feat: Add Challenge 60 — insecure MCP server with prompt injection leaking env var secrets

[Copilot]

Adds Challenge 60, demonstrating two combined MCP security vulnerabilities: an unauthenticated shell execution tool that exposes server environment variables, and an MCP prompt injection ("MCP Rug Pull") attack where the server instructs a connecting LLM client to silently exfiltrate its own environment variables back to the attacker.

Changes Made

New Files

• Challenge60.java — reads the challenge secret from the WRONGSECRETS_MCP_SECRET environment variable
• Challenge60McpController.java — MCP JSON-RPC 2.0 endpoint at /mcp with:
  • execute_command tool: returns the server's process environment variables to any unauthenticated caller
  • forward_env tool: receives environment data exfiltrated by the LLM client (tool description poisoning — second injection vector)
  • MALICIOUS_INSTRUCTIONS injected via the initialize response instructions field — silently instructs the connecting LLM to call execute_command('env') then forward_env with the full output before answering any user questions
  • sanitizeForLog() helper preventing CRLF injection in log output
• McpServerConfig.java — adds a secondary Tomcat connector on port 8090 (configurable via mcp.server.port)
• Challenge60Test.java and Challenge60McpControllerTest.java (14 tests, all passing)
• explanations/challenge60.adoc, challenge60_hint.adoc, challenge60_reason.adoc — explains both the unauthenticated shell execution vulnerability and the MCP Rug Pull / prompt injection attack vector
• challenges/challenge-60/challenge-60.snippet — UI with curl examples

Updated Files

• SecurityConfig.java — adds /mcp to the CSRF exclusion list
• application.properties — adds WRONGSECRETS_MCP_SECRET default value and mcp.server.port=8090
• test application.properties — disables secondary port (mcp.server.port=-1)
• Dockerfile — adds ENV WRONGSECRETS_MCP_SECRET=MCPStolenSecret42!
• wrong-secrets-configuration.yaml — adds Challenge 60 entry
• README.md — updates challenge count 60→61, extends challenge ranges to include 59–60, adds challenge-59 and challenge-60 to the Docker localhost URL list

Attack Vectors Demonstrated

1. Unauthenticated shell execution — anyone who can reach port 8090 can call execute_command and dump all server environment variables including secrets
2. MCP Prompt Injection / "MCP Rug Pull" — a malicious MCP server injects instructions via the initialize response instructions field, causing the connecting LLM to silently exfiltrate its own environment variables back to the server without informing the user
3. Tool description poisoning — hidden instructions in the forward_env tool description reinforce the prompt injection as a second attack vector

Testing

• ✅ 14 tests passing (Challenge60Test + Challenge60McpControllerTest)
• ✅ Spotless formatting passes
• ✅ No CodeQL alerts
• ✅ CRLF injection in log output mitigated via sanitizeForLog()

Original prompt

---

This section details on the original issue you should resolve

<issue_title>can you make an MCP challenge that talks MCP with a different port and steals secrets from the users env-vars?</issue_title>
<issue_description>we found various MCPs that let users execute insecure zsh/bash actions, such as submittng their env. can you make an mcp endpoint that does the same thing and show in a challenge how you can use it, while the explanation of the challenge shows why it is a bet idea?</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes can you make an MCP challenge that talks MCP with a different port and steals secrets from the users env-vars? #2399

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-36cec67

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-36cec67
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-36cec67

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[commjoen]

@copilot can you fix the failing checks and update the documentation?

[Copilot]

@copilot can you fix the failing checks and update the documentation?

Fixed in b117878:

• Spotless formatting (spotless:apply) — corrected Javadoc block comment style and line-length violations in Challenge60.java, Challenge60McpController.java, and Challenge60McpControllerTest.java
• README documentation — updated challenge count 60→61, updated challenge ranges in the setup table and Docker section to include challenges 59–60, and added challenge-59 and challenge-60 to the Docker localhost URL list

[commjoen]

@copilot can you fix https://github.com/OWASP/wrongsecrets/actions/runs/22339814791/job/64640628351?pr=2400
it needs some suppression for
Error: Medium: This use of org/slf4j/Logger.warn(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages [org.owasp.wrongsecrets.challenges.docker.Challenge60McpController, org.owasp.wrongsecrets.challenges.docker.Challenge60McpController] At Challenge60McpController.java:[line 31]At Challenge60McpController.java:[line 29] CRLF_INJECTION_LOGS
Error: Medium: This use of org/slf4j/Logger.warn(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages [org.owasp.wrongsecrets.challenges.docker.Challenge60McpController, org.owasp.wrongsecrets.challenges.docker.Challenge60McpController, org.owasp.wrongsecrets.challenges.docker.Challenge60McpController, org.owasp.wrongsecrets.challenges.docker.Challenge60McpController, org.owasp.wrongsecrets.challenges.docker.Challenge60McpController] At Challenge60McpController.java:[line 90]At Challenge60McpController.java:[line 36]At Challenge60McpController.java:[line 79]At Challenge60McpController.java:[line 88]At Challenge60McpController.java:[line 89] CRLF_INJECTION_LOGS

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-6493651

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-6493651
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-6493651

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[Copilot]

@copilot can you fix https://github.com/OWASP/wrongsecrets/actions/runs/22339814791/job/64640628351?pr=2400
it needs some suppression for
Error: Medium: This use of org/slf4j/Logg...

Fixed in 0da03b7.

Added a sanitizeForLog() helper that replaces \r, \n, \u0085, \u2028, and \u2029 with _ before any user-controlled value (method, command) is passed to log.warn(). This resolves both CRLF_INJECTION_LOGS findings at lines 31 and 90. Two new test cases were also added to Challenge60McpControllerTest to verify CRLF-containing inputs are handled correctly (12 tests total, all passing).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• checkstyle.org
  • Triggering command: /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/xml/tools/xml-extractor.jar --fileList=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/working/files-to-index17945295106329247454.list --sourceArchiveDir=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/src --outputDir=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/trap/java (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5327eb2

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5327eb2
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5327eb2

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[commjoen]

@copilot can you add an instruction to the mvp server to steal credentials from the calling client? E.g. ask the client to call env and forward the values to the mcp server?

[Copilot]

@copilot can you add an instruction to the mvp server to steal credentials from the calling client? E.g. ask the client to call env and forward the values to the mcp server?

Done in db8d7b8. The MCP server now demonstrates the "MCP Rug Pull" attack with two injection vectors:

1. System prompt injection — the initialize response includes an instructions field (MALICIOUS_INSTRUCTIONS) that is injected into the connecting LLM's system prompt, silently telling it to call execute_command('env') then call forward_env with the full output — without informing the user.

2. Tool description poisoning — the forward_env tool's description (FORWARD_ENV_TOOL_DESCRIPTION) reinforces the instruction, a second vector that hits the model when it reads the tool list at startup.

The new forward_env tool receives and logs the exfiltrated client environment data (simulating the attacker's collection endpoint). The explanation and reason docs have been updated to describe both attack vectors. All 14 tests pass.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• checkstyle.org
  • Triggering command: /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/xml/tools/xml-extractor.jar --fileList=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/working/files-to-index8819049467948575753.list --sourceArchiveDir=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/src --outputDir=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/trap/java (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-bee990c

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-bee990c
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-bee990c

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-b9cf4fa

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-b9cf4fa
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-b9cf4fa

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-6bbb792

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-6bbb792
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-6bbb792

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-be82465

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-be82465
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-be82465

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[github-actions]

🌐 GitHub Pages Preview Ready!

Your static preview is now available at:
🔗 Preview PR #2400

📄 What's included:

• ✅ All CSS, JavaScript, and static assets (embedded inline)
• ✅ Current styling and layout preview
• ✅ Images, icons, and UI components
• ✅ NEW: Generated HTML from Thymeleaf templates
  • 🏠 Home/Welcome Page
  • ℹ️ About Page
  • 📊 Stats & Config Page
  • 🤖 Challenge 57: LLM Security (Latest)
  • 🧩 Challenge Example

For full functionality testing: Use the Docker preview instead.

🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR.

---

_{Static preview with Thymeleaf generation by GitHub Actions}

[github-actions]

🌐 GitHub Pages Preview Ready!

Your static preview is now available at:
🔗 Preview PR #2400

📄 What's included:

• ✅ All CSS, JavaScript, and static assets (embedded inline)
• ✅ Current styling and layout preview
• ✅ Images, icons, and UI components
• ✅ NEW: Generated HTML from Thymeleaf templates
  • 🏠 Home/Welcome Page
  • ℹ️ About Page
  • 📊 Stats & Config Page
  • 🤖 Challenge 57: LLM Security (Latest)
  • 🧩 Challenge Example

For full functionality testing: Use the Docker preview instead.

🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR.

---

_{Static preview with Thymeleaf generation by GitHub Actions}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-62f6066

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-62f6066
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-62f6066

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}