├── .gitignore
├── 404.html
├── Gemfile
├── README.md
├── _config.yml
├── _data
│   └── ow_attributions.json
├── assets
│   └── images
│       ├── 1password_logo.png
│       ├── README.md
│       ├── aws-white_48x29.png
│       ├── aws.svg.png
│       ├── docker_logo.png
│       ├── gitguardian_logo.jpeg
│       ├── icon.png
│       ├── jetbrains_logo.png
│       ├── layerswithchallenges.png
│       ├── railway-button.svg
│       └── wrongsecrets-desktop.png
├── index.md
├── info.md
├── leaders.md
├── tab_ctf.md
├── tab_overview.md
├── tab_passwords.md
└── tab_webdesktop.md

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
/Gemfile
/Gemfile.lock
/favicon.ico
_site/
.idea
.DS_Store

--------------------------------------------------------------------------------
/404.html:
--------------------------------------------------------------------------------
---

title: 404 - Not Found
layout: col-generic

---

WHOA THAT PAGE CANNOT BE FOUND

Try the SEARCH function in the main navigation to find something. If you are looking for chapter information, please see Chapters for the correct chapter. For information about OWASP projects see Projects. For common attacks, vulnerabilities, or information about other community-led contributions see Contributed Content.

If all else fails you can search our historical site.

--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
source 'https://rubygems.org'
group :jekyll_plugins do
  gem "github-pages"
end

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# www-project-wrongsecrets
OWASP Foundation Web Repository for https://owasp.org/www-project-wrongsecrets/

--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
remote_theme: "owasp/www--site-theme@main"
plugins:
  - jekyll-include-cache-0.2.0

--------------------------------------------------------------------------------
/_data/ow_attributions.json:
--------------------------------------------------------------------------------
["Jeroen Willemsen"]

--------------------------------------------------------------------------------
/assets/images/1password_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-wrongsecrets/633683c88c91c44d21365a26736f4cfc53865d07/assets/images/1password_logo.png

--------------------------------------------------------------------------------
/assets/images/README.md:
--------------------------------------------------------------------------------
# placeholder

Put images you wish to link to in this folder

link would be in form /assets/images/

--------------------------------------------------------------------------------
/assets/images/aws-white_48x29.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-wrongsecrets/633683c88c91c44d21365a26736f4cfc53865d07/assets/images/aws-white_48x29.png

--------------------------------------------------------------------------------
/assets/images/aws.svg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-wrongsecrets/633683c88c91c44d21365a26736f4cfc53865d07/assets/images/aws.svg.png

--------------------------------------------------------------------------------
/assets/images/docker_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-wrongsecrets/633683c88c91c44d21365a26736f4cfc53865d07/assets/images/docker_logo.png

--------------------------------------------------------------------------------
/assets/images/gitguardian_logo.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-wrongsecrets/633683c88c91c44d21365a26736f4cfc53865d07/assets/images/gitguardian_logo.jpeg

--------------------------------------------------------------------------------
/assets/images/icon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-wrongsecrets/633683c88c91c44d21365a26736f4cfc53865d07/assets/images/icon.png

--------------------------------------------------------------------------------
/assets/images/jetbrains_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-wrongsecrets/633683c88c91c44d21365a26736f4cfc53865d07/assets/images/jetbrains_logo.png

--------------------------------------------------------------------------------
/assets/images/layerswithchallenges.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-wrongsecrets/633683c88c91c44d21365a26736f4cfc53865d07/assets/images/layerswithchallenges.png

--------------------------------------------------------------------------------
/assets/images/railway-button.svg:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/assets/images/wrongsecrets-desktop.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-wrongsecrets/633683c88c91c44d21365a26736f4cfc53865d07/assets/images/wrongsecrets-desktop.png

--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
---
layout: col-sidebar
title: OWASP WrongSecrets
tags: wrongsecrets
level: 3.5
type: tool
pitch: Examples with how to not use secrets
---

logo by Ben de Haan

[![Github Stars](https://img.shields.io/github/stars/OWASP/wrongsecrets?label=Stars%20WrongSecrets&style=social)](https://github.com/OWASP/wrongsecrets/stargazers)
[![OWASP Production Project](https://img.shields.io/badge/OWASP-production%20project-48A646.svg)](https://owasp.org/projects/)
[![Release version](https://img.shields.io/github/v/release/OWASP/wrongsecrets)](https://github.com/OWASP/wrongsecrets/releases/latest)
[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7024/badge)](https://bestpractices.coreinfrastructure.org/projects/7024)
[![Docker pulls](https://img.shields.io/docker/pulls/jeroenwillemsen/wrongsecrets.svg)](https://hub.docker.com/r/jeroenwillemsen/wrongsecrets)
[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this&url=https://github.com/OWASP/wrongsecrets&hashtags=secretsmanagement,secrets,hunting,p0wnableapp,OWASP,WrongSecrets)
[](https://tootpick.org/#text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this%0A%0Ahttps://github.com/OWASP/wrongsecrets%20%23secretsmanagement,%20%23secrets,%20%23hunting,%20%23p0wnableapp,%20%23OWASP,%20%23WrongSecrets)

OWASP WrongSecrets is the first Secrets Management-focused vulnerable/p0wnable app! It can be used as a stand-alone game, as part of security trainings or awareness demos, and as a test environment for secret detection tools and bad practice detection tooling. It even has a supporting CTF platform to play the game in a larger group.

Want to give it a shot? Go to [our demo environment running on Heroku](https://www.wrongsecrets.com/).

![Image](https://raw.githubusercontent.com/OWASP/wrongsecrets/master/images/screenshot.png)

## Description

WrongSecrets is based on Java, Docker, Terraform, and a bit of scripting fun. It contains more than 50 exercises with various wrongly stored or misconfigured secrets - which you need to find. Finding these secrets will

- Help you look for misconfigured secrets in your own environment, or in target environments for bug bounties.
- Help you re-evaluate your own secrets management practices as well.

## Want to play?

There are multiple ways to play or work with OWASP WrongSecrets.
Want to play locally?
Try

```sh
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
```

Otherwise, try one of the following online environments:

- [Online demo env (Heroku)](https://wrongsecrets.herokuapp.com/ "Online demo on a Heroku Dyno")
- [Online CTF demo (Heroku)](https://wrongsecrets-ctf.herokuapp.com/ "Online CTF demo on a Heroku Dyno")

Or try to deploy it using free services:

[![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/OWASP/wrongsecrets)

[![Deploy on Railway](assets/images/railway-button.svg)](https://railway.app/new/template/7pnwRj)


## Contributors

[![GitHub contributors WrongSecrets](https://img.shields.io/github/contributors/OWASP/Wrongsecrets?label=Contributors%20WrongSecrets)](https://github.com/OWASP/wrongsecrets/graphs/contributors) [![GitHub contributors WrongSecrets-ctf-party](https://img.shields.io/github/contributors/OWASP/Wrongsecrets-ctf-party?label=Contributors%20WrongSecrets-ctf-party)](https://github.com/OWASP/wrongsecrets-ctf-party/graphs/contributors) [![GitHub contributors WrongSecrets-binaries](https://img.shields.io/github/contributors/OWASP/Wrongsecrets-binaries?label=Contributors%20WrongSecrets-binaries)](https://github.com/OWASP/wrongsecrets-binaries/graphs/contributors)

Leaders:

- [Ben de Haan @bendehaan](https://www.github.com/bendehaan)
- [Jeroen Willemsen @commjoen](https://www.github.com/commjoen)

Top contributors:

- [Jannik Hollenbach @J12934](https://www.github.com/J12934)
- [Puneeth Y @puneeth072003](https://www.github.com/puneeth072003)
- [Joss Sparkes @RemakingEden](https://www.github.com/RemakingEden)

Contributors:

- [Nanne Baars @nbaars](https://www.github.com/nbaars)
- [Marcin Nowak @drnow4u](https://www.github.com/drnow4u)
- [Rodolfo Neves @roddas](https://www.github.com/roddas)
- [Osama Magdy @osamamagdy](https://www.github.com/osamamagdy)
- [Pastekitoo @Pastekitoo](https://www.github.com/Pastekitoo)
- [Shubham Patel @Shubham-Patel07](https://www.github.com/Shubham-Patel07)
- [za @za](https://www.github.com/za)
- [Divyanshu Dev @Novice-expert](https://www.github.com/Novice-expert)
- [Tibor Hercz @tiborhercz](https://www.github.com/tiborhercz)
- [Chris Elbring Jr. @neatzsche](https://www.github.com/neatzsche)
- [Adarsh A @adarsh-a-tw](https://www.github.com/adarsh-a-tw)
- [Diamond Rivero @diamant3](https://www.github.com/diamant3)
- [Norbert Wolniak @nwolniak](https://www.github.com/nwolniak)
- [Filip Chyla @fchyla](https://www.github.com/fchyla)
- [Dmitry Litosh @Dlitosh](https://www.github.com/Dlitosh)
- [Vineeth Jagadeesh @djvinnie](https://www.github.com/djvinnie)
- [Mahaputra Ilham Awal @mahaputrailhamawal](https://www.github.com/mahaputrailhamawal)
- [Turjo Chowdhury @turjoc120](https://www.github.com/turjoc120)
- [SndR @SndR85](https://www.github.com/SndR85)
- [Josh Grossman @tghosth](https://www.github.com/tghosth)
- [alphasec @alphasecio](https://www.github.com/alphasecio)
- [CaduRoriz @CaduRoriz](https://www.github.com/CaduRoriz)
- [Madhu Akula @madhuakula](https://www.github.com/madhuakula)
- [Mike Woudenberg @mikewoudenberg](https://www.github.com/mikewoudenberg)
- [Spyros @northdpole](https://www.github.com/northdpole)
- [RubenAtBinx @RubenAtBinx](https://www.github.com/RubenAtBinx)
- [Alex Bender @alex-bender](https://www.github.com/alex-bender)
- [Danny Lloyd @dannylloyd](https://www.github.com/dannylloyd)
- [Nicolas Humblot @nhumblot](https://www.github.com/nhumblot)
- [Rick M @kingthorin](https://www.github.com/kingthorin)
- [Shlomo Zalman Heigh @szh](https://www.github.com/szh)
- [Fern @f3rn0s](https://www.github.com/f3rn0s)
- [Jeff Tong @Wind010](https://www.github.com/Wind010)

Testers:

- [Dave van Stein @davevs](https://www.github.com/davevs)
- [Marcin Nowak @drnow4u](https://www.github.com/drnow4u)
- [Marc Chang Sing Pang @mchangsp](https://www.github.com/mchangsp)
- [Vineeth Jagadeesh @djvinnie](https://www.github.com/djvinnie)

Special thanks:

- [Madhu Akula @madhuakula](https://www.github.com/madhuakula)
- [Nanne Baars @nbaars](https://www.github.com/nbaars)
- [Björn Kimminich @bkimminich](https://www.github.com/bkimminich)
- [Dan Gora @devsecops](https://www.github.com/devsecops)
- [Xiaolu Dai @saragluna](https://www.github.com/saragluna)
- [Jonathan Giles @jonathanGiles](https://www.github.com/jonathanGiles)

### Sponsorships

We would like to thank the following parties for helping us out:

[![gitguardian_logo.png](assets/images/gitguardian_logo.jpeg)](https://blog.gitguardian.com/gitguardian-is-proud-sponsor-of-owasp/)

[GitGuardian](https://blog.gitguardian.com/gitguardian-is-proud-sponsor-of-owasp/) for their sponsorship, which allows us to pay the bills for our cloud accounts.

[![jetbrains_logo.png](assets/images/jetbrains_logo.png)](https://www.jetbrains.com/)

[Jetbrains](https://www.jetbrains.com/) for licensing an instance of IntelliJ IDEA Ultimate edition to the project leads. We could not have been this fast with the development without it!

[![docker_logo.png](assets/images/docker_logo.png)](https://www.docker.com)

[Docker](https://www.docker.com) for accepting us into their Docker Open Source Sponsored program.

[![1password_logo.png](assets/images/1password_logo.png)](https://github.com/1Password/1password-teams-open-source/pull/552)

[1Password](https://github.com/1Password/1password-teams-open-source/pull/552) for granting us an open source license to 1Password for the secret detection testbed.

[![AWS Open Source](assets/images/aws.svg.png)](https://aws.amazon.com/)

[AWS](https://aws.amazon.com/) for granting us AWS Open Source credits, which we use to test our project and the [Wrongsecrets CTF Party](https://github.com/OWASP/wrongsecrets-ctf-party) setup on AWS.

#### Individual supporters

{% assign individual_supporter = site.data.ow_attributions | uniq %}
{% for supporter in individual_supporter %}

- {{ supporter | strip_html | strip_newlines | strip }}
{% endfor %}
- _You want to appear on this list?_
[Donate to OWASP here! 🤲](https://owasp.org/donate/?reponame=www-project-wrongsecrets&title=OWASP+wrongsecrets)

## Licensing

[![license](https://img.shields.io/github/license/OWASP/wrongsecrets.svg)](https://github.com/OWASP/wrongsecrets/blob/master/LICENSE)

This program is free software: You can redistribute it and/or modify it under the terms of the [AGPLv3 License](https://github.com/OWASP/wrongsecrets/blob/master/LICENSE).
OWASP WrongSecrets and any contributions are Copyright © by Jeroen Willemsen & the OWASP WrongSecrets contributors 2020-2025.

## Want to help out?

You can help us in many ways:

- Star us on github: Star Wrongsecrets on Github
- Promote us using [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this&url=https://github.com/OWASP/wrongsecrets&hashtags=secretsmanagement,secrets,hunting,p0wnableapp,OWASP,WrongSecrets)
[](https://tootpick.org/#text=Want%20to%20dive%20into%20secrets%20management%20and%20do%20some%20hunting?%20try%20this%0A%0Ahttps://github.com/OWASP/wrongsecrets%20%23secretsmanagement,%20%23secrets,%20%23hunting,%20%23p0wnableapp,%20%23OWASP,%20%23WrongSecrets).
- Promote us with a blog, vlog, podcast, or presentation at a conference. Or use our materials to organize a CTF! If you do, let us know, so we can list your event or publication here on the website.
- Work with us on the project! Take a look at the [Readme of the project](https://github.com/OWASP/wrongsecrets), [How to contribute](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md), and the [Github Issues](https://github.com/OWASP/wrongsecrets/issues). If you want to contribute to an issue: make sure it is not yet assigned to someone, comment on it with your intention, and then we can assign it to you.
- [Sponsor our project](https://owasp.org/donate/?reponame=www-project-wrongsecrets&title=OWASP+wrongsecrets)! We will use the money to cover our cloud costs (building & maintaining the project in 3 clouds costs money). And soon we hope to be able to buy you some stickers if you do ;-).

## Presentations about OWASP WrongSecrets

The project has been promoted at:

- [AllDayDevOps: Our secrets management journey from Code to Vault](https://www.alldaydevops.com/addo-speakers/jeroen-willemsen)
- [Conf42 DevSecOps 2021: Secrets-management: challenges from code to cloud](https://www.youtube.com/watch?v=EsMS7gOBrY4)
- [Club Cloud 2021: Securing your secrets in the cloud](https://youtu.be/lXMRTP5eg9Q)
- [OWASP Dutch Chapter Meetup: Our Secrets Management Journey: From Code to Vault](https://www.youtube.com/watch?v=qR6JCkZgOlY)
- [Open Security Summit: OWASP Wrong Secrets: project goals, under the hood, and where do we go from here?](https://www.youtube.com/watch?v=EYkjgGuhOYw)
- [WrongSecrets demo - How not to store secrets with the project founder Jeroen Willemsen](https://www.youtube.com/watch?v=nqzxpgvLEv4&t=709s)
- [Security Journey: Jeroen Willemsen and Ben de Haan - Dirty little secrets](https://www.youtube.com/watch?v=0HGPnQAYFNY)
- [Meetup OWASP Bay Area: OWASP WrongSecrets: how to NOT manage your secrets](https://www.youtube.com/watch?v=oRUPVhp1Bfw)
- [Code to Cloud Virtual Summit: Learn How to (Not) Use Secrets with OWASP WrongSecrets!](https://start.paloaltonetworks.com/code-to-cloud-summit.html)
- [Teqnation 2022 Utrecht](https://teqnation.com/timetable-2022/)
- [Devops Pro Europe: Introducing OWASP WrongSecrets: How You Should NOT Handle Your Secrets](https://devopspro.lt/Jeroen-Willemsen/)
- [OWASP Virtual Appsec Europe 2022: OWASP WrongSecrets: We have a secret for Everyone!](https://whova.com/web/GKSmlhCK%2FWzBY2c8qqJ%2Bp7kNcnjsUQAQJ%2ByBsjLrbOo%3D/Agenda)
- [Tweakers Developers Summit: OWASP WrongSecrets - waar je je applicatiegeheimen (niet) moet neerzetten](https://tweakers.net/partners/devsummit2022/1684/bendehaan/)
- [OWASP Frankfurt #55 In-Person Event: Cloud Secrets, Cyber-Crime & Threat Modeling: Can't you keep a secret? Learn Secrets Management with OWASP WrongSecrets by Dan Gora, OWASP Frankfurt](https://www.meetup.com/nl-NL/it-security-stammtisch-frankfurt-owasp-u-w/events/286925136/)
- OWASP Hamburg Stammtisch
- [DevSecOps Days 2022 Washington DC (Virtual): Learn How To (Not) Use Secrets With OWASP Wrong Secrets!](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=887917) and [see the Youtube recording here](https://www.youtube.com/watch?v=bYDnMYkRUN0)
- [AllDayDevOps - Learn how to (not) use secrets with OWASP WrongSecrets!](https://www.alldaydevops.com/addo-speakers/jeroen-willemsen)
- [Azure Cloud Security Group - Can't You Keep a Secret? Cloud Native Secrets Management with OWASP Wrong Secrets](https://www.youtube.com/watch?v=Aafvip8XGDI)
- [Azure Cloud Security Meetup: Cloud-Native Secrets Management with OWASP WrongSecrets by Dan Gora](https://www.youtube.com/watch?v=Aafvip8XGDI&t=2505s)
- [OWASP Benelux Days 2022 - CTF Kickoff](https://www.owaspbenelux.eu/program/conference#Jeroen-Willemsen-and-Ben-De-Haan) with actual [CTF info](https://www.owaspbenelux.eu/program/ctf)
- [WeHackPurple: Don’t make the same mistakes we did: How you can do secrets management better with OWASP WrongSecrets](https://community.wehackpurple.com/events/dont-make-the-same-mistakes-we-did-how-you-can-do-secrets-management-better-with-owasp-wrongsecrets)
- [Open Security Summit: OWASP WrongSecrets a journey into secrets management](https://open-security-summit.org/sessions/2024/mini-summits/jan/governance/owasp-wrongsecrets-a-journey-into-secret-management-failures/)
- [Open Security Summit: OWASP WrongSecrets: Define the future challenges together](https://open-security-summit.org/sessions/2024/mini-summits/jan/governance/owasp-wrongsecrets-define-the-future-challenges-together/)
- [Cyberwisecon: OWASP WrongSecrets: How We Keep on Growing Our Open Source Project](https://events.pinetool.ai/3152/#sessions/102169?referrer%5Bpathname%5D=%2Fsessions&referrer%5Bsearch%5D=&referrer%5Btitle%5D=Sessions)
- [NLUUG: How to (not) Use Secrets with OWASP WrongSecrets](https://nluug.nl/evenementen/nluug/voorjaarsconferentie-2024/talks/ben-de-haan-jeroen-willemsen-how-to-not-use-secrets-with-owasp-wrongsecrets/) [recording, from 2:13](https://www.youtube.com/live/iJGV-SP1vRw?si=PE1rUH-py0GIvkuv)
- [ADDO: OWASP WrongSecrets: How We Keep on Growing Our Open Source Project](https://event.alldaydevops.com/event/registration/websitePage:04030226-24b8-49ac-9c30-5671087b28ec?_gl=1*1r8zqhp*_gcl_au*MTkyNDMzMzAxOS4xNzI1NTI1OTY4&session=f7080cbc-c775-4c3d-8c6b-c6cca2158a74)
- [OWASP Spotlight Series WrongSecrets](https://www.youtube.com/watch?v=inSkNPLDlWo)
- Coverage on youtube: [walkthrough by sec right](https://youtu.be/tSQATLTuSqQ?si=DwCnQ4FlQQALGVfZ)
- Various blogs: [A blog by Gitguardian](https://blog.gitguardian.com/gitguardian-is-proud-sponsor-of-owasp/), [Another blog by Gitguardian](https://blog.gitguardian.com/a-beginners-guide-to-owasp/), [Blogs by the author(s)](https://dev.to/commjoen), [A blog by Okteto](https://www.okteto.com/blog/practice-secrets-management-in-kubernetes-with-owasp-wrongsecrets-and-okteto/), [A blog by Nec](https://jpn.nec.com/cybersecurity/blog/230707/index.html), [A blog from vineeth.dj](https://medium.com/@vineeth.dj/owasp-wrongsecrets-writeup-24ad3460be0a).
- Various podcasts: [Application Security Podcast: Jeroen Willemsen & Ben de Haan -- Dirty little secrets](https://appsecpodcast.securityjourney.com/1730684/9864567-jeroen-willemsen-and-ben-de-haan-dirty-little-secrets), [Devsec for scale: Secrets Management Pt 1](https://www.youtube.com/watch?v=dxgXUQZgUnI), [Devsec for scale: Secrets Management Pt 2](https://www.youtube.com/watch?v=_gY0T9vIl4E), [Devsec for scale: Secrets Management Pt 3](https://www.youtube.com/watch?v=vtUk2bc34AY).

We would like to thank the many people who have given a shoutout or a share about this project! Thank you for your forum posts, blogs, and more!

--------------------------------------------------------------------------------
/info.md:
--------------------------------------------------------------------------------
### Project Information

* Production Project

#### Classification

* Tool

#### Audience

* Builder
* Breaker
* Defender

### Getting Started

* [WrongSecrets Github repo](https://github.com/OWASP/wrongsecrets "Github Repository")
* [Online demo env (Heroku)](https://wrongsecrets.herokuapp.com/ "Online demo on a Heroku Dyno")
* [Sometimes Online CTF demo (Heroku)](https://wrongsecrets-ctf.herokuapp.com/ "Online demo on a Heroku Dyno, which is not always up")
* [Online demo (Render.io free)](https://wrongsecrets.onrender.com/ "Online demo on a free Render.io instance")
* [Get Latest Docker](https://hub.docker.com/r/jeroenwillemsen/wrongsecrets "WrongSecrets docker container")
* [Get Latest WrongSecrets Desktop](https://hub.docker.com/r/jeroenwillemsen/wrongsecrets-desktop "WrongSecrets-desktop docker container")
* [Download Releases](https://github.com/OWASP/wrongsecrets/releases "WrongSecrets releases")

### Socials and Support

* [Slack Channel](https://owasp.slack.com/messages/project-wrongsecrets "OWASP Slack") ([Self-registration](https://owasp.org/slack/invite "Get yourself invited to OWASP Slack"))
* [Twitter Jeroen](https://twitter.com/commjoenie "Twitter Jeroen Willemsen")
* [Twitter Ben](https://twitter.com/BJFdeHaan "Twitter Ben de Haan")

### Code Repository

* [Github repo](https://github.com/OWASP/wrongsecrets "Github Repository")
* [Github repo binaries](https://github.com/OWASP/wrongsecrets-binaries "Github Repository for the binary challenges")
* [Github CTF party repo](https://github.com/OWASP/wrongsecrets-ctf-party "Github Repository for WrongSecrets CTF Party")

### Getting Involved

* [Code of Conduct](https://github.com/OWASP/wrongsecrets/blob/master/CODE_OF_CONDUCT.md)
* [Contributing to the project](https://github.com/OWASP/wrongsecrets/blob/master/CONTRIBUTING.md)

### Sponsoring

* [Sponsor the project](https://owasp.org/donate/?reponame=www-project-wrongsecrets&title=OWASP+wrongsecrets)

--------------------------------------------------------------------------------
/leaders.md:
--------------------------------------------------------------------------------
### Leaders

* [Jeroen Willemsen](mailto:jeroen.willemsen@owasp.org) ([@commjoenie](https://twitter.com/commjoenie "Twitter Jeroen Willemsen"))
* [Ben de Haan](mailto:ben.dehaan@owasp.org) ([@BJFdeHaan](https://twitter.com/BJFdeHaan "Twitter Ben de Haan"))

--------------------------------------------------------------------------------
/tab_ctf.md:
--------------------------------------------------------------------------------
---
title: CTF
layout: col-sidebar
tab: true
order: 2
tags: wrongsecrets
---

## CTF

### With just OWASP WrongSecrets

We support playing CTFs with OWASP WrongSecrets! Want to know more? Have a look at [the Git repo README](https://github.com/OWASP/wrongsecrets#ctf) and [the additional CTF documentation](https://github.com/OWASP/wrongsecrets/blob/master/ctf-instructions.md).

### With OWASP WrongSecrets-CTF-Party

[![Github Stars](https://img.shields.io/github/stars/OWASP/wrongsecrets-ctf-party?label=Stars%20wrongsecrets-ctf-party&style=social)](https://github.com/OWASP/wrongsecrets-ctf-party/stargazers) [![Docker pulls](https://img.shields.io/docker/pulls/jeroenwillemsen/wrongsecrets-balancer.svg)](https://img.shields.io/docker/pulls/jeroenwillemsen/wrongsecrets-balancer.svg)

Want to play OWASP WrongSecrets in a large group in CTF mode, but without the hassle of setting up local copies of OWASP WrongSecrets? Here is [OWASP WrongSecrets CTF Party](https://github.com/OWASP/wrongsecrets-ctf-party)! This is a fork of [OWASP MultiJuicer](https://github.com/iteratec/multi-juicer), adapted into a dynamic multi-tenant setup for doing a CTF together!

Note that we:

- have a [Webtop](https://docs.linuxserver.io/images/docker-webtop) integrated for each player
- have a WrongSecrets instance integrated for each player
- have a working admin interface which can restart or delete both (by deleting the full namespace)
- can clean up old & unused namespaces automatically.

You can currently play [OWASP WrongSecrets CTF Party](https://github.com/OWASP/wrongsecrets-ctf-party) using:

- Any k8s setup that allows you to have multiple namespaces (including Minikube), by leveraging our [helm charts](https://owasp.org/wrongsecrets-ctf-party).
- AWS, Azure, and GCP, by using the terraform which is part of the repo.

## Special thanks

Special thanks to [@commjoen](https://github.com/commjoen), [@madhuakula](https://github.com/madhuakula), [@bendehaan](https://github.com/bendehaan), [@mikewoudenberg](https://github.com/mikewoudenberg), and [@osamamagdy](https://github.com/osamamagdy) for making this port a reality!

--------------------------------------------------------------------------------
/tab_overview.md:
--------------------------------------------------------------------------------
---
title: Overview
layout: col-sidebar
tab: true
order: 1
tags: wrongsecrets
---

## Overview

The application can best be run as a [Docker container](https://hub.docker.com/r/jeroenwillemsen/wrongsecrets) as part of a K8s cluster. Some challenges are unique to specific public clouds (AWS, GCP, and Azure only for now).

![overview](assets/images/layerswithchallenges.png)

The overview above shows which technologies are mainly used to build up the full application. Consult the [GitHub repo readme](https://github.com/OWASP/wrongsecrets) for more information.

--------------------------------------------------------------------------------
/tab_passwords.md:
--------------------------------------------------------------------------------
---
title: passwords
layout: col-sidebar
tab: true
order: 4
tags: wrongsecrets
---

## Creating Passwords
You can create various types of passwords. OWASP WrongSecrets has quite a few of them as examples.
There are complex passwords, which you can easily create with tools like OpenSSL and/or password managers.
There are short passphrases, which you can easily remember.
There are longer passphrases, with a more extensive set of words involved.

### Complex passwords
Complex passwords can easily be generated securely using tools like OpenSSL (using `openssl rand -base64 20`) or a password manager. Take the generation of challenge 31's password as an example: the password (SGF2ZSBhIG5pY2UgZGF5) was obtained using random information generated through OpenSSL.

Of course, we need to reference the [(in)famous XKCD on this topic](https://xkcd.com/936/).

### Short passphrases
Short passphrases use short combinations of words. These are easy to think of and easy to remember. The solution to challenge 0 is a good example: a short passphrase (the first answer) is used as the solution.

### Longer passphrases
In other challenges we packed longer passphrases, which are still easy to remember but have a lot more entropy to them.
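
The three categories above differ mainly in where their entropy comes from. The following added example (not code from the OWASP WrongSecrets project) generates each kind with a CSPRNG and compares their entropy: the `openssl rand -base64 20` equivalent gets 8 bits per random byte, while a passphrase gets log2(word list size) bits per uniformly chosen word. The word list is a constructed sample; the 7776-word size used in the comparison is an assumption matching a diceware-style list.

```python
"""Generate complex passwords, short passphrases and longer passphrases, and
compare their entropy. Added example, not code from OWASP WrongSecrets."""
import base64
import math
import secrets

# Constructed sample word list. A real passphrase generator needs a list of
# thousands of words; this tiny list only keeps the example self-contained.
SAMPLE_WORDS = [
    "apple", "river", "candle", "orbit", "velvet", "quartz", "meadow", "lantern",
    "copper", "falcon", "harbor", "ivory", "jungle", "kettle", "marble", "nectar",
]

# Assumed list size for the entropy comparison (diceware-style lists have 7776 words).
DICEWARE_LIST_SIZE = 7776


def complex_password(n_bytes: int = 20) -> str:
    """Same construction as `openssl rand -base64 20`: n_bytes from the OS CSPRNG, base64 encoded."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def complex_password_entropy_bits(n_bytes: int = 20) -> float:
    """Entropy comes from the random bytes, not from the length of the base64 text."""
    return 8.0 * n_bytes


def passphrase(word_count: int, words=SAMPLE_WORDS, separator: str = " ") -> str:
    """Short (e.g. 3 words) or longer (e.g. 6+ words) passphrase; each word is chosen uniformly."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Each uniformly chosen word contributes log2(list_size) bits, independent of word length."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest passphrase length from a list_size-word list that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def compare(list_size: int = DICEWARE_LIST_SIZE) -> dict:
    """Entropy in bits for the three categories described on this page."""
    return {
        "complex (20 random bytes, base64)": complex_password_entropy_bits(20),
        "short passphrase (3 words)": passphrase_entropy_bits(3, list_size),
        "longer passphrase (6 words)": passphrase_entropy_bits(6, list_size),
    }


if __name__ == "__main__":
    print("complex  :", complex_password())
    print("short    :", passphrase(3))
    print("longer   :", passphrase(6))
    for label, bits in compare().items():
        print(f"{label}: {bits:.1f} bits")
    print("words from a 7776-word list needed to match 160 bits:",
          words_needed(160, DICEWARE_LIST_SIZE))
```

Note that the 6-word passphrase still falls well short of the 160 bits of the OpenSSL password; it trades entropy for memorability, which is why the page reserves longer passphrases for secrets a human has to remember.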

## References
NIST Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html
OWASP Authentication cheatsheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

--------------------------------------------------------------------------------
/tab_webdesktop.md:
--------------------------------------------------------------------------------
---
title: webdesktop
layout: col-sidebar
tab: true
order: 3
tags: wrongsecrets
---

## Wrongsecrets Desktop
[![Docker pulls](https://img.shields.io/docker/pulls/jeroenwillemsen/wrongsecrets-desktop?label=docker%20pulls%20wrongsecrets-desktop)](https://hub.docker.com/r/jeroenwillemsen/wrongsecrets-desktop)[![Docker pulls](https://img.shields.io/docker/pulls/jeroenwillemsen/wrongsecrets-desktop-k8s?label=docker%20pulls%20wrongsecrets-desktop-k8s)](https://hub.docker.com/r/jeroenwillemsen/wrongsecrets-desktop-k8s)

Want to try out the secrets hunting, but don't want to install all the recommended tools? Try our [WrongSecrets desktop](https://hub.docker.com/r/jeroenwillemsen/wrongsecrets-desktop).

WrongSecrets desktop

You can run all the tools and a desktop environment in a container by doing the following:

```shell
docker run -p 3000:3000 jeroenwillemsen/wrongsecrets-desktop:latest
```

and open a browser at [http://localhost:3000](http://localhost:3000).
Want to know more? Check out the [Readme at the WrongSecrets github repo](https://github.com/OWASP/wrongsecrets#want-to-play-but-are-not-allowed-to-install-the-tools).

--------------------------------------------------------------------------------