OWASP WrongSecrets v1.8 released: Secrets Management-focused vulnerable app
OWASP WrongSecrets
Welcome to the OWASP WrongSecrets p0wnable app. In this app, we have packed various ways of how not to store your secrets. These can help you judge whether your own secrets management is OK. The challenge is to find all the different secrets by means of various tools and techniques.
It can be used for security training and awareness demos, and as a test environment for secret detection tools and bad-practice detection tooling.
Wondering what a secret is? A secret is often a confidential piece of information that is required to unlock certain functionalities or information. It can exist in many shapes or forms, for instance:
- 2FA keys
- Activation/Callback links
- API keys
- Credentials
- Passwords
- Private keys (decryption, signing, TLS, SSH, GPG)
- Secret keys (symmetric encryption, HMAC)
- Session cookies
- Tokens (Session, Refresh, Authentication, Activation, etc.)
Changelog v1.8
Documentation:
- Doc fix: explain and correct the local container creation by @commjoen in #1082
- Adding alternative text in the pictures to the contribution file by @CaduRoriz in #1066
Refactor:
New challenge:
Fixes:
- Fix link checker by moving lycheeignore to root of folder again by @commjoen in #1109
- Hotfixes k8s defs, terratest and initial testing on okteto ctf by @commjoen in #1123
- Fix for arm at golang by @commjoen in #1126
- Fix docs and update nodejs version by @commjoen in #1127
- Fix image with new parameters for launching the app by @commjoen in #1128
- Challenge38 hint fix. by @djvinnie in #1129
- Bugfix: enable all challenges in cloud envs again by @commjoen in #1131
- fix: aws lb and gke by @bendehaan in #1137
- fix: fix gcp ingress by @bendehaan in #1138
- Fix for issues regarding challenge rendering by @commjoen in #1133
- fix: move gcp ingress to consul/vault script by @bendehaan in #1140
Install
Copyright (c) 2020-2022 Jeroen Willemsen and WrongSecret contributors.