wrongsecrets Possible new ideas for challenges

This ticket is for creating/listing possible ideas. If an Idea is picked up by a developer, then it gets its own tickets.

[x] #44
[x] #43
[x] Google support (https://github.com/commjoen/wrongsecrets/issues/40, https://github.com/commjoen/wrongsecrets/issues/39),
[x] #93
[x] Alibaba cloud support (will not do this, maybe have a write up later?)
[x] #299
[x] Heroku support
[x] #144
[x] Secret in logs (= challenge 8)
[x] #187
[x] #188
[x] #189
[x] #199
[x] #200
[x] #201
[x] #148
[x] Hardcoded in testcode (https://github.com/commjoen/wrongsecrets/issues/37#issuecomment-1011482070)
[x] #296
[ ] #810
[x] #815
[ ] #297
[ ] #811
[ ] #812
[x] have a too long living OIDC token which can be used to extract and apply (wont'do)
[x] Jenkins or other github secondary ci/cd secret (won't do, as it requiers another container next to it & needs maintenance. Our current ci/cd action shows the issue already.
[ ] #345
[ ] Simple one that is a mix of 1 & 13: docker container is run with password as parameter, but the whole command is placed in a .sh file and stored in the git repo (aka: use .gitignore to block local helper scripts)
[x] #344
[x] SOPS/sealed secrets misconfig : a bogus sealed secret with misconfigured retrieval setup? (pending)
[ ] #615
[x] #614
[ ] #613
[x] #377
[x] #616
[x] #809
[x] #813
[x] Based on @robvanderveer his suggestion: https://github.com/OWASP/wrongsecrets/issues/616
[ ] Have passwordless challenges based on impersonation such as https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge11_hint-azure.adoc - agreed to not create a new challenge, but extend GCP/AWS with a similar solution for cahllenge 11.
[x] #814
[ ] Bad RSA private key redaction; https://www.hezmatt.org/~mpalmer/blog/2020/05/17/private-key-redaction-ur-doin-it-rong.html (tip from @nbaars )
[ ] A kotlin binary

Nov 01 '21 06:11 commjoen

I would like to help with the Google support

Nov 15 '21 10:11 fchyla

@fchyla Awesome! will put you in the issue :D https://github.com/commjoen/wrongsecrets/issues/39. For this i will sent an invite to be a collaborator, so i can actually assign you to issues :D .

Nov 15 '21 10:11 commjoen

To add: using hardcoded key to encrypt embedded secret

Jan 07 '22 20:01 commjoen

Password can be stored wrongly in web service testing applications like IntelliJ's HTTP Client, JMeter, Soap UI, Postman, etc. configuration files. It can be also caught during OWASP ZAP or WireShark sessions. Then that file is committed into the repository.

JMeter e.g.:

 <elementProp name="" elementType="Header">
                <stringProp name="Header.name">Authorization</stringProp>
                <stringProp name="Header.value">Basic Y2xpZW50OnNlY3JldA==</stringProp>
 </elementProp>

Jan 12 '22 21:01 drnow4u

I would like to help with Hardcoding it in a binary written in Golang and C to obfuscate it.

Jan 13 '22 09:01 AkshayJainG

Nexus deployment credentials in settings.xml

Feb 06 '22 21:02 drnow4u

Idea from @nbaars : have a secret hidden in the .git history :)

Feb 10 '22 08:02 commjoen

Simple one that is a mix of 1 & 13: docker container is run with password as parameter, but the whole command is placed in a .sh file and stored in the git repo (aka: use .gitignore to block local helper scripts)

Feb 17 '22 20:02 davevs

Sops misconfig

Jun 27 '22 08:06 commjoen

New idea by @robvanderveer: https://www.wired.co.uk/article/microsoft-handed-the-keys-to-almost-every-windows-10-installation-over-to-hackers

Nov 26 '22 06:11 commjoen

Have passwordless challenges based on impersonation such as https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge11_hint-azure.adoc

Dec 03 '22 09:12 commjoen

Use a secret as part of shell script and make it do command injection ;-)

Feb 13 '23 11:02 commjoen

wrongsecrets wrongsecrets copied to clipboard

Possible new ideas for challenges

wrongsecrets
wrongsecrets copied to clipboard