Possible new ideas for challenges

[commjoen]

This ticket is for creating/listing possible ideas. If an Idea is picked up by a developer, then it gets its own tickets.

• front end JavaScript library with key obfuscated #44
• File in container Fs #43
• Google support (Add GCP challenges #40, Add GCP support #39),
• Azure support #93
• Alibaba cloud support (will not do this, maybe have a write up later?)
• Nomad support #299
• Heroku support
• Github action (Forkable) #144
• Secret in logs (= challenge 8)
• Kees-challenge Add bad keepass file (e.g. 5 char password :D ) #187
• Add secret to bash history inside the container ;-) #188
• Embed a canary token as a trap #189
• Secret hidden in git history #199
• Add bad hashing and/or encryption so you can guess the secret #200
• create a secrets detection testbed branch with revoked credentials #201
• Hardcoding it in a binary writtenin C/C++/Golang/Rust to obfuscate it. #148
• Hardcoded in testcode (Possible new ideas for challenges #37 (comment))
• Keybase support #296
• Nexus deployment credentials in settings.xml #810
• Spring Boot Actuator challenge hiding an api key in the audit events #815
• Add hardcoded encryption key on top of a secret. #297
• Add misconfiguration of docker secret in code (See for docker compose: https://docs.docker.com/engine/swarm/secrets/) #811
• Add misconfiguration for mounting in secret in during build: https://docs.docker.com/engine/reference/commandline/buildx_build/ #812
• have a too long living OIDC token which can be used to extract and apply (wont'do)
• Jenkins or other github secondary ci/cd secret (won't do, as it requiers another container next to it & needs maintenance. Our current ci/cd action shows the issue already.
• Log secret encoded from your cloud app towards the logging solution of your cloudprovider. #345
• Simple one that is a mix of 1 & 13: docker container is run with password as parameter, but the whole command is placed in a .sh file and stored in the git repo (aka: use .gitignore to block local helper scripts)
• Leave 1 secret in the HTML comments as a "this is how you connect" thing. #344
• SOPS/sealed secrets misconfig : a bogus sealed secret with misconfigured retrieval setup? (pending)
• Native languages round 2: SWift!  #615
• Leave a secret in git notes #614
• Have a secret in .gitignore /.ssh #613
• Use an example key from the HMAC SPEC to create a secret (and hint where to find it). #377
• New Challenge: Leave a secret somewhere in Reddit by “mistake” #616
• Have a misconfigured vault template where someone left a secret in besides some values actually being injected #809
• have a Zap auth config for a given challenge hardcoded #813
• Based on @robvanderveer his suggestion: New Challenge: Leave a secret somewhere in Reddit by “mistake” #616
• Have passwordless challenges based on impersonation such as https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge11_hint-azure.adoc - agreed to not create a new challenge, but extend GCP/AWS with a similar solution for cahllenge 11.
• Do a command injection via vault template #814
• Bad RSA private key redaction; https://www.hezmatt.org/~mpalmer/blog/2020/05/17/private-key-redaction-ur-doin-it-rong.html (tip from @nbaars )
• A kotlin binary

[fchyla]

I would like to help with the Google support

[commjoen]

@fchyla Awesome! will put you in the issue :D #39. For this i will sent an invite to be a collaborator, so i can actually assign you to issues :D .

[commjoen]

To add: using hardcoded key to encrypt embedded secret

[drnow4u]

Password can be stored wrongly in web service testing applications like IntelliJ's HTTP Client, JMeter, Soap UI, Postman, etc. configuration files. It can be also caught during OWASP ZAP or WireShark sessions. Then that file is committed into the repository.

JMeter e.g.:

 <elementProp name="" elementType="Header">
                <stringProp name="Header.name">Authorization</stringProp>
                <stringProp name="Header.value">Basic Y2xpZW50OnNlY3JldA==</stringProp>
 </elementProp>

[AkshayJainG]

I would like to help with Hardcoding it in a binary written in Golang and C to obfuscate it.

[drnow4u]

Nexus deployment credentials in settings.xml

[commjoen]

Idea from @nbaars : have a secret hidden in the .git history :)

[davevs]

Simple one that is a mix of 1 & 13: docker container is run with password as parameter, but the whole command is placed in a .sh file and stored in the git repo (aka: use .gitignore to block local helper scripts)

[commjoen]

Sops misconfig

[commjoen]

New idea by @robvanderveer: https://www.wired.co.uk/article/microsoft-handed-the-keys-to-almost-every-windows-10-installation-over-to-hackers

[commjoen]

Have passwordless challenges based on impersonation such as https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge11_hint-azure.adoc

[commjoen]

Use a secret as part of shell script and make it do command injection ;-)