OWASP WrongSecrets

logo by Ben de Haan

Github Stars OWASP Lab Project Release version

OWASP WrongSecrets is the first Secrets Management-focused vulnerable/p0wnable app! It can be used in security trainings, awareness demos, as a test environment for secret detection tools, and bad practice detection tooling.



WrongSecrets is based on Java, Docker, Terraform, and a bit of scripting fun. It contains more than 10 exercises with various “hidden” secrets - which you need to find.


GitHub contributors


Top contributors:


Special mentions for helping out:

Actual contributors at this point in time.



This program is free software: You can redistribute it and/or modify it under the terms of the MIT License. OWASP WrongSecrets and any contributions are Copyright © by Jeroen Willemsen & the OWASP WrongSecrets contributors 2020-2022.

Presentations about OWASP WrongSecrets

The project has been promoted at:

Soon to come:

We would like to thank many people that have given a shoutout or a share about this project! Thank you for your forum-posts, blogs, and more!


The application can best be run as a Docker container as part of a K8s cluster. Some challenges are unique to specific public clouds (AWS, GCP, and Azure only for now).


The overview above nicely shows which technologies are mostly used to build up the full application. Consult the GitHub repo readme for more information.