OWASP WrongSecrets

HashiCorp Vault Template Injection Part 2

Secrets can be retrieved from Vault using the Vault Agent sidecar container, which runs alongside your main application container. This sidecar can inject the secrets into your applications environment. A developer tried to debug why his vault injection did not work. So, he hardcoded the secrets "temporarily" in the Vault template itself. Can you find the secret hardcoded in the Vault Template?

This challenge has been disabled.This challenge has been disabled. Click "next" to go to the next challenge.

🔑 Enter the secret you found: 💡 Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

💡 Show Hints 🔍 What's Wrong?

This challenge can be solved using the following ways:

Get the data of the sidecar by looking at the files created by Vault Agent sidecar:
1. Run kubectl get pods -A and find secret-challenge-xxx pod name
2. Run kubectl exec secret-challenge-xxx -c secret-challenge -n default — cat /vault/secrets/challenge47 where xxx is the rest of the randomly generated pod name to print the hardcoded value used by the developer.
Get the data by checking the logs of the Wrongsecrets pod as the export is being sourced:
1. Run kubectl get pods -A and find secret-challenge-xxx pod name
2. Run kubectl logs secret-challenge-xxx -c vault-agent where xxx is the rest of the randomly generated pod name to print the logs from the Vault AGent sidecar, which will include logging the export statement.

Note: if you are running this on a hosted environment, where you do not have access to the Kubernetes cluster, ask the organizer of the hosted solution to execute the commands for you and return the results.

Why Vault Template Injection is not always a good idea?

While Vault agent injection via templates can be a convenient way to manage secrets in certain scenarios, there are situations where it might not be the best approach.

Templates might accidentally expose sensitive information in logs or temporary files. If not properly configured, secrets could end up in places where they are accessible by unauthorized users or processes.

Let’s consider an example involving a template injection attack in a scripted language like PHP:

Imagine a scenario where PHP application uses a template with sensitive information
- where template can look like this: $password = "'; system('rm -rf /'); //"
When the template is processed it can become:
- $connection = "password='; system('rm -rf /'); //"

To prevent such issues it is crucial to ensure that the values retrieved from Vault are properly validated.

🔍 Your Task

HashiCorp Vault Template Injection Part 2

Congratulations!