OWASP WrongSecrets


OWASP WrongSecrets is the first Secrets Management-focused vulnerable/p0wnable app! It can be used in security trainings, in awareness demos, and as a test environment for secret detection tools and bad practice detection tooling.



WrongSecrets is based on Java, Docker, Terraform, and a bit of scripting fun. It contains more than 10 exercises with various “hidden” secrets - which you need to find.




Top contributors:

Special mentions for helping out:

Actual contributors at this point in time.



This program is free software: You can redistribute it and/or modify it under the terms of the MIT License. OWASP Juice Shop and any contributions are Copyright © by Jeroen Willemsen & the OWASP WrongSecrets contributors 2020-2021.


The application can best be run in a Docker container as part of a K8s cluster. Some challenges are unique to specific public clouds (AWS only for now). More overview details will follow later. Consult the GitHub repo readme for more information.