Update POM file with new version: 1.4.5

.github/scripts/docker-create-and-push.sh

@@ -87,9 +87,9 @@ git restore src/main/resources/.bash_history
 echo "committing changes and new pom file with version ${tag}"
 git commit -am "Update POM file with new version: ${tag}"
 git push
-#echo "tagging version"
-#git tag -a $tag -m "${message}"
-#git push --tags
+echo "tagging version"
+git tag -a $tag -m "${message}"
+git push --tags
 
 echo "Don't forget to update experiment-bed"
 echo "git checkout experiment-bed && git merge master --no-edit"

Dockerfile.web

@@ -1,6 +1,6 @@
-FROM jeroenwillemsen/wrongsecrets:challenge20test2-no-vault
+FROM jeroenwillemsen/wrongsecrets:1.4.5-no-vault
 
-ARG argBasedVersion="1.4.4"
+ARG argBasedVersion="1.4.5"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ENV APP_VERSION=$argBasedVersion
 ENV K8S_ENV=Heroku(Docker)

README.md

@@ -25,7 +25,7 @@ For the basic docker exercises you currently require:
 You can install it by doing:
 
 ```bash
-docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.4-no-vault
+docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.5-no-vault
 ```
 
 Now you can try to find the secrets by means of solving the challenge offered at:

aws/k8s/secret-challenge-vault-deployment.yml

@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -35,7 +35,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

gcp/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -37,7 +37,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

k8s/secret-challenge-deployment.yml

@@ -28,7 +28,7 @@ spec:
         runAsGroup: 2000
         fsGroup: 2000
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.4-no-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.5-no-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

k8s/secret-challenge-vault-deployment.yml

@@ -30,7 +30,7 @@ spec:
         runAsNonRoot: true
       serviceAccountName: vault
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.4.4-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.4.5-k8s-vault
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080

pom.xml

@@ -9,7 +9,7 @@
     </parent>
     <groupId>org.owasp</groupId>
     <artifactId>wrongsecrets</artifactId>
-    <version>challenge20test2-SNAPSHOT</version>
+    <version>1.4.5-SNAPSHOT</version>
     <name>OWASP WrongSecrets</name>
     <description>Examples with how to not use secrets</description>
     <url>https://owasp.org/www-project-wrongsecrets/</url>

src/main/resources/explanations/challenge19.adoc

@@ -1,4 +1,4 @@
-=== Obfuscating part 1 the C binary
+=== Obfuscating in binaries part 1: the C binary
 
 We need to put a secret in a mobile app! Nobody will notice the secret in our compiled code!
 This is a misbelief we have often encountered when presenting on mobile security topics.

src/main/resources/explanations/challenge20.adoc

@@ -1,4 +1,4 @@
-=== Obfuscating part 2: the C++ binary
+=== Obfuscating in binaries part 2: the C++ binary
 
 Similar like hiding secrets in an application written in C, you end up in a similar situation with C++. Can you find the secret in our binary?
 

src/main/resources/explanations/challenge20_hint.adoc

@@ -9,7 +9,7 @@ You can solve this challenge using the following steps:
 - Allow the Ghidra to analyze the application.
 - Search for the secret: Go to `Functions` on the left-hand side, select `__Z6secretv()` . Now on the screen on the right-hand side you can see the secret. This is a string in C++, wrapped in another class (`SecretContainer`).
 - Search for the same secret, which is "hidden" as a char array: Go to `Functions` on the left-hand side, select `__Z7secret2v()`. On the right hand side, you see the function: now click on the return result of the function at `__ZZ7secret2vE6harder` . Now you can see the result in the Listing view.
-
+- Alternatively: when you have analyzed the application with Ghirda: do a search for strings in all blocks and see if you can spot the secret ;-).
 
 2. Find the secrets with https://www.radare.org[radare2].
 - Install https://www.radare.org[radare2] with either `brew install radare2` on Mac or follow these steps: `git clone https://github.com/radareorg/radare2; cd radare2 ; sys/install.sh`