OWASP WrongSecrets v1.6.5 releases: Secrets Management-focused vulnerable app
OWASP WrongSecrets
Welcome to the OWASP WrongSecrets p0wnable app. In this app, we have packed various examples of how not to store your secrets. These can help you realize whether your secret management is OK. The challenge is to find all the different secrets by means of various tools and techniques.
It can be used in security training, awareness demos, as a test environment for secret detection tools, and bad practice detection tooling.
Wondering what a secret is? A secret is often a confidential piece of information that is required to unlock certain functionalities or information. It can exist in many shapes or forms, for instance:
- 2FA keys
- Activation/Callback links
- API keys
- Credentials
- Passwords
- Private keys (decryption, signing, TLS, SSH, GPG)
- Secret keys (symmetric encryption, HMAC)
- Session cookies
- Tokens (Session, Refresh, Authentication, Activation, etc.)
Changelog v1.6.5
Documentation:
- #630 Docker image jeroenwillemsen/wrongsecrets:1.5.14-no-vault hangs … by @MarcinNowak-codes in #631
- Update ctf instructions for challenge 30 by @commjoen in #821
- Update README.md (badges & screenshots), challenge1 text, and a ui-bug by @commjoen in #825
Quality updates:
- chore: add Spotless formatter by @nbaars in #790
- UI Test Framework by @RemakingEden in #808
- Automate spotless apply as part of pre-commit by @commjoen in #824
- Fix for okteto; namespace substitution in challenge33.yml by @commjoen in #827
- Scoring UI test tweaks by @RemakingEden in #828
- Pre-release fixes (docs, tests, bugfixes in challenge 33 & challenge 13, pre-commit&node upgrades) and setting up 1.6.5 release by @commjoen in #829
New Features:
New Challenges:
LCM:
- Bump cyclonedx-maven-plugin from 2.7.8 to 2.7.9 by @dependabot in #834
- Bump spotless-maven-plugin from 2.36.0 to 2.37.0 by @dependabot in #833
- Bump spring-cloud-dependencies from 2022.0.2 to 2022.0.3 by @dependabot in #835
- Bump eslint-config-standard from 17.0.0 to 17.1.0 by @dependabot in #841
- Bump minimatch from 9.0.0 to 9.0.1 in /js by @dependabot in #837
- Bump cypress from 12.10.0 to 12.13.0 by @dependabot in #840
- Bump eslint from 8.39.0 to 8.41.0 by @dependabot in #842
- Bump terraform-aws-modules/eks/aws from 19.13.1 to 19.15.2 in /aws by @dependabot in #845
- Bump aws from 4.65.0 to 5.0.1 in /aws by @dependabot in #844
- Bump hashicorp/google-beta from 4.63.1 to 4.67.0 in /gcp by @dependabot in #839
- Bump hashicorp/google from 4.63.1 to 4.67.0 in /gcp by @dependabot in #838
- Update terraform-aws-modules/vpc/aws requirement from ~> 4.0.1 to ~> 5.0.0 in /aws by @dependabot in #846
- Bump spring-cloud-gcp-dependencies from 4.2.0 to 4.3.1 by @dependabot in #847
- Bump lombok from 1.18.26 to 1.18.28 by @dependabot in #849
- Bump bootstrap from 5.2.3 to 5.3.0 by @dependabot in #832
- Bump @commitlint/config-conventional from 17.6.1 to 17.6.5 by @dependabot in #843
- Bump azurerm from 3.54.0 to 3.58.0 in /azure by @dependabot in #836
- Delete secondkey.txt by @bendehaan in #850
Copyright (c) 2020-2022 Jeroen Willemsen and WrongSecret contributors.