-
-
Notifications
You must be signed in to change notification settings - Fork 371
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible new ideas for challenges #37
Comments
I would like to help with the Google support |
To add: using hardcoded key to encrypt embedded secret |
Password can be stored wrongly in web service testing applications like IntelliJ's HTTP Client, JMeter, Soap UI, Postman, etc. configuration files. It can be also caught during OWASP ZAP or WireShark sessions. Then that file is committed into the repository. JMeter e.g.:
|
I would like to help with Hardcoding it in a binary written in Golang and C to obfuscate it. |
Nexus deployment credentials in |
Idea from @nbaars : have a secret hidden in the .git history :) |
Simple one that is a mix of 1 & 13: docker container is run with password as parameter, but the whole command is placed in a .sh file and stored in the git repo (aka: use .gitignore to block local helper scripts) |
Sops misconfig |
Have passwordless challenges based on impersonation such as https://github.com/OWASP/wrongsecrets/blob/master/src/main/resources/explanations/challenge11_hint-azure.adoc |
Use a secret as part of shell script and make it do command injection ;-) |
This ticket is for creating/listing possible ideas. If an Idea is picked up by a developer, then it gets its own tickets.
The text was updated successfully, but these errors were encountered: