Skip to content

Latest commit

 

History

History
206 lines (151 loc) · 16.5 KB

index.md

File metadata and controls

206 lines (151 loc) · 16.5 KB
layout title tags level type pitch
col-sidebar
OWASP WrongSecrets
wrongsecrets
3.5
tool
Examples with how to not use secrets

logo by Ben de Haan

Github Stars OWASP Production Project Release version OpenSSF Best Practices Docker pulls Tweet

OWASP WrongSecrets is the first Secrets Management-focused vulnerable/p0wnable app! It can be used as a stand-alone game, as part of security trainings, awareness demos, as a test environment for secret detection tools, and bad practice detection tooling. It even has a supporting CTF platform to play the game in a larger group.

Want to give it a shot? Go to our demo environment running on Heroku.

Image

Description

WrongSecrets is based on Java, Docker, Terraform, and a bit of scripting fun. It contains more than 50 exercises with various wrongly stored or misconfigured secrets - which you need to find. Finding these secrets will

  • Help you to look for secrets being misconfigured at your own environment, or target environments for bug bounties.
  • Help you to re-evaluate your own secrets management practices as well.

Want to play?

There are multiple ways on how you can play/work with OWASP WrongSecrets. Want to play locally? Try

docker run -p 8080:8080  jeroenwillemsen/wrongsecrets:latest-no-vault

Otherwise, try one of the following online environments:

Or try to deploy it using free services:

Deploy to Render

Deploy on Railway

Contributors

GitHub contributors WrongSecrets GitHub contributors WrongSecrets-ctf-party GitHub contributors WrongSecrets-binaries

Leaders:

Top contributors:

Contributors:

Testers:

Special thanks:

Sponsorships

We would like to thank the following parties for helping us out:

gitguardian_logo.png

GitGuardian for their sponsorship which allows us to pay the bills for our cloud-accounts.

jetbrains_logo.png

Jetbrains for licensing an instance of Intellij IDEA Ultimate edition to the project leads. We could not have been this fast with the development without it!

docker_logo.png

Docker for granting us their Docker Open Source Sponsored program.

1password_logo.png

1Password for granting us an open source license to 1Password for the secret detection testbed.

AWS Open Source

AWS for granting us AWS Open Source credits which we use to test our project and the Wrongsecrets CTF Party setup on AWS.

Individual supporters

{% assign individual_supporter = site.data.ow_attributions | uniq %} {% for supporter in individual_supporter %}

Licensing

license

This program is free software: You can redistribute it and/or modify it under the terms of the AGPLv3 License. OWASP WrongSecrets and any contributions are Copyright © by Jeroen Willemsen & the OWASP WrongSecrets contributors 2020-2024.

Want to help out?

You can help us in many ways:

  • Star us on github: Star Wrongsecrets on Github
  • Promote us using Tweet .
  • Promote us with a Blog, Vlog, Podcast, or presentation on a conference. Or use our materials to organize a CTF! If you do, let us know, so we can list your event or publication here on the webiste.
  • Work with us on the project! Take a look at the Readme of the project, How to contribute, and the Github Issues. If you want to contribute to an issue: make sure it is not yet assigned to someone, comment on it with your intention, and then we can assign it to you.
  • Sponsor our project! We will use the money for covering our cloud costs (building & maintaining the project in 3 clouds costs money). And soon we hope to be able to buy you some stickers if you do ;-).

Presentations about OWASP WrongSecrets

The project has been promoted at:

We would like to thank many people that have given a shoutout or a share about this project! Thank you for your forum-posts, blogs, and more!