Possible new ideas for challenges

[commjoen]

This ticket is for creating/listing possible ideas. If an Idea is picked up by a developer, then it gets its own tickets.

• [x] #44
• [x] #43
• [x] Google support (https://github.com/commjoen/wrongsecrets/issues/40, https://github.com/commjoen/wrongsecrets/issues/39),
• [x] #93
• [x] Alibaba cloud support (will not do this, maybe have a write up later?)
• [x] #299
• [x] Heroku support
• [x] #144
• [x] Secret in logs (= challenge 8)
• [x] #187
• [x] #188
• [x] #189
• [x] #199
• [x] #200
• [x] #201
• [x] #148
• [x] Hardcoded in testcode (https://github.com/commjoen/wrongsecrets/issues/37#issuecomment-1011482070)
• [x] #296
• [ ] #810
• [x] #815
• [ ] #297
• [ ] #811
• [ ] #812
• [x] have a too long living OIDC token which can be used to extract and apply (wont'do)
• [x] Jenkins or other github secondary ci/cd secret (won't do, as it requiers another container next to it & needs maintenance. Our current ci/cd action shows the issue already.
• [ ] #345
• [ ] Simple one that is a mix of 1 & 13: docker container is run with password as parameter, but the whole command is placed in a .sh file and stored in the git repo (aka: use .gitignore to block local helper scripts)
• [x] #344
• [x] SOPS/sealed secrets misconfig : a bogus sealed secret with misconfigured retrieval setup? (pending)
• [ ] #615
• [x] #614
• [ ] #613
• [x] #377
• [x] #616
• [x] #809
• [x] #813
• [x] Based on @robvanderveer his suggestion: https://github.com/OWASP/wrongsecrets/issues/616
• [ ] Have passwordless challenges based on impersonation such as https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge11_hint-azure.adoc - agreed to not create a new challenge, but extend GCP/AWS with a similar solution for cahllenge 11.
• [x] #814
• [ ] Bad RSA private key redaction; https://www.hezmatt.org/~mpalmer/blog/2020/05/17/private-key-redaction-ur-doin-it-rong.html (tip from @nbaars )
• [ ] A kotlin binary

[fchyla]

I would like to help with the Google support

[commjoen]

@fchyla Awesome! will put you in the issue :D https://github.com/commjoen/wrongsecrets/issues/39. For this i will sent an invite to be a collaborator, so i can actually assign you to issues :D .

[commjoen]

To add: using hardcoded key to encrypt embedded secret

[drnow4u]

Password can be stored wrongly in web service testing applications like IntelliJ's HTTP Client, JMeter, Soap UI, Postman, etc. configuration files. It can be also caught during OWASP ZAP or WireShark sessions. Then that file is committed into the repository.

JMeter e.g.:

 <elementProp name="" elementType="Header">
                <stringProp name="Header.name">Authorization</stringProp>
                <stringProp name="Header.value">Basic Y2xpZW50OnNlY3JldA==</stringProp>
 </elementProp>

[AkshayJainG]

I would like to help with Hardcoding it in a binary written in Golang and C to obfuscate it.

[drnow4u]

Nexus deployment credentials in settings.xml

[commjoen]

Idea from @nbaars : have a secret hidden in the .git history :)

[davevs]

Simple one that is a mix of 1 & 13: docker container is run with password as parameter, but the whole command is placed in a .sh file and stored in the git repo (aka: use .gitignore to block local helper scripts)

[commjoen]

Sops misconfig

[commjoen]

New idea by @robvanderveer: https://www.wired.co.uk/article/microsoft-handed-the-keys-to-almost-every-windows-10-installation-over-to-hackers

[commjoen]

Have passwordless challenges based on impersonation such as https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge11_hint-azure.adoc

[commjoen]

Use a secret as part of shell script and make it do command injection ;-)