wrongsecrets
OWASP WrongSecrets is an intentionally vulnerable web application designed to teach secrets management security through hands-on challenges. It contains 67 challenges demonstrating real-world mistakes in how secrets are stored across code, containers, Kubernetes, and cloud platforms.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | OWASP/wrongsecrets |
| Owner | OWASP |
| Primary language | Java |
| License | AGPL-3.0 — OSI-approved |
| Stars | 1.4k |
| Forks | 588 |
| Open issues | 28 |
| Latest release | 1.13.5 (2026-05-19) |
| Last updated | 2026-07-07 |
| Source | https://github.com/OWASP/wrongsecrets |
What wrongsecrets is
Java-based web application with Docker, Kubernetes, and multi-cloud (AWS/GCP/Azure) deployment options. Includes integration points for HashiCorp Vault, Terraform examples, and DAST scanning. Actively maintained with comprehensive CI/CD testing across container, orchestration, and cloud deployment scenarios.
Get the wrongsecrets source
Clone the repository and explore it locally.
git clone https://github.com/OWASP/wrongsecrets.gitcd wrongsecrets# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Isolate in air-gapped or internal-only networks; the app contains real API keys and credentials (fake in some cases, real in others per README) intentionally exposed.
- Provision adequate compute for cloud challenge deployments (AWS/GCP/Azure terraform modules create live cloud resources with associated costs).
- Plan secrets cleanup post-exercise; Vault, KMS, and cloud-native secret stores are referenced and may require teardown to avoid lingering test credentials.
- Decide on CTF vs. free-play vs. Heroku demo mode upfront; each has different setup complexity and participant experience.
- Review Java/Spring Security configuration if customizing challenges; checkstyle and CodeQL CI runs suggest security-first maintenance culture.
When to avoid it — and what to weigh
- Production Deployment Required — This is explicitly a vulnerable application. Never run on internet-facing infrastructure or production networks without extreme isolation and access controls.
- Sensitive Data Handling — Do not use in environments where regulatory compliance (HIPAA, PCI-DSS, SOC 2) is required. The intentional vulnerabilities and exposed examples violate these standards.
- License Incompatibility with Proprietary Systems — AGPL-3.0 requires source code disclosure of derivative works. Organizations unable to release modifications must avoid use or obtain commercial exemption.
- Minimal Customization Needs — If you need a simple, one-off security demo, the 67-challenge complexity and multi-deployment options may exceed requirements; lighter alternatives exist.
License & commercial use
AGPL-3.0 (GNU Affero General Public License v3.0). This is a copyleft license requiring source code disclosure of any modifications and network-based derivative works. Modifications, if distributed or deployed, must be released under AGPL-3.0 with source made available to users.
AGPL-3.0 is not a permissive license for commercial use without modification. Deploying unmodified WrongSecrets internally for training is generally acceptable. However, using it as a base for a commercial security product, SaaS offering, or selling modifications requires either releasing all source code under AGPL-3.0 or obtaining a commercial license exemption from OWASP. Requires legal review before commercial incorporation.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Strong |
| License clarity | Clear |
| Deployment complexity | High |
| DEV.co fit | Good |
| Assessment confidence | High |
This is a deliberately vulnerable application. Security considerations are inverted: the app is safe to use only in isolated, non-production environments. Exposure to the internet or untrusted networks risks credential leakage (real or simulated). Secrets included may be fake or real; audit Vault/cloud credentials created during deployment and ensure cleanup. No exploitable RCE or unpatched CVEs are documented, but the application by design contains secrets-exposure vulnerabilities. Container scanning and source code review will flag 'secrets' as findings—this is intentional and expected.
Alternatives to consider
OWASP WebGoat
General application security training with intentional vulnerabilities. Broader scope than secrets only; less specialized for secrets management specific workflows.
Vault tutorials (HashiCorp)
Official Vault learning path for secrets management best practices. Focuses on solution design rather than vulnerability detection; less hands-on reverse-engineering.
TruffleHog / git-secrets demo repos
Lighter-weight secret detection tool testing. Suitable if only evaluating scanner accuracy without full CTF/training platform.
Build on wrongsecrets with DEV.co software developers
Try OWASP WrongSecrets free on Heroku, or run locally with Docker. 67 hands-on challenges teach real-world secrets exposure mistakes and remediation techniques.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
wrongsecrets FAQ
Are the secrets in the app real or fake?
Can I modify and release WrongSecrets for commercial use?
What's the minimum setup to try challenges?
Does it integrate with my SIEM or secret scanning CI tool?
Work with a software development agency
Adopting wrongsecrets is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Start Learning Secrets Management Security
Try OWASP WrongSecrets free on Heroku, or run locally with Docker. 67 hands-on challenges teach real-world secrets exposure mistakes and remediation techniques.