OWASP WrongSecrets
OWASP WrongSecrets is the first Secrets Management-focused vulnerable/p0wnable app! It can be used in security trainings, awareness demos, as a test environment for secret detection tools, and bad practice detection tooling.
Description
WrongSecrets is based on Java, Docker, Terraform, and a bit of scripting fun. It contains more than 20 exercises with various “hidden” secrets - which you need to find.
Contributors
Leaders:
Top contributors:
- Nanne Baars @nbaars
- Marcin Nowak @MarcinNowak-codes
- Joss Sparkes @remakingeden
- Tibor Hercz @tiborhercz
- Chris Elbring Jr. @neatzsche
- Filip Chyla @fchyla
- Dmitry Litosh @Dlitosh
- Josh Grossman @tghosth
- Spyros @northdpole
- Mike Woudenberg @mikewoudenberg
- Ruben Kruiver @RubenAtBinx
- Finn @f3rn0s
- Alex Bender @alex-bender
- Rick M @kingthorin
Testers:
Special mentions for helping out:
Actual contributors at this point in time.
Licensing
This program is free software: You can redistribute it and/or modify it under the terms of the MIT License. OWASP WrongSecrets and any contributions are Copyright © by Jeroen Willemsen & the OWASP WrongSecrets contributors 2020-2022.
Presentations about OWASP WrongSecrets
The project has been promoted at:
- AllDayDevOps: Our secrets management journey from Code to Vault
- Conf42 DevSecOps 2021: Secrets-management: challenges from code to cloud
- Club Cloud 2021: Securing your secrets in the cloud
- OWASP Dutch Chapter Meetup: Our Secrets Management Journey: From Code to Vault
- Application Security Podcast: Jeroen Willemsen & Ben de Haan – Dirty little secrets
- Open Security Summit: OWASP Wrong Secrets: project goals, under the hood, and where do we go from here?
- WrongSecrets demo - How not to store secrets with the project founder Jeroen Willemsen
- Security Journey: Jeroen Willemsen and Ben de Haan - Dirty little secrets
- Meetup OWASP Bay Area: OWASP WrongSecrets: how to NOT mange your secrets
- Code to Cloud Virtual Summit: Learn How to (Not) Use Secrets with OWASP WrongSecrets!
- Teqnation 2022 Utrecht
- Devops Pro Europe: Introducing OWASP WrongSecrets: How You Should NOT Handle Your Secrets
- OWASP Virtual Appsec Europe 2022: OWASP WrongSecrets: We have a secret for Everyone!
- Tweakers Developers Summit: OWASP WrongSecrets - waar je je applicatiegeheimen (niet) moet neerzetten
- OWASP Frankfurt #55 In-Person Event: Cloud Secrets,Cyber-Crime & Threat Modeling: Can’t you keep a secret? Learn Secrets Management with OWASP WrongSecrets by Dan Gora, OWASP Frankfurt
- OWASP Hamburg Stammtich
Soon to come:
- DevSecOps Days 2022 Washington DC (Virtual): Learn How To (Not) Use Secrets With OWASP Wrong Secrets!
- Allday Devops
We would like to thank many people that have given a shoutout or a share about this project! Thank you for your forum-posts, blogs, and more!
Overview
The application can best be run as a Docker container as part of a K8s cluster. Some challenges are unique to specific public clouds (AWS, GCP, and Azure only for now).
The overview above nicely shows which technologies are mostly used to build up the full application. Consult the GitHub repo readme for more information.
CTF
We support playing CTFs with OWASP WrongSecrets! Want to know more? Have a look at the Git repo README and the additional CTF documentation
Note that we are working on a larger CTF platform, which you can find at https://github.com/commjoen/wrongsecrets-ctf-party.
Wrongsecrets Desktop
Want to try out the secrets-hunting, but don’t want to install all the recommended tools? Try to use our WrongSecrets desktop.
You can run all the tools and a desktop environment in a container by doing the following:
docker run -p 3000:3000 jeroenwillemsen/wrongsecrets-desktop:1.5.2
and open a browser at http://localhost:3000. Want to know more? Checkout the Readme at the WrongSecrets github repo.