OWASP WrongSecrets

logo by Ben de Haan

Github Stars OWASP Production Project Release version OpenSSF Best Practices Docker pulls Tweet

OWASP WrongSecrets is the first Secrets Management-focused vulnerable/p0wnable app! It can be used as a stand-alone game, as part of security trainings, awareness demos, as a test environment for secret detection tools, and bad practice detection tooling. It even has a supporting CTF platform to play the game in a larger group.

Want to give it a shot? Go to our Heroku demo environment

Image

Description

WrongSecrets is based on Java, Docker, Terraform, and a bit of scripting fun. It contains more than 40 exercises with various wrongly stored or misconfigured secrets - which you need to find. Finding these secrets will

  • Help you to look for secrets being misconfigured at your own environment, or target environments for bug bounties.
  • Help you to re-evaluate your own secrets management practices as well.

Want to play?

There are multiple ways on how you can play/work with OWASP WrongSecrets. Want to play locally? Try

docker run -p 8080:8080  jeroenwillemsen/wrongsecrets:latest-no-vault

Otherwise, try one of the following online environments:

Or try to deploy it using free services:

Deploy to Render

Deploy on Railway

Contributors

GitHub contributors WrongSecrets GitHub contributors WrongSecrets-ctf-party GitHub contributors WrongSecrets-binaries

Leaders:

Top contributors:

Contributors:

Testers:

Special thanks:

Sponsorships

We would like to thank the following parties for helping us out:

gitguardian_logo.png

GitGuardian for their sponsorship which allows us to pay the bills for our cloud-accounts.

jetbrains_logo.png

Jetbrains for licensing an instance of Intellij IDEA Ultimate edition to the project leads. We could not have been this fast with the development without it!

docker_logo.png

Docker for granting us their Docker Open Source Sponsored program.

1password_logo.png

1Password for granting us an open source license to 1Password for the secret detection testbed.

AWS Open Source

AWS for granting us AWS Open Source credits which we use to test our project and the Wrongsecrets CTF Party setup on AWS.

Individual supporters

Licensing

license

This program is free software: You can redistribute it and/or modify it under the terms of the AGPLv3 License. OWASP WrongSecrets and any contributions are Copyright © by Jeroen Willemsen & the OWASP WrongSecrets contributors 2020-2024.

Want to help out?

You can help us in many ways:

  • Star us on github: Star Wrongsecrets on Github
  • Promote us using Tweet .
  • Promote us with a Blog, Vlog, Podcast, or presentation on a conference. Or use our materials to organize a CTF! If you do, let us know, so we can list your event or publication here on the webiste.
  • Work with us on the project! Take a look at the Readme of the project, How to contribute, and the Github Issues. If you want to contribute to an issue: make sure it is not yet assigned to someone, comment on it with your intention, and then we can assign it to you.
  • Sponsor our project! We will use the money for covering our cloud costs (building & maintaining the project in 3 clouds costs money). And soon we hope to be able to buy you some stickers if you do ;-).

Presentations about OWASP WrongSecrets

The project has been promoted at:

We would like to thank many people that have given a shoutout or a share about this project! Thank you for your forum-posts, blogs, and more!


Overview

The application can best be run as a Docker container as part of a K8s cluster. Some challenges are unique to specific public clouds (AWS, GCP, and Azure only for now).

overview

The overview above nicely shows which technologies are mostly used to build up the full application. Consult the GitHub repo readme for more information.


CTF

With just OWASP WrongSecrets

We support playing CTFs with OWASP WrongSecrets! Want to know more? Have a look at the Git repo README and the additional CTF documentation

With OWASP WrongSecrets-CTF-Party

Github Stars Docker pulls.

Want to play OWASP WrongSecrets in a large group in CTF mode, but not go over all the hassle of setting up local copies of OWASP WrongSecrets? Here is OWASP WrongSecrets CTF Party! This is a fork of OWASP MultiJuicer, which is adapted to become a dynamic multi-tenant setup for doing a CTF together!

Note that we:

  • have a Webtop integrated for each player
  • have a WrongSecrets instance integrated for each player
  • A working admin interface which can restart both or delete both (by deleting the full namespace)
  • It can cleanup old & unused namespaces automatically.

You can currently play OWASP WrongSecrets CTF Party using:

  • Any k8s setup that allows you to have multiple namespaces (including Minikube), by leveraging our helm charts.
  • AWS, Azure, and GCP by using terraform which is part of the repo.

Special thanks

Special thanks to @commjoen, @madhuakula, @bendehaan, and @mikewoudenberg, and @osamamagdy for making this port a reality!


Wrongsecrets Desktop

Docker pullsDocker pulls

Want to try out the secrets-hunting, but don’t want to install all the recommended tools? Try to use our WrongSecrets desktop.

WrongSecrets desktopt

You can run all the tools and a desktop environment in a container by doing the following:

docker run -p 3000:3000 jeroenwillemsen/wrongsecrets-desktop:latest

and open a browser at http://localhost:3000. Want to know more? Checkout the Readme at the WrongSecrets github repo.


Creating Passwords

You can create various types of passwords. OWASP WrongSecrets has quite a few of them as an example. There are complex passwords, which you can easily create with tools like OpenSSL and/or password managers. There are short passphrases, which you can easily remember There are longer passphrases with a more extensive set of words involved.

Complex passwords

Complex passwords can be easily generated securely using tools like OpenSSL (using openssl rand 20 -base64) or a password manager. For instance, the generation of challenge 31’s password. The password (SGF2ZSBhIG5pY2UgZGF5) was obtained using random information generated through OpenSSL.

Of course, we need to reference the (in)famous XKCD on this topic.

Short passphrases

Short passphrases uses short combinations of words. These are easy to think of and easy to remember. The solution to challenge0 is a good example here. Here a short passphrase(The first answer) is used as a solution.

Longer passphrases

In other challenges we packed longer passphrases, which are still easy to remember, but do have a lot more entropy to them.

References

NIST Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html OWASP Authentication cheatsheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html