feat: Add Challenge 60 — insecure MCP server with prompt injection leaking env var secrets

[Copilot]

Adds Challenge 60, demonstrating two combined MCP security vulnerabilities: an unauthenticated shell execution tool that exposes server environment variables, and an MCP prompt injection ("MCP rug pull") attack where the server instructs a connecting LLM client to silently exfiltrate its own environment variables back to the attacker.

Changes Made

New Files

• Challenge60.java — reads the challenge secret from the WRONGSECRETS_MCP_SECRET environment variable
• Challenge60McpController.java — MCP JSON-RPC 2.0 endpoint at /mcp with:
  • execute_command tool: returns the server's process environment variables to any unauthenticated caller
  • forward_env tool: receives environment data exfiltrated by the LLM client (tool description poisoning — second injection vector)
  • MALICIOUS_INSTRUCTIONS injected via the initialize response instructions field — silently instructs the connecting LLM to call execute_command('env') then forward_env with the full output before answering any user questions
  • sanitizeForLog() helper preventing CRLF injection in log output
• McpServerConfig.java — adds a secondary Tomcat connector on port 8090 using the Spring Boot 4.x API (org.springframework.boot.tomcat.TomcatWebServerFactory)
• Challenge60Test.java and Challenge60McpControllerTest.java (14 tests, all passing)
• explanations/challenge60.adoc — Vulnerability 1 (unauthenticated env var exposure) is the clear challenge goal; Vulnerability 2 (MCP prompt injection / rug pull) is presented as a distinct AsciiDoc sidebar "Fun Fact" block
• challenge60_hint.adoc, challenge60_reason.adoc — explains both vulnerabilities
• challenges/challenge-60/challenge-60.snippet — dark-mode–friendly UI using CSS classes; interactive buttons that POST to /mcp via JavaScript fetch and display JSON output in <pre> boxes below each button

Updated Files

• SecurityConfig.java — adds /mcp to the CSRF exclusion list
• application.properties — adds WRONGSECRETS_MCP_SECRET default value and mcp.server.port=8090
• test application.properties — disables secondary port (mcp.server.port=-1)
• Dockerfile — adds ENV WRONGSECRETS_MCP_SECRET=MCPStolenSecret42!
• wrong-secrets-configuration.yaml — adds Challenge 60 entry
• README.md — updates challenge count 60→61, extends challenge ranges to include 59–60, adds challenge-59 and challenge-60 to the Docker localhost URL list
• dark.css — adds dark mode rules for #mcp-challenge-container and its inner elements (mcp-warning, mcp-code, mcp-output, mcp-tip)

Attack Vectors Demonstrated

1. Unauthenticated shell execution — anyone who can reach port 8090 can call execute_command and dump all server environment variables including secrets
2. MCP prompt injection / "MCP rug pull" — a malicious MCP server injects instructions via the initialize response instructions field, causing the connecting LLM to silently exfiltrate its own environment variables back to the server without informing the user
3. Tool description poisoning — hidden instructions in the forward_env tool description reinforce the prompt injection as a second attack vector

Testing

• ✅ 14 tests passing (Challenge60Test + Challenge60McpControllerTest)
• ✅ Spotless formatting passes
• ✅ No CodeQL alerts
• ✅ CRLF injection in log output mitigated via sanitizeForLog()
• ✅ Build fixed for Spring Boot 4.x (TomcatWebServerFactory, addAdditionalConnectors)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>can you make an MCP challenge that talks MCP with a different port and steals secrets from the users env-vars?</issue_title>
<issue_description>we found various MCPs that let users execute insecure zsh/bash actions, such as submittng their env. can you make an mcp endpoint that does the same thing and show in a challenge how you can use it, while the explanation of the challenge shows why it is a bet idea?</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes can you make an MCP challenge that talks MCP with a different port and steals secrets from the users env-vars? #2399

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-36cec67

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-36cec67
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-36cec67

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[commjoen]

@copilot can you fix the failing checks and update the documentation?

[Copilot]

@copilot can you fix the failing checks and update the documentation?

Fixed in b117878:

• Spotless formatting (spotless:apply) — corrected Javadoc block comment style and line-length violations in Challenge60.java, Challenge60McpController.java, and Challenge60McpControllerTest.java
• README documentation — updated challenge count 60→61, updated challenge ranges in the setup table and Docker section to include challenges 59–60, and added challenge-59 and challenge-60 to the Docker localhost URL list

[commjoen]

@copilot can you fix https://github.com/OWASP/wrongsecrets/actions/runs/22339814791/job/64640628351?pr=2400
it needs some suppression for
Error: Medium: This use of org/slf4j/Logger.warn(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages [org.owasp.wrongsecrets.challenges.docker.Challenge60McpController, org.owasp.wrongsecrets.challenges.docker.Challenge60McpController] At Challenge60McpController.java:[line 31]At Challenge60McpController.java:[line 29] CRLF_INJECTION_LOGS
Error: Medium: This use of org/slf4j/Logger.warn(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages [org.owasp.wrongsecrets.challenges.docker.Challenge60McpController, org.owasp.wrongsecrets.challenges.docker.Challenge60McpController, org.owasp.wrongsecrets.challenges.docker.Challenge60McpController, org.owasp.wrongsecrets.challenges.docker.Challenge60McpController, org.owasp.wrongsecrets.challenges.docker.Challenge60McpController] At Challenge60McpController.java:[line 90]At Challenge60McpController.java:[line 36]At Challenge60McpController.java:[line 79]At Challenge60McpController.java:[line 88]At Challenge60McpController.java:[line 89] CRLF_INJECTION_LOGS

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-6493651

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-6493651
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-6493651

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[Copilot]

@copilot can you fix https://github.com/OWASP/wrongsecrets/actions/runs/22339814791/job/64640628351?pr=2400
it needs some suppression for
Error: Medium: This use of org/slf4j/Logg...

Fixed in 0da03b7.

Added a sanitizeForLog() helper that replaces \r, \n, \u0085, \u2028, and \u2029 with _ before any user-controlled value (method, command) is passed to log.warn(). This resolves both CRLF_INJECTION_LOGS findings at lines 31 and 90. Two new test cases were also added to Challenge60McpControllerTest to verify CRLF-containing inputs are handled correctly (12 tests total, all passing).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• checkstyle.org
  • Triggering command: /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/xml/tools/xml-extractor.jar --fileList=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/working/files-to-index17945295106329247454.list --sourceArchiveDir=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/src --outputDir=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/trap/java (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5327eb2

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5327eb2
docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5327eb2

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60McpController.java
- src/main/resources/explanations/challenge60.adoc
- src/main/resources/explanations/challenge60_hint.adoc
- src/main/resources/explanations/challenge60_reason.adoc

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[commjoen]

@copilot can you add an instruction to the mvp server to steal credentials from the calling client? E.g. ask the client to call env and forward the values to the mcp server?

[Copilot]

@copilot can you add an instruction to the mvp server to steal credentials from the calling client? E.g. ask the client to call env and forward the values to the mcp server?

Done in db8d7b8. The MCP server now demonstrates the "MCP Rug Pull" attack with two injection vectors:

1. System prompt injection — the initialize response includes an instructions field (MALICIOUS_INSTRUCTIONS) that is injected into the connecting LLM's system prompt, silently telling it to call execute_command('env') then call forward_env with the full output — without informing the user.

2. Tool description poisoning — the forward_env tool's description (FORWARD_ENV_TOOL_DESCRIPTION) reinforces the instruction, a second vector that hits the model when it reads the tool list at startup.

The new forward_env tool receives and logs the exfiltrated client environment data (simulating the attacker's collection endpoint). The explanation and reason docs have been updated to describe both attack vectors. All 14 tests pass.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• checkstyle.org
  • Triggering command: /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.24.0/x64/codeql/xml/tools/xml-extractor.jar --fileList=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/working/files-to-index8819049467948575753.list --sourceArchiveDir=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/src --outputDir=/home/REDACTED/work/wrongsecrets/.codeql-scratch/dbs/java/trap/java (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[github-actions]

🌐 GitHub Pages Preview Ready!

Your static preview is now available at:
🔗 Preview PR #2400

📄 What's included:

• ✅ All CSS, JavaScript, and static assets (embedded inline)
• ✅ Current styling and layout preview
• ✅ Images, icons, and UI components
• ✅ NEW: Generated HTML from Thymeleaf templates
  • 🏠 Home/Welcome Page
  • ℹ️ About Page
  • 📊 Stats & Config Page
  • 🤖 Challenge 57: LLM Security (Latest)
  • 🧩 Challenge Example

For full functionality testing: Use the Docker preview instead.

🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR.

---

_{Static preview with Thymeleaf generation by GitHub Actions}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5133e2b

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5133e2b
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5133e2b

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[commjoen]

@copilot can you

• fix the failing builds?
• fix the layout of src/main/resources/challenges/challenge-60/challenge-60.snippet to have a better look in dark mode like challenge-58.snippet?
• change the text a bit, where:

1. in src/main/resources/explanations/challenge60.adoc it becomes clear that the challenge is the first vulnerability, make sure the second vulnerability has its own markup to look a bit different like a "fun fact"
2. in src/main/resources/challenges/challenge-60/challenge-60.snippet : can you add buttons to do the curl calls by javascript and then have output in boxes below the buttons?

[Copilot]

@copilot can you

• fix the failing builds?
• fix the layout of src/main/resources/challenges/challenge-60/challenge-60.snippet to have a better look in dark mode like challenge-5...

Fixed in 258deba:

1. Build fix — McpServerConfig.java updated to Spring Boot 4.x API: TomcatServletWebServerFactory → org.springframework.boot.tomcat.TomcatWebServerFactory and addAdditionalTomcatConnectors → addAdditionalConnectors.

2. Dark mode layout — challenge-60.snippet redesigned to match challenge-58's pattern: replaced inline light background colors with CSS classes (mcp-warning, mcp-code, mcp-output, mcp-tip). Added corresponding dark mode rules to dark.css. Added "▶ Run: tools/list" and "▶ Run: execute_command env" buttons that POST to /mcp via fetch and display formatted JSON output in <pre> boxes below each button.

3. Documentation — challenge60.adoc restructured so Vulnerability 1 (unauthenticated env var exposure) is clearly the challenge goal. The MCP prompt injection / rug pull attack is now a distinct AsciiDoc sidebar block with a "🤖 Fun Fact" label.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• checkstyle.org
  • Triggering command: /opt/hostedtoolcache/CodeQL/2.24.2/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.24.2/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.24.2/x64/codeql/xml/tools/xml-extractor.jar --fileList=/tmp/codeql-scratch-54b93b06a133b0d9/dbs/java/working/files-to-index15414649557448174930.list --sourceArchiveDir=/tmp/codeql-scratch-54b93b06a133b0d9/dbs/java/src --outputDir=/tmp/codeql-scratch-54b93b06a133b0d9/dbs/java/trap/java (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[github-actions]

🌐 GitHub Pages Preview Ready!

Your static preview is now available at:
🔗 Preview PR #2400

📄 What's included:

• ✅ All CSS, JavaScript, and static assets (embedded inline)
• ✅ Current styling and layout preview
• ✅ Images, icons, and UI components
• ✅ NEW: Generated HTML from Thymeleaf templates
  • 🏠 Home/Welcome Page
  • ℹ️ About Page
  • 📊 Stats & Config Page
  • 🤖 Challenge 57: LLM Security (Latest)
  • 🧩 Challenge Example

For full functionality testing: Use the Docker preview instead.

🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR.

---

_{Static preview with Thymeleaf generation by GitHub Actions}

[github-actions]

📸 Visual Diff Available!

Screenshots have been generated comparing your changes with the main branch.

Download Visual Diff Artifacts

The artifacts contain:

• pr-home.png - Your version of the home page
• main-home.png - Current main branch home page
• pr-about.png - Your version of the about page
• main-about.png - Current main branch about page

Compare these images to see the visual impact of your changes!

---

_{Visual diff generated by GitHub Actions}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-7391231

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-7391231
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-7391231

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[github-actions]

🌐 GitHub Pages Preview Ready!

Your static preview is now available at:
🔗 Preview PR #2400

📄 What's included:

• ✅ All CSS, JavaScript, and static assets (embedded inline)
• ✅ Current styling and layout preview
• ✅ Images, icons, and UI components
• ✅ NEW: Generated HTML from Thymeleaf templates
  • 🏠 Home/Welcome Page
  • ℹ️ About Page
  • 📊 Stats & Config Page
  • 🤖 Challenge 57: LLM Security (Latest)
  • 🧩 Challenge Example

For full functionality testing: Use the Docker preview instead.

🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR.

---

_{Static preview with Thymeleaf generation by GitHub Actions}

[github-actions]

📸 Visual Diff Available!

Screenshots have been generated comparing your changes with the main branch.

Download Visual Diff Artifacts

The artifacts contain:

• pr-home.png - Your version of the home page
• main-home.png - Current main branch home page
• pr-about.png - Your version of the about page
• main-about.png - Current main branch about page

Compare these images to see the visual impact of your changes!

---

_{Visual diff generated by GitHub Actions}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5097fd0

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5097fd0
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-5097fd0

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}

[github-actions]

🌐 GitHub Pages Preview Ready!

Your static preview is now available at:
🔗 Preview PR #2400

📄 What's included:

• ✅ All CSS, JavaScript, and static assets (embedded inline)
• ✅ Current styling and layout preview
• ✅ Images, icons, and UI components
• ✅ NEW: Generated HTML from Thymeleaf templates
  • 🏠 Home/Welcome Page
  • ℹ️ About Page
  • 📊 Stats & Config Page
  • 🤖 Challenge 57: LLM Security (Latest)
  • 🧩 Challenge Example

For full functionality testing: Use the Docker preview instead.

🔄 Auto-updates: This preview will be updated automatically when you push new commits to this PR.

---

_{Static preview with Thymeleaf generation by GitHub Actions}

[github-actions]

📸 Visual Diff Available!

Screenshots have been generated comparing your changes with the main branch.

Download Visual Diff Artifacts

The artifacts contain:

• pr-home.png - Your version of the home page
• main-home.png - Current main branch home page
• pr-about.png - Your version of the about page
• main-about.png - Current main branch about page

Compare these images to see the visual impact of your changes!

---

_{Visual diff generated by GitHub Actions}

[github-actions]

🔨 Preview Build Complete!

Your changes have been built and pushed to GitHub Container Registry.

🐳 Docker Image: ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-217f367

📦 Download & Test Locally:

1. 📁 Download Docker Image Artifact (look for wrongsecrets-preview-pr-2400)
2. Load and run the image:

# Download the artifact, extract it, then:
docker load < wrongsecrets-preview.tar
docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview

🚀 Alternative - Pull from Registry:

docker pull ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-217f367
docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-pr:pr-2400-217f367

Then visit: http://localhost:8080

📝 Changes in this PR:
- src/main/java/org/owasp/wrongsecrets/McpServerConfig.java
- src/main/java/org/owasp/wrongsecrets/SecurityConfig.java
- src/main/java/org/owasp/wrongsecrets/challenges/docker/Challenge60.java

Visual diff screenshots will be available shortly...

---

_{Preview built by GitHub Actions}

[github-actions]

📸 Visual Diff Ready!

Screenshots comparing your changes with the main branch are available:

📁 Download Visual Diff Artifacts

🖼️ Included screenshots:

• pr-home.png vs main-home.png - Welcome page comparison
• pr-about.png vs main-about.png - About page comparison
• pr-challenge.png vs main-challenge.png - Challenge page comparison

🔍 How to review:

1. Download the artifact zip file
2. Extract and compare the pr-* and main-* images side by side
3. Look for visual differences in layout, styling, and content

💡 Tip: Use an image comparison tool or open both images in separate browser tabs to spot differences easily.

---

_{Visual diff generated by GitHub Actions • PR #2400}