Open commjoen opened 2 years ago
I would like to help with the Google support
@fchyla Awesome! Will put you in the issue :D https://github.com/commjoen/wrongsecrets/issues/39. For this I will send an invite to be a collaborator, so I can actually assign you to issues :D .
To add: using hardcoded key to encrypt embedded secret
Passwords can be stored wrongly in the configuration files of web service testing applications like IntelliJ's HTTP Client, JMeter, SoapUI, Postman, etc. They can also be caught during OWASP ZAP or Wireshark sessions. Then that file is committed into the repository.
JMeter e.g.:
```xml
<elementProp name="" elementType="Header">
  <stringProp name="Header.name">Authorization</stringProp>
  <stringProp name="Header.value">Basic Y2xpZW50OnNlY3JldA==</stringProp>
</elementProp>
```
I would like to help with hardcoding it in a binary written in Golang and C to obfuscate it.
Nexus deployment credentials in settings.xml
Idea from @nbaars : have a secret hidden in the .git history :)
Simple one that is a mix of 1 & 13: docker container is run with password as parameter, but the whole command is placed in a .sh file and stored in the git repo (aka: use .gitignore to block local helper scripts)
Sops misconfig
Have passwordless challenges based on impersonation such as https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge11_hint-azure.adoc
Use a secret as part of shell script and make it do command injection ;-)
This ticket is for creating/listing possible ideas. If an idea is picked up by a developer, then it gets its own ticket.