Possible new ideas for challenges #37

Open
30 of 41 tasks
commjoen opened this issue Nov 1, 2021 · 12 comments
Labels
help wanted Extra attention is needed

Comments

@commjoen (Collaborator)

commjoen commented Nov 1, 2021

This ticket is for creating/listing possible ideas. If an idea is picked up by a developer, then it gets its own ticket.

@commjoen commjoen added the help wanted Extra attention is needed label Nov 5, 2021
@fchyla (Contributor)

fchyla commented Nov 15, 2021

I would like to help with the Google support

@commjoen (Collaborator, Author)

commjoen commented Nov 15, 2021

@fchyla Awesome! I will put you in the issue :D #39. For this I will send an invite to be a collaborator, so I can actually assign you to issues :D.

commjoen added a commit that referenced this issue Nov 30, 2021
Added challenge 12 for #43 and reverted challenge 8 for #37
@commjoen (Collaborator, Author)

commjoen commented Jan 7, 2022

To add: using hardcoded key to encrypt embedded secret

@drnow4u (Collaborator)

drnow4u commented Jan 12, 2022

Passwords can be stored wrongly in the configuration files of web service testing applications like IntelliJ's HTTP Client, JMeter, SoapUI, Postman, etc. They can also be captured during OWASP ZAP or Wireshark sessions. Then that file is committed to the repository.

JMeter, e.g.:

<elementProp name="" elementType="Header">
  <stringProp name="Header.name">Authorization</stringProp>
  <!-- Base64 of "client:secret": Basic auth only encodes, it does not encrypt -->
  <stringProp name="Header.value">Basic Y2xpZW50OnNlY3JldA==</stringProp>
</elementProp>
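A small scanner for exactly this pattern, added here as an example and not part of the WrongSecrets project: it walks a JMeter `.jmx` test plan, finds `Authorization: Basic` headers and reports the decoded username so the finding can be triaged without printing the password. The embedded test plan is a constructed sample built around the header from the comment above.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a JMeter .jmx test plan (not a real project file),
# carrying one harmless header and the hardcoded Basic credential quoted above.
SAMPLE_JMX = """<?xml version="1.0" encoding="UTF-8"?>
<jmeterTestPlan version="1.2">
  <hashTree>
    <HeaderManager testname="HTTP Header Manager">
      <collectionProp name="HeaderManager.headers">
        <elementProp name="" elementType="Header">
          <stringProp name="Header.name">Accept</stringProp>
          <stringProp name="Header.value">application/json</stringProp>
        </elementProp>
        <elementProp name="" elementType="Header">
          <stringProp name="Header.name">Authorization</stringProp>
          <stringProp name="Header.value">Basic Y2xpZW50OnNlY3JldA==</stringProp>
        </elementProp>
      </collectionProp>
    </HeaderManager>
  </hashTree>
</jmeterTestPlan>
"""


def find_basic_auth_headers(jmx_text):
    """Return (username, password_present) for each Authorization: Basic header.

    The password itself is never returned, so a CI job can fail the build and
    name the offending account without copying the secret into its own logs."""
    findings = []
    root = ET.fromstring(jmx_text)
    for header in root.iter("elementProp"):
        if header.get("elementType") != "Header":
            continue
        props = {p.get("name"): (p.text or "") for p in header.findall("stringProp")}
        if props.get("Header.name", "").strip().lower() != "authorization":
            continue
        value = props.get("Header.value", "").strip()
        if not value.lower().startswith("basic "):
            continue
        token = value.split(None, 1)[1]
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            findings.append(("<undecodable>", False))  # still a hardcoded header
            continue
        user, sep, password = decoded.partition(":")
        findings.append((user, bool(sep and password)))
    return findings


if __name__ == "__main__":
    for user, has_password in find_basic_auth_headers(SAMPLE_JMX):
        print(f"hardcoded Basic credential for user '{user}' (password present: {has_password})")
```

Run it over every `*.jmx` in a repository as a pre-commit or CI step; the same approach applies to the other tools' exports once their header element names are known.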

@AkshayJainG

I would like to help with hardcoding it in a binary written in Golang and C to obfuscate it.

@drnow4u (Collaborator)

drnow4u commented Feb 6, 2022

Nexus deployment credentials in settings.xml

@commjoen (Collaborator, Author)

Idea from @nbaars : have a secret hidden in the .git history :)

@davevs

davevs commented Feb 17, 2022

A simple one that is a mix of 1 & 13: a Docker container is run with the password as a parameter, but the whole command is placed in a .sh file and stored in the git repo (aka: use .gitignore to block local helper scripts).

@commjoen (Collaborator, Author)

SOPS misconfig

@commjoen (Collaborator, Author)

commjoen commented Dec 3, 2022

Have passwordless challenges based on impersonation such as https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge11_hint-azure.adoc

@commjoen (Collaborator, Author)

Use a secret as part of shell script and make it do command injection ;-)
