Welcome to OWASP WrongSecrets

Learn about secrets management by finding real secrets hidden in code, configuration files, and cloud infrastructure.

🎯 How to Play

Your Mission: Find hidden secrets in this repository and enter them to score points!

Where to Look:

📁 Source code files (Java, JavaScript, etc.)
🐳 Docker files and configurations
☁️ Cloud deployment configurations (AWS, GCP, Azure)
🔧 Environment variables and config files
🗄️ Vault and secret management tools

Getting Started: Check out the GitHub repository to examine the code and find the secrets!

Pro Tip: Each challenge below has a different difficulty level and may require different environments. Start with the easier ones and work your way up! 🚀

Difficulty: ⭐ (Easy) ⭐⭐ (Medium) ⭐⭐⭐ (Hard) ⭐⭐⭐⭐ (Expert) ⭐⭐⭐⭐⭐ (Master) | Environment: Where the challenge can be solved

#	Challenge	Focus	Difficulty		Solved
	☑				☑

🚀 Ready to Start?

1. Choose a challenge from the table above

2. Examine the repository - Look at the source code, config files, and documentation

3. Find the secret - It could be in plain text, encoded, or stored in environment variables

4. Enter your answer - Submit the secret to score points!

Hasty? Here is the Vault secret;-)

Like what you see? Please
Star us on Github

Note: The above button only takes you to the repository. Please ensure to star the repository once you are there!

OWASP Project Leaders:

Top Contributors:

Contributors:

Testers:

Special mentions for helping out:

Resources/further reading on secrets management:

Wondering what a secret is? A secret is often a confidential piece of information that is required to unlock certain functionalities or information. It can exists in many shapes or forms, for instance:

2FA keys
Activation/Callback links
API keys
Credentials
Passwords
Private keys (decryption, signing, TLS, SSH, GPG)
Secret keys (symmetric encryption, HMAC)
Session cookies
Tokens (Session, Refresh, Authentication, Activation, etc.)

Want to see if your tool of choice detects all the secrets available in this project?
Check the instructions in the README .

Developing our solution in 3 clouds costs money. Want to help us to cover our cloud bills? Donate.