Carview!

HOME
ABOUT
- RESULTS
- differences
- BENEFITS
- HISTORY
- TEAM
- LOCATION
- FACILITIES
- BANKING
- MEMBERSHIPS
- APPROVALS
- LICENCES
- SUPPLIERS
- SPONSORSHIPS
- MEDIA
- PRIVACY
AUCTIONS
SHIPPING
FEES
- TS REWARDS
TOOLS
guides
FAQ
CONTACT
- CONNECT

VEHICLES
BRAND
- JAPANESE CARS
  - DAIHATSU
  - EUNOS
  - FORD
  - HONDA
  - ISUZU
  - LEXUS
  - MAZDA
  - MITSUBISHI
  - MITSUOKA
  - NISSAN
  - SUBARU
  - SUZUKI
  - TOYOTA
- GERMAN CARS
- AMERICAN CARS
- BRITISH CARS
- ITALIAN CARS
- FRENCH CARS
- SWEDISH CARS
- KOREAN CARS
TYPE
- mobility
- VENDING
- instruction
- TAXIS
- AMBULANCES
- FIRE ENGINES
- HEARSES
- LIMOUSINES
- COMMERCIAL
CLASS
FUEL
TRUCKS
minitrucks
- DAIHATSU
- HONDA
- MAZDA
- MITSUBISHI
- NISSAN
- SUBARU
- SUZUKI
- DUMP
- CRANE
- CAMPER
- REFRIGERATED
- 4WD
- NEW
BUSES
MOTORHOMES
- YAHOO!
- RAKUTEN
- DEALER

PARTS
- FREE REPORT
- PARTS CONTAINERS
- PARTS SYSTEMS
- PARTS PROTECTION
- BODY SHELLS
- DISMANTLING
- ONLINE PARTS
- NEW PARTS
- INTERIOR PARTS
- EXTERIOR PARTS
  - BONNETS
  - BUMPERS
  - GRILLES
  - FENDERS
  - DOORS
  - TRUNKS
  - SPOILERS
  - LIGHTS
  - EMBLEMS
  - CAMERAS
- ENGINES
- TRANSMISSIONS
- WHEELS & TYRES
  - WHEELS
  - TYRES
CUTS
PERFORMANCE PARTS
TRUCK PARTS
MOTORBIKE PARTS
- MOTORBIKE ENGINES
- MOTORBIKE ACCESSORIES

MOTORBIKES
MARINE
FORKLIFTS
MACHINERY
AGRICULTURAL
OTHER
COUNTRY
- AUSTRALIA
- CANADA
- KENYA
- MYANMAR
- NEW ZEALAND
- PAKISTAN
- TANZANIA
- UNITED STATES

CARVIEW

MOTORHOMES

Select Language

HTTP/2 200 cache-control: no-cache, no-store, max-age=0, must-revalidate content-encoding: gzip content-language: en-US content-security-policy: default-src * 'self'; script-src * 'self' 'unsafe-inline'; style-src * 'self' 'unsafe-inline'; img-src data: content-type: text/html;charset=UTF-8 date: Wed, 24 Dec 2025 16:56:29 GMT expires: 0 nel: {"report_to":"heroku-nel","response_headers":["Via"],"max_age":3600,"success_fraction":0.01,"failure_fraction":0.1} pragma: no-cache report-to: {"group":"heroku-nel","endpoints":[{"url":"https://nel.heroku.com/reports?s=baw%2FkNh%2BQ0wqbfohvPZnmB4cSpCdseFQK4dPij4dSlA%3D\u0026sid=c4c9725f-1ab0-44d8-820f-430df2718e11\u0026ts=1766595389"}],"max_age":3600} reporting-endpoints: heroku-nel="https://nel.heroku.com/reports?s=baw%2FkNh%2BQ0wqbfohvPZnmB4cSpCdseFQK4dPij4dSlA%3D&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&ts=1766595389" server: Heroku set-cookie: JSESSIONID=9FCAFF5DC972AD6AF7C39F3644AE934E; Path=/; Secure; HttpOnly strict-transport-security: max-age=31536000 ; includeSubDomains vary: accept-encoding via: 2.0 heroku-router x-content-type-options: nosniff x-frame-options: DENY x-xss-protection: 0 OWASP WrongSecrets

WrongSecrets

Home
Challenges
Github
Stats
About

☀

Environment: Heroku Version: 1.12.9heroku

Welcome to OWASP WrongSecrets

Learn about secrets management by finding real secrets hidden in code, configuration files, and cloud infrastructure.

🎯 How to Play

Your Mission: Find hidden secrets in this repository and enter them to score points!

Where to Look:

📁 Source code files (Java, JavaScript, etc.)
🐳 Docker files and configurations
☁️ Cloud deployment configurations (AWS, GCP, Azure)
🔧 Environment variables and config files
🗄️ Vault and secret management tools

Getting Started: Check out the GitHub repository to examine the code and find the secrets!

Pro Tip: Each challenge below has a different difficulty level and may require different environments. Start with the easier ones and work your way up! 🚀

Difficulty: ⭐ (Easy) ⭐⭐ (Medium) ⭐⭐⭐ (Hard) ⭐⭐⭐⭐ (Expert) ⭐⭐⭐⭐⭐ (Master) | Environment: Where the challenge can be solved

#	Challenge	Focus	Difficulty	Runs on environment (current: Heroku)
0	Challenge 0	Intro	★☆☆☆☆	Docker
1	Challenge 1	Git	★☆☆☆☆	Docker
2	Challenge 2	Git	★☆☆☆☆	Docker
3	Challenge 3	Docker	★☆☆☆☆	Docker
4	Challenge 4	Docker	★★☆☆☆	Docker
5	Challenge 5	Configmaps	★★☆☆☆	K8s
6	Challenge 6	Secrets	★★☆☆☆	K8s
7	Challenge 7	Vault	★★★★☆	K8s with Vault
8	Challenge 8	Logging	★★☆☆☆	Docker
9	Challenge 9	Terraform	★★★☆☆	AWS, GCP, Azure
10	Challenge 10	CSI-Driver	★★★★☆	AWS, GCP, Azure
11	Challenge 11	IAM privilege escalation	★★★★☆	AWS, GCP, Azure
12	Challenge 12	Docker	★★★☆☆	Docker
13	Challenge 13	CI/CD	★★★☆☆	Docker
14	Challenge 14	Password Manager	★★★★☆	Docker
15	Challenge 15	Git	★★☆☆☆	Docker
16	Challenge 16	Front-end	★★★☆☆	Docker
17	Challenge 17	Docker	★★★☆☆	Docker
18	Challenge 18	Cryptography	★★★★★	Docker
19	Challenge 19	Binary	★★★★☆	Docker
20	Challenge 20	Binary	★★★★☆	Docker
21	Challenge 21	Binary	★★★★★	Docker
22	Challenge 22	Binary	★★★★★	Docker
23	Challenge 23	Front-end	★☆☆☆☆	Docker
24	Challenge 24	Cryptography	★★☆☆☆	Docker
25	Challenge 25	Web3	★★☆☆☆	Docker
26	Challenge 26	Web3	★★☆☆☆	Docker
27	Challenge 27	Web3	★★☆☆☆	Docker
28	Challenge 28	Documentation	★☆☆☆☆	Docker
29	Challenge 29	Documentation	★☆☆☆☆	Docker
30	Challenge 30	Front-end	★★☆☆☆	Docker
31	Challenge 31	Front-end	★☆☆☆☆	Docker
32	Challenge 32	AI	★★☆☆☆	Docker
33	Challenge 33	Secrets	★★☆☆☆	K8s
34	Challenge 34	Cryptography	★★☆☆☆	Docker
35	Challenge 35	Documentation	★☆☆☆☆	Docker
36	Challenge 36	Binary	★★★★★	Docker
37	Challenge 37	CI/CD	★★☆☆☆	Docker
38	Challenge 38	Git	★☆☆☆☆	Docker
39	Challenge 39	Cryptography	★☆☆☆☆	Docker
40	Challenge 40	Cryptography	★☆☆☆☆	Docker
41	Challenge 41	Cryptography	★★★☆☆	Docker
42	Challenge 42	Logging	★★☆☆☆	Docker
43	Challenge 43	Documentation	★☆☆☆☆	Docker
44	Challenge 44	Vault	★★★★☆	K8s with Vault
45	Challenge 45	Vault	★★★★☆	K8s with Vault
46	Challenge 46	Vault	★★★★☆	K8s with Vault
47	Challenge 47	Vault	★★☆☆☆	K8s with Vault
48	Challenge 48	Secrets	★★☆☆☆	K8s
49	Challenge 49	Cryptography	★★★☆☆	Docker
50	Challenge 50	Binary	★★☆☆☆	Docker
51	Challenge 51	Secrets	★★☆☆☆	Docker
52	Challenge 52	Secrets	★★☆☆☆	Docker
53	Challenge 53	Secrets	★★★☆☆	K8s
54	Challenge 54	Secrets	★★☆☆☆	Docker
55	Challenge 55	Secrets	★☆☆☆☆	Docker
56	Challenge 56	AI	★☆☆☆☆	Docker
57	Challenge 57	AI	★★☆☆☆	Docker
58	Challenge 58	Logging	★★☆☆☆	Docker
59	Challenge 59	CI/CD	★★☆☆☆	Docker

Total score: 0

🚀 Ready to Start?

1. Choose a challenge from the table above

2. Examine the repository - Look at the source code, config files, and documentation

3. Find the secret - It could be in plain text, encoded, or stored in environment variables

4. Enter your answer - Submit the secret to score points!

Hasty? Here is the Vault secret;-)

Like what you see? Please
Star us on Github

Note: The above button only takes you to the repository. Please ensure to star the repository once you are there!

OWASP Project Leaders:

Ben de Haan @bendehaan
Jeroen Willemsen @commjoen

Top Contributors:

Jannik Hollenbach @J12934
Puneeth Y @puneeth072003
Joss Sparkes @RemakingEden

Contributors:

Nanne Baars @nbaars
Marcin Nowak @drnow4u
Rodolfo Neves @roddas
Osama Magdy @osamamagdy
Shubham Patel @Shubham-Patel07
za @za
Divyanshu Dev @Novice-expert
Pastekitoo @Pastekitoo
Tibor Hercz @tiborhercz
Chris Elbring Jr. @neatzsche
Adarsh A @adarsh-a-tw
Diamond Rivero @diamant3
Norbert Wolniak @nwolniak
Filip Chyla @fchyla
Dmitry Litosh @Dlitosh
Vineeth Jagadeesh @djvinnie
Mahaputra Ilham Awal @mahaputrailhamawal
Turjo Chowdhury @turjoc120
SndR @SndR85
Josh Grossman @tghosth
alphasec @alphasecio
CaduRoriz @CaduRoriz
Madhu Akula @madhuakula
Mike Woudenberg @mikewoudenberg
Spyros @northdpole
RubenAtBinx @RubenAtBinx
Alex Bender @alex-bender
Danny Lloyd @dannylloyd
Nicolas Humblot @nhumblot
Rick M @kingthorin
Shlomo Zalman Heigh @szh
Fern @f3rn0s
Jeff Tong @Wind010

Testers:

Dave van Stein @davevs
Marcin Nowak @drnow4u
Marc Chang Sing Pang @mchangsp
Vineeth Jagadeesh @djvinnie

Special mentions for helping out:

Madhu Akula @madhuakula @madhuakula
Nanne Baars @nbaars @nbaars
Björn Kimminich @bkimminich
Dan Gora @devsecops
Xiaolu Dai @saragluna
Jonathan Giles @jonathanGiles

Resources/further reading on secrets management:

Blog: 10 Pointers on Secrets Management
OWASP SAMM on Secret Management
The secret detection topic at Github
OWASP Secretsmanagement Cheatsheet
Open CRE on Secrets Management

Wondering what a secret is? A secret is often a confidential piece of information that is required to unlock certain functionalities or information. It can exists in many shapes or forms, for instance:

2FA keys
Activation/Callback links
API keys
Credentials
Passwords
Private keys (decryption, signing, TLS, SSH, GPG)
Secret keys (symmetric encryption, HMAC)
Session cookies
Tokens (Session, Refresh, Authentication, Activation, etc.)

Want to see if your tool of choice detects all the secrets available in this project?
Check the instructions in the README .

Developing our solution in 3 clouds costs money. Want to help us to cover our cloud bills? Donate.

HOME
ABOUT
AUCTIONS
SHIPPING
FEES
TOOLS
HOW
FAQ
CONTACT

Original Source | Taken Source