableConfigurationProperties(Vaultpassword.class)
 @Slf4j
+@EnableWebSecurity(debug = false)
 public class WrongSecretsApplication {
 
   public static void main(String[] args) {

@@ -20,14 +20,12 @@ public class TokenCallbackSecurityConfiguration {
           "There is no need for the token & canaries endpoints to have CSRF as it is only used for"
               + " callbacks by canarytokens.org")
   @Bean
-  @Order(0)
+  @Order(2)
   public SecurityFilterChain configureTokenCallbackSecurity(HttpSecurity http) throws Exception {
-    http.securityMatcher(
-            r ->
-                r.getRequestURL().toString().contains("canaries")
-                    || r.getRequestURL().toString().contains("token"))
-        .csrf()
-        .disable();
-    return http.build();
+    return http.csrf(
+            csrf ->
+                csrf.ignoringRequestMatchers(
+                    "/canaries/tokencallback", "/canaries/tokencallbackdebug"))
+        .build();
   }
 }
@@ -14,6 +14,7 @@
 import org.owasp.wrongsecrets.ScoreCard;
 import org.owasp.wrongsecrets.challenges.docker.Challenge0;
 import org.owasp.wrongsecrets.challenges.docker.Challenge30;
+import org.owasp.wrongsecrets.challenges.docker.Challenge37;
 import org.owasp.wrongsecrets.challenges.docker.Challenge8;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpStatus;
@@ -54,6 +55,9 @@ public class ChallengesController {
   @Value("${challenge_thirty_ctf_to_provide_to_host_value}")
   private String keyToProvideToHostForChallenge30;
 
+  @Value("${challenge_rando_key_ctf_to_provide_to_host_value}")
+  private String getKeyToProvideToHostChallenge37;
+
   @Value("${CTF_SERVER_ADDRESS}")
   private String ctfServerAddress;
 
@@ -189,6 +193,19 @@ public String postController(
                         + "for which you get your code: "
                         + keyToProvideToHostForChallenge30);
               }
+            } else if (challenge.getChallenge() instanceof Challenge37) {
+              if (!Strings.isNullOrEmpty(getKeyToProvideToHostChallenge37)
+                  && !keyToProvideToHostForChallenge30.equals(
+                      "not_set")) { // this means that it was overriden with a code that needs to be
+                // returned to the ctf key exchange hos
+                model.addAttribute(
+                    "answerCorrect",
+                    "Your answer is correct! "
+                        + "fill in the following answer in the CTF instance at "
+                        + ctfServerAddress
+                        + "for which you get your code: "
+                        + getKeyToProvideToHostChallenge37);
+              }
             } else {
               model.addAttribute(
                   "answerCorrect",

@@ -0,0 +1,75 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import java.nio.charset.StandardCharsets;
+import java.util.List;
+import java.util.UUID;
+import lombok.extern.slf4j.Slf4j;
+import org.bouncycastle.util.encoders.Base64;
+import org.owasp.wrongsecrets.RuntimeEnvironment;
+import org.owasp.wrongsecrets.ScoreCard;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.ChallengeTechnology;
+import org.owasp.wrongsecrets.challenges.Difficulty;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+/**
+ * This is a challenge based on the idea of leaking a secret for an authenticated endpoint through a
+ * ZAP configuration file.
+ */
+@Slf4j
+@Component
+@Order(37)
+public class Challenge37 extends Challenge {
+
+  private String secret;
+  private String password = "WWpOQ2JHSnBRbnBhV0U1b1lsZFZTd289Cg==";
+
+  public Challenge37(ScoreCard scoreCard) {
+    super(scoreCard);
+    secret = UUID.randomUUID().toString();
+  }
+
+  @Override
+  public boolean canRunInCTFMode() {
+    return true;
+  }
+
+  @Override
+  public Spoiler spoiler() {
+    return new Spoiler(secret);
+  }
+
+  @Override
+  public boolean answerCorrect(String answer) {
+    return secret.equals(answer);
+  }
+
+  @Override
+  public int difficulty() {
+    return Difficulty.NORMAL;
+  }
+
+  /** {@inheritDoc} This is a CICD type of challenge */
+  @Override
+  public String getTech() {
+    return ChallengeTechnology.Tech.CICD.id;
+  }
+
+  @Override
+  public boolean isLimitedWhenOnlineHosted() {
+    return false;
+  }
+
+  @Override
+  public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {
+    return List.of(RuntimeEnvironment.Environment.DOCKER);
+  }
+
+  public String getPassword() {
+
+    return new String(Base64.decode(Base64.decode(Base64.decode(password))), StandardCharsets.UTF_8)
+        .replaceAll("\\r|\\n", "");
+  }
+}
@@ -0,0 +1,24 @@
+package org.owasp.wrongsecrets.challenges.docker.authchallenge;
+
+import io.swagger.v3.oas.annotations.Operation;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.wrongsecrets.challenges.docker.Challenge37;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@Slf4j
+@RestController
+public class AuthenticatedRestControllerChallenge37 {
+
+  private final Challenge37 challenge37;
+
+  public AuthenticatedRestControllerChallenge37(Challenge37 challenge37) {
+    this.challenge37 = challenge37;
+  }
+
+  @Operation(summary = "Endpoint for interaction at challenge 37")
+  @GetMapping("/authenticated/challenge37")
+  public String getAuthSecret() {
+    return challenge37.spoiler().solution();
+  }
+}
diff --git a/...p/wrongsecrets/challenges/docker/authchallenge/AuthenticationChallengeSecurityConfig.java b/...p/wrongsecrets/challenges/docker/authchallenge/AuthenticationChallengeSecurityConfig.java
@@ -0,0 +1,50 @@
+package org.owasp.wrongsecrets.challenges.docker.authchallenge;
+
+import org.owasp.wrongsecrets.challenges.docker.Challenge37;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+/**
+ * Ensures the need for basic auth for the endpoint having the actual Secret
+ *
+ * <p>Be careful with the order of the SecurityFilterChain beans. The first one that matches the
+ * request will be used. You can see it in action if you put a breakpoint at {@link
+ * org.springframework.security.web.FilterChainProxy#getFilters(javax.servlet.http.HttpServletRequest)}.
+ */
+@Configuration
+public class AuthenticationChallengeSecurityConfig {
+
+  private final Challenge37 challenge37;
+
+  public AuthenticationChallengeSecurityConfig(Challenge37 challenge37) {
+    this.challenge37 = challenge37;
+  }
+
+  @Bean
+  @Order(3)
+  public SecurityFilterChain configureBasicAuthForChallenge(HttpSecurity http) throws Exception {
+    return http.authorizeHttpRequests(
+            r -> r.requestMatchers("/authenticated/**").authenticated().anyRequest().permitAll())
+        .httpBasic(Customizer.withDefaults())
+        .build();
+  }
+
+  @Bean
+  public UserDetailsService userDetailsService() {
+    UserDetails admin =
+        User.builder()
+            .username("Aladdin")
+            .password("{noop}" + challenge37.getPassword())
+            .roles("ADMIN")
+            .build();
+    return new InMemoryUserDetailsManager(admin);
+  }
+}
@@ -1,25 +1,32 @@
 package org.owasp.wrongsecrets.securityconfig;
 
+import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.PortMapper;
 import org.springframework.security.web.SecurityFilterChain;
 
 /** Used to implement https redirect for our Heroku-hosted workload. */
 @Configuration
+@EnableWebSecurity
 public class HerokuWebSecurityConfig {
 
   @Bean
   @Order(1)
-  public SecurityFilterChain configureHerokuWebSecurity(HttpSecurity http) throws Exception {
-    http.requiresChannel()
-        .requestMatchers(
+  public SecurityFilterChain configureHerokuWebSecurity(
+      HttpSecurity http, ObjectProvider<PortMapper> portMapperProvider) throws Exception {
+    var portMapper = portMapperProvider.getIfAvailable();
+    if (portMapper != null) {
+      http.portMapper(configurer -> configurer.portMapper(portMapper));
+    }
+    http.securityMatcher(
             r ->
                 r.getRequestURL().toString().contains("heroku")
-                    && (r.getHeader("x-forwarded-proto") != null
-                        || r.getHeader("X-Forwarded-Proto") != null))
-        .requiresSecure();
+                    && r.getHeader("x-forwarded-proto") != null)
+        .requiresChannel((requiresChannel) -> requiresChannel.anyRequest().requiresSecure());
     return http.build();
   }
 }
@@ -44,6 +44,7 @@ hints_enabled=true
 ctf_enabled=false
 spoiling_enabled=true
 ctf_key=TRwzkRJnHOTckssAeyJbysWgP!Qc2T
+challenge_rando_key_ctf_to_provide_to_host_value=not_set
 challenge_thirty_ctf_to_provide_to_host_value=not_set
 challenge_acht_ctf_to_provide_to_host_value=not_set
 challenge_acht_ctf_host_value=not_set

@@ -0,0 +1,5 @@
+=== Giving your security tests access
+
+Given all the daft findings we already have with this project, we decided to implement automated scanning using ZAP. But for that we do need to be able to fuzz the endpoint of this challenge: `authenticated/challenge37` and thus configure basic auth for ZAP. Can you find the actual secret returned at the endpoint?
+
+Tip: we have a Github Action for ZAP which has its basic auth pre-configured.
@@ -0,0 +1,12 @@
+This is a CI/CD configuration challenge. You can find the answer by authenticating to the protected endpoint with basic auth and get the actual value:
+
+1. Use a browser to get the secret:
+- First go to the https://github.com/OWASP/wrongsecrets/blob/master/.github/workflows/dast-zap-test.yml[Github Workflow]
+- Find the environment variable with which we configure basic auth for ZAP (`ZAP_AUTH_HEADER_VALUE`)
+- Decode the base64 encoded value of the header
+- Navigate to `/authenticated/challenge37` and fill in the username and password as you retrieved from the previous step.
+
+2. Use CURL to get the secret
+- First go to the https://github.com/OWASP/wrongsecrets/blob/master/.github/workflows/dast-zap-test.yml[Github Workflow]
+- Find the environment variable with which we configure basic auth for ZAP (`ZAP_AUTH_HEADER_VALUE`)
+- In your terminal, do `curl <domain where this is run>/authenticated/challenge37 -H "<basic_auth header of previous step>"` where `<basic_auth header of previous step>` is the value of the `ZAP_AUTH_HEADER_VALUE` you found.
@@ -0,0 +1,5 @@
+*Why we need to be careful with security credentials in CI/CD*
+
+People who can access the configuration of your security checks in your CI/CD environment, can easily get access to the credentials. These credentials can then be used for anything and not just for security checks.
+
+This is why security should be very careful in managing their own secrets: just because the credential is used by (a) security (tool), does not mean it should be secured less ;-).
@@ -13,7 +13,7 @@
 import org.springframework.web.client.ResourceAccessException;
 
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
-@Import({ConventionPortMapper.class, PortConfiguration.class})
+@Import(ConventionPortMapper.class)
 class HerokuWebSecurityConfigTest {
 
   @LocalServerPort private int port;

@@ -0,0 +1,23 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.owasp.wrongsecrets.ScoreCard;
+
+public class Challenge37Test {
+  @Mock private ScoreCard scoreCard;
+
+  @Test
+  void spoilerShouldGiveAnswer() {
+    var challenge = new Challenge37(scoreCard);
+    Assertions.assertThat(challenge.spoiler().solution()).isNotEmpty();
+    Assertions.assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
+  }
+
+  @Test
+  void incorrectAnswerShouldNotSolveChallenge() {
+    var challenge = new Challenge37(scoreCard);
+    Assertions.assertThat(challenge.solved("wrong answer")).isFalse();
+  }
+}