OWASP WrongSecrets

Welcome to challenge Challenge 33. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Kubernetes StringData or Data?

Kubernetes has 2 types of fields for data in a secret. The StringData contains the plaintext data, while the Data contains the base64 encoded value. So what if you want to swap the StringData value to a Data value in order to secure it further? You don’t have to, as long as you have set up RBAC correctly. After all: both values should not be visible when a secret is listed or described. But what if you move from standard to sealed secrets but don’t migrate all of them? Then it might be good to know that the metadata might contain the actual value of the StringData. Can you find the secret?

This challenge has been disabled.This challenge has been disabled. Click "next" to go to the next challenge.

Answer to solution :

What's wrong?

Why you should be careful with migrating secrets

When you update a Kubernetes secret and migrate to another format, the original data is part of the metadata captured in the original configuration. Migration of secrets to "something else" should also include a rotation step to ensure the older (less well-protected) value is now useless.

Go the main page

We are running outside a K8s cluster. Please run this in the K8s cluster as explained in the README.md

There are still supported challenges after this one. Please try another challenge instead!

Kubernetes StringData or Data?

Congratulations!