OWASP Wrong Secrets

Examples of bad secrets management

The OWASP Wrong Secrets project is a set of challenges focused on secrets management, started by Ben de Haan and Jeroen Willemsen. It is similar to OWASP Juice Shop, the vulnerable e-commerce web application mentioned before.

I decided to check in on this again since it's been a while and new challenges have been added. It's a great tool for learning about insecure secrets management and storage, and it has a wide range of challenges spanning multiple platforms and languages (Azure/AWS, Kubernetes, Docker, C/C++/Rust/Go). I also learned that this was the Capture-the-Flag (CTF) that would be hosted by work on April 1st. Since some of the challenges require cloud infrastructure and the setup can be a pain, I was interested in seeing those become available as part of the hosted CTF.

While going through challenge 20, I wasn't getting the flag, even though I was pretty sure my answer was correct. Looking at the logs, I figured out what the problem could have been. I opened issue 1279 and then proceeded to fix and validate it. Jeroen quickly reviewed and merged the fix in time for Monday's CTF.

I hope to contribute with a challenge or two in the future.

Update: Due to technical difficulties, the Cloud and Kubernetes challenges were unavailable. I withdrew from the competition since I had prior knowledge and the aforementioned challenges were missing. I still finished the available challenges.
