Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to not store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.
Can you solve all the 58 challenges?
Try some of them on our Heroku demo environment.
Want to play the other challenges? Read the instructions on how to set them up below.
New to WrongSecrets? Start here:
- Try Online First: Visit our Heroku demo to get familiar with the challenges
- Run Locally: Use Docker for the full experience with all challenges:

      docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault

  Then open http://localhost:8080
- Want to see what's ahead? Try our bleeding-edge master container with the latest features:

      docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master

  ⚠️ Note: This is a development version and may be unstable
- Advanced Setup: For cloud challenges and Kubernetes exercises, see the detailed instructions below
What you'll learn:
- Common secrets management mistakes
- How to identify exposed credentials
- Best practices for securing secrets
- Tools and techniques for secret detection
How it works: This repository contains intentionally vulnerable code and configuration files with real and fake secrets hidden throughout the codebase. You'll examine source code, configuration files, Docker containers, and cloud deployments to discover these secrets. Each challenge teaches you different ways secrets can be accidentally exposed in real-world applications.
For basic usage:
- A web browser
- Docker (for local setup) - Install here
For advanced setups:
- Kubernetes/Minikube - Install here
- Cloud account (AWS/GCP/Azure) for cloud challenges
- Command line familiarity
Need support? Contact us via OWASP Slack (for which you sign up here), file a PR, file an issue, or use discussions. Please note that this is an OWASP volunteer-based project, so it might take a little while before we respond.
Copyright (c) 2020-2025 Jeroen Willemsen and WrongSecrets contributors.
Not sure which setup is right for you? Here's a quick guide:
| I want to... | Recommended Setup | Challenges Available | 
|---|---|---|
| Try it quickly online | Container running on Heroku | Basic challenges (1-4, 8, 12-32, 34-43, 49-52, 54-58) | 
| Run locally with Docker | Basic Docker | Same as above, but on your machine | 
| Learn Kubernetes secrets | K8s/Minikube Setup | Kubernetes challenges (1-6, 8, 12-43, 48-58) | 
| Practice with cloud secrets | Cloud Challenges | All challenges (1-87) | 
| Run a workshop/CTF | CTF Setup | Customizable challenge sets | 
| Contribute to the project | Development Setup | All challenges + development tools | 
Can be used for challenges 1-4, 8, 12-32, 34-43, 49-52, 54-58
For the basic docker exercises you currently require:
- Docker Install from here
- Some Browser that can render HTML
You can install it by doing:

    docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault

🚀 Want to try the bleeding-edge version?
If you want to see what's coming in the next release, you can use our automatically-built master container:

    docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master

Now you can try to find the secrets by solving the challenges offered at the links below (all the links for the Docker challenges):
- localhost:8080/challenge/challenge-1
- localhost:8080/challenge/challenge-2
- localhost:8080/challenge/challenge-3
- localhost:8080/challenge/challenge-4
- localhost:8080/challenge/challenge-8
- localhost:8080/challenge/challenge-12
- localhost:8080/challenge/challenge-13
- localhost:8080/challenge/challenge-14
- localhost:8080/challenge/challenge-15
- localhost:8080/challenge/challenge-16
- localhost:8080/challenge/challenge-17
- localhost:8080/challenge/challenge-18
- localhost:8080/challenge/challenge-19
- localhost:8080/challenge/challenge-20
- localhost:8080/challenge/challenge-21
- localhost:8080/challenge/challenge-22
- localhost:8080/challenge/challenge-23
- localhost:8080/challenge/challenge-24
- localhost:8080/challenge/challenge-25
- localhost:8080/challenge/challenge-26
- localhost:8080/challenge/challenge-27
- localhost:8080/challenge/challenge-28
- localhost:8080/challenge/challenge-29
- localhost:8080/challenge/challenge-30
- localhost:8080/challenge/challenge-31
- localhost:8080/challenge/challenge-32
- localhost:8080/challenge/challenge-34
- localhost:8080/challenge/challenge-35
- localhost:8080/challenge/challenge-36
- localhost:8080/challenge/challenge-37
- localhost:8080/challenge/challenge-38
- localhost:8080/challenge/challenge-39
- localhost:8080/challenge/challenge-40
- localhost:8080/challenge/challenge-41
- localhost:8080/challenge/challenge-42
- localhost:8080/challenge/challenge-43
- localhost:8080/challenge/challenge-49
- localhost:8080/challenge/challenge-50
- localhost:8080/challenge/challenge-51
- localhost:8080/challenge/challenge-52
- localhost:8080/challenge/challenge-54
- localhost:8080/challenge/challenge-55
- localhost:8080/challenge/challenge-56
- localhost:8080/challenge/challenge-57
- localhost:8080/challenge/challenge-58
Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
You can test them out at https://wrongsecrets.herokuapp.com/ as well! The folks at Heroku have given us an awesome open source support package, which allows us to run the app for free there, where it is almost always up. Still, please do not fuzz and/or try to bring it down: you would be spoiling it for others that want to test-drive it. Use this link to use our hosted version of the app. If you want to host it on Heroku yourself (e.g., for running a training), you can do so by clicking this link. Please be aware that this will incur costs for which this project and/or its maintainers cannot be held responsible.
status: experimental
You can test them out at https://wrongsecrets.onrender.com/. Please understand that we run on a free-tier instance, so we cannot give any guarantees. Please do not fuzz and/or try to bring it down: you would be spoiling it for others that want to test-drive it. Want to deploy yourself with Render? Click the button below:
status: maintained by alphasec.io
If you want to host WrongSecrets on Railway, you can do so by deploying this one-click template. Railway does not offer an always-free plan anymore, but the free trial is good enough to test-drive this before you decide to upgrade. If you need a step-by-step companion guide, see this blog post.
Can be used for challenges 1-6, 8, 12-43, 48-58
Make sure you have the following installed:
- Docker Install from here
- Minikube Install from here
The K8S setup currently is based on using Minikube for local fun. You can use the commands below from the root of the project:

    minikube start
    kubectl apply -f k8s/secrets-config.yml
    kubectl apply -f k8s/secrets-secret.yml
    kubectl apply -f k8s/challenge33.yml
    kubectl apply -f k8s/challenge53/secret-challenge53.yml
    echo "Setting up the bitnami sealed secret controller"
    kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.0/controller.yaml
    kubectl apply -f k8s/sealed-secret-controller.yaml
    kubectl apply -f k8s/main.key
    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
    kubectl create -f k8s/sealed-challenge48.json
    echo "finishing up the sealed secret controller part"
    sleep 10 # or check whether secret48 is there
    kubectl apply -f k8s/secret-challenge-deployment.yml
    while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
    kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
    minikube service secret-challenge

Alternatively you can do:

    ./k8s-vault-minikube-start.sh

Now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
- localhost:8080/challenge/challenge-5
- localhost:8080/challenge/challenge-6
- localhost:8080/challenge/challenge-33
- localhost:8080/challenge/challenge-48
Want to run vanilla on your own k8s? Use the commands below:

    kubectl apply -f k8s/secrets-config.yml
    kubectl apply -f k8s/secrets-secret.yml
    echo "Setting up the bitnami sealed secret controller"
    kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.27.0/controller.yaml
    kubectl apply -f k8s/sealed-secret-controller.yaml
    kubectl apply -f k8s/main.key
    kubectl delete pod -n kube-system -l name=sealed-secrets-controller
    kubectl create -f k8s/sealed-challenge48.json
    echo "finishing up the sealed secret controller part"
    sleep 10 # or check whether secret48 is there
    kubectl apply -f k8s/challenge33.yml
    kubectl apply -f k8s/secret-challenge-deployment.yml
    while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
    kubectl port-forward \
        $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
        8080:8080

Now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
- localhost:8080/challenge/challenge-5
- localhost:8080/challenge/challenge-6
- localhost:8080/challenge/challenge-33
- localhost:8080/challenge/challenge-48
Can be used for challenges 1-8, 12-58

Make sure you have the following installed:
- minikube with docker (or comment out line 8 and work at your own k8s setup),
- docker,
- helm Install from here,
- kubectl Install from here,
- jq Install from here,
- vault Install from here,
- grep, cat, and sed
Run `./k8s-vault-minikube-start.sh`; when the script is done, the challenges will wait for you at http://localhost:8080. This will allow you to run challenges 1-8, 12-48.
When you have stopped the `k8s-vault-minikube-start.sh` script and want to resume the port forward, run `k8s-vault-minikube-resume.sh`.
Do not simply run the start script again: it would replace the secret in Vault without updating the secret-challenge application with the new secret.
Can be used for challenges 1-58
READ THIS: Given that the exercises below contain IAM privilege escalation exercises, never run this on an account which is related to your production environment or can influence your account-overarching resources.
Follow the steps in the README in the AWS subfolder.
Follow the steps in the README in the GCP subfolder.
Follow the steps in the README in the Azure subfolder.
When you want to include your own Canarytokens for your cloud-deployment, do the following:
- Fork the project.
- Make sure you use the GCP ingress or AWS ingress scripts to generate an ingress for your project.
- Go to canarytokens.org and select AWS Keys; in the webhook URL field add `<your-domain-created-at-step1>/canaries/tokencallback`.
- Encrypt the received credentials so that Challenge15 can decrypt them again.
- Commit the unencrypted and encrypted materials to Git and then commit again without the decrypted materials.
- Adapt the hints of Challenge 15 in your fork to point to your fork.
- Create a container and push it to your registry
- Override the K8s definition files for either AWS or GCP.
Each challenge has a Show hints button and a What's wrong? button. These buttons help to simplify the challenges and give explanation to the reader. Though, the explanations can spoil the fun if you want to do this as a hacking exercise.
Therefore, you can manipulate them by overriding the following settings in your env:
- `hints_enabled=false` will turn off the Show hints button.
- `reason_enabled=false` will turn off the What's wrong? explanation button.
- `spoiling_enabled=false` will turn off the `/spoil/challenge-x` endpoint (where `x` is the short-name of the challenge).
You can enable Swagger documentation and the Swagger UI by overriding the SPRINGDOC_UI and SPRINGDOC_DOC when running the Docker container.
Leaders:
Top contributors:
Contributors:
- Nanne Baars @nbaars
- Marcin Nowak @drnow4u
- Rodolfo Neves @roddas
- Osama Magdy @osamamagdy
- Pastekitoo @Pastekitoo
- Shubham Patel @Shubham-Patel07
- za @za
- Divyanshu Dev @Novice-expert
- Tibor Hercz @tiborhercz
- Chris Elbring Jr. @neatzsche
- Adarsh A @adarsh-a-tw
- Diamond Rivero @diamant3
- Norbert Wolniak @nwolniak
- Filip Chyla @fchyla
- Dmitry Litosh @Dlitosh
- Vineeth Jagadeesh @djvinnie
- Mahaputra Ilham Awal @mahaputrailhamawal
- Turjo Chowdhury @turjoc120
- SndR @SndR85
- Josh Grossman @tghosth
- alphasec @alphasecio
- CaduRoriz @CaduRoriz
- Madhu Akula @madhuakula
- Mike Woudenberg @mikewoudenberg
- Spyros @northdpole
- RubenAtBinx @RubenAtBinx
- Alex Bender @alex-bender
- Danny Lloyd @dannylloyd
- Nicolas Humblot @nhumblot
- Rick M @kingthorin
- Shlomo Zalman Heigh @szh
- Fern @f3rn0s
- Jeff Tong @Wind010
Testers:
- Dave van Stein @davevs
- Marcin Nowak @drnow4u
- Marc Chang Sing Pang @mchangsp
- Vineeth Jagadeesh @djvinnie
Special thanks:
- Madhu Akula @madhuakula
- Nanne Baars @nbaars
- Björn Kimminich @bkimminich
- Dan Gora @devsecops
- Xiaolu Dai @saragluna
- Jonathan Giles @jonathanGiles
We would like to thank the following parties for helping us out:
GitGuardian for their sponsorship which allows us to pay the bills for our cloud-accounts.
Jetbrains for licensing an instance of Intellij IDEA Ultimate edition to the project leads. We could not have been this fast with the development without it!
1Password for granting us an open source license to 1Password for the secret detection testbed.
AWS for granting us AWS Open Source credits which we use to test our project and the Wrongsecrets CTF Party setup on AWS.
You can help us by the following methods:
- Star us
- Share this app with others
- Of course, we can always use your help to get more flavors of "wrongly" configured secrets in, to spread awareness! We would love to get some help with other cloud providers, like Alibaba or Tencent Cloud for instance. Do you miss something other than a cloud provider? File an issue or create a PR! See our guide on contributing for more details. Contributors will be listed in releases, in the "Special thanks & Contributors" section, and in the web app.
As tons of secret detection tools are coming up for both Docker and Git, we are creating a Benchmark testbed for it. Want to know if your tool detects everything? We will keep track of the embedded secrets in this issue and have a branch in which we put additional secrets for your tool to detect. The branch will contain a Docker container generation script using which you can eventually test your container secret scanning.
We now provide an automated GitHub Action workflow that benchmarks multiple secret scanning tools against the WrongSecrets codebase. The Secret Scanner Comparison workflow tests 7 different tools:
- TruffleHog - Docker-based secret scanner
- git-secrets - AWS Labs' git hook scanner
- gitleaks - High-performance Go-based scanner
- detect-secrets - Yelp's enterprise scanner
- gittyleaks - Python-based pattern detector
- whispers - Skyscanner's structured scanner
- trufflehog3 - Python version of TruffleHog
The workflow runs weekly and provides a comparison table showing how many secrets each tool detects, helping you understand the relative effectiveness of different secret scanning tools. See docs/scanner-comparison.md for more details on running and interpreting the results.
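To make concrete what the benchmarked tools actually do, and what "tools and techniques for secret detection" means in practice, here is an added example: a minimal scanner written for this README, not code from the WrongSecrets project or from any of the seven tools above. It combines the two strategies those tools rely on, pattern matching (key formats, private-key headers, credential-looking assignments) and Shannon-entropy scoring of long base64-like runs, and a small harness that produces the kind of per-scanner comparison table the workflow reports. The sample files, paths, ground truth and the three "scanners" are constructed for the illustration; the AWS values are the publicly documented AWS example credentials. Note how the placeholder allowlist keeps `${API_TOKEN}` and `changeme` out of the findings, how a hex digest never crosses the 4.0 bits/char threshold, and how findings are redacted before being reported.

```python
"""Minimal secret scanner and scanner-comparison harness.

Added example for this README; not part of the WrongSecrets code base and not
one of the seven benchmarked tools. All file contents, paths and "scanners"
below are constructed for illustration.
"""
import math
import re

# Constructed sample repository: a few files with planted credentials.
# The AWS values are the publicly documented AWS example credentials;
# everything else is made up for this example.
SAMPLE_FILES = {
    "src/main/resources/application.properties": [
        "server.port=8080",
        "db.user=app",
        "db.password=Sup3rS3cretP@ssw0rd!",
        "api.token=${API_TOKEN}",
        "jwt.secret=changeme",
        "image.digest=sha256:3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
    ],
    "deploy/env.sh": [
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "export LOG_LEVEL=debug",
    ],
    "keys/id_rsa": [
        "-----BEGIN OPENSSH PRIVATE KEY-----",
        "(key material omitted in this constructed sample)",
        "-----END OPENSSH PRIVATE KEY-----",
    ],
}

# Ground truth for the comparison table: (file, 1-based line) pairs that
# genuinely leak a secret. Placeholders and the image digest are not secrets.
GROUND_TRUTH = {
    ("src/main/resources/application.properties", 3),
    ("deploy/env.sh", 1),
    ("deploy/env.sh", 2),
    ("keys/id_rsa", 1),
}

# Values that look like credentials but are obviously dummies.
PLACEHOLDERS = {"changeme", "password", "secret", "todo", "xxx", "example"}

AWS_ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
KEYWORD_ASSIGN_RE = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|token)[a-z0-9_]*\s*[:=]\s*[\"']?([^\s\"']+)"
)
# Base64-alphabet runs long enough to be a key or token.
BASE64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{20,}")
# Hex digests never exceed log2(16) = 4.0 bits/char, so they stay below this.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for a constant string)."""
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    """True for templated (${VAR}, <fill-me>) or well-known dummy values."""
    v = value.strip().lower()
    return v.startswith("${") or v.startswith("<") or v in PLACEHOLDERS


def redact(value):
    """Keep a short prefix for triage; never echo the full secret in a report."""
    return value[:4] + "*" * max(0, len(value) - 4)


def pattern_rules(line):
    """Pattern-based detection: yields (rule, matched value) for one line."""
    for m in AWS_ACCESS_KEY_RE.finditer(line):
        yield "aws-access-key-id", m.group(0)
    if PRIVATE_KEY_RE.search(line):
        yield "private-key-header", line.strip()
    for m in KEYWORD_ASSIGN_RE.finditer(line):
        if not is_placeholder(m.group(1)):
            yield "keyword-assignment", m.group(1)


def entropy_rules(line):
    """Entropy-based detection: flags long high-entropy base64-like runs."""
    for m in BASE64_TOKEN_RE.finditer(line):
        if shannon_entropy(m.group(0)) > ENTROPY_THRESHOLD:
            yield "high-entropy-string", m.group(0)


# Three constructed "scanners" with different strategies, mirroring why the
# benchmarked tools disagree on how many secrets they find.
SCANNERS = {
    "pattern-only": [pattern_rules],
    "entropy-only": [entropy_rules],
    "combined": [pattern_rules, entropy_rules],
}


def scan(files, detectors):
    """Run the given detectors over every line; return redacted findings."""
    findings = []
    for path, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            for detector in detectors:
                for rule, value in detector(line):
                    findings.append(
                        {"file": path, "line": lineno, "rule": rule, "value": redact(value)}
                    )
    return findings


def compare(files, ground_truth):
    """Per-scanner counts of found / true-positive / false-positive / missed locations."""
    table = {}
    for name, detectors in SCANNERS.items():
        found = {(f["file"], f["line"]) for f in scan(files, detectors)}
        table[name] = {
            "found": len(found),
            "true_positives": len(found & ground_truth),
            "false_positives": len(found - ground_truth),
            "missed": len(ground_truth - found),
        }
    return table


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, SCANNERS["combined"]):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['value']}")
    print(f"{'scanner':14}{'found':>7}{'TP':>5}{'FP':>5}{'missed':>8}")
    for name, row in compare(SAMPLE_FILES, GROUND_TRUTH).items():
        print(f"{name:14}{row['found']:>7}{row['true_positives']:>5}"
              f"{row['false_positives']:>5}{row['missed']:>8}")
```

Run it as a script and the table shows the pattern-only scanner finding all four planted secrets while the entropy-only scanner finds just the AWS secret key (the only value long and random enough to score above the threshold); that gap is exactly what the weekly comparison makes visible across real tools, and why the benchmark branch plants secrets of several shapes rather than one.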
We have 3 ways of playing CTFs:
- The quick "let's play"-approach based on our own Heroku domain https://wrongsecrets-ctf.herokuapp.com, which we documented for you here.
- A more extended approach documented in ctf-instructions.md.
- A fully customizable CTF setup where every player gets its own virtual instance of WrongSecrets and a virtual instance of the wrongsecrets-desktop, so they all can play hassle-free. For this you have to use the WrongSecrets CTF Party setup.
Want to use CTFD to play a CTF based on the free Heroku wrongsecrets-ctf instance? You can!
NOTE: CTFD support now works based on the Juiceshop CTF CLI.
NOTE-II: https://wrongsecrets-ctf.herokuapp.com (temporarily down due to lack of OSS credits) is based on Heroku and has limited capacity.
Initial creation of the zip file for CTFD requires you to visit https://wrongsecrets-ctf.herokuapp.com/api/Challenges once before executing the steps below.
Follow the following steps:

    npm install -g [email protected]
    juice-shop-ctf # choose ctfd and https://wrongsecrets-ctf.herokuapp.com as domain. No trailing slash! The key is 'TRwzkRJnHOTckssAeyJbysWgP!Qc2T', feel free to enable hints. We do not support snippets or links/urls to code or hints.
    docker run -p 8001:8000 -it ctfd/ctfd:3.7.4

Now visit the CTFD instance at http://localhost:8001 and set up your CTF. Then use the administrative backup function to import the zip file you created with the juice-shop-ctf command. Game on using https://wrongsecrets-ctf.herokuapp.com! Want to set up your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our Heroku container.
NOTE: FBCTF support is experimental.
Follow the same step as with CTFD, only now choose fbctfd and as a url for the countrymapping choose https://raw.githubusercontent.com/OWASP/wrongsecrets/79a982558016c8ce70948a8106f9a2ee5b5b9eea/config/fbctf.yml.
Then follow https://github.com/facebookarchive/fbctf/wiki/Quick-Setup-Guide to run the FBCTF.
For development on a local machine use the local profile:

    ./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault

If you want to test against Vault without K8s: start Vault locally with

    export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'
    export VAULT_API_ADDR='http://127.0.0.1:8200'
    vault server -dev

and in your next terminal, do (with the token from the previous commands):

    export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'
    export SPRING_CLOUD_VAULT_TOKEN='<TOKENHERE>'
    vault token create -id="00000000-0000-0000-0000-000000000000" -policy="root"
    vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)"
    vault kv put secret/injected vaultinjected.value="$(openssl rand -base64 16)"
    vault kv put secret/codified challenge47secret.value="debugvalue"

Now use the local-vault profile to do your development:

    ./mvnw spring-boot:run -Dspring-boot.run.profiles=local,local-vault

If you want to develop without a Vault instance, use the without-vault profile in addition:

    ./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault

Want to push a container? See .github/scripts/docker-create-and-push.sh for a script that generates and pushes all containers. Do not forget to rebuild the app before composing the container.
Want to check why something in Vault is not working in Kubernetes? Run `kubectl exec vault-0 -n vault -- vault audit enable file file_path=stdout`.
We have CycloneDX and OWASP Dependency-check integrated to check dependencies for vulnerabilities.
You can run the OWASP Dependency-Check by calling `mvn dependency-check:aggregate`, and `mvn cyclonedx:makeBom` to use CycloneDX to create an SBOM.
OWASP WrongSecrets uses the dependency-check-maven plugin to automatically scan project dependencies for known vulnerabilities (CVEs).
- The plugin runs during the Maven build (./mvnw clean install) and checks all dependencies against public vulnerability databases.
- By default, it uses the NVD (National Vulnerability Database) and can also use OSS Index for additional coverage.
The plugin is configured in pom.xml under the `<build><plugins>` section:

    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>${dependency-check-maven.version}</version>
      <configuration>
        <nvdApiKey>...</nvdApiKey>
        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
        <ossIndexServerId>ossindex</ossIndexServerId>
        <ossindexAnalyzerEnabled>true</ossindexAnalyzerEnabled> <!-- SET THIS TO FALSE IF YOU HAVE NO SONATYPE ACCOUNT! -->
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>

- `nvdApiKey`: API key for accessing the NVD database (recommended for faster and more reliable scans).
- `ossIndexServerId`: References credentials in your Maven settings.xml for OSS Index (see below).
- `ossindexAnalyzerEnabled`: Set to `true` to enable OSS Index scanning. If you encounter authentication errors (401), set this to `false` to disable OSS Index.
To use OSS Index, you need to add your credentials to your Maven settings.xml:

    <servers>
      <server>
        <id>ossindex</id>
        <username>YOUR_OSSINDEX_USERNAME</username>
        <password>YOUR_OSSINDEX_API_TOKEN</password>
      </server>
    </servers>

Replace YOUR_OSSINDEX_USERNAME and YOUR_OSSINDEX_API_TOKEN with your OSS Index account details.
- If you see 401 Unauthorized errors for OSS Index, check your credentials or disable OSS Index by setting `<ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>` in pom.xml.
- You can always run the build without OSS Index if you prefer only NVD-based scanning.
See Dependency-Check Maven Plugin Documentation for advanced configuration options.
Requirements: make sure you have the following tools installed: Docker, Java 25 JDK, NodeJS 24 and IntelliJ IDEA.
- Fork and clone the project as described in the documentation.
- Import the project in IntelliJ (e.g. import as mvn project / local sources)
- Go to the project settings and make sure it uses Java 25 (and that the JDK can be found)
- Go to the IDE settings>Language & Frameworks > Lombok and make sure Lombok processing is enabled
- Open the Maven tab in your IDEA and run "Reload All Maven Projects" to make the system sync and download everything. Next, in that same tab use the "install" option as part of the OWASP WrongSecrets Lifecycle to generate the asciidoc and such.
- Now run the `main` method in `org.owasp.wrongsecrets.WrongSecretsApplication.java`. This should fail with a stack trace.
- Now go to the run configuration of the app and make sure you have the active profile without-vault. This is done by setting the VM options arguments to `--server.port=8080 --spring.profiles.active=local,without-vault`. Set `K8S_ENV=docker` as environment argument.
- Repeat step 6: run the app again, you should have a properly running application which is visitable in your browser at http://localhost:8080.
Pictorial Guide on how to get the project started in IntelliJ IDEA is available at Contributing.md.
Feel free to edit and propose changes via pull requests. Be sure to follow our guidance in the documentation to get your work accepted.
Please note that we officially only support Linux and MacOS for development. If you want to develop using a Windows machine, use WSL2 or a virtual machine running Linux. We did include Windows detection & a bunch of exe files for a first experiment, but are looking for active maintainers of them. Want to make sure it runs on Windows? Create PRs ;-).
If, after reading this section, you still have no clue on the application code: Have a look at some tutorials on Spring boot from Baeldung.
To make changes load faster we added spring-dev-tools to the Maven project.
To enable this in IntelliJ automatically, make sure:
- Under Compiler -> Automatically build project is enabled, and
- Under Advanced settings -> Allow auto-make to start even if developed application is currently running.
You can also manually invoke: Build -> Recompile the file you just changed, this will also force reloading of the application.
Follow the steps below on adding a challenge:
- First make sure that you have an Issue reported for which a challenge is really wanted.
- Add the new challenge in the `org.owasp.wrongsecrets.challenges` folder. Make sure you add an explanation in `src/main/resources/explanations` and refer to it from your new Challenge class.
- Add unit, integration and UI tests as appropriate to show that your challenge is working.
- Do not forget to configure the challenge in src/main/resources/wrong-secrets-configuration.yaml
- Review the CONTRIBUTING guide for setting up your contributing environment and writing good commit messages.
For more details please refer to Contributing.md.
If you want to move existing cloud challenges to another cloud: extend the Challenge classes in the org.owasp.wrongsecrets.challenges.cloud package and make sure you add the required Terraform in a separate folder identified by that cloud. Make sure that the environment is added to org.owasp.wrongsecrets.RuntimeEnvironment.
Collaborate with the others at the project to get your container running so you can test at the cloud account.
If you have made some changes to the codebase or added a new challenge and would like to see exactly how the container will look after merge for testing, we have a script that makes this very easy. Follow the steps below:
- Ensure you have bash installed and open.
- Navigate to .github/scripts.
- Run the docker-create script: `bash docker-create.sh`.
  - Note: Do you want to run this on your minikube? Then first run `eval $(minikube docker-env)`.
- Follow any instructions given; you may need to install/change packages.
- Run the newly created container:
  - to run it locally: `docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test-no-vault`
  - to run it on your minikube: use the container `jeroenwillemsen/wrongsecrets:local-test-k8s-vault` in your deployment definition.
  - to run it with Vault on your minikube: use the container `jeroenwillemsen/wrongsecrets:local-test-local-vault` in your deployment definition.
We currently have 2 different test-suites, both fired with ./mvnw test.
- A normal JUnit test suite of unit and integration tests, located in the `test/java` folder, with output stored in the default target directory.
- A Cypress test suite, integrated by means of a JUnit test, located in the `test/e2e` folder, with output stored at `target/test-classes/e2e/cypress/reports/`. See the Cypress readme for more details.
Note: You can do a full roundtrip of cleaning, building, and testing with ./mvnw clean install.
Docker Issues:
- Port already in use: Change the port mapping: docker run -p 8081:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
- Docker not found: Make sure Docker is installed and running
- Permission denied: On Linux, you might need to add your user to the docker group
Browser Issues:
- Can't access localhost:8080: Check if Docker container is running with docker ps
- Challenges not loading: Clear browser cache or try incognito mode
Kubernetes Issues:
- Minikube won't start: Try `minikube delete` then `minikube start`
- Pods stuck in pending: Check resources with kubectl describe pod <pod-name>
Need Help?
- Check our GitHub Issues
- Join us on OWASP Slack
- Review the Support section
If you want to play the challenges but cannot install tools like KeePass, Radare, etc., yet are allowed to run Docker containers, try the following:

    docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock jeroenwillemsen/wrongsecrets-desktop:latest

or use something more configurable:

    docker run -d \
      --name=webtop \
      --security-opt seccomp=unconfined \
      -e PUID=1000 \
      -e PGID=1000 \
      -e TZ=Europe/London \
      -e SUBFOLDER=/ \
      -e KEYBOARD=en-us-qwerty \
      -p 3000:3000 \
      -v /var/run/docker.sock:/var/run/docker.sock \
      --shm-size="2gb" \
      --restart unless-stopped \
      jeroenwillemsen/wrongsecrets-desktop:latest

And then open http://localhost:3000.
Note: be careful with trying to deploy the jeroenwillemsen/wrongsecrets-desktop container to Heroku ;-).
NOTE: We do not officially support Colima, as we can tell that Github runners have loads of issues with it.
If you cannot switch to Docker Desktop/Podman and you want to use Colima on Apple Silicon M1 to run the Docker image jeroenwillemsen/wrongsecrets, try one of:
- switch off Colima (colima stop)
- change Docker context (docker --context desktop-linux run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault)
- run Colima with 1 CPU (colima start -m 8 -c 1 --arch x86_64)
If you want to run WrongSecrets but without certain challenges you don't want to present to others: please read this section.
NOTE: Please note that we do not deliver any support to your fork when you follow the process below. Please understand that license and copyright of the original application remain intact for your fork.
Requirements:
- Have the JDK of Java 25 installed;
- Have an account at a registry to which you can push your variant of the WrongSecrets container;
Here are the steps you have to follow to create your own release of WrongSecrets with certain challenges disabled:
- Fork the repository.
- In `src/main/resources/wrong-secrets-configuration.yaml` remove the reference to the challenge you no longer want to have in your fork.
- In the root of the project run ./mvnw clean install
- Now build the Docker image for your target of choice:

      docker buildx create --name mybuilder
      docker buildx use mybuilder
      docker buildx build --platform linux/amd64,linux/arm64 -t <registry/container-name>:<yourtag>-no-vault --build-arg "argBasedPassword='this is on your command line'" --build-arg "PORT=8081" --build-arg "argBasedVersion=<yourtag>" --build-arg "spring_profile=without-vault" --push
      docker buildx build --platform linux/amd64,linux/arm64 -t <registry/container-name>:<yourtag>-kubernetes-vault --build-arg "argBasedPassword='this is on your command line'" --build-arg "PORT=8081" --build-arg "argBasedVersion=<yourtag>" --build-arg "spring_profile=kubernetes-vault" --push

Want to learn more? Check out the sources below: