Challenge 0

Welcome to challenge Challenge 0. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Opening Challenge

Welcome to OWASP WrongSecrets its opening challenge!

In this challenge, we explain you everything you need to know to play OWASP WrongSecrets.

Every challenge is about finding a secret that has not been well hidden and/or configured inside our application code, Docker container, or in one of the related parts of the system.

Once you found the secret, you can put it in the box below and press "Submit". The "Clear" button will clean the input box. Want to play the challenge again? Press the "Reset button".

The correct answer below is The first answer . Copy it in the box and press "Submit".

Have a lot of fun with the more difficult challenges ;-).

Note: some of the challenges ahead will require you to use additional tools to get to the solution. For this you need a computer with all the tools installed. Don’t want to install them yourself? You can use a container to have them all available to you at once by using

docker run -p 3000:3000 -v /var/run/docker.sock:/var/run/docker.sock jeroenwillemsen/wrongsecrets-desktop:latest

Then, in your browser go to http://localhost:3000 to find a webtop waiting for you with all the tools required.

Answer to solution :

When you press the "Show hints" button, we will give you hints on how to solve that specific challenge.

Why are we doing this?

With this project, we hope that you will have some fun hunting for secrets. At the same time, we hope that you will learn about other peoples mistakes when it comes to secrets management, so that you will not make the same mistakes.

Did you know that we spotted all of these challenges in the wild? They can therefore be a great help if you want to do more bounty hunting.