Nanne Baars (nbaars), Xebia, Netherlands, https://nbaars.github.io/. Project leader of WebGoat.

commjoen/wrongsecrets 57

Examples with how to not use secrets

nbaars/NodeGoat 3

The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

nbaars/java-magazine-article 1

Code examples for Java Magazine article

nbaars/john-the-ripper 1

Docker file for John the Ripper password cracker

nbaars/alfred-gitlab 0

A GitLab workflow for Alfred 3

nbaars/automatic-api-attack-tool 0

Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.

nbaars/awesome-web-hacking 0

A list of web application security

nbaars/bdd-security 0

BDD Automated Security Tests for Web Applications

push event commjoen/wrongsecrets

Nanne Baars

commit sha 028ffdf6e04b59b47472d712ec66e1763d6b475f

Fix error page


push time in 2 hours

PullRequestReviewEvent

Pull request review comment commjoen/wrongsecrets

Make UI more dynamic

+<html xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" xmlns:th="http://www.thymeleaf.org"+      layout:decorate="~{index.html}">+<body>++<div class="container-fluid text-sm p-5 bg-light" layout:fragment="content">+    <div class="display-5">Welcome</div>+    <p class="lead">Welcome to OWASP WrongSecrets. With this app, we hope you will re-evaluate your secrets+        management+        strategy</p>+    <hr class="my-4">+    <p>For each of the challenges below: try to find the secret! Enter it in the `Answer to solution` box and+        score+        points!+        Note that some challenges require this app to run on additional infrastructure (see in the links+        below).</p>++    <div class="row">
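Review bot: in the welcome paragraph, `Answer to solution` is wrapped in backticks, which this HTML renders as literal backtick characters rather than as code; use `<code>Answer to solution</code>` or plain quotes instead. The lead paragraph also ends without a full stop after "strategy".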

fixed

nbaars

comment created time in 2 hours

push event commjoen/wrongsecrets

Nanne Baars

commit sha 9ea0c4e8cbe212525d8a626a9bd5d2509207aed2

Fix layout: gray only on top


push time in 2 hours

Pull request review comment commjoen/wrongsecrets

Make UI more dynamic

-<!DOCTYPE HTML>-<html xmlns:th="https://www.thymeleaf.org">-<head>-    <title>OWASP WrongSecrets Challenge</title>-    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>-    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">-    <link th:rel="stylesheet" th:href="@{/webjars/bootstrap/5.1.2/css/bootstrap.min.css} "/>-    <link rel="stylesheet" type="text/css" th:href="@{/css/style.css}"/>-</head>+<html xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"+      layout:decorate="~{index.html}"> <body>-<nav class="navbar navbar-expand-lg navbar-dark bg-dark">-    <div class="container-fluid">-        <a class="navbar-brand" href="/">WrongSecrets </a>-        <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarSupportedContent"-                aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">-            <span class="navbar-toggler-icon"></span>-        </button>-        <div class="collapse navbar-collapse" id="navbarSupportedContent">-            <ul class="navbar-nav me-auto mb-2 mb-lg-0">-                <li class="nav-item">-                    <a class="nav-link" aria-current="page" href="/">Home</a>-                </li>-                <li class="nav-item dropdown">-                    <a class="nav-link dropdown-toggle active" href="#" id="navbarDropdown" role="button"-                       data-bs-toggle="dropdown" aria-expanded="false">-                        Challenges-                    </a>-                    <ul class="dropdown-menu" aria-labelledby="navbarDropdown">-                        <a class="dropdown-item" href="/challenge/1">Challenge 1</a>-                        <a class="dropdown-item" href="/challenge/2">Challenge 2</a>-                        <a class="dropdown-item" href="/challenge/3">Challenge 3</a>-                        <a class="dropdown-item" href="/challenge/4">Challenge 4</a>-          
              <a class="dropdown-item" href="/challenge/5">Challenge 5</a>-                        <a class="dropdown-item" href="/challenge/6">Challenge 6</a>-                        <a class="dropdown-item" href="/challenge/7">Challenge 7</a>-                        <a class="dropdown-item" href="/challenge/8">Challenge 8</a>-                        <a class="dropdown-item" href="/challenge/9">Challenge 9</a>-                        <a class="dropdown-item" href="/challenge/10">Challenge 10</a>-                        <a class="dropdown-item" href="/challenge/11">Challenge 11</a>-                        <a class="dropdown-item" href="/challenge/12">Challenge 12</a>-                    </ul>-                </li>-                <li class="nav-item">-                    <a class="nav-link" href="https://github.com/commjoen/wrongsecrets" target="_blank">Github</a>-                </li>-                <li class="nav-item">-                    <a class="nav-link disabled" href="#" tabindex="-1" aria-disabled="true"-                       th:text="'Version:'+${version}"></a>-                </li>-            </ul>-        </div>--    </div>-</nav>-<div class="container">-    <h1 class="mt-3" th:text="'Challenge '+${challengeNumber}"/>-    <p th:text="'Welcome to challenge ' + ${challengeNumber} + '. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.'"></p>-    <div class="explanation">-        <div th:replace="doc:challenge__${explanationfile}__.adoc"></div>-    </div>+<div class="container" layout:fragment="content">+    <!--/*@thymesVar id="challenge" type="org.owasp.wrongsecrets.challenges.ChallengeUI"*/-->+    <h1 class="mt-3" th:text="${challenge.name}"/>+    <p th:text="'Welcome to challenge ' + ${challenge.challengeNumber} + '. 
You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.'"></p>+    <div th:replace="doc:__${challenge.explanation}__.adoc"></div>     <div th:text="${challengeCompletedAlready}"></div>     <div class="feedback alert alert-success" role="alert" th:if="${answerCorrect!=null}"          th:text="${answerCorrect}"></div>     <div class="feedback alert alert-danger" role="alert" th:if="${answerIncorrect!=null}"          th:text="${answerIncorrect}"></div>-    <form action="#" th:action="'/challenge/'+${challengeNumber}" th:object="${challengeForm}" method="post">+    <form action="#" th:action="'/challenge/'+${challenge.link}" th:object="${challengeForm}" method="post">         <p>Answer to solution : <input type="text" th:field="*{solution}"/></p>-        <p><input class="btn btn-primary" type="submit" value="Submit"/> <input class="btn btn-secondary" type="reset"-                                                                                value="Reset"/></p>+        <p>+            <button class="btn btn-primary" type="submit" name="action" value="submit">Submit</button>+            <button class="btn btn-secondary" type="submit" name="action" value="reset">Reset</button>+        </p>     </form> -    There are 12 challenges (/challenge/1-12), can you solve them all? 
<br/>-    <div class="row">-        <div th:if="${previouschallenge!=null}" class="col-4">-            <a th:href="'/challenge/'+${previouschallenge}">Previous</a>-        </div>-        <div class="col-4">-            <a href="/">Go the main page</a>-        </div>-        <div th:if="${nextchallenge!=null}" class="col-4">-            <a th:href="'/challenge/'+${nextchallenge}">Next</a>-        </div>-    </div>--     <div class="progress">         <div class="progress-bar" role="progressbar" th:style="'width:'+${progress}+'%;'"              th:attr="aria-valuenow=${progress}" aria-valuemin="0" aria-valuemax="100"              th:text="${totalPoints}"></div>     </div> -    <div class="alert alert-danger" role="alert" th:if="${runtimeWarning!=null}" th:text="${runtimeWarning}"></div>+    <div th:if="${missingEnvWarning} eq 'DOCKER'" class="alert alert-danger" role="alert">+        We are running outside a docker container. Please run this in a container as explained in the README.md.+    </div>+    <div th:if="${missingEnvWarning} eq 'VAULT'" class="alert alert-danger" role="alert">+        We are running outside a K8s cluster with Vault. Please run this in the K8s cluster as explained in the README.md.+    </div>+    <div th:if="${missingEnvWarning} eq 'K8S'" class="alert alert-danger" role="alert">+        We are running outside a K8s cluster. Please run this in the K8s cluster as explained in the README.md.+    </div>+    <div th:if="${missingEnvWarning} eq 'AWS' or ${missingEnvWarning} eq 'GCP'" class="alert alert-danger" role="alert">+        We are running outside a properly configured AWS environment. Please run this in an AWS environment as explained in the README.md.
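Review bot: the last alert in this hunk, `th:if="${missingEnvWarning} eq 'AWS' or ${missingEnvWarning} eq 'GCP'"`, shows the AWS-specific text ("outside a properly configured AWS environment") when the missing environment is GCP; either split it into two alerts with their own text or pass the environment name into the message. Two smaller points: `<div th:replace="doc:__${challenge.explanation}__.adoc">` uses Thymeleaf preprocessing, which evaluates `${challenge.explanation}` and then parses the result again as part of the expression, so that value must stay a server-defined constant of the challenge and never be derived from request input; and the new Reset button is `type="submit"` with `name="action" value="reset"`, so resetting now posts to the controller instead of clearing the field client-side, which is fine as long as the controller dispatches on the `action` parameter for both values.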

you want a different text?

nbaars

comment created time in 2 hours

PullRequestReviewEvent

push event commjoen/wrongsecrets

Nanne Baars

commit sha 85a515021481063ffdcb39e8591d56b3f17d484b

Code review fixes


push time in 2 hours

Pull request review comment commjoen/wrongsecrets

Make UI more dynamic

+<html>+<body>++<div class="container-fluid text-sm p-5 bg-light" th:fragment="welcome">+    <div class="display-5">Welcome</div>+    <p class="lead">Welcome to OWASP WrongSecrets. With this app, we hope you will re-evaluate your secrets+        management+        strategy</p>+    <hr class="my-4">+    <p>For each of the challenges below: try to find the secret! Enter it in the `Answer to solution` box and+        score+        points!+        Note that some challenges require this app to run on additional infrastructure (see in the links+        below).</p>++    <div class="row">+        <div class="col-12 col-md-9 mt-3">+            <p>+                <!-- TODO:               th:classappend="${isAdmin} ? 'adminclass' : userclass'"-->+                <a href="challenge/1">Challenge 1 (requires Docker)</a><br/>+                <a href="challenge/2">Challenge 2 (requires Docker)</a><br/>+                <a href="challenge/3">Challenge 3 (requires Docker)</a><br/>+                <a href="challenge/4">Challenge 4 (requires Docker)</a><br/>+                <a href="challenge/5" th:class="${k8s == null}  ? 'disabled' : ''">Challenge 5 (requires+                    K8s/Minikube)</a><br/>+                <a href="challenge/6" th:class="${k8s == null}  ? 'disabled' : ''">Challenge 6 (requires+                    K8s/minikube)</a><br/>+                <a href="challenge/7" th:class="${vault == null}  ? 'disabled' : ''">Challenge 7 (requires+                    k8s/minikube+                    with Vault)</a><br/>+                <a href="challenge/8">Challenge 8 (requires Docker)</a><br/>+                <a href="challenge/9" th:class="${cloud == null}  ? 'disabled' : ''">Challenge+                    9 (requires AWS or GCP)</a><br/>+                <a href="challenge/10" th:class="${cloud == null}  ? 'disabled' : ''">Challenge+                    10 (requires AWS or GCP)</a><br/>+                <a href="challenge/11" th:class="${cloud == null}  ? 
'disabled' : ''">Challenge
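Review bot: the welcome fragment in this hunk hardcodes the challenge links one by one (`<a href="challenge/1">` through `challenge/11`), which is exactly the duplication the PR title says it removes; render them with a `th:each` over the challenge list so adding a challenge does not require editing this template. Also, `th:class="${k8s == null} ? 'disabled' : ''"` only styles the anchor: Bootstrap's `.disabled` on an `<a>` does not stop navigation (it additionally needs `aria-disabled="true"` and `tabindex="-1"`), so the controller must keep enforcing the environment check for `/challenge/{n}` rather than relying on the link being greyed out. The `<!-- TODO: th:classappend=... -->` comment should be resolved or removed before merge.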

done

nbaars

comment created time in 2 hours

PullRequestReviewEvent

Pull request review comment commjoen/wrongsecrets

Make UI more dynamic

 public boolean answerCorrect(String answer) {         return challengeAnswer.equals(answer);     } -    @Override-    public boolean environmentSupported() {-        return k8sEnvironment.equals("gcp") || k8sEnvironment.contains("aws");+    public List<RuntimeEnvironment.Environment> supportedRuntimeEnvironments() {+        return List.of(AWS);
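Review bot: the replaced `environmentSupported()` accepted both `"gcp"` and `"aws"`, but the new `supportedRuntimeEnvironments()` returns `List.of(AWS)` only, so GCP support is silently dropped for this challenge; add the GCP environment to the list (or state in the PR that the drop is intended). The hunk also removes the `@Override` annotation without putting it on the new method; if `supportedRuntimeEnvironments()` implements the challenge interface, keep `@Override` so the compiler catches a signature mismatch. `List.of(AWS)` also relies on a static import of `AWS` (or the qualified `RuntimeEnvironment.Environment.AWS`) that is not visible in this hunk.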

done

nbaars

comment created time in 2 hours

PullRequestReviewEvent

push event commjoen/wrongsecrets

Nanne Baars

commit sha b031f72f40f8f58fa1655a7139eee33ac414ea06

Add GCP


push time in 2 hours

push event commjoen/wrongsecrets

Ben de Haan

commit sha 8bdad979d08abb1d3efaac5787978151bef60680

Add support for challenge 11


Ben de Haan

commit sha 7a1c43ecdc06badd3cac69ba53207a8eb608d355

remove log statement


Jeroen Willemsen

commit sha 506dee0b900980b439806bd22e0330432e3dd15a

small fix for k8senv


Jeroen Willemsen

commit sha ad8576dc667a17b4c003da6fac23666db5e4c789

simple fix for after scoring


Jeroen Willemsen

commit sha e20dd60b16c9e2518bf2936b0ae70a13434a67bb

temp disable git tagging


Jeroen Willemsen

commit sha b7b3a41c0c00e5897618ef28b18c6b7d34f3012b

update


Jeroen Willemsen

commit sha a310b4704c04a380facb3af793b6cafab204ce80

added explanation


Jeroen Willemsen

commit sha 992f8cc1c7762f4911f1d779db4936961c65f587

added more javadoc


Jeroen Willemsen

commit sha 2229caf9b34149350920699816c8464044ea522b

Updated tests and refactored index controller for link tainting


Jeroen Willemsen

commit sha af7c68599a3726d4d7343323ba7c3eb035407b6b

First fix for #75


Jeroen Willemsen

commit sha 1c652354c179020584c3333a409e2c29b5a2597a

Actual fix for #75


Jeroen Willemsen

commit sha 88f3159230fc325daee6df50a3dd21128d6c4a6b

wip


Jeroen Willemsen

commit sha 538d7fff1dc23824180972526cc156a814e22ac5

Processed most of the feedback for #75


Jeroen Willemsen

commit sha c1fa3175ae8ad67c788eb715357aa2472f2c0071

clean up code


Ben de Haan

commit sha c8a900ca0e8cd73aad0a95271ce527f0b5d34c7b

Fix gcp challenge 11


Ben de Haan

commit sha dca45306bb809d6b162166f4e765f422bc27a94b

Add GCP project ID in template


Jeroen Willemsen

commit sha 7a79863866f9a7ea6134c5f4e626903ef3523919

Merge pull request #87 from commjoen/feature/gcp-challenge-11: Add GCP challenge 11


Jeroen Willemsen

commit sha 07edc68990d56c60d5f79c70f40095c6afe00d07

Merge branch 'master' into challenge-explanation


Jeroen Willemsen

commit sha 0c73407669e604bc3361c04f966e225463430844

Merge pull request #84 from commjoen/challenge-explanation: Fix for #75 (small ui updates as well)


Jeroen Willemsen

commit sha 9864d87f8bd5851d77fe0b9b586c5bb8995eed64

Release 1.1.0


push time in 3 hours

push event commjoen/wrongsecrets

Nanne Baars

commit sha edf8b63348f25d9927296b551bbd48984326cd72

Refactoring


push time in 4 hours

PullRequestReviewEvent

Pull request review comment commjoen/wrongsecrets

Make UI more dynamic

 <!DOCTYPE html> <html lang="en">-<head>-    <meta charset="UTF-8">-    <title>OWASP WrongSecrets-ERROR!</title>-    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">-    <link th:rel="stylesheet" th:href="@{/webjars/bootstrap/5.1.2/css/bootstrap.min.css} "/>-    <link rel="stylesheet" type="text/css" th:href="@{/css/style.css}"/>-</head> <body>-<nav class="navbar navbar-expand-lg navbar-dark bg-dark">-    <div class="container-fluid">-        <a class="navbar-brand" href="/">WrongSecrets</a>-        <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarSupportedContent"-                aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">-            <span class="navbar-toggler-icon"></span>-        </button>-        <div class="collapse navbar-collapse" id="navbarSupportedContent">-            <ul class="navbar-nav me-auto mb-2 mb-lg-0">-                <li class="nav-item">-                    <a class="nav-link active" aria-current="page" href="#">Home</a>-                </li>-                <li class="nav-item dropdown">-                    <a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button"-                       data-bs-toggle="dropdown" aria-expanded="false">-                        Challenges-                    </a>-                    <ul class="dropdown-menu" aria-labelledby="navbarDropdown">-                        <a class="dropdown-item" href="/challenge/1">Challenge 1</a>-                        <a class="dropdown-item" href="/challenge/2">Challenge 2</a>-                        <a class="dropdown-item" href="/challenge/3">Challenge 3</a>-                        <a class="dropdown-item" href="/challenge/4">Challenge 4</a>-                        <a class="dropdown-item" href="/challenge/5">Challenge 5</a>-                        <a class="dropdown-item" href="/challenge/6">Challenge 6</a>-                   
     <a class="dropdown-item" href="/challenge/7">Challenge 7</a>-                        <a class="dropdown-item" href="/challenge/8">Challenge 8</a>-                        <a class="dropdown-item" href="/challenge/9">Challenge 9</a>-                        <a class="dropdown-item" href="/challenge/10">Challenge 10</a>-                        <a class="dropdown-item" href="/challenge/11">Challenge 11</a>-                    </ul>-                </li>-                <li class="nav-item">-                    <a class="nav-link" href="https://github.com/commjoen/wrongsecrets" target="_blank">Github</a>-                </li>-            </ul>-        </div>-    </div>-</nav>
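Review bot: the visible lines of this hunk remove the whole `<head>` (charset, viewport, stylesheets and the `OWASP WrongSecrets-ERROR!` title) and the navbar, but the retained `<html lang="en">` shows no `layout:decorate` attribute being added, so as far as this hunk shows the error page would render without the layout's header or any `<title>`; confirm that `layout:decorate="~{index.html}"` (as used on the other pages in this PR) is added on this element and that the layout supplies a title, charset and viewport for the error page.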

The page is now based around: header, content (no footer yet). So every page now uses the fragment/header.html, so you only change the content page; the header is always there and you only have it once (it was copied around multiple times).

nbaars

comment created time in 4 hours

PullRequestReviewEvent

push event commjoen/wrongsecrets

Nanne Baars

commit sha e6012916078127f56e8a75e89dd43b28493c2911

Fix code review remarks


push time in 4 hours

push event commjoen/wrongsecrets

Nanne Baars

commit sha b289cdfc26cef3c92a79b167159c98323a262167

Fix failing tests


push time in 5 hours

push event commjoen/wrongsecrets

Nanne Baars

commit sha e17c2da77f9c3edee99a65cb6bc6800660d86e58

Move text to UI. Model should only contain the env and the UI can display the text


push time in 14 hours

push event commjoen/wrongsecrets

Nanne Baars

commit sha 9d0d1f5631984bd95a91436fa2f5063a05ca9c29

Remove challenge environment. Replaced by runtime environment


push time in 14 hours

push event commjoen/wrongsecrets

Nanne Baars

commit sha c0cba82fc380756b616dc541674b6429b0095aa6

Implement reset button


push time in 15 hours

push event commjoen/wrongsecrets

Nanne Baars

commit sha 62bad33cf6890e7377365a2a431a27e0447f7581

Welcome page now builds challenges dynamically


push time in 15 hours

push event commjoen/wrongsecrets

Nanne Baars

commit sha a3c9797b8fad012cea18abe3a523bf0e851d305f

- Use Thymeleaf layout lib to use header and content pages
- Introduce runtime environment to move it away from html


push time in 18 hours

PullRequestReviewEvent

PR opened commjoen/wrongsecrets

Make UI more dynamic

Thank you for submitting a pull request to the WrongSecrets app!

+365 -335

0 comments

25 changed files

pr created time in a day

push event commjoen/wrongsecrets

Nanne Baars

commit sha 47e3ed85e43206757a3db0f2d6e3cae5d2fb48cb

Make the UI more dynamic. Stop hardcoding the challenges in the UI; the UI now loops over the challenges and builds the menu etc. dynamically.


push time in a day

CommitCommentEvent

create branch commjoen/wrongsecrets

branch : more-tests

created branch time in 2 days
