Challenge 37 ☆☆

Welcome to challenge 37. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Giving your security tests access

Given all the daft findings we already have in this project, we decided to implement automated scanning using ZAP. To do that, we need to be able to fuzz the endpoint of this challenge: authenticated/challenge37 and thus configure basic auth for ZAP. Can you find the secret returned at the endpoint?

Hint: We use GitHub actions.

Answer to solution :

Why we need to be careful with security credentials in CI/CD

People who can access the configuration of your security checks in your CI/CD environment can easily access any credentials configured there. These credentials can then be used for anything.

This is why security should be very careful in managing their secrets: just because the credential is used by (a) security (tool) does not mean we can tolerate less security ;-).