wrongsecrets
Have a challenge with a backup bucket containing the secret
Context
- What should the challenge scenario be like? Have a backup s3/storage bucket with a private ed25519 key publicly exposed
- What should the participant learn from completing the challenge? Secure your backup at all cost
- For what category would the challenge be? (e.g. Docker, K8s, binary) Docker/cloud depending on how we implement the backup solution
Actions:
- [ ] create separate Terraform folder to have an S3 bucket (in our AWS folder) under the name "backupchallenge"
- [ ] have the key copying logic in a shell script using AWS CLI as part of the backupchallenge folder
- [ ] implement the challenge according to contributing.md and make sure you hide the key in your classfile.
Hi @commjoen, I would like to work on this challenge. Can you assign this to my name?
Thank you for volunteering @PalaniappanC ! I have assigned the issue to you.
Hi @commjoen, I have set up the project and started implementing the basic challenge as per the contributing.md file. I have doubts around the Terraform and S3 bucket part.
I have created a separate Terraform folder under the AWS folder. I have performed the Terraform initialisation to have an S3 bucket called backupchallenge.
I have doubts about the remaining two tasks. Can you explain them in a little more detail?
So the idea is that the secret itself is kept in a file. The file should be:
- present with a placeholder value in src/test/resources/secret_placeholder.txt for junit tests and end2end tests
- Generated when calling https://github.com/OWASP/wrongsecrets/blob/master/.github/scripts/docker-create.sh and embedded as a file in a container
- copied to S3 to the folder as part of calling the script at https://github.com/OWASP/wrongsecrets/blob/master/.github/scripts/docker-create.sh . Make sure the S3 bucket and its contents are public, but not publicly writable ;-).
The challenge then needs to be loaded with the location of the secret (e.g. either in test resources or in a hidden location within the Docker container, similar to other file-based challenges). Please have a look at https://github.com/OWASP/wrongsecrets/blob/master/src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge12.java on how to load this from a pre-set path.
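The comment above asks for a bucket whose contents are public but not publicly writable. The following check, added here as an example and not part of the wrongsecrets project or this thread, classifies an S3 bucket policy document by what it grants to anonymous principals; the sample policies are constructed, with only the bucket name `backupchallenge` taken from the issue.

```python
import json
from fnmatch import fnmatch

# Concrete actions that, when granted to everyone, make the bucket publicly
# readable or writable; policy actions may be wildcards such as "s3:*".
READ_ACTIONS = ("s3:getobject", "s3:listbucket")
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putbucketpolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_everyone(principal):
    # Both Principal "*" and Principal {"AWS": "*"} mean anonymous access.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def classify_bucket_policy(policy_json):
    """Summarise what an S3 bucket policy grants to anonymous principals."""
    result = {"public_read": False, "public_write": False, "needs_review": False}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _grants_everyone(stmt.get("Principal")):
            continue
        if "Condition" in stmt:  # conditional grants are flagged, not judged here
            result["needs_review"] = True
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch(act, p) for act in READ_ACTIONS for p in patterns):
            result["public_read"] = True
        if any(fnmatch(act, p) for act in WRITE_ACTIONS for p in patterns):
            result["public_write"] = True
    return result

def meets_challenge_requirement(policy_json):
    """True only for 'public, but not publicly writable', as the issue asks."""
    c = classify_bucket_policy(policy_json)
    return c["public_read"] and not c["public_write"] and not c["needs_review"]

# Constructed sample policies; the bucket name comes from the issue, the ARNs are illustrative.
INTENDED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::backupchallenge/*"}]})
OVERSHOOT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
     "Resource": "arn:aws:s3:::backupchallenge/*"}]})
```

The second policy grants `s3:*` to everyone and so fails the requirement; a policy with a `Condition` is reported as needing manual review rather than judged automatically.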
Hi @commjoen
We should have the copy logic in this docker right? https://github.com/OWASP/wrongsecrets/blob/master/Dockerfile
Yes sir :-)
Feel free to draft a PR or contact us on Slack if you need anything :).
Hi @commjoen, I have got stuck with my regular routine this week. Will draft a PR this weekend.
Hi @commjoen, we should have the logic to create the secret file in docker-create.sh and the file copy logic in the Dockerfile, right?
Yes :-)
Hi @PalaniappanC ! How are you doing? Do you have any updates on this good sir :) ?
Hi Jeroen, sorry for the late reply. I was not able to proceed. Please assign this issue to someone else. Thanks
Thanks and Regards, Palaniappan Chellathambi