OWASP / wrongsecrets

Vulnerable app with examples showing how to not use secrets
https://owasp.org/www-project-wrongsecrets/
GNU Affero General Public License v3.0

Add misconfiguration of docker secret in code (See for docker compose: https://docs.docker.com/engine/swarm/secrets/) #811

Open commjoen opened 1 year ago

commjoen commented 1 year ago

Create a challenge for docker compose setup, where the compose secret is hardcoded inside the docker compose yml.

TODO:

Shubham-Patel07 commented 3 months ago

Hi @commjoen, I want to work on this issue. Please assign this one to me 😁

commjoen commented 3 months ago

It's all yours :D

commjoen commented 3 months ago

Note: the docker-compose file and its env should only be used to showcase that the problem is real ;-), we should just make it work from a docker perspective. The .env file will have to be copied into the container to "fake" it, I guess. (And we need to explain in the code as a doc why we do it.)
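
The misconfiguration this issue describes, shown next to a variant that uses Compose secrets. This is an added example, not part of the thread and not taken from the WrongSecrets code base. The service name, image, variable names, file names and secret value are constructed placeholders, and the application is assumed to read the secret from the mounted file.

```yaml
# Two separate compose files are shown in one block, divided by '---'.

# File 1 (weak): docker-compose.yml with the secret written into the file.
# Anyone who can read the repository, or run `docker inspect` on the
# container, can see the value.
services:
  app:
    image: example/app:latest            # hypothetical image
    environment:
      # Constructed placeholder value, hardcoded in version control.
      APP_DB_PASSWORD: "constructed-placeholder-not-a-real-secret"

---

# File 2 (corrected): docker-compose.yml that references a Compose secret.
# The value lives in a file kept out of version control (for example
# through .gitignore) and is mounted at /run/secrets/<name> in the container.
services:
  app:
    image: example/app:latest            # hypothetical image
    secrets:
      - app_db_password
    environment:
      # Assumption: the app reads the secret from the path given here,
      # so only the path, not the value, ends up in the environment.
      APP_DB_PASSWORD_FILE: /run/secrets/app_db_password

secrets:
  app_db_password:
    file: ./app_db_password.txt          # not committed to the repository
```

With the second file, `docker compose config` prints the secret's source path rather than its value, which gives a quick check that no literal has been left in the compose file.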