Challenge 2

Welcome to challenge Challenge 2. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Hardcoded password part 2

Instead of hardcoding the password directly, the developer tried to hide it in the application.properties of Spring Boot.

This way, it can no longer be found directly in .java or compiled .class files. So how can you detect it?

You can easily detect this by SAST solutions, like truffleHog and git-secrets, and by manual inspection of your application.properties.

Answer to solution :

As the text of the challenges is saying: we are looking for a secret in the configuration of the Spring Boot application, with the name Application.properties. You can solve this challenge by the following steps:

  1. Use Trufflehog:

    • Read up on the instructions of the tool at Trufflehog and install it using pip install truffleHog or use its docker container.

    • Now run Trufflehog at our repository: trufflehog https://github.com/OWASP/wrongsecrets. Can you find the value of password in the output?

  2. Inspect the Application.properties in the src/resources folder:

    • Just open the Application.properties file in the src/resources folder at the target repo and take a look. Can you find the secret?

  3. When you do not have the sourcecode available:

    • Follow the instructions of the Docker documentation to copy the Jar file from the root of the container to your local filesystem.

    • Open the JAR file in JD-GUI or jadx-gui, find the application.properties in Resources/BOOT-INF now look for a password!

Why using code to put secrets in is a bad idea.

As you can tell, we got a little more flexibility than with challenge1. However: we still have the password in code!

Though we can now easily overload the variables in a later stage - as you can see in the next challenges, we often see that secrets are stored as part of the Spring Config or Spring Cloud config, without overriding it in a later stage. This means that everybody with the access to the Spring Cloud config can now learn what the secret is.

Using a distributed solution like Spring Cloud Config where you manage your application properties externally can have the same problem if you are not careful. Take a close look at the security section before using Spring Cloud Config.