Spring Boot Actuator challenge hiding an api key in the audit events

[commjoen]

This challenge is about how to not use the spring boot actuator, by hiding an API key in the audit events:

• Add an AuditEventRepository
• Add an APIkey received event at AuditEventRepository which is randomly generated
• enable management.endpoints.web.exposure.include=auditevents in application.properties
• Create a challenge using the secret at this endpoint and explain why you need to be careful with Actuator configurations

[PavanButke]

I would like to work. Request to assign to me.

[commjoen]

Hi @PavanButke ! It’s all yours! Feel free to contact us on slack when you have any questions.

[PavanButke]

Thanks joen! Connecting on slack. Just wanted a link of doc for contributors.

[commjoen]

That would be https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md

[PavanButke]

I'm facing few errors while set up of code on local..because of which I'm unable to contribute.
Request if anyone can help me in Set Up.
Thanks!

[commjoen]

Hi @PavanButke, what issue are you facing?

[PavanButke]

Hi,
While setting up in STS.

I can see
===> this tag was giving error

exec

generate-resources

getting these error at Multiple markers at this line

• Failed to execute mojo org.codehaus.mojo:tidy-maven-plugin:1.2.0:check {execution: validate} (org.codehaus.mojo:tidy-maven-plugin:1.2.0:check:validate:validate
• was giving following error... I tried commentong it then, in that case application was unable to run

Log:
Description Resource Path Location Type
Failed to execute mojo org.codehaus.mojo:exec-maven-plugin:3.1.0:exec {execution: default} (org.codehaus.mojo:exec-maven-plugin:3.1.0:exec:default:generate-resources)

org.eclipse.core.runtime.CoreException: Failed to execute mojo org.codehaus.mojo:exec-maven-plugin:3.1.0:exec {execution: default}
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeMojo(MavenExecutionContext.java:340)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.lambda$0(MavenExecutionContext.java:291)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.executeBare(MavenExecutionContext.java:394)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:275)
at org.eclipse.m2e.core.internal.embedder.MavenExecutionContext.execute(MavenExecutionContext.java:290)
at org.eclipse.m2e.core.project.configurator.MojoExecutionBuildParticipant.build(MojoExecutionBuildParticipant.java:57)
at org.eclipse.m2e.core.internal.builder.MavenBuilderImpl.lambda$1(MavenBuilderImpl.java:139)
at java.base/java.util.LinkedHashMap

[commjoen]

ah yes, we do officially not support VScode STS at this point in time.
I was able to run the master branch of the project in vscode Version: 1.78.2 with the following plugins:

[commjoen]

Maybe you can reach out to #project-wrongsecrets at slack ? There might be other VSCode users there that can help you using the right config.

[PavanButke]

Thanks for your reply. I'll definitely check it out. Thanks, Pavan

…

On Fri, 26 May, 2023, 3:31 am Jeroen Willemsen, ***@***.***> wrote: Maybe you can reach out to #project-wrongsecrets at slack <https://owasp.slack.com/archives/C02KQ7D9XHR> ? There might be other VSCode users there that can help you using the right config. — Reply to this email directly, view it on GitHub <#815 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AR5LNTVK2WKRTX5GB422ASDXH7JCDANCNFSM6AAAAAAX2GCSDQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[nwolniak]

Hi @commjoen, I would like to contribute to this issue and I noticed that it's probably inactive. Could you assign it to me?

[commjoen]

@PavanButke do you still want to work on this issue? or are you ok if we assign it to @nwolniak ?

[nwolniak]

@commjoen If no one has replied, could you please assign me to the task?

[commjoen]

@nwolniak it is yours :-)

[nwolniak]

Oki