DEV.co
Open-Source Security · OWASP

wrongsecrets

OWASP WrongSecrets is an intentionally vulnerable web application designed to teach secrets management security through hands-on challenges. It contains 67 challenges demonstrating real-world mistakes in how secrets are stored across code, containers, Kubernetes, and cloud platforms.

Source: GitHub — github.com/OWASP/wrongsecrets
1.4k
GitHub stars
588
Forks
Java
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryOWASP/wrongsecrets
OwnerOWASP
Primary languageJava
LicenseAGPL-3.0 — OSI-approved
Stars1.4k
Forks588
Open issues28
Latest release1.13.5 (2026-05-19)
Last updated2026-07-07
Sourcehttps://github.com/OWASP/wrongsecrets

What wrongsecrets is

Java-based web application with Docker, Kubernetes, and multi-cloud (AWS/GCP/Azure) deployment options. Includes integration points for HashiCorp Vault, Terraform examples, and DAST scanning. Actively maintained with comprehensive CI/CD testing across container, orchestration, and cloud deployment scenarios.

Quickstart

Get the wrongsecrets source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/OWASP/wrongsecrets.gitcd wrongsecrets# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Security Training & Awareness

Deploy as an isolated learning environment for development teams to understand common secrets exposure patterns and build practical remediation skills without production risk.

Secrets Detection Tool Evaluation

Use as a benchmark to test and validate secret detection tools (SAST, DAST, container scanners) before integrating them into CI/CD pipelines.

CTF & Competitive Security Events

Host challenges in Capture-The-Flag competitions or internal security competitions using provided CTFD/FBCTF support for structured scoring and team tracking.

Implementation considerations

  • Isolate in air-gapped or internal-only networks; the app contains real API keys and credentials (fake in some cases, real in others per README) intentionally exposed.
  • Provision adequate compute for cloud challenge deployments (AWS/GCP/Azure terraform modules create live cloud resources with associated costs).
  • Plan secrets cleanup post-exercise; Vault, KMS, and cloud-native secret stores are referenced and may require teardown to avoid lingering test credentials.
  • Decide on CTF vs. free-play vs. Heroku demo mode upfront; each has different setup complexity and participant experience.
  • Review Java/Spring Security configuration if customizing challenges; checkstyle and CodeQL CI runs suggest security-first maintenance culture.

When to avoid it — and what to weigh

  • Production Deployment Required — This is explicitly a vulnerable application. Never run on internet-facing infrastructure or production networks without extreme isolation and access controls.
  • Sensitive Data Handling — Do not use in environments where regulatory compliance (HIPAA, PCI-DSS, SOC 2) is required. The intentional vulnerabilities and exposed examples violate these standards.
  • License Incompatibility with Proprietary Systems — AGPL-3.0 requires source code disclosure of derivative works. Organizations unable to release modifications must avoid use or obtain commercial exemption.
  • Minimal Customization Needs — If you need a simple, one-off security demo, the 67-challenge complexity and multi-deployment options may exceed requirements; lighter alternatives exist.

License & commercial use

AGPL-3.0 (GNU Affero General Public License v3.0). This is a copyleft license requiring source code disclosure of any modifications and network-based derivative works. Modifications, if distributed or deployed, must be released under AGPL-3.0 with source made available to users.

AGPL-3.0 is not a permissive license for commercial use without modification. Deploying unmodified WrongSecrets internally for training is generally acceptable. However, using it as a base for a commercial security product, SaaS offering, or selling modifications requires either releasing all source code under AGPL-3.0 or obtaining a commercial license exemption from OWASP. Requires legal review before commercial incorporation.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityHigh
DEV.co fitGood
Assessment confidenceHigh
Security considerations

This is a deliberately vulnerable application. Security considerations are inverted: the app is safe to use only in isolated, non-production environments. Exposure to the internet or untrusted networks risks credential leakage (real or simulated). Secrets included may be fake or real; audit Vault/cloud credentials created during deployment and ensure cleanup. No exploitable RCE or unpatched CVEs are documented, but the application by design contains secrets-exposure vulnerabilities. Container scanning and source code review will flag 'secrets' as findings—this is intentional and expected.

Alternatives to consider

OWASP WebGoat

General application security training with intentional vulnerabilities. Broader scope than secrets only; less specialized for secrets management specific workflows.

Vault tutorials (HashiCorp)

Official Vault learning path for secrets management best practices. Focuses on solution design rather than vulnerability detection; less hands-on reverse-engineering.

TruffleHog / git-secrets demo repos

Lighter-weight secret detection tool testing. Suitable if only evaluating scanner accuracy without full CTF/training platform.

Software development agency

Build on wrongsecrets with DEV.co software developers

Try OWASP WrongSecrets free on Heroku, or run locally with Docker. 67 hands-on challenges teach real-world secrets exposure mistakes and remediation techniques.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

wrongsecrets FAQ

Are the secrets in the app real or fake?
Mixed per README. Some are intentionally fake for training; others are real credentials created during cloud deployments (AWS/GCP/Azure). Treat all as sensitive and ensure cleanup post-exercise. Use non-production cloud accounts.
Can I modify and release WrongSecrets for commercial use?
No without a commercial license exemption or releasing modifications under AGPL-3.0. AGPL-3.0 is copyleft; derivative works must be open-source. Contact OWASP for commercial licensing terms.
What's the minimum setup to try challenges?
Start with the Heroku demo link (https://wrongsecrets.herokuapp.com/) for free, zero-setup access to ~67 challenges. For full offline experience, run the Docker image locally: `docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault`.
Does it integrate with my SIEM or secret scanning CI tool?
Not natively. WrongSecrets is designed as a sandbox for testing detectors. Export results from tools (ZAP, git-secrets, etc.) run against WrongSecrets to validate detection. CI/CD integration requires custom scripting.

Work with a software development agency

Adopting wrongsecrets is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Start Learning Secrets Management Security

Try OWASP WrongSecrets free on Heroku, or run locally with Docker. 67 hands-on challenges teach real-world secrets exposure mistakes and remediation techniques.