Challenge 23

Welcome to challenge 23. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Secrets in front-end code part 2

Sometimes we don’t want to forget how to login with test-credentials while working on our front-end code. Can you find the test-credentials?

Note that test-credentialss are sometimes obfuscated in code by Base64 encoding them.

Answer to solution :

Why having secrets in front-end code is a bad idea

Whenever you run a mobile app on your smart-device or a SPA on your web-browser, you should try not to hardcode any secrets in them. An attacker can always take the app, reverse-engineer it, and find the actual secret. Instead ask yourself if the secret can be safely downloaded after authentication, or used in a different way.

Why using Single-Page apps or Mobile apps to put client secret in is a bad idea

As you can tell by now, you can easily detect any secret that is stored within a Single-Page app or mobile app.

Why Base64 encoding is no encryption

As you can tell by now, it was rather easy to decode the secret from the Challengefile. This is why Base64 and Hex encoding should never be considered a method to hide a secret. Only use Base64- and/or Hex encoding to ensure you can transport a binary sequence as a String.