
Add misconfiguration for mounting in secret in during build #1790

Open
wants to merge 11 commits into
base: master

Conversation

Shubham-Patel07
Contributor

What kind of changes does this PR include?

  • Fixes or refactors
  • A new challenge
  • Additional documentation
  • Something else

To Do

Relations

Closes #812

Checklist:

  • All the contributions made are solely the work of me and my co-authors
  • I tested the changes in this PR (if applicable)
  • I added unit tests to ensure my change works (when change in Java or on front-end code)
  • I added UI tests to ensure my UI changes work (when change in the overall UI, not needed if just adding a challenge)
  • The PR passes pre-commit hooks and automated tests

@Shubham-Patel07
Contributor Author

Shubham-Patel07 commented Dec 13, 2024

Hi @commjoen sir,
the env_var is not being injected into the container properly for some reason.
Please check the Dockerfile:
https://github.com/OWASP/wrongsecrets/pull/1790/files#diff-dd2c0eb6ea5cfc6c4bd4eac30934e2d5746747af48fef6da689e85b752f39557R20-R26

@commjoen
Collaborator

Files have been shared over Slack ^^, looking forward to the challenge implementation good sir!


Acme Inc., a rising star in the SaaS industry, prides itself on delivering cutting-edge AI analytics to its global clientele. However, amidst their rapid deployment cycles and growing customer base, a critical security oversight has come to light.

During their Docker Buildx process, a sensitive secret, meant to remain temporary and secure during the build phase, was accidentally embedded into the container's filesystem due to a misconfiguration. This secret, now accessible within the running container, poses a significant security risk if exploited.
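Review bot: the description says the secret was embedded "due to a misconfiguration" but never says which Docker Buildx mechanism is involved; the PR title refers to a secret mounted during the build, so one sentence stating that a build-time secret mount ended up persisted in the image filesystem would tell players what class of mistake to look for while still keeping the exact location hidden.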
Collaborator


@bendehaan and @Shubham-Patel07 : should we be more explicit that it is about the WrongSecrets container? Instead of acme.inc we might want to make it more explicit so people know what to look for?

@@ -0,0 +1,30 @@
This challenge can be solved using the following steps:

- *Acme Inc.* has misconfigured their Docker Buildx process, leading to sensitive secrets being embedded in the container's filesystem. Your task is to uncover these vulnerabilities.
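Review bot: the first item under "This challenge can be solved using the following steps" restates the scenario and ends with "Your task is to uncover these vulnerabilities" rather than giving a step; since the hunk header shows 30 added lines, the opening should be followed by concrete, numbered actions (what to inspect in the build configuration, what to look for inside the running container), and "vulnerabilities" should be singular to match the one misconfiguration the description introduces.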
Collaborator


Can we maybe show 2 different paths for solutions:

  1. Show the secret from the docker-create script
  2. Show how to get the secret by an exec into the container (using source code and env var to find the location)
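As an added example, not code from the WrongSecrets project or from this PR, the following script shows the misconfiguration the challenge describes, a BuildKit build secret that is mounted for a single RUN step but copied into the image filesystem, next to the corrected form, together with a small scanner that flags the leaking pattern in a Dockerfile. The Dockerfile contents, the `api_key` secret id, the `SECRET_PATH` variable and the `/app` paths are constructed for the illustration and are not taken from the challenge.

```shell
#!/bin/sh
# Added example (not WrongSecrets code): a leaking and a safe use of a
# BuildKit build secret, plus a scanner that flags the leaking pattern.

# Constructed: the misconfigured Dockerfile. The secret mount exists only
# for the duration of the RUN step, but the step copies the secret into
# /app, so it is captured in the resulting layer and ships with the image.
LEAKY_DOCKERFILE=$(cat <<'EOF'
FROM alpine:3.19
WORKDIR /app
RUN --mount=type=secret,id=api_key \
    cat /run/secrets/api_key > /app/.api_key
ENV SECRET_PATH=/app/.api_key
CMD ["./app"]
EOF
)

# Constructed: the corrected Dockerfile. The secret is read from its mount
# point inside the step and passed to the build script as an environment
# variable; nothing under /run/secrets is written to the image filesystem.
SAFE_DOCKERFILE=$(cat <<'EOF'
FROM alpine:3.19
WORKDIR /app
COPY fetch-deps.sh .
RUN --mount=type=secret,id=api_key \
    API_KEY="$(cat /run/secrets/api_key)" ./fetch-deps.sh
CMD ["./app"]
EOF
)

# Reads a Dockerfile on stdin. Joins backslash-continued lines into one
# logical instruction, then flags RUN steps that mount a secret and also
# redirect, copy or tee something from /run/secrets into the filesystem.
# Prints one line per finding; exit status 1 if any were found, 0 if clean.
# This is a heuristic: inspecting the built image is the authoritative check.
scan_dockerfile() {
    awk '
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*RUN[ \t]/ && line ~ /--mount=type=secret/ {
            if (line ~ /\/run\/secrets\/[^ \t]*[ \t]*>>?[ \t]*\// ||
                line ~ /(cp|mv|install)[ \t][^|]*\/run\/secrets\// ||
                line ~ /\/run\/secrets\/.*\|[ \t]*tee[ \t]/) {
                findings++
                printf "finding (instruction ending at line %d): %s\n", NR, line
            }
        }
        END { if (findings > 0) exit 1; exit 0 }
    '
}

# Wraps the scanner with a readable verdict: $1 is a label, $2 the Dockerfile text.
check_dockerfile() {
    if printf '%s\n' "$2" | scan_dockerfile; then
        printf '%s: OK, no build secret persisted\n' "$1"
    else
        printf '%s: FAIL, build secret written into the image filesystem\n' "$1"
    fi
}

check_dockerfile leaky "$LEAKY_DOCKERFILE"
check_dockerfile safe "$SAFE_DOCKERFILE"
```

Both Dockerfiles are built the same way, with the secret supplied from outside the build context (`docker build --secret id=api_key,src=./api_key .`); the difference is only in what the RUN step does with `/run/secrets/api_key`. The scanner runs the pattern check over any Dockerfile on stdin, so it can sit in a pre-commit hook or CI step, which is the place to catch this class of mistake before an image is published.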

@commjoen
Collaborator

commjoen commented Jan 3, 2025

Great progress @Shubham-Patel07! Can you please extend the set with the unit and integration tests?
