Challenge 7 ☆☆☆☆

Welcome to Challenge 7. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

A secret hidden in Vault

So now the secret is no longer in K8s or code... the developer hopes. If this challenge is enabled and you followed the README.md instructions, you should have the challenge running on K8s/Minikube and can now search for the secret. What is the mistake made here? TruffleHog might have been able to help if the entropy of the token had been a little higher ;-).
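The hint above is about how entropy-based secret scanners work: they flag strings whose Shannon entropy is above a threshold, so a token built from a small, repetitive alphabet slips past them. The following is an added example (not code from the WrongSecrets project or from TruffleHog) that runs both checks over a constructed manifest fragment: a generic entropy scan, and a pattern match on the Vault token prefixes (`hvs.`, `hvb.`, `hvr.` since Vault 1.10, `s.`/`b.` before that). The sample lines, the token values and the 3.5 bits/char threshold are all assumptions made for the example.

```python
import math
import re

# Vault token prefixes (a fact about Vault, not about this challenge): "hvs." service,
# "hvb." batch and "hvr." recovery tokens since Vault 1.10, "s."/"b." before that.
# A prefix match does not depend on the entropy of the rest of the token.
VAULT_TOKEN_RE = re.compile(r"\b(?:hv[sbr]\.|[sb]\.)[A-Za-z0-9]{8,}\b")

# Generic candidate for an entropy scan: a run of base64-alphabet characters,
# the same kind of candidate classic entropy scanners look at.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/=]{16,}")

# Constructed sample input (not from any real repository): a ConfigMap with a
# low-entropy Vault root token next to a random-looking hex API key.
SAMPLE = """\
# constructed sample lines, not from any real repository
apiVersion: v1
kind: ConfigMap
data:
  VAULT_ADDR: http://vault.vault.svc:8200
  VAULT_TOKEN: hvs.aaaabbbbccccddddeeeeffff   # low-entropy root token
  API_KEY: 7f3a9c2e4b8d1f6a0c5e3b9d2a7f4e1c8b6d0a3f
  LOG_LEVEL: info
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character: the metric entropy scanners use."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, threshold: float = 3.5):
    """Return findings as (line_no, kind, value).

    kind is "vault-token" for a prefix match (found regardless of entropy) or
    "high-entropy" for a candidate whose entropy is at or above the threshold.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()
        for m in VAULT_TOKEN_RE.finditer(line):
            findings.append((line_no, "vault-token", m.group(0)))
            seen.add(m.group(0))
        for m in CANDIDATE_RE.finditer(line):
            tok = m.group(0)
            # Skip candidates already reported via the prefix rule (either direction of overlap).
            if any(tok in s or s in tok for s in seen):
                continue
            if shannon_entropy(tok) >= threshold:
                findings.append((line_no, "high-entropy", tok))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE):
        print(f"line {line_no}: {kind:13} {value}  (H={shannon_entropy(value):.2f} bits/char)")
```

Running it shows the point of the hint: the root token scores about 3.1 bits/char and is invisible to the entropy rule, while the hex key (about 3.9 bits/char) is flagged. The token is only caught because of its prefix, which is why practitioners combine entropy scanning with format-specific detectors rather than relying on either alone.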

Answer to solution:

Why you need to configure your secrets management solution well

HashiCorp Vault is designed to manage secrets. Vault safeguards secrets by storing them encrypted and by putting a set of security controls (authentication, policies, auditing) in front of access to them.

Some of these controls can easily be misconfigured or misused. In this challenge the only credentials used to access Vault are (root) tokens, and those tokens get leaked, even into Git by mistake. Root tokens should never be the default way of authenticating to Vault: they are not restricted by any policy, so one leaked token exposes every secret. Instead, enable an auth method such as LDAP or Azure and grant each identity only the policies it needs.

Next, the secret itself carries no metadata describing what it is used for, which makes it harder to maintain (rotate, retire, audit) over time.
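To make the two preceding points concrete, here is an added example (not configuration from the WrongSecrets project) that puts the access a leaked root token effectively grants next to a least-privilege Vault policy for the application, and records who owns the secret and where it is used. It assumes a KV v2 engine mounted at `secret/`, an application secret at `secret/app/db`, a policy named `app-reader` and an LDAP group named `app-team`; all of those names are made up for the example.

```hcl
# Added example, not from the project. Two separate Vault policy files shown together.

# --- root-equivalent.hcl ---
# This is what holding a root token amounts to: every path, every capability,
# including "sudo" for privileged endpoints. Never bind this to an application.
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}

# --- app-reader.hcl ---
# Least privilege for the application: read one secret and its metadata, nothing else.
# KV v2 exposes data under <mount>/data/<path> and metadata under <mount>/metadata/<path>,
# so both paths must be named explicitly.
path "secret/data/app/db" {
  capabilities = ["read"]
}

path "secret/metadata/app/db" {
  capabilities = ["read"]
}
```

Wiring it up (assumed names as above, real `vault` CLI commands): load the policy with `vault policy write app-reader app-reader.hcl`, enable an auth method with `vault auth enable ldap`, configure it for your directory, and map the group to the policy with `vault write auth/ldap/groups/app-team policies=app-reader`. Members of that group then log in with their own identity and receive a token that can read only `secret/app/db`. For the metadata point, KV v2 custom metadata records the context the secret is missing in the challenge, e.g. `vault kv metadata put -custom-metadata=owner=app-team -custom-metadata=used-by=wrongsecrets secret/app/db`, so whoever rotates or retires the secret later knows what depends on it.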

When using a third-party solution, HashiCorp Vault or any other, make sure you read the documentation well and secure the system. Additionally, do a threat-modeling exercise to understand the risks of it being used wrongly.
