Challenge 2

Welcome to Challenge 2. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Hardcoded password part 2

Instead of hardcoding the password directly in the Java source, the developer tried to hide it in the application.properties file of the Spring Boot application.

This way, it can no longer be found directly in the .java sources or in the compiled .class files. So how can you detect it?

You can easily detect this with secret-scanning tools such as truffleHog and git-secrets, which look for credential-like strings in the repository and its history, and by manually inspecting your application.properties (and any other configuration file that is committed alongside the code).
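The scanner below is an added example, not part of the original challenge or of the WrongSecrets code base. It parses a Spring Boot application.properties file and reports every credential-looking key whose value is still a literal, while accepting Spring's ${NAME} placeholder form that is resolved from the environment at startup. The three property files are constructed samples (the key names and values are invented for this example); the half-fixed one shows the edge case where a ${NAME:default} placeholder carries the secret in its default.

```python
import re

# Constructed sample, not the challenge's real file: a Spring Boot
# application.properties with the password committed as a literal.
VULNERABLE_PROPERTIES = """\
spring.application.name=wrongsecrets
server.port=8080
# the secret the developer tried to "hide" here
challenge2.password=SuperSecretPasswordFromProperties
spring.datasource.url=jdbc:postgresql://db:5432/app?user=app&password=hunter2
"""

# Constructed sample: the same file with every credential externalized.
# ${NAME} is Spring's property placeholder; Spring Boot resolves it at
# startup from the environment, a mounted file, a config server, etc.,
# so nothing secret lands in git or inside the packaged jar.
HARDENED_PROPERTIES = """\
spring.application.name=wrongsecrets
server.port=8080
challenge2.password=${CHALLENGE2_PASSWORD}
spring.datasource.url=${DB_URL}
spring.datasource.password=${DB_PASSWORD}
"""

# Constructed sample of a half-done fix: ${NAME:default} falls back to the
# default when NAME is unset, and that default is still a committed secret.
HALF_FIXED_PROPERTIES = """\
challenge2.password=${CHALLENGE2_PASSWORD:SuperSecretPasswordFromProperties}
"""

# Key fragments that usually carry credentials (assumption: tune to your code base).
SENSITIVE = re.compile(r"password|passwd|pwd|secret|token|api[._-]?key|credential", re.I)
# Spring placeholder: ${NAME} or ${NAME:default}.
PLACEHOLDER = re.compile(r"^\$\{([^}:]+)(?::(.*))?\}$")
# A password smuggled into a connection string or URL query.
EMBEDDED_PASSWORD = re.compile(r"(?:^|[?&;])(?:password|pwd)=[^&;]+", re.I)


def _logical_lines(text):
    """Join backslash-continued lines the way java.util.Properties does
    (leading whitespace of the continuation line is dropped)."""
    buf = ""
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def parse_properties(text):
    """Minimal .properties parser: key=value, key:value or key value,
    '#'/'!' comment lines, continuations. Escape sequences are not
    decoded, which is good enough for a scanner."""
    props = {}
    for line in _logical_lines(text):
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)(?:\s*[=:\s]\s*(.*))?", line)
        if m:
            props[m.group(1)] = m.group(2) or ""
    return props


def find_hardcoded_secrets(text):
    """Return [(key, value, reason)] for every property that still carries
    a secret in the committed file."""
    findings = []
    for key, value in parse_properties(text).items():
        ph = PLACEHOLDER.match(value)
        if SENSITIVE.search(key):
            if not value:
                continue  # empty value, nothing leaked
            if ph is None:
                findings.append((key, value, "literal value"))
            elif ph.group(2):
                findings.append((key, value, "placeholder default is a committed literal"))
        elif ph is None and EMBEDDED_PASSWORD.search(value):
            findings.append((key, value, "password embedded in connection string"))
    return findings


if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE_PROPERTIES),
               ("hardened", HARDENED_PROPERTIES),
               ("half-fixed", HALF_FIXED_PROPERTIES)]
    for name, text in samples:
        for key, value, reason in find_hardcoded_secrets(text):
            print(f"{name}: {key}={value}  ({reason})")
```

Run it against a real file by reading it into find_hardcoded_secrets. Note that a Spring Boot fat jar packages application.properties under BOOT-INF/classes/, so scanning the built artifact (for example the output of unzip -p app.jar BOOT-INF/classes/application.properties) catches the same finding even when the source repository is not available.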

Explanation of the solution:

Why putting secrets in code is a bad idea.

As you can tell, we gained a little more flexibility compared to challenge 1. However, the password is still in the code base: application.properties is committed to the repository together with the source and is packaged into the application jar, so anyone with access to either can read it.

Spring Boot does let us override such properties at a later stage, for example with environment variables or command-line arguments, as you will see in the next challenges. In practice, however, we often see secrets stored as part of the Spring config or Spring Cloud Config and never overridden later. This means that everybody with access to the Spring Cloud Config can learn what the secret is.

A distributed solution like Spring Cloud Config, where you manage your application properties externally, can have the same problem if you are not careful: it moves the secret out of the repository, but not out of reach of everyone who can read the configuration. Take a close look at the security section of its documentation before using Spring Cloud Config.