OWASP WrongSecrets

Welcome

Welcome to OWASP WrongSecrets. With this app, we hope you will re-evaluate your secrets management strategy.

For each of the challenges below: try to find the secret! Enter it in the `Answer to solution` box and score points! Note that some challenges require this app to run on additional infrastructure (see in the table below).

entries per page

Search:

#	Challenge	Focus	Difficulty	Runs on environment (current: Heroku)
0	Challenge 0	Intro	★☆☆☆☆	Docker
1	Challenge 1	Git	★☆☆☆☆	Docker
2	Challenge 2	Git	★☆☆☆☆	Docker
3	Challenge 3	Docker	★☆☆☆☆	Docker
4	Challenge 4	Docker	★★☆☆☆	Docker
5	Challenge 5	Configmaps	★★☆☆☆	K8s
6	Challenge 6	Secrets	★★☆☆☆	K8s
7	Challenge 7	Vault	★★★★☆	K8s with Vault
8	Challenge 8	Logging	★★☆☆☆	Docker
9	Challenge 9	Terraform	★★★☆☆	AWS, GCP, Azure
10	Challenge 10	CSI-Driver	★★★★☆	AWS, GCP, Azure
11	Challenge 11	IAM privilege escalation	★★★★☆	AWS, GCP, Azure
12	Challenge 12	Docker	★★★☆☆	Docker
13	Challenge 13	CI/CD	★★★☆☆	Docker
14	Challenge 14	Password Manager	★★★★☆	Docker
15	Challenge 15	Git	★★☆☆☆	Docker
16	Challenge 16	Front-end	★★★☆☆	Docker
17	Challenge 17	Docker	★★★☆☆	Docker
18	Challenge 18	Cryptography	★★★★★	Docker
19	Challenge 19	Binary	★★★★☆	Docker
20	Challenge 20	Binary	★★★★☆	Docker
21	Challenge 21	Binary	★★★★★	Docker
22	Challenge 22	Binary	★★★★★	Docker
23	Challenge 23	Front-end	★☆☆☆☆	Docker
24	Challenge 24	Cryptography	★★☆☆☆	Docker

Showing 1 to 25 of 54 entries

Total score: 0

Hasty? Here is the Vault secret;-)

Like what you see? Please
Star us on Github

Note: The above button only takes you to the repository. Please ensure to star the repository once you are there!

OWASP Project Leaders:

Top Contributors:

Contributors:

Testers:

Special mentions for helping out:

Resources/further reading on secrets management:

Wondering what a secret is? A secret is often a confidential piece of information that is required to unlock certain functionalities or information. It can exists in many shapes or forms, for instance:

2FA keys
Activation/Callback links
API keys
Credentials
Passwords
Private keys (decryption, signing, TLS, SSH, GPG)
Secret keys (symmetric encryption, HMAC)
Session cookies
Tokens (Session, Refresh, Authentication, Activation, etc.)

Want to see if your tool of choice detects all the secrets available in this project?
Check the instructions in the README .

Developing our solution in 3 clouds costs money. Want to help us to cover our cloud bills? Donate.