Challenge 1

Welcome to Challenge 1. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Centralized hardcoded password

When people write a Proof of Concept, they often start with hardcoded secrets, such as a password in code. What if we forget to remove these hardcoded secrets?

Can you spot the secret we are looking for in the Java code? What about looking for it in the container?

Sometimes the simpler tools are the most effective. Try cloning the repo and use grep to see what you find. It is also possible to find with Git-secrets or Trufflehog. Just dive into the code!

Answer to solution:

As the text of the challenge says, we are looking for a secret called password in the Java code. But how do we find it?

You can solve this challenge by the following alternative solutions:

  1. When you have the source code available you can find hardcoded strings simply by searching through the code. Grep can help with this, as it searches for patterns in large blocks of text. Use the steps below to find the answer:

    • Access a terminal with grep and git installed.

    • Clone the repo with git clone https://github.com/OWASP/wrongsecrets.

    • Navigate to the Java code where the check for the right answer happens cd src/main/java/org/owasp/wrongsecrets/.

    • Use grep recursively to look for the password string grep -r password.

  2. An automated tool like Git-secrets can often help out. In this case it needs setting up with a specific rule:

    • Clone the repo with git clone https://github.com/OWASP/wrongsecrets.

    • Follow the instructions here to install Git secrets.

    • Add a new scan to look for the string git secrets --add 'password\s*=\s*.+'.

    • Now execute that scan git secrets --scan.

  3. When you do not have the source code available, try to obtain the actual application and reverse engineer it. The application, in this case, is a JAR file, which is a set of Java class files bundled together with a few resources.

    • Follow the instructions of the Docker documentation to copy the Jar file from the container’s root to your local filesystem.

    • Open the JAR file in JD-GUI or jadx-gui and look for the string password.

  4. You can scan the repository with Trufflehog.

  5. Alternatively, you can use the older Trufflehog 2:
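The grep and git-secrets steps above boil down to one regex run over a source tree. As an added example (not code from the WrongSecrets project), the script below wraps that scan in a function that reports every hit and returns non-zero when something is found, so it can sit in a pre-commit hook or CI job; the pattern extends the `password\s*=\s*.+` rule from the walkthrough with a few common credential names, and the sample Java files it scans are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal hardcoded-credential scan in the spirit of the grep /
# git-secrets steps of the challenge. The keyword list is an assumption; extend it
# for your own code base. A value has to sit in quotes right after the assignment,
# so a lookup such as System.getenv("APP_PASSWORD") is not reported.
SECRET_PATTERN="(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{4,}[\"']"

# scan_hardcoded_secrets DIR: print file:line:text for every hit.
# Returns 1 when at least one hit was found, 0 when the tree looks clean.
scan_hardcoded_secrets() {
    dir="$1"
    # -r recursive, -n line numbers, -i case-insensitive, -E extended regex.
    # Build output and VCS metadata only repeat what the sources contain.
    hits=$(grep -rniE --exclude-dir=.git --exclude-dir=target --exclude-dir=build \
        "$SECRET_PATTERN" "$dir" 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_sample_repo DIR: construct a tiny fake source tree (constructed sample data).
make_sample_repo() {
    dir="$1"
    mkdir -p "$dir/src/main/java/demo" "$dir/target"
    cat > "$dir/src/main/java/demo/Bad.java" <<'EOF'
public class Bad {
    // Hardcoded credential: this is what the scan should flag.
    private static final String password = "hunter2-demo";
}
EOF
    cat > "$dir/src/main/java/demo/Good.java" <<'EOF'
public class Good {
    // Read at runtime instead of baked into the class file: not flagged.
    private static final String password = System.getenv("APP_PASSWORD");
}
EOF
    # A copy under build output must not be reported twice.
    cp "$dir/src/main/java/demo/Bad.java" "$dir/target/Bad.java"
}

# Usage from a hook or CI job: scan_hardcoded_secrets "$(git rev-parse --show-toplevel)"
```

The same pattern works as a `git secrets --add` rule if you prefer the tool over a script.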

Why putting secrets in code is a bad idea.

You can tell by now that many secrets stored within code are easy to detect. Even when the code is compiled, you can still reverse-engineer it to find the secret. That’s why hardcoded secrets are never a good idea. We often fall for the misconception that if I cannot reverse-engineer it, neither can an attacker, which is why many people believe that hardcoding in C/C++/Golang is safer than in Java. For those who think this: please decompile an app with tools like Ghidra.

Secrecy of a secret in code is one thing. Another challenge is openness: anyone with access to the code and/or compiled assets can learn the secret. To make it worse: if the developer who hardcoded the secret leaves the organization, they still know the secret, as it is still in the code! Similarly, when the code or the asset leaks, the secret is compromised, and rotating it will be hard. Besides: will you still know where this password is after a few years?