Wrongsecrets - Examples With How To Not Use Secrets
Welcome to the OWASP WrongSecrets p0wnable app. With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
Can you solve all the 16 challenges?
Support
Need support? Contact us via OWASP Slack for which you sign up here, file a PR, file an issue , or use discussions. Please note that this is an OWASP volunteer based project, so it might take a little while before we respond.
Basic docker exercises
Can be used for challenges 1-4, 8, 12-15
For the basic docker exercises you currently require:
- Docker Install from here
- Some Browser that can render HTML
You can install it by doing:
docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:1.4.0-no-vault
Now you can try to find the secrets by means of solving the challenge offered at:
- localhost:8080/challenge/1
- localhost:8080/challenge/2
- localhost:8080/challenge/3
- localhost:8080/challenge/4
- localhost:8080/challenge/8
- localhost:8080/challenge/12
- localhost:8080/challenge/13
- localhost:8080/challenge/14
- localhost:8080/challenge/15
- localhost:8080/challenge/16
Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look better ;-).
Running these on Heroku
You can test them out at https://wrongsecrets.herokuapp.com/ as well! But please understand that we have NO guarantees that this works. Given we run in Heroku free-tier, please do not fuzz and/or try to bring it down: you would be spoiling it for others that want to testdrive it.
Deploying the app under your own heroku account
- Sign up to Heroku and log in to your account
- Click the button below and follow the instructions
Basic K8s exercise
Can be used for challenges 1-6, 8, 12-16
Minikube based
Make sure you have the following installed:
- Docker Install from here
- Minikube Install from here
The K8S setup currently is based on using Minikube for local fun:
minikube start
kubectl apply -f k8s/secrets-config.yml
kubectl apply -f k8s/secrets-secret.yml
kubectl apply -f k8s/secret-challenge-deployment.yml
while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
minikube service secret-challenge
now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
k8s based
Want to run vanilla on your own k8s? Use the commands below:
kubectl apply -f k8s/secrets-config.yml
kubectl apply -f k8s/secrets-secret.yml
kubectl apply -f k8s/secret-challenge-deployment.yml
while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.conditions[?(@.type=="Ready")].status}') != "True" ]]; do echo "waiting for secret-challenge" && sleep 2; done
kubectl port-forward \
$(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
8080:8080
now you can use the provided IP address and port to further play with the K8s variant (instead of localhost).
Vault exercises with minikube
Can be used for challenges 1-8, 12-16 Make sure you have the following installed:
- minikube with docker (or comment out line 8 and work at your own k8s setup),
- docker,
- helm Install from here,
- kubectl Install from here,
- jq Install from here,
- vault Install from here,
- grep, Cat, and Sed
Run ./k8s-vault-minkube-start.sh
, when the script is done, then the challenges will wait for you at http://localhost:8080 . This will allow you to run challenges 1-8, 12-15.
When you stopped the k8s-vault-minikube-start.sh
script and want to resume the port forward run: k8s-vault-minikube-resume.sh
. This is because if you run the start script again it will replace the secret in the vault and not update the secret-challenge application with the new secret.
Cloud Challenges
Can be used for challenges 1-16
READ THIS: Given that the exercises below contain IAM privilege escalation exercises, never run this on an account which is related to your production environment or can influence your account-over-arching resources.
Running WrongSecrets in AWS
Follow the steps in the README in the AWS subfolder.
Running WrongSecrets in GCP
Follow the steps in the README in the GCP subfolder.
Running WrongSecrets in Azure
Follow the steps in the README in the Azure subfolder.
Running Challenge15 in your own cloud only
When you want to include your own Canarytokens for your cloud-deployment, do the following:
- Fork the project.
- Make sure you use the GCP ingress or AWS ingress scripts to generate an ingress for your project.
- Go to canarytokens.org and select
AWS Keys
, in the webHook URL field add<your-domain-created-at-step1>/canaries/tokencallback
. - Encrypt the received credentials so that Challenge15 can decrypt them again.
- Commit the unencrypted and encrypted materials to Git and then commit again without the decrypted materials.
- Adapt the hints of Challenge 15 in your fork to point to your fork.
- Create a container and push it to your registry
- Override the K8s definition files for either AWS or GCP.
Do you want to play without guidance?
Each challenge has a Show hints
button and a What's wrong?
button. These buttons help to simplify the challenges and give explanation to the reader. Though, the explanations can spoil the fun if you want to do this as a hacking exercise. Therefore, you can manipulate them by overriding the following settings in your env:
hints_enabled=false
will turn off theShow hints
button.reason_enabled=false
will turn of theWhat's wrong?
explanation button.
Special thanks & Contributors
Leaders:
Top contributors:
- Nanne Baars @nbaars
- Marcin Nowak @MarcinNowak-codes
- Tibor Hercz @tiborhercz
- Filip Chyla @fchyla
- Dmitry Litosh @Dlitosh
- Josh Grossman @tghosth
- Spyros @northdpole
- Mike Woudenberg @mikewoudenberg
- Ruben Kruiver @RubenAtBinx
- Finn @f3rn0s
- Joss Sparkes @remakingeden
Testers:
Special mentions for helping out:
Help Wanted
You can help us by the following methods:
- Star us
- Share this app with others
- Of course, we can always use your help to get more flavors of "wrongly" configured secrets in to spread awareness! We would love to get some help with other cloudproiders, like Alibabaor Tencent cloud for instance. Do you miss something else than a cloud provider as an example? File an issue or create a PR! See our guide on contributing for more details. Contributors will be listed in releases, in the "Special thanks & Contributors"-section, and the web-app.
Use OWASP WrongSecrets as a secret detection benchmark
As tons of secret detection tools are coming up for both Docker and Git, we are creating a Benchmark testbed for it. Want to know if your tool detects everything? We will keep track of the embedded secrets in this issue and have a branch in which we put additional secrets for your tool to detect. The branch will contain a Docker container generation script using which you can eventually test your container secret scanning.
Notes on development
For development on local machine use the local
profile ./mvnw spring-boot:run -Dspring-boot.run.profiles=local
If you want to test against vault without K8s: start vault locally with
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_API_ADDR='http://127.0.0.1:8200'
vault server -dev
and in your next terminal, do (with the token from the previous commands):
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='<TOKENHERE>'
vault token create -id="00000000-0000-0000-0000-000000000000" -policy="root"
vault kv put secret/secret-challenge vaultpassword.password="$(openssl rand -base64 16)"
Now use the local-vault
profile to do your development.
./mvnw spring-boot:run -Dspring-boot.run.profiles=local,local-vault
If you want to dev without a Vault instance, use additionally the without-vault
profile to do your development:
./mvnw spring-boot:run -Dspring-boot.run.profiles=local,without-vault
Want to push a container? See .github/scripts/docker-create-and-push.sh
for a script that generates and pushes all containers. Do not forget to rebuild the app before composing the container
Dependency management
We have CycloneDX and OWASP Dependency-check integrated to check dependencies for vulnerabilities. You can use the OWASP Dependency-checker by calling mvn dependency-check:aggregate
and mvn cyclonedx:makeBom
to use CycloneDX to create an SBOM.
Automatic reload during development
To make changes made load faster we added spring-dev-tools
to the Maven project. To enable this in IntelliJ automatically, make sure:
- Under Compiler -> Automatically build project is enabled, and
- Under Advanced settings -> Allow auto-make to start even if developed application is currently running.
You can also manually invoke: Build -> Recompile the file you just changed, this will also force reloading of the application.
How to add a Challenge
Follow the steps below on adding a challenge:
- First make sure that you have an Issue reported for which a challenge is really wanted.
- Add the new challenge in the
org.owasp.wrongsecrets.challenges
folder. Make sure you add an explanation insrc/main/resources/explanations
and refer to it from your new Challenge class. - Add a unit and integration test to show that your challenge is working.
- Don't forget to add
@Order
annotation to your challenge ;-).
If you want to move existing cloud challenges to another cloud: extend Challenge classes in the org.owasp.wrongsecrets.challenges.cloud
package and make sure you add the required Terraform in a folder with the separate cloud identified. Make sure that the environment is added to org.owasp.wrongsecrets.RuntimeEnvironment
. Collaborate with the others at the project to get your container running so you can test at the cloud account.