OWASP WrongSecrets: Secrets Management-focused vulnerable app

OWASP WrongSecrets

Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.

It can be used in security training, awareness demos, as a test environment for secret detection tools, and bad practice detection tooling.

OWASP WrongSecrets

Wondering what a secret is? A secret is often a confidential piece of information that is required to unlock certain functionalities or information. It can exist in many shapes or forms, for instance:

  • 2FA keys
  • Activation/Callback links
  • API keys
  • Credentials
  • Passwords
  • Private keys (decryption, signing, TLS, SSH, GPG)
  • Secret keys (symmetric encryption, HMAC)
  • Session cookies
  • Tokens (Session, Refresh, Authentication, Activation, etc.)

Install

Copyright (c) 2020-2022 Jeroen Willemsen and WrongSecret contributors.