OWASP · commjoen · Dec 19, 2023 · Dec 14, 2023 · Dec 14, 2023 · Dec 14, 2023
@@ -0,0 +1,31 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+import org.bouncycastle.util.encoders.Base32;
+import org.bouncycastle.util.encoders.Base64;
+import org.owasp.wrongsecrets.challenges.Challenge;
+import org.owasp.wrongsecrets.challenges.Spoiler;
+import org.springframework.stereotype.Component;
+
+/** This challenge is about finding a secret in a Reddit post. */
+@Component
+public class Challenge43 implements Challenge {
+
+  /** {@inheritDoc} */
+  @Override
+  public Spoiler spoiler() {
+    return new Spoiler(getSecretKey());
+  }
+
+  /** {@inheritDoc} */
+  @Override
+  public boolean answerCorrect(String answer) {
+    return getSecretKey().equals(answer);
+  }
+
+  private String getSecretKey() {
+    return new String(
+        Base32.decode(new String(Base64.decode("SU5FRkVTS1RLUkdVQ1VaU0pNWkRHPT09"), UTF_8)), UTF_8);
+  }
+}
@@ -0,0 +1,8 @@
+=== Reddit Blunder
+
+People easily make mistakes. They can, for instance, share an "innocent" piece of data over social media which later turns out to be a secret.
+Or they can post something on the "wrong screen" and submit it. Additionally, some password managers will happily auto-fill or paste something on any page or screen.
+
+Similarly, a developer in the OWASP community who also happened to be an active redditor, left a secret on the platform 'by mistake'.
+
+Can you find the secret?
@@ -0,0 +1,4 @@
+This challenge can be solved as follows:
+
+1. Search for the keyword 'developer' in r/owasp subreddit.
+2. The secret will be in plain sight in a comment on one of the posts found in the posts from step 1.
@@ -0,0 +1,7 @@
+*Why should we not share a secret on social media?*
+
+Sharing a secret from your application on social media is a really bad practice because it becomes publicly available for anyone to abuse if they learn about the context in which the secret is used.
+
+Although the user or platform can often delete comments/posts, the secret almost always ends up in some database that could get leaked.
+
+Never share any secrets, personal or work-related, on social media!
@@ -697,3 +697,16 @@ configurations:
       category: *logging
       ctf:
         enabled: true
+
+    - name: Challenge 43
+      short-name: "challenge-43"
+      sources:
+        - class-name: "org.owasp.wrongsecrets.challenges.docker.Challenge43"
+          explanation: "explanations/challenge43.adoc"
+          hint: "explanations/challenge43_hint.adoc"
+          reason: "explanations/challenge43_reason.adoc"
+          environments: *all_envs
+      difficulty: *easy
+      category: *doc
+      ctf:
+        enabled: true
@@ -0,0 +1,21 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.api.Test;
+
+class Challenge43Test {
+
+  @Test
+  void rightAnswerShouldSolveChallenge() {
+    var challenge = new Challenge43();
+    assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
+  }
+
+  @Test
+  void incorrectAnswerShouldNotSolveChallenge() {
+    var challenge = new Challenge43();
+
+    assertThat(challenge.answerCorrect("wrong answer")).isFalse();
+  }
+}