Have a challenge with a backup bucket containing the secret

[commjoen]

Context

• What should the challenge scenario be like?
  Have a backup s3/storage bucket with a private ed25519 key publicly exposed
• What should the participant learn from completing the challenge?
  Secure your backup at all cost
• For what category would the challenge be? (e.g. Docker, K8s, binary)
  Docker/cloud depending on how we implement the backup solution

Actions:

• create separate Terraform folder to have an S3 bucket (in our AWS folder) under the name "backupchallenge"
• have the key copying logic in a shell script using AWS CLI as part of the backupchallenge folder
• implement the challenge according to contributing.md and make sure you hide the key in your classfile.

[PalaniappanC]

Hi @commjoen I would like to work on this challenge can you assign this to my name

[commjoen]

Thank you for volunteering @PalaniappanC ! I have assigned the issue to you.

[PalaniappanC]

Hi @commjoen I have setup the project and started with implementing the basic challenge as per the contributing.md file. I have doubts around the terraform and s3 bucket part.

I have created a seperate terraform folder under the AWS folder. I have performed the terraform initialisation to have an s3 bucket called backupchallenge.

I have doubts in the remaining two tasks. Can you explain them in a little detailed manner

[commjoen]

So the idea is that the secret itself is kept in a file. The file should be:

• present with a placeholder value in src/test/resources/secret_placeholder.txt for junit tests and end2end tests
• Generated when calling https://github.com/OWASP/wrongsecrets/blob/master/.github/scripts/docker-create.sh and embedded as a file in a container
• copied to S3 to the folder as part of calling the script at https://github.com/OWASP/wrongsecrets/blob/master/.github/scripts/docker-create.sh . Make sure the S3 bucket and its contents are public, but not publicly writable ;-).

The challenge then needs to be loaded with the location of the secret (E.g. either in test resources or in a hidden location within the docker container, similar to other file-based challenges. Please have a look at https://github.com/OWASP/wrongsecrets/blob/master/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java on how to load this from a pre-set path.

[PalaniappanC]

Hi @commjoen

We should have the copy logic in this docker right?
https://github.com/OWASP/wrongsecrets/blob/master/Dockerfile

[commjoen]

Yes sir :-)

[commjoen]

Feel free to draft a PR or contact us on Slack if you need anything :).

[PalaniappanC]

Hi @commjoen Have got stuck up with regular routine this week. Will draft a PR this weekend.

[PalaniappanC]

Hi @commjoen we should have the logic to create secret file in docker-create.sh and we should have the file copy logic in Dockerfile right

[commjoen]

Hi @commjoen we should have the logic to create secret file in docker-create.sh and we should have the file copy logic in Dockerfile right

Yes :-)

[commjoen]

Hi @PalaniappanC ! How are you doing? Do you have any updates on this good sir :) ?

[PalaniappanC]

Hi Jeroen, sorry for the late reply. I was not able to proceed. Please assign this issue to someone else. Thanks Thanks and Regards, Palaniappan Chellathambi

…

On Mon, 12 Feb, 2024, 2:25 am Jeroen Willemsen, ***@***.***> wrote: Hi @PalaniappanC <https://github.com/PalaniappanC> do you have any updates on this :) ? — Reply to this email directly, view it on GitHub <#982 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AK6I62MNMRRZIRNHGA5CTRTYTEV2RAVCNFSM6AAAAAA4RPWXXKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMZXHA3DMOBUGA> . You are receiving this because you were mentioned.Message ID: ***@***.***>