Merge branch 'master' into issue-2357-upgrade-k8s-1.35

Author: commjoen

.github/scripts/.bash_history

@@ -347,7 +347,7 @@ rm -rf jdk-18_linux-x64_bin.deb
 git rebase -i main
 git rebase -i master
 git stash
-export tempPassword="mVskm4vj9tBf4BqqQEyPaFtTAFJ+K9csVbQkwF3Kj04="
+export tempPassword="8S2PzZ7da3Jx9geda6JOqqfYlSDYzM7QbpUGyxM9umw="
 mvn run tempPassword
 k6
 npx k6

.github/scripts/docker-create.sh

@@ -64,8 +64,11 @@ Heroku_publish_demo() {
     heroku container:login
     echo "heroku deployment to demo"
     cd ../..
-    heroku container:push web --arg argBasedVersion=${tag} --app arcane-scrubland-42646
-    heroku container:release web --app arcane-scrubland-42646
+    git add Dockerfile.web
+    git commit --no-verify -m "Fix Heroku deploy"
+    git push heroku HEAD:master
+    # heroku container:push web --arg argBasedVersion=${tag} --app arcane-scrubland-42646
+    # heroku container:release web --app arcane-scrubland-42646
     # heroku container:push --recursive --arg argBasedVersion=${tag}heroku,CTF_ENABLED=true,HINTS_ENABLED=false --app wrongsecrets-ctf
     # heroku container:release web --app wrongsecrets-ctf
     echo "wait for contianer to come up"

Dockerfile

@@ -1,7 +1,7 @@
 FROM bellsoft/liberica-openjre-debian:25-cds AS builder
 WORKDIR /builder
 
-ARG argBasedVersion="1.13.1-alpha6"
+ARG argBasedVersion="1.13.1-alpha11"
 
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar application.jar
 RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted

Dockerfile.web

@@ -1,5 +1,6 @@
-FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha6-no-vault
-ARG argBasedVersion="1.13.1-alpha6-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha11-no-vault
+ARG argBasedVersion="1.13.1-alpha11-no-vault"
+ARG spring_profile="without-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true
@@ -21,7 +22,7 @@ ENV K8S_ENV=Heroku(Docker)
 ENV canarytokenURLs=$CANARY_URLS
 ENV ctf_enabled=$CTF_ENABLED
 ENV ctf_key=$CTF_KEY
-ENV SPRING_PROFILES_ACTIVE=without-vault
+ENV SPRING_PROFILES_ACTIVE=$spring_profile
 ENV hints_enabled=$HINTS_ENABLED
 ENV challengedockermtpath="/var/helpers"
 ENV keepasspath="/var/helpers/alibabacreds.kdbx"
@@ -38,8 +39,12 @@ ENV default_aws_value_challenge_11=$CHALLENGE_11_VALUE
 ENV BASTIONHOSTPATH="/home/wrongsecrets/.ssh"
 ENV PROJECTSPECPATH="/var/helpers/project-specification.mdc"
 ENV funnybunny="This is a funny bunny"
+# Keep memory usage within Heroku dyno limits (512MB dyno).
+# Hard cap heap to 250M, metaspace to 60M, disable expensive GC, exit on OOM immediately.
+ENV JAVA_TOOL_OPTIONS="-Xmx250M -Xms128M -XX:MetaspaceSize=40M -XX:MaxMetaspaceSize=60M -XX:CompressedClassSpaceSize=32M -XX:+UseG1GC -XX:MaxGCPauseMillis=50 -XX:+ExitOnOutOfMemoryError -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp/heapdump.hprof"
+# Deploy WrongSecrets to Heroku
 COPY .github/scripts/ /var/helpers
 COPY src/test/resources/alibabacreds.kdbx /var/helpers
 COPY src/test/resources/RSAprivatekey.pem /var/helpers
 COPY .ssh/ /home/wrongsecrets/.ssh/
-CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=without-vault -Dserver.port=${PORT} -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} application.jar
+CMD ["/bin/sh", "-c", "java ${JAVA_TOOL_OPTIONS} -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=${SPRING_PROFILES_ACTIVE} -Dserver.port=${PORT} -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -jar application.jar"]

Procfile

@@ -0,0 +1 @@
+web: java -Xmx200M -Xms100M -XX:MetaspaceSize=30M -XX:MaxMetaspaceSize=50M -XX:CompressedClassSpaceSize=24M -XX:+UseG1GC -XX:MaxGCPauseMillis=50 -XX:+ExitOnOutOfMemoryError -Dspring.profiles.active=${SPRING_PROFILES_ACTIVE} -Dserver.port=${PORT} -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -jar target/application.jar

aws/k8s/secret-challenge-vault-deployment.yml

@@ -58,7 +58,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha6-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha11-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]

azure/k8s/secret-challenge-vault-deployment.yml.tpl

@@ -61,7 +61,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha6-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha11-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]

docs/CHALLENGE61_MULTI_INSTANCE_SETUP.md

@@ -0,0 +1,141 @@
+# Challenge61 Multi-Instance Setup Guide
+
+This guide explains how to configure and run Challenge61, which demonstrates how hardcoded Telegram bot credentials can be discovered and exploited. The bot token is double-encoded in base64 to make it slightly more challenging but still discoverable through code inspection.
+
+## Overview
+
+This challenge supports running on multiple app instances (e.g., Arcane and WrongSecrets Heroku apps) using either polling (getUpdates) or webhooks.
+
+## Option 1: Polling with getUpdates (Default - Works Out of Box)
+
+The code uses update offsets to minimize conflicts between multiple app instances:
+- No configuration needed
+- Uses update offsets to minimize conflicts between instances
+- Multiple instances can run simultaneously
+- Less efficient but simpler setup
+- `timeout=0` - No long polling, quick responses
+- `limit=1` - Process one update at a time
+- Offset acknowledgment - Marks updates as processed
+
+**Status**: ✅ Code updated and tested
+
+## Option 2: Webhook Solution (Recommended for Production)
+
+### Step 1: Configure Each Heroku App
+
+For **WrongSecrets Heroku app**:
+```bash
+heroku config:set CHALLENGE61_WEBHOOK_ENABLED=true -a wrongsecrets-app
+heroku config:set CHALLENGE61_WEBHOOK_TOKEN=$(openssl rand -hex 32) -a wrongsecrets-app
+```
+
+For **Arcane Heroku app**:
+```bash
+heroku config:set CHALLENGE61_WEBHOOK_ENABLED=true -a arcane-app
+heroku config:set CHALLENGE61_WEBHOOK_TOKEN=$(openssl rand -hex 32) -a arcane-app
+```
+
+### Step 2: Choose ONE App for the Webhook
+
+You can only set ONE webhook URL per bot. Choose either WrongSecrets or Arcane:
+
+**Option A: Use WrongSecrets app**
+```bash
+# Get your webhook token
+WEBHOOK_TOKEN=$(heroku config:get CHALLENGE61_WEBHOOK_TOKEN -a wrongsecrets-app)
+
+# Set the webhook
+curl -X POST "https://api.telegram.org/bot8132866643:AAHJmvZqvvM9dI2rtBOu--WMZyMFTfHNo9I/setWebhook?url=https://your-wrongsecrets-app.herokuapp.com/telegram/webhook/challenge61&secret_token=$WEBHOOK_TOKEN"
+```
+
+**Option B: Use Arcane app**
+```bash
+# Get your webhook token
+WEBHOOK_TOKEN=$(heroku config:get CHALLENGE61_WEBHOOK_TOKEN -a arcane-app)
+
+# Set the webhook
+curl -X POST "https://api.telegram.org/bot8132866643:AAHJmvZqvvM9dI2rtBOu--WMZyMFTfHNo9I/setWebhook?url=https://your-arcane-app.herokuapp.com/telegram/webhook/challenge61&secret_token=$WEBHOOK_TOKEN"
+```
+
+### Step 3: Verify Webhook
+
+```bash
+curl "https://api.telegram.org/bot8132866643:AAHJmvZqvvM9dI2rtBOu--WMZyMFTfHNo9I/getWebhookInfo"
+```
+
+### Step 4: Test
+
+1. Open @WrongsecretsBot in Telegram
+2. Send `/start`
+3. Bot should respond: "Welcome! Your secret is: telegram_secret_found_in_channel"
+
+## Alternative: Use Both Apps with getUpdates (Current Setup)
+
+If you want both apps to be able to respond (not recommended but possible):
+
+1. **Keep webhook disabled** (default)
+2. **Accept that responses may be inconsistent** - whichever app polls first will respond
+3. **The improved getUpdates code** minimizes conflicts with offset handling
+
+## Troubleshooting
+
+### Check if webhook is active
+```bash
+curl "https://api.telegram.org/bot8132866643:AAHJmvZqvvM9dI2rtBOu--WMZyMFTfHNo9I/getWebhookInfo"
+```
+
+### Remove webhook (to go back to getUpdates)
+```bash
+curl -X POST "https://api.telegram.org/bot8132866643:AAHJmvZqvvM9dI2rtBOu--WMZyMFTfHNo9I/deleteWebhook"
+```
+
+### View Heroku logs
+```bash
+heroku logs --tail -a wrongsecrets-app | grep Challenge61
+heroku logs --tail -a arcane-app | grep Challenge61
+```
+
+## Recommendation
+
+For **production with multiple apps**: Use webhook on ONE primary app (WrongSecrets).
+
+For **development/testing**: The current getUpdates approach with offsets works fine.
+
+## BotFather Configuration (Optional but Recommended)
+
+### 1. Configure Commands
+
+- Send `/setcommands` to @BotFather
+- Select your bot
+- Add: `start - Get the secret message`
+
+### 2. Set Description
+
+- Send `/setdescription` to @BotFather
+- Select your bot
+- Add: "OWASP WrongSecrets Challenge 61 - Demonstrates hardcoded bot credentials. Send /start to receive the secret!"
+
+### 3. Set About Text
+
+- Send `/setabouttext` to @BotFather
+- Add: "Educational security challenge from OWASP WrongSecrets project"
+
+## Testing the Bot
+
+1. Find the bot: Search for @WrongsecretsBot in Telegram (or your bot username)
+2. Send: `/start`
+3. Receive: "Welcome! Your secret is: telegram_secret_found_in_channel"
+
+## Creating a New Bot
+
+If you need to create your own bot for testing:
+
+1. Message @BotFather in Telegram
+2. Send `/newbot`
+3. Follow prompts to choose name and username
+4. BotFather will provide a token like: `1234567890:ABCdefGHIjklMNOpqrsTUVwxyz`
+5. Double-encode the token for use in this challenge:
+   ```bash
+   echo -n "YOUR_TOKEN" | base64 | base64
+   ```
+6. Replace the `encodedToken` value in the `getBotToken()` method in Challenge61.java

docs/VERSION_MANAGEMENT.md

@@ -12,9 +12,9 @@ The project maintains version consistency between:
 ## Version Schema
 
 ```
-pom.xml version:        1.13.1-alpha6-SNAPSHOT
-Dockerfile version:     1.13.1-alpha6
-Dockerfile.web version: 1.13.1-alpha6-no-vault
+pom.xml version:        1.13.1-alpha11-SNAPSHOT
+Dockerfile version:     1.13.1-alpha11
+Dockerfile.web version: 1.13.1-alpha11-no-vault
 ```
 
 ## Automated Solutions

fly.toml

@@ -8,7 +8,7 @@ app = "wrongsecrets"
 primary_region = "ams"
 
 [build]
-  image = "docker.io/jeroenwillemsen/wrongsecrets:1.13.1-alpha6-no-vault"
+  image = "docker.io/jeroenwillemsen/wrongsecrets:1.13.1-alpha11-no-vault"
 
 [env]
   K8S_ENV = "Fly(Docker)"