Welcome

Welcome to OWASP WrongSecrets. With this app, we hope you will re-evaluate your secrets management strategy.


For each of the challenges below: try to find the secret! Enter it in the `Answer to solution` box and score points! Note that some challenges require this app to run on additional infrastructure (see the table below).

Total score: 0

Hasty? Here is the Vault secret ;-)

Wondering what a secret is? A secret is often a confidential piece of information that is required to unlock certain functionalities or information. It can exist in many shapes or forms, for instance:
  • 2FA keys
  • Activation/Callback links
  • API keys
  • Credentials
  • Passwords
  • Private keys (decryption, signing, TLS, SSH, GPG)
  • Secret keys (symmetric encryption, HMAC)
  • Session cookies
  • Tokens (Session, Refresh, Authentication, Activation, etc.)

Want to see if your tool of choice detects all the secrets available in this project? Check the instructions in the README.

Developing our solution in 3 clouds costs money. Want to help us cover our cloud bills? Donate.