OWASP WrongSecrets

Welcome to OWASP WrongSecrets

Learn about secrets management by finding real secrets hidden in code, configuration files, and cloud infrastructure.

🎯 How to Play

Your Mission: Find hidden secrets in this repository and enter them to score points!

Where to Look:

📁 Source code files (Java, JavaScript, etc.)
🐳 Docker files and configurations
☁️ Cloud deployment configurations (AWS, GCP, Azure)
🔧 Environment variables and config files
🗄️ Vault and secret management tools

Getting Started: Check out the GitHub repository to examine the code and find the secrets!

Pro Tip: Each challenge below has a different difficulty level and may require different environments. Start with the easier ones and work your way up! 🚀

Difficulty: ⭐ (Easy) ⭐⭐ (Medium) ⭐⭐⭐ (Hard) ⭐⭐⭐⭐ (Expert) ⭐⭐⭐⭐⭐ (Master) | Environment: Where the challenge can be solved

#	Challenge	Focus	Difficulty	Runs on environment (current: Heroku)
0	Challenge 0	Intro	★☆☆☆☆	Docker
1	Challenge 1	Git	★☆☆☆☆	Docker
2	Challenge 2	Git	★☆☆☆☆	Docker
3	Challenge 3	Docker	★☆☆☆☆	Docker
4	Challenge 4	Docker	★★☆☆☆	Docker
5	Challenge 5	Configmaps	★★☆☆☆	K8s
6	Challenge 6	Secrets	★★☆☆☆	K8s
7	Challenge 7	Vault	★★★★☆	K8s with Vault
8	Challenge 8	Logging	★★☆☆☆	Docker
9	Challenge 9	Terraform	★★★☆☆	AWS, GCP, Azure
10	Challenge 10	CSI-Driver	★★★★☆	AWS, GCP, Azure
11	Challenge 11	IAM privilege escalation	★★★★☆	AWS, GCP, Azure
12	Challenge 12	Docker	★★★☆☆	Docker
13	Challenge 13	CI/CD	★★★☆☆	Docker
14	Challenge 14	Password Manager	★★★★☆	Docker
15	Challenge 15	Git	★★☆☆☆	Docker
16	Challenge 16	Front-end	★★★☆☆	Docker
17	Challenge 17	Docker	★★★☆☆	Docker
18	Challenge 18	Cryptography	★★★★★	Docker
19	Challenge 19	Binary	★★★★☆	Docker
20	Challenge 20	Binary	★★★★☆	Docker
21	Challenge 21	Binary	★★★★★	Docker
22	Challenge 22	Binary	★★★★★	Docker
23	Challenge 23	Front-end	★☆☆☆☆	Docker
24	Challenge 24	Cryptography	★★☆☆☆	Docker
25	Challenge 25	Web3	★★☆☆☆	Docker
26	Challenge 26	Web3	★★☆☆☆	Docker
27	Challenge 27	Web3	★★☆☆☆	Docker
28	Challenge 28	Documentation	★☆☆☆☆	Docker
29	Challenge 29	Documentation	★☆☆☆☆	Docker
30	Challenge 30	Front-end	★★☆☆☆	Docker
31	Challenge 31	Front-end	★☆☆☆☆	Docker
32	Challenge 32	AI	★★☆☆☆	Docker
33	Challenge 33	Secrets	★★☆☆☆	K8s
34	Challenge 34	Cryptography	★★☆☆☆	Docker
35	Challenge 35	Documentation	★☆☆☆☆	Docker
36	Challenge 36	Binary	★★★★★	Docker
37	Challenge 37	CI/CD	★★☆☆☆	Docker
38	Challenge 38	Git	★☆☆☆☆	Docker
39	Challenge 39	Cryptography	★☆☆☆☆	Docker
40	Challenge 40	Cryptography	★☆☆☆☆	Docker
41	Challenge 41	Cryptography	★★★☆☆	Docker
42	Challenge 42	Logging	★★☆☆☆	Docker
43	Challenge 43	Documentation	★☆☆☆☆	Docker
44	Challenge 44	Vault	★★★★☆	K8s with Vault
45	Challenge 45	Vault	★★★★☆	K8s with Vault
46	Challenge 46	Vault	★★★★☆	K8s with Vault
47	Challenge 47	Vault	★★☆☆☆	K8s with Vault
48	Challenge 48	Secrets	★★☆☆☆	K8s
49	Challenge 49	Cryptography	★★★☆☆	Docker
50	Challenge 50	Binary	★★☆☆☆	Docker
51	Challenge 51	Secrets	★★☆☆☆	Docker
52	Challenge 52	Secrets	★★☆☆☆	Docker
53	Challenge 53	Secrets	★★★☆☆	K8s
54	Challenge 54	Secrets	★★☆☆☆	Docker
55	Challenge 55	Secrets	★☆☆☆☆	Docker
56	Challenge 56	AI	★☆☆☆☆	Docker
57	Challenge 57	AI	★★☆☆☆	Docker
58	Challenge 58	Logging	★★☆☆☆	Docker
59	Challenge 59	CI/CD	★★☆☆☆	Docker

Total score: 0

🚀 Ready to Start?

1. Choose a challenge from the table above

2. Examine the repository - Look at the source code, config files, and documentation

3. Find the secret - It could be in plain text, encoded, or stored in environment variables

4. Enter your answer - Submit the secret to score points!

Hasty? Here is the Vault secret;-)

Like what you see? Please
Star us on Github

Note: The above button only takes you to the repository. Please ensure to star the repository once you are there!

OWASP Project Leaders:

Top Contributors:

Contributors:

Testers:

Special mentions for helping out:

Resources/further reading on secrets management:

Wondering what a secret is? A secret is often a confidential piece of information that is required to unlock certain functionalities or information. It can exists in many shapes or forms, for instance:

2FA keys
Activation/Callback links
API keys
Credentials
Passwords
Private keys (decryption, signing, TLS, SSH, GPG)
Secret keys (symmetric encryption, HMAC)
Session cookies
Tokens (Session, Refresh, Authentication, Activation, etc.)

Want to see if your tool of choice detects all the secrets available in this project?
Check the instructions in the README .

Developing our solution in 3 clouds costs money. Want to help us to cover our cloud bills? Donate.