
OWASP / wrongsecrets

Vulnerable app with examples showing how to not use secrets

1,404 stars · 544 forks · 30 issues

Languages: Java, HTML, Shell


Repository Overview (README excerpt)

OWASP WrongSecrets

Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to _not_ store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy. Can you solve all the 62 challenges? Try some of them on our Heroku demo environment. Want to play the other challenges? Read the instructions on how to set them up below.

🚀 Quick Start

**New to WrongSecrets? Start here:**

• **Try Online First**: Visit our Heroku demo to get familiar with the challenges
• **Run Locally**: Use Docker for the full experience with all challenges. Then open http://localhost:8080
• **Want to see what's ahead?** Try our bleeding-edge master container with the latest features. ⚠️ *Note: This is a development version and may be unstable*
• **Advanced Setup**: For cloud challenges and Kubernetes exercises, see the detailed instructions below

**What you'll learn:**

• Common secrets management mistakes
• How to identify exposed credentials
• Best practices for securing secrets
• Tools and techniques for secret detection

**How it works:**

This repository contains **intentionally vulnerable code and configuration files** with real and fake secrets hidden throughout the codebase. You'll examine source code, configuration files, Docker containers, and cloud deployments to discover these secrets. Each challenge teaches you different ways secrets can be accidentally exposed in real-world applications.
📋 Prerequisites

**For basic usage:**

• A web browser
• Docker (for local setup) - Install here

**For advanced setups:**

• Kubernetes/Minikube - Install here
• Cloud account (AWS/GCP/Azure) for cloud challenges
• Command line familiarity

Table of contents

🎯 Getting Started
• Quick Start
• Prerequisites
• Support

🐳 Deployment Options
• Basic docker exercises
• Running these on Heroku
• Running these on Render.io
• Running these on Railway
• Basic K8s exercise
• Minikube based
• k8s based
• Vault exercises with minikube

☁️ Cloud Challenges
• Cloud Challenges
• Running WrongSecrets in AWS
• Running WrongSecrets in GCP
• Running WrongSecrets in Azure
• Running Challenge15 in your own cloud only

🎮 Advanced Usage
• Do you want to play without guidance?
• CTF
• CTFD Support
• FBCTF Support
• Use OWASP WrongSecrets as a secret detection benchmark

👨‍💻 Development & Contribution
• Notes on development
• Spring Boot 4 adoption checklist
• Dependency management
• Get the project started in IntelliJ IDEA
• Automatic reload during development
• How to add a Challenge
• Local testing
• Local Automated testing
• Want to disable challenges in your own release?

📚 Resources & Community
• Special thanks & Contributors
• Sponsorships
• Help Wanted
• Further reading on secrets management

Support

Need support? Contact us via OWASP Slack (for which you sign up here), file a PR, file an issue, or use discussions. Please note that this is an OWASP volunteer-based project, so it might take a little while before we respond.

Copyright (c) 2020-2025 Jeroen Willemsen and WrongSecrets contributors.

🛤️ Choose Your Path

Not sure which setup is right for you?
Here's a quick guide:

| **I want to...** | **Recommended Setup** | **Challenges Available** |
|------------------|----------------------|--------------------------|
| Try it quickly online | Container running on Heroku | Basic challenges (0-4, 8, 12-32, 34-43, 49-52, 54-61) |
| Run locally with Docker | Basic Docker | Same as above, but on your machine |
| Learn Kubernetes secrets | K8s/Minikube Setup | Kubernetes challenges (0-6, 8, 12-43, 48-61) |
| Practice with cloud secrets | Cloud Challenges | All challenges (0-61) |
| Run a workshop/CTF | CTF Setup | Customizable challenge sets |
| Contribute to the project | Development Setup | All challenges + development tools |

Basic docker exercises

_Can be used for challenges 0-4, 8, 12-32, 34-43, 49-52, 54-61_

For the basic docker exercises you currently require:

• Docker - Install from here
• Some browser that can render HTML

You can install it by doing:

**🚀 Want to try the bleeding-edge version?**

If you want to see what's coming in the next release, you can use our automatically-built master container:

⚠️ **Warning**: This is a development version built from the latest master branch and may contain experimental features or instabilities.

**📝 Note on Ports:**

• Port **8080**: Main application (challenges 0-61)
• Port **8090**: MCP server (required for Challenge 60)

Now you can try to find the secrets by solving the challenges offered at the links below. All the links for the docker challenges (click the triangle to open the block):
• localhost:8080/challenge/challenge-0
• localhost:8080/challenge/challenge-1
• localhost:8080/challenge/challenge-2
• localhost:8080/challenge/challenge-3
• localhost:8080/challenge/challenge-4
• localhost:8080/challenge/challenge-8
• localhost:8080/challenge/challenge-12
• localhost:8080/challenge/challenge-13
• localhost:8080/challenge/challenge-14
• localhost:8080/challenge/challenge-15
• localhost:8080/challenge/challenge-16
• localhost:8080/challenge/challenge-17
• localhost:8080/challenge/challenge-18
• localhost:8080/challenge/challenge-19
• localhost:8080/challenge/challenge-20
• localhost:8080/challenge/challenge-21
• localhost:8080/challenge/challenge-22
• localhost:8080/challenge/challenge-23
• localhost:8080/challenge/challenge-24
• localhost:8080/challenge/challenge-25
• localhost:8080/challenge/challenge-26
• localhost:8080/challenge/challenge-27
• localhost:8080/challenge/challenge-28
• localhost:8080/challenge/challenge-29
• localhost:8080/challenge/challenge-30
• localhost:8080/challenge/challenge-31
• localhost:8080/challenge/challenge-32
• localhost:8080/challenge/challenge-34
• localhost:8080/challenge/challenge-35
• localhos…