Challenge 42 ☆☆

Welcome to Challenge 42. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Spring Boot Actuator Audit Event

The developers decided to leverage the power of Spring Boot Actuator to monitor and audit their application. The project involved interfacing with various external APIs, each requiring a unique key for authentication. The audit events, detailed and informative, seemed like the perfect solution for monitoring the inner workings of their system.

The team implemented a logging mechanism that included detailed audit events. Unbeknownst to them, these audit events carried traces of the sacred API key in their data.

Can you find this API key?

Answer to solution:

This challenge can be solved using the following steps:

  1. Check the available Actuator endpoints at "/actuator"

  2. Check the audit events exposed at the "/actuator/auditevents" endpoint

  3. Find the API_KEY_RECEIVED event that carries the exposed secret

Why is hiding the API key in the audit events not a good idea?

In a secure and well-architected system, protecting sensitive information such as API keys is crucial. Audit events are valuable for tracking and monitoring activity within an application, but anything placed in an event's data map is stored and, when the endpoint is exposed, served verbatim to whoever can reach "/actuator/auditevents".

Ensure that API keys are never written in plain text to the (audit) logs or any other output, and do not expose the auditevents endpoint more widely than the operators who need it.
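To make the contrast concrete, here is an added example (not code from the WrongSecrets project) of the leaky pattern next to a safer one. The class name `ApiKeyAuditor` and the `fingerprint` helper are assumptions; the event type `API_KEY_RECEIVED` is the one the challenge refers to.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Map;
import org.springframework.boot.actuate.audit.AuditEvent;
import org.springframework.boot.actuate.audit.AuditEventRepository;
import org.springframework.stereotype.Component;

// Assumed helper class for this example. The /actuator/auditevents endpoint
// only exists when an AuditEventRepository bean is present, and it is served
// over HTTP only if management.endpoints.web.exposure.include lists
// "auditevents" (or "*"); Spring Boot's default exposes just "health".
@Component
public class ApiKeyAuditor {

    private final AuditEventRepository auditEvents;

    public ApiKeyAuditor(AuditEventRepository auditEvents) {
        this.auditEvents = auditEvents;
    }

    // Leaky version: the raw key goes into the event's data map, is kept in the
    // repository and is returned verbatim by GET /actuator/auditevents.
    public void recordLeaky(String principal, String apiKey) {
        auditEvents.add(new AuditEvent(principal, "API_KEY_RECEIVED",
                Map.<String, Object>of("api_key", apiKey)));
    }

    // Hardened version: record that a key was received plus a short, one-way
    // fingerprint so operators can still correlate events without the secret.
    public void recordSafe(String principal, String apiKey) {
        auditEvents.add(new AuditEvent(principal, "API_KEY_RECEIVED",
                Map.<String, Object>of("key_fingerprint", fingerprint(apiKey))));
    }

    // First 4 bytes (8 hex chars) of SHA-256; enough to tell keys apart in an
    // audit trail, not enough to recover a high-entropy key.
    static String fingerprint(String secret) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(secret.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest, 0, 4);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the JDK", e);
        }
    }
}
```

A quick check is to call `GET /actuator/auditevents?type=API_KEY_RECEIVED` on a test instance and confirm the `data` object of each event contains only the fingerprint, never the key itself.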