OWASP WrongSecrets

logo by Ben de Haan

Github Stars OWASP Lab Project Release version Docker pulls Tweet Share on Mastodon

OWASP WrongSecrets is the first Secrets Management-focused vulnerable/p0wnable app! It can be used in security trainings, awareness demos, as a test environment for secret detection tools, and bad practice detection tooling.



WrongSecrets is based on Java, Docker, Terraform, and a bit of scripting fun. It contains more than 25 exercises with various wrongly stored or misconfigured secrets - which you need to find. Finding these secrets will

  • Help you to look for secrets being misconfigured at your own environment, or target environments for bug bounties.
  • Help you to re-evaluate your own secrets management practices as well.

Want to play?

There are multiple ways on how you can play/work with OWASP WrongSecrets. Want to play locally? Try

docker run -p 8080:8080  jeroenwillemsen/wrongsecrets:latest-no-vault

Otherwie try one of the following online environments:


GitHub contributors


Top contributors:


Special mentions for helping out:

Actual contributors at this point in time.


We would like to thank the following parties for helping us out:


GitGuardian for their sponsorship which allows us to pay the bills for our cloud-accounts.


Jetbrains for licensing an instance of Intellij IDEA Ultimate edition to the project leads. We could not have been this fast with the development without it!


Docker for granting us their Docker Open Source Sponsored program.


1Password for granting us an open source license to 1Password for the secret detection testbed.



This program is free software: You can redistribute it and/or modify it under the terms of the MIT License. OWASP WrongSecrets and any contributions are Copyright © by Jeroen Willemsen & the OWASP WrongSecrets contributors 2020-2022.

Presentations about OWASP WrongSecrets

The project has been promoted at:

We would like to thank many people that have given a shoutout or a share about this project! Thank you for your forum-posts, blogs, and more!


The application can best be run as a Docker container as part of a K8s cluster. Some challenges are unique to specific public clouds (AWS, GCP, and Azure only for now).


The overview above nicely shows which technologies are mostly used to build up the full application. Consult the GitHub repo readme for more information.


We support playing CTFs with OWASP WrongSecrets! Want to know more? Have a look at the Git repo README and the additional CTF documentation

Note that we are working on a larger CTF platform, which you can find at https://github.com/OWASP/wrongsecrets-ctf-party. It has been succesfully used in a few CTFs right now. Feel free to take it for a spin!

Wrongsecrets Desktop

Docker pulls

Want to try out the secrets-hunting, but don’t want to install all the recommended tools? Try to use our WrongSecrets desktop.

WrongSecrets desktopt

You can run all the tools and a desktop environment in a container by doing the following:

docker run -p 3000:3000 jeroenwillemsen/wrongsecrets-desktop:latest

and open a browser at http://localhost:3000. Want to know more? Checkout the Readme at the WrongSecrets github repo.