OWASP WrongSecrets
Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to not store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.
Can you solve all the 33 challenges?
Try some of them on our Heroku demo environment.
Want to play the other challenges? Read the instructions on how to set them up below.
Table of contents
- Support
- Basic docker exercises
- Basic K8s exercise
- Cloud Challenges
- Do you want to play without guidance?
- Special thanks & Contributors
- Sponsorships
- Help Wanted
- Use OWASP WrongSecrets as a secret detection benchmark
- CTF
- Notes on development
- Want to play, but are not allowed to install the tools?
- Further reading on secrets management
Support
Need support? Contact us via OWASP Slack for which you sign up here , file a PR, file an issue , or use discussions. Please note that this is an OWASP volunteer based project, so it might take a little while before we respond.
Copyright (c) 2020-2023 Jeroen Willemsen and WrongSecrets contributors.
Basic docker exercises
Can be used for challenges 1-4, 8, 12-33
For the basic docker exercises you currently require:
- Docker Install from here
- Some Browser that can render HTML
You can install it by doing:
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
Now you can try to find the secrets by means of solving the challenge offered at:
- localhost:8080/challenge/1
- localhost:8080/challenge/2
- localhost:8080/challenge/3
- localhost:8080/challenge/4
- localhost:8080/challenge/8
- localhost:8080/challenge/12
- localhost:8080/challenge/13
- localhost:8080/challenge/14
- localhost:8080/challenge/15
- localhost:8080/challenge/16
- localhost:8080/challenge/17
- localhost:8080/challenge/18
- localhost:8080/challenge/19
- localhost:8080/challenge/20
- localhost:8080/challenge/21
- localhost:8080/challenge/22
- localhost:8080/challenge/23
- localhost:8080/challenge/24
- localhost:8080/challenge/25
- localhost:8080/challenge/26
- localhost:8080/challenge/27
- localhost:8080/challenge/28
- localhost:8080/challenge/29
- localhost:8080/challenge/30
- localhost:8080/challenge/31
- localhost:8080/challenge/32
Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
Running these on Heroku
You can test them out at https://wrongsecrets.herokuapp.com/ as well! But please understand that we have NO guarantees that this works. Given we run in Heroku free-tier, please do not fuzz and/or try to bring it down: you would be spoiling it for others that want to testdrive it.
Running on Fly.io
You can test them out at https://wrongsecrets.fly.dev as well! Please understand that we run on a free-tier instance, we cannot give any guarantees. Please do not fuzz and/or try to bring it down: you would be spoiling it for others that want to testdrive it.
Basic K8s exercise
Can be used for challenges 1-6, 8, 12-33
Minikube based
Make sure you have the following installed:
- Docker Install from here
- Minikube Install from here
The K8S setup currently is based on using Minikube for local fun:
minikube start
kubectl apply -f k8s/secrets-config.yml
kubectl apply -f k8s/secrets-secret.yml
kubectl apply -f k8s/challenge33.yml
kubectl apply -f k8s/secret-challenge-deployment.yml
while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
minikube service secret-challenge
now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
k8s based
Want to run vanilla on your own k8s? Use the commands below:
kubectl apply -f k8s/secrets-config.yml
kubectl apply -f k8s/secrets-secret.yml
kubectl apply -f k8s/challenge33.yml
kubectl apply -f k8s/secret-challenge-deployment.yml
while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
kubectl port-forward \
$(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
8080:8080
now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
Okteto based
Don't want to go over the hassle of setting up K8S yourself? visit https://wrongsecrets-commjoen.cloud.okteto.net. Please note that we are using the free Developer version here, so it might take a while for it to respond at first (e.g. "development environment not ready" and then a 50x for a minute). Please: do not try to hack/Fuzz the application as this might bring it down and spoil the fun for others.
Vault exercises with minikube
Can be used for challenges 1-8, 12-29 Make sure you have the following installed:
- minikube with docker (or comment out line 8 and work at your own k8s setup),
- docker,
- helm Install from here,
- kubectl Install from here,
- jq Install from here,
- vault Install from here,
- grep, Cat, and Sed
Run ./k8s-vault-minkube-start.sh
, when the script is done, then the challenges will wait for you at http://localhost:8080 . This will allow you to run challenges 1-8, 12-33.
When you stopped the k8s-vault-minikube-start.sh
script and want to resume the port forward run: k8s-vault-minikube-resume.sh
.
This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
Cloud Challenges
Can be used for challenges 1-33
READ THIS: Given that the exercises below contain IAM privilege escalation exercises, never run this on an account which is related to your production environment or can influence your account-over-arching resources.
Running WrongSecrets in AWS
Follow the steps in the README in the AWS subfolder.
Running WrongSecrets in GCP
Follow the steps in the README in the GCP subfolder.
Running WrongSecrets in Azure
Follow the steps in the README in the Azure subfolder.
Running Challenge15 in your own cloud only
When you want to include your own Canarytokens for your cloud-deployment, do the following:
- Fork the project.
- Make sure you use the GCP ingress or AWS ingress scripts to generate an ingress for your project.
- Go to canarytokens.org and select
AWS Keys
, in the webHook URL field add<your-domain-created-at-step1>/canaries/tokencallback
. - Encrypt the received credentials so that Challenge15 can decrypt them again.
- Commit the unencrypted and encrypted materials to Git and then commit again without the decrypted materials.
- Adapt the hints of Challenge 15 in your fork to point to your fork.
- Create a container and push it to your registry
- Override the K8s definition files for either AWS or GCP.
Do you want to play without guidance or spoils?
Each challenge has a Show hints
button and a What's wrong?
button. These buttons help to simplify the challenges and give explanation to the reader. Though, the explanations can spoil the fun if you want to do this as a hacking exercise.
Therefore, you can manipulate them by overriding the following settings in your env:
hints_enabled=false
will turn off theShow hints
button.reason_enabled=false
will turn of theWhat's wrong?
explanation button.spoiling_enabled=false
will turn off the/spoil-x
endpoint (wherex
is the number of the challenge).
Enabling Swaggerdocs and UI
You can enable Swagger documentation and the Swagger UI by overriding the SPRINGDOC_UI
and SPRINGDOC_DOC
when running the Docker container. See our Okteto Deployment for more details.
Special thanks & Contributors
Leaders:
Top contributors:
- Nanne Baars @nbaars
- Joss Sparkes @remakingeden
- Marcin Nowak @MarcinNowak-codes
- Tibor Hercz @tiborhercz
- Chris Elbring Jr. @neatzsche
- Puneeth Y @puneeth072003
- Mike Woudenberg @mikewoudenberg
- Divyanshu Dev @Novice-expert
- Filip Chyla @fchyla
- Dmitry Litosh @Dlitosh
- Josh Grossman @tghosth
- Turjo Chowdhury @turjoc120
- Spyros @northdpole
- Ruben Kruiver @RubenAtBinx
- Shlomo Zalman Heigh @szh
- Nicolas Humblot @nhumblot
- Madhu Akula @madhuakula
- Finn @f3rn0s
- Alex Bender @alex-bender
- Rick M @kingthorin
Testers:
Special mentions for helping out:
- Madhu Akula @madhuakula
- Björn Kimminich @bkimminich
- Dan Gora @devsecops
- Xiaolu Dai @saragluna
- Jonathan Giles @jonathanGiles
Sponsorships
We would like to thank the following parties for helping us out:
GitGuardian for their sponsorship which allows us to pay the bills for our cloud-accounts.
Jetbrains for licensing an instance of Intellij IDEA Ultimate edition to the project leads. We could not have been this fast with the development without it!
Docker for granting us their Docker Open Source Sponsored program.
1Password for granting us an open source license to 1Password for the secret detection testbed.
AWS for granting us AWS Open Source credits which we use to test our project and the Wrongsecrets CTF Party setup on AWS.
Help Wanted
You can help us by the following methods:
- Star us
- Share this app with others
- Of course, we can always use your help to get more flavors of "wrongly" configured secrets in to spread awareness! We would love to get some help with other cloud providers, like Alibaba or Tencent cloud for instance. Do you miss something else than a cloud provider? File an issue or create a PR! See our guide on contributing for more details. Contributors will be listed in releases, in the "Special thanks & Contributors"-section, and the web-app.
Use OWASP WrongSecrets as a secret detection benchmark
As tons of secret detection tools are coming up for both Docker and Git, we are creating a Benchmark testbed for it. Want to know if your tool detects everything? We will keep track of the embedded secrets in this issue and have a branch in which we put additional secrets for your tool to detect. The branch will contain a Docker container generation script using which you can eventually test your container secret scanning.
CTF
We have 3 ways of playing CTFs:
- The quick "let's play"-approach based on our own Heroku domain https://wrongsecrets-ctf.herokuapp.com or our Okteto domain https://wrongsecrets-ctf-commjoen.cloud.okteto.net/, which we documented for you here.
- A more extended approach documented in ctf-instructions.md.
- A fully customizable CTF setup where every player gets its own virtual instance of WrongSecrets and a virtual instance of the wrongsecrets-desktop, so they all can play hassle-free. For this you have to use the WrongSecrets CTF Party setup.
CTFD Support
Want to use CTFD to play a CTF based on the free Heroku wrongsecrets-ctf instance together with CTFD? You can!
NOTE: CTFD support now works based on the Juiceshop CTF CLI.
NOTE-II: https://wrongsecrets-ctf.herokuapp.com (temporary down based on lack of oss credits) is based on Heroku and has limited capacity. Alternatively you can use our Okteto setup at https://wrongsecrets-ctf-commjoen.cloud.okteto.net/, which uses a free tier and needs some time to warm up. However, the Okteto environment does have more resources & supports the kubernetes challenges, unlike our Heroku setup that only supports the Docker challenges.
Initial creation of the zip file for CTFD requires you to visit https://wrongsecrets-ctf.herokuapp.com/api/Challenges or https://wrongsecrets-ctf-commjoen.cloud.okteto.net/ once before executing the steps below.
Follow the following steps:
npm install -g [email protected]
juice-shop-ctf #choose ctfd and https://wrongsecrets-ctf.herokuapp.com (or https://wrongsecrets-ctf-commjoen.cloud.okteto.net/) as domain. No trailing slash! The key is 'TRwzkRJnHOTckssAeyJbysWgP!Qc2T', feel free to enable hints. We do not support snippets or links/urls to code or hints.
docker run -p 8001:8000 -it ctfd/ctfd:3.4.3
Now visit the CTFD instance at http://localhost:8001 and setup your CTF. Then use the administrative backup function to import the zipfile you created with the juice-shop-ctf command. Game on using https://wrongsecrets-ctf.herokuapp.com or https://wrongsecrets-ctf-commjoen.cloud.okteto.net/! Want to setup your own? You can! Watch out for people finding your key though, so secure it properly: make sure the running container with the actual ctf-key is not exposed to the audience, similar to our heroku container.
FBCTF Support (Experimental!)
NOTE: FBCTF support is experimental.
Follow the same step as with CTFD, only now choose fbctfd and as a url for the countrymapping choose https://raw.githubusercontent.com/OWASP/wrongsecrets/79a982558016c8ce70948a8106f9a2ee5b5b9eea/config/fbctf.yml
.
Then follow https://github.com/facebookarchive/fbctf/wiki/Quick-Setup-Guide to run the FBCTF.
Notes on development
For development on local machine use the local
profile ./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault
If you want to test against vault without K8s: start vault locally with
export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'
export VAULT_API_ADDR='http://127.0.0.1:8200'
vault server -dev
and in your next terminal, do (with the token from the previous commands):
export SPRING_CLOUD_VAULT_URI='http://127.0.0.1:8200'
export SPRING_CLOUD_VAULT_TOKEN='<TOKENHERE>'
vault token create -id="00000000-0000-0000-0000-000000000000" -policy="root"
vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)"
Now use the local-vault
profile to do your development.
./mvnw spring-boot:run -Dspring-boot.run.profiles=local,local-vault
If you want to dev without a Vault instance, use additionally the without-vault
profile to do your development:
./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault
Want to push a container? See .github/scripts/docker-create-and-push.sh
for a script that generates and pushes all containers. Do not forget to rebuild the app before composing the container
Dependency management
We have CycloneDX and OWASP Dependency-check integrated to check dependencies for vulnerabilities.
You can use the OWASP Dependency-checker by calling mvn dependency-check:aggregate
and mvn cyclonedx:makeBom
to use CycloneDX to create an SBOM.
Get the project started in IntelliJ IDEA
Requirements: make sure you have the following tools installed: Docker, Java19 JDK, NodeJS 18 and IntelliJ IDEA.
- Fork and clone the project as described in the documentation.
- Import the project in IntelliJ (e.g. import as mvn project / local sources)
- Go to the project settings and make sure it uses Java19 (And that the JDK can be found)
- Go to the IDE settings>Language & Frameworks > Lombok and make sure Lombok processing is enabled
- Open the Maven Tab in your IDEA and run "Reload All Maven Projects" to make the system sync and download everything. Next, in that same tab use the "install" option as part of the OWASP WrongSecrets Lifecycle to genereate the asciidoc and such.
- Now run the
main
method inorg.owasp.wrongsecrets.WrongSecretsApplication.java
. This should fail with a stack trace. - Now go to the run configuration of the app and make sure you have the active profile
without-vault
. This is done by setting the VM options arguments to-Dserver.port=8080 -Dspring.profiles.active=local,without-vault
. SetK8S_ENV=docker
as environment argument. - Repeat step 6: run the app again, you should have a properly running application which is visitable in your browser at http://localhost:8080.
Pictorial Guide on how to get the project started in IntelliJ IDEA is available at Contributing.md.
Feel free to edit and propose changes via pull requests. Be sure to follow our guidance in the documentation to get your work accepted.
Please note that we officially only support Linux and MacOS for development. If you want to develop using a Windows machine, use WSL2 or a virtual machine running Linux. We did include Windows detection & a bunch of exe
files for a first experiment, but are looking for active maintainers of them. Want to make sure it runs on Windows? Create PRs ;-).
If, after reading this section, you still have no clue on the application code: Have a look at some tutorials on Spring boot from Baeldung
Automatic reload during development
To make changes made load faster we added spring-dev-tools
to the Maven project.
To enable this in IntelliJ automatically, make sure:
- Under Compiler -> Automatically build project is enabled, and
- Under Advanced settings -> Allow auto-make to start even if developed application is currently running.
You can also manually invoke: Build -> Recompile the file you just changed, this will also force reloading of the application.
How to add a Challenge
Follow the steps below on adding a challenge:
- First make sure that you have an Issue reported for which a challenge is really wanted.
- Add the new challenge in the
org.owasp.wrongsecrets.challenges
folder. Make sure you add an explanation insrc/main/resources/explanations
and refer to it from your new Challenge class. - Add unit, integration and UI tests as appropriate to show that your challenge is working.
- Don't forget to add
@Order
annotation to your challenge ;-). - Review the CONTRIBUTING guide for setting up your contributing environment and writing good commit messages.
For more details please refer Contributing.md.
If you want to move existing cloud challenges to another cloud: extend Challenge classes in the org.owasp.wrongsecrets.challenges.cloud
package and make sure you add the required Terraform in a folder with the separate cloud identified. Make sure that the environment is added to org.owasp.wrongsecrets.RuntimeEnvironment
.
Collaborate with the others at the project to get your container running so you can test at the cloud account.
Local testing
If you have made some changes to the codebase or added a new challenge and would like to see exactly how the container will look after merge for testing, we have a script that makes this very easy. Follow the steps below:
- Ensure you have bash installed and open.
- Navigate to .github/scripts.
- Run the docker-create script
bash docker-create.sh
. - Follow any instructions given, you made need to install/change packages.
- Run the newly created container
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test
Want to play, but are not allowed to install the tools?
If you want to play the challenges, but cannot install tools like keepass, Radare, etc. But are allowed to run Docker containers, try the following:
docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock jeroenwillemsen/wrongsecrets-desktop:latest
or use something more configurable:
docker run -d \
--name=webtop \
--security-opt seccomp=unconfined \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/London \
-e SUBFOLDER=/ \
-e KEYBOARD=en-us-qwerty \
-p 3000:3000 \
-v /var/run/docker.sock:/var/run/docker.sock \
--shm-size="2gb" \
--restart unless-stopped \
jeroenwillemsen/wrongsecrets-desktop:latest
And then at http://localhost:3000.
Note: be careful with trying to deploy the jeroenwillemsen/wrongsecrets-desktop
container to Heroku ;-).
Docker on macOS with M1 and Colima (Experimental!)
NOTE: Colima support is experimental.
Using Colima (version 0.5.2 when written) you your macOS with Apple Silicon M1
to run Docker image jeroenwillemsen/wrongsecrets
you try one of:
- switch off Colima
- change Docker context
- run Colima with 1 CPU
Switch off Colima
colima stop
and run natively Docker image jeroenwillemsen/wrongsecrets
on ARM.
Change Docker context
Running docker image on Colima container runtimes on macOS Ventura with M1 CPU can run very slowly or can hang at some point.
Wrong Secrets provide arm64
Docker image and switching to desktop-linux
context will use the native arm64
image.
To do that in the terminal run:
docker context ls
you should see context default colima *
:
NAME TYPE DESCRIPTION DOCKER ENDPOINT KUBERNETES ENDPOINT ORCHESTRATOR
colima * moby colima unix:///Users/YOUR_USER_NAME/.colima/default/docker.sock
default moby Current DOCKER_HOST based configuration unix:///var/run/docker.sock https://127.0.0.1:6443 (default) swarm
desktop-linux moby unix:///Users/YOUR_USER_NAME/.docker/run/docker.sock
Now run one of the above Docker commands together with --context
switch e.g.:
docker --context desktop-linux run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
Run Colima with 1 CPU
Colima is using QEMU behind and for QEMU on Apple Silicon M1 is recommended to use 1 CPU core:
colima start -m 8 -c 1 --arch x86_64
and run with AMD x64 emulation e.g.:
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
Further reading on secrets management
Want to learn more? Checkout the sources below: