#44 front end JavaScript library with key obfuscated

.github/scripts/docker-create-and-push.sh

@@ -41,6 +41,14 @@ echo "Start building assets required for container"
 
 echo "generating challenge 12-data"
 openssl rand -base64 32 | tr -d '\n' > yourkey.txt
+echo "generating challenge 16-data"
+SECENDKEYPART1=$(openssl rand -base64 5 | tr -d '\n')
+SECENDKEYPART2=$(openssl rand -base64 3 | tr -d '\n')
+SECENDKEYPART3=$(openssl rand -base64 2 | tr -d '\n')
+SECENDKEYPART4=$(openssl rand -base64 3 | tr -d '\n')
+echo -n "${SECENDKEYPART1}9${SECENDKEYPART2}6${SECENDKEYPART3}2${SECENDKEYPART4}7" > secondkey.txt
+printf "function secret() { \n var password = \"$SECENDKEYPART1\" + 9 + \"$SECENDKEYPART2\" + 6 + \"$SECENDKEYPART3\" + 2 + \"$SECENDKEYPART4\" + 7;\n return password;\n }\n" > ../../js/index.js
+
 # preps for #178:
 #echo "Building and publishing to maven central, did you set: a settings.xml file with:"
 #echo "<settings>"
@@ -69,6 +77,9 @@ docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongs
 docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-local-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=local-vault" --push ./../../.
 docker buildx build --platform linux/amd64,linux/arm64 -t jeroenwillemsen/wrongsecrets:$tag-k8s-vault --build-arg "$buildarg" --build-arg "PORT=8081" --build-arg "argBasedVersion=$tag" --build-arg "spring_profile=kubernetes-vault" --push ./../../.
 
+echo "restoring temporal change"
+git restore js/index.js
+
 echo "tagging version"
 git tag -a $tag -m "${message}"
 git push --tags

.gitignore

@@ -59,3 +59,7 @@ azure/k8s/pod-id.yml
 
 # Challenge 12 ;-)
 .github/scripts/yourkey.txt
+
+# Node JS
+js/node/
+js/node_modules/

README.md

@@ -6,7 +6,7 @@
 
 Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
 
-Can you solve all the 15 challenges?
+Can you solve all the 16 challenges?
 ![screenshot.png](screenshot.png)
 
 ## Support
@@ -39,6 +39,7 @@ Now you can try to find the secrets by means of solving the challenge offered at
 - [localhost:8080/challenge/13](http://localhost:8080/challenge/13)
 - [localhost:8080/challenge/14](http://localhost:8080/challenge/14)
 - [localhost:8080/challenge/15](http://localhost:8080/challenge/15)
+- [localhost:8080/challenge/16](http://localhost:8080/challenge/16)
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
 

js/index.js

@@ -0,0 +1,4 @@
+function secret() { 
+ var password = "if you see this please fix the JavaScript setup";
+ return password;
+ }