This ticket is for creating/listing possible ideas. If an Idea is picked up by a developer, then it gets its own tickets.
- front end JavaScript library with key obfuscated #44
- File in container FS #43
- Google support (Add GCP challenges #40, Add GCP support #39)
- Azure support #93
- Alibaba cloud support (will not do this, maybe have a write up later?)
- Nomad support #299
- Heroku support
- Github action (Forkable) #144
- Secret in logs (= challenge 8)
- Kees-challenge: add bad KeePass file (e.g. 5-char password :D) #187
- Add secret to bash history inside the container ;-) #188
- Embed a canary token as a trap #189
- Secret hidden in git history #199
- Add bad hashing and/or encryption so you can guess the secret #200
- create a secrets detection testbed branch with revoked credentials #201
- Hardcoding it in a binary written in C/C++/Golang/Rust to obfuscate it. #148
- Hardcoded in testcode (Possible new ideas for challenges #37 (comment))
- Keybase support #296
- Nexus deployment credentials in settings.xml #810
- Spring Boot Actuator challenge hiding an api key in the audit events #815
- Add hardcoded encryption key on top of a secret. #297
- Add misconfiguration of docker secret in code (See for docker compose: https://docs.docker.com/engine/swarm/secrets/) #811
- Add misconfiguration for mounting in secret in during build: https://docs.docker.com/engine/reference/commandline/buildx_build/ #812
- Have a too-long-lived OIDC token which can be used to extract and apply (won't do)
- Jenkins or other GitHub secondary CI/CD secret (won't do, as it requires another container next to it & needs maintenance. Our current CI/CD action shows the issue already.)
- Log secret encoded from your cloud app towards the logging solution of your cloud provider. #345
- Simple one that is a mix of 1 & 13: docker container is run with password as parameter, but the whole command is placed in a .sh file and stored in the git repo (aka: use .gitignore to block local helper scripts)
- Leave 1 secret in the HTML comments as a "this is how you connect" thing. #344
- SOPS/sealed secrets misconfig: a bogus sealed secret with misconfigured retrieval setup? (pending)
- Native languages round 2: Swift! #615
- Leave a secret in git notes #614
- Have a secret in .gitignore /.ssh #613
- Use an example key from the HMAC SPEC to create a secret (and hint where to find it). #377
- New Challenge: Leave a secret somewhere in Reddit by “mistake” #616
- Have a misconfigured vault template where someone left a secret in besides some values actually being injected #809
- have a Zap auth config for a given challenge hardcoded #813
- Based on @robvanderveer's suggestion: New Challenge: Leave a secret somewhere in Reddit by “mistake” #616
- Have passwordless challenges based on impersonation such as https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge11_hint-azure.adoc - agreed to not create a new challenge, but extend GCP/AWS with a similar solution for challenge 11.
- Do a command injection via vault template #814
- Bad RSA private key redaction; https://www.hezmatt.org/~mpalmer/blog/2020/05/17/private-key-redaction-ur-doin-it-rong.html (tip from @nbaars)
- A kotlin binary