OWASP · commjoen · Oct 31, 2024 · Oct 7, 2024 · Oct 8, 2024 · Oct 13, 2024
@@ -0,0 +1,22 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.wrongsecrets.challenges.FixedAnswerChallenge;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+/** challenge about docker compose secrets */
+@Slf4j
+@Component
+public class Challenge51 extends FixedAnswerChallenge {
+  private final String dockerSecret;
+
+  public Challenge51(@Value("${DOCKER_SECRET_CHALLENGE51}") String dockerSecret) {
+    this.dockerSecret = dockerSecret;
+  }
+
+  @Override
+  public String getAnswer() {
+    return this.dockerSecret;
+  }
+}
@@ -74,6 +74,7 @@ challenge27ciphertext=gYPQPfb0TUgWK630tHCWGwwME6IWtPWA51eU0Qpb9H7/lMlZPdLGZWmYE8
 challenge41password=UEBzc3dvcmQxMjM=
 challenge49pin=NDQ0NDQ=
 challenge49ciphertext=k800mdwu8vlQoqeAgRMHDQ==
+DOCKER_SECRET_CHALLENGE51=Fald';alksAjhdna'/
 management.endpoint.health.probes.enabled=true
 management.health.livenessState.enabled=true
 management.health.readinessState.enabled=true

@@ -0,0 +1,10 @@
+# syntax=docker/dockerfile:1.4
+FROM debian:stable-slim
+
+RUN --mount=type=secret,id=db_user \
+    --mount=type=secret,id=db_password \
+    --mount=type=secret,id=db_name \
+    echo "$(cat /run/secrets/db_user) | $(cat /run/secrets/db_password) | $(cat /run/secrets/db_name)" \
+    > /tmp/db_secrets_output
+
+CMD ["cat", "/tmp/db_secrets_output"]
@@ -0,0 +1,19 @@
+version: '3.8'
+
+services:
+  myservice:
+    build:
+      context: "../../../../.."
+      dockerfile: ../Dockerfile_challenge51
+      secrets:
+        - db_user
+        - db_password
+        - db_name
+
+secrets:
+  db_user:
+    file: secretfiles/db_user.txt
+  db_password:
+    file: secretfiles/db_password.txt
+  db_name:
+    file: secretfiles/db_name.txt
@@ -0,0 +1 @@
+wrongsecrets
@@ -0,0 +1 @@
+Fald';alksAjhdna'/
@@ -0,0 +1 @@
+mydbuser
@@ -0,0 +1,7 @@
+=== Exposed Docker Secrets Challenge
+
+In this challenge, you will explore the importance of securely managing sensitive information using Docker secrets in a https://github.com/OWASP/wrongsecrets/blob/775648678a60e57faa8c3fc0799ce1526f4b0f42/src/main/resources/challenges/challenge-51/Dockerfile_challenge51[Docker Compose file]. Docker secrets are intended to safely transmit and store sensitive data like passwords, API keys, and certificates within Docker services. However, improper handling or misconfigurations can inadvertently expose these secrets, leading to potential security risks.
+
+*Acme Inc.*, a rapidly growing e-commerce platform, has recently experienced suspicious activities suggesting that sensitive customer data might have been compromised. An internal audit reveals that a developer inadvertently exposed database credentials by keeping secretfiles in repository and pushing it to a public Git repository. Additionally, the application was not utilizing Docker secrets effectively, leading to plaintext exposure of sensitive information within running containers.
+
+You have been hired as Technical Security Consultant, your job is to secure the exposed secrets to protect the sensitive information? For now identify the misconfigurations and report the database password in the box below to show the issue.
@@ -0,0 +1,17 @@
+This challenge can be solved using the following ways:
+
+- *Acme Inc*. has a misconfigured `challenge51docker-compose.yml` file where sensitive information is exposed. Your task is to find these vulnerabilities.
+  1. Clone the repository containing the challenge files.
+  2. Locate the `challenge51docker-compose.yml` file in the repository.
+  3. Identify credentials:
+    Within the environmentsd section in challenge49docker-compose.yml, check for variables like:
+     * `db_user`
+     * `db_password`
+     * `db_name`
+  4. Now you can run the Docker Compose commands to build and run your service:
+     - ```
+        export DOCKER_BUILDKIT=1
+        docker compose -f src/main/resources/challenges/challenge-51/challenge51docker-compose.yml build
+        docker compose -f src/main/resources/challenges/challenge-51/challenge51docker-compose.yml run myservice
+        ```.
+  5. The answer is in the output
@@ -0,0 +1,28 @@
+= Docker Compose Secrets Misconfiguration Challenge
+
+*Why Improper Secret Management in Docker Compose Can Lead to Vulnerabilities*
+
+In containerized environments, secret management is critical to maintaining the confidentiality and integrity of sensitive information such as database credentials, API keys, and other secrets. Docker Compose offers a convenient way to define and manage secrets, but improper handling of these secrets can expose your system to attacks.
+
+A common mistake is to pass secrets directly via environment variables or commit secret files into version control. This approach is flawed because:
+
+1. **Secrets are visible in the environment**: Environment variables are easy to inspect using basic system commands or logging, which may lead to unintentional exposure.
+2. **Hardcoding secrets in Dockerfiles**: When secrets are embedded in the Dockerfile or `docker-compose.yml`, they become part of the build process and are included in the image layers. Anyone with access to the image can inspect these layers and retrieve the secret.
+3. **Committing secret files to version control**: Storing secrets in files and committing them to Git or other version control systems introduces significant risks, as anyone with access to the repository can obtain the secrets.
+
+*Why This Challenge?*
+
+The purpose of this challenge is to highlight the risks associated with improper secret management in Docker Compose. Specifically, it demonstrates the dangers of using environment variables and file-based secrets incorrectly. Although Docker Compose provides mechanisms to handle secrets securely, such as Docker secrets and external secret management solutions, developers may often overlook these features for convenience.
+
+This challenge simulates a scenario where:
+
+- Database credentials (`db_user`, `db_password`, and `db_name`) are stored in a secret file and referenced in the `docker-compose`.
+- These secrets are improperly managed and can be easily exposed by anyone with access to the environment or the repository.
+
+*Key Learning Points:*
+
+- **Avoid using environment variables for secrets**: While convenient, environment variables are not secure for managing sensitive information. Use Docker secrets or external tools like Vault or AWS Secrets Manager instead.
+- **Do not commit secrets to version control**: Always keep secret files out of your repository by using `.gitignore` or secure secret management solutions.
+- **Ensure secrets are not baked into images**: Secrets should not be embedded in the Docker image itself; they should be injected at runtime or securely retrieved via an external service.
+
+By completing this challenge, you will learn how easy it is for attackers to gain access to improperly managed secrets and the best practices for securing secrets in Docker Compose environments.
@@ -801,3 +801,16 @@ configurations:
       category: *bin
       ctf:
         enabled: true
+
+    - name: Challenge 51
+      short-name: "challenge-51"
+      sources:
+        - class-name: "org.owasp.wrongsecrets.challenges.docker.Challenge51"
+          explanation: "explanations/challenge51.adoc"
+          hint: "explanations/challenge51_hint.adoc"
+          reason: "explanations/challenge51_reason.adoc"
+          environments: *all_envs
+      difficulty: *normal
+      category: *secrets
+      ctf:
+        enabled: true
@@ -0,0 +1,21 @@
+package org.owasp.wrongsecrets.challenges.docker;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.api.Test;
+
+public class Challenge51Test {
+
+  @Test
+  void rightAnswerShouldSolveChallenge() {
+    var challenge = new Challenge51("initsecret");
+    assertThat(challenge.answerCorrect(challenge.spoiler().solution())).isTrue();
+  }
+
+  @Test
+  void incorrectAnswerShouldNotSolveChallenge() {
+    var challenge = new Challenge51("initsecret");
+
+    assertThat(challenge.answerCorrect("wrong answer")).isFalse();
+  }
+}