Challenge 16 ☆☆☆

Welcome to Challenge 16. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Secrets in front-end code

When we start a new project we are usually more focused on implementing features than on security. Sometimes a Single-Page app or a mobile app needs to access information for itself rather than on behalf of a user. For this purpose OAuth provides the client_credentials flow, which exchanges a client id and client secret for an access token. In that situation it is tempting to store the client secret in the front-end or mobile application code. Even if you obfuscate the secret in the code, the application still has to send it to the token endpoint eventually, and at that moment it is visible to anyone who controls the device or browser.

The front end of this challenge contacts a server using the client credentials flow. Can you find its secret?

What about looking for it in the developer tools of your browser?

Answer to solution:

You can solve this challenge by the following steps:

  1. Find the secret at the moment the app uses it

    • open the developer tools of your browser (F12 in most browsers)

    • select the Network tab and reload the page so the requests are captured

    • find the POST request whose path is /token

    • inspect the request body (payload) and look for the key client_secret; its value is the secret

Why having secrets in front-end code is a bad idea

Whenever you ship a mobile app for a smart device or a SPA that runs in a web browser, you should not hardcode any secrets in it. An attacker can always take the app, reverse-engineer it, or simply watch its network traffic, and recover the actual secret. Instead, ask yourself whether the secret can be fetched safely after the user has authenticated, or whether the design can avoid a shared secret altogether.

Why putting a client secret in a Single-Page app or mobile app is a bad idea

As you can tell by now, you can easily extract any secret that is stored within a Single-Page app or mobile app, so such "public clients" cannot keep a client secret confidential. To avoid needing one at all, the Authorization Code Flow with Proof Key for Code Exchange (PKCE) is used: the app generates a random code_verifier per login, sends only a hash of it (the code_challenge) with the authorization request, and later presents the verifier when redeeming the authorization code. The authorization server recomputes the hash and compares it, so an attacker who intercepts the code cannot exchange it, and no long-lived secret ever has to live in the app.