
// the find

OWASP/wrongsecrets

★ 1,446 · Java · AGPL-3.0 · updated Jun 2026

Vulnerable app with examples showing how to not use secrets

WrongSecrets is an intentionally vulnerable Java/Spring Boot app with 67 challenges teaching developers how secrets get exposed — in source code, Docker images, Kubernetes configs, environment variables, cloud IAM, and vault misconfigurations. It's aimed at security engineers, developers doing devsecops training, and CTF organizers who want a realistic secrets-hunting environment rather than a toy.

The challenge coverage is genuinely broad: it goes from trivial hardcoded strings all the way to cloud-specific IAM privilege escalation on AWS, GCP, and Azure with real Terraform, which is rare in training tools. The project doubles as a secret scanner benchmark — there's a GitHub Actions workflow that runs seven different scanning tools against the codebase and publishes a comparison, which is legitimately useful when evaluating tooling. Active maintenance is evident: 67 challenges, Spring Boot 4 adoption checklist already written, pushed two days ago, and a large contributor list with real CI coverage including Minikube, ZAP, and visual diffs. CTF deployment is first-class — CTFD integration works out of the box via juice-shop-ctf-cli, and there's a separate CTF Party project for per-player isolated instances.

The Docker-only path skips challenges 5, 6, 7, 33, 44–47, 48, and 53, which means the quick-start experience is incomplete and players hit gaps without obvious explanation. The cloud challenge setup requires you to provision real AWS/GCP/Azure infrastructure with Terraform and explicitly warns about IAM privilege escalation risks — there's no sandbox or teardown automation that's truly safe for beginners, and cost surprises are likely. The Java/Spring Boot app is a monolith where challenges share a single running process, so a player who crashes the JVM via one challenge breaks everyone else's session in shared deployments. Score tracking is in-memory only with no persistence, so a restart resets all progress.
