Challenge 23

Welcome to challenge Challenge 23. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Secrets in front-end code part 2

Sometimes we don’t want to forget how to login with test-credentials while working on our front-end code. Can you find the test-credentials?

Note that test-credentialss are sometimes obfuscated in code by Base64 encoding them.

Answer to solution :

You can solve this challenge by the following steps:

  1. Find the secret in the front-end

    • Use the developer tools of the browser to see the HTML code of this challenge.

    • Go to the end of the challenge description and look for comments.

  2. Decode the base64 encoded secret

    • Go to the source of Challenge23 and find the actual Base64 encoded answer

    • Use any online/offline decoder to decode the Base64 string, then hex-decode the string, and Base64 decode it again.

Why having secrets in front-end code is a bad idea

Whenever you run a mobile app on your smart-device or a SPA on your web-browser, you should try not to hardcode any secrets in them. An attacker can always take the app, reverse-engineer it, and find the actual secret. Instead ask yourself if the secret can be safely downloaded after authentication, or used in a different way.

Why using Single-Page apps or Mobile apps to put client secret in is a bad idea

As you can tell by now, you can easily detect any secret that is stored within a Single-Page app or mobile app.

Why Base64 encoding is no encryption

As you can tell by now, it was rather easy to decode the secret from the Challengefile. This is why Base64 and Hex encoding should never be considered a method to hide a secret. Only use Base64- and/or Hex encoding to ensure you can transport a binary sequence as a String.