fix(challenge63): add explicit constructor and document intentional CBC usage

moeedrehman135 · moeedrehman135 · commit 0e4cf24a0bfb · 2026-04-12T08:44:39.000+05:00
diff --git a/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge63/Challenge63.java b/src/main/java/org/owasp/wrongsecrets/challenges/docker/challenge63/Challenge63.java
@@ -9,6 +9,12 @@
 import org.owasp.wrongsecrets.challenges.Spoiler;
 import org.springframework.stereotype.Component;
 
+/**
+ * Challenge demonstrating bad encryption practices: hardcoding both the encryption key and IV
+ * directly in source code. Even though the secret is encrypted, the key is right here in the code,
+ * making the encryption completely ineffective.
+ */
+@SuppressWarnings("java:S5542")
 @Slf4j
 @Component
 public class Challenge63 implements Challenge {
@@ -17,6 +23,10 @@ public class Challenge63 implements Challenge {
   private static final String HARDCODED_IV = "InitVector123456";
   private static final String CIPHERTEXT = "TDPwOvcLsbCWV5erlk6OHFnlFoXNtdQOt2JQeq+i4Ho=";
 
+  public Challenge63() {
+    // explicit constructor required
+  }
+
   @Override
   public Spoiler spoiler() {
     return new Spoiler(getAnswer());
@@ -34,6 +44,7 @@ private String getAnswer() {
       byte[] cipherBytes = Base64.getDecoder().decode(CIPHERTEXT);
       SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
       IvParameterSpec ivSpec = new IvParameterSpec(ivBytes);
+      // Intentionally using CBC mode to demonstrate padding oracle vulnerability
       Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
       cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
       byte[] decrypted = cipher.doFinal(cipherBytes);
@@ -43,4 +54,4 @@ private String getAnswer() {
       return "decryption-error";
     }
   }
-}
+}
diff --git a/src/main/resources/explanations/challenge63_reason.adoc b/src/main/resources/explanations/challenge63_reason.adoc
@@ -16,6 +16,9 @@ This challenge highlights a widespread mistake in software development: using en
 **Real world examples:**
 This exact pattern has been found in numerous data breaches where developers believed their secrets were "safe" because they were encrypted, not realizing the key was equally exposed.
 
+Additionally, this challenge uses AES in CBC mode which is vulnerable to 
+padding oracle attacks. Production code should use AES/GCM instead.
+
 **References:**
 - https://owasp.org/www-project-top-ten/[OWASP Top 10]
 - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html[OWASP Secrets Management Cheat Sheet]
