OWASP · commjoen · Mar 6, 2026 · Feb 23, 2026 · Feb 23, 2026 · Feb 24, 2026
@@ -202,7 +202,7 @@ class Challenge[Number]Test {
 docker build -t wrongsecrets .
 
 # Run locally
-docker run -p 8080:8080 wrongsecrets
+docker run -p 8080:8080 -p 8090:8090 wrongsecrets
 ```
 
 ## Testing Guidelines

@@ -347,7 +347,7 @@ rm -rf jdk-18_linux-x64_bin.deb
 git rebase -i main
 git rebase -i master
 git stash
-export tempPassword="Mvd9twjm41byoPqwaY66rZ8/xJ8FNQQnGW8jPMlMocw="
+export tempPassword="OeyxzcLdUbln0KxnhlQaT2wQKfpJpV/A7/ach+erH4M="
 mvn run tempPassword
 k6
 npx k6

@@ -64,10 +64,11 @@ Heroku_publish_demo() {
     heroku container:login
     echo "heroku deployment to demo"
     cd ../..
-    heroku container:push --recursive --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646
+    # heroku container:push --recursive --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646
+    heroku container:push --arg argBasedVersion=${tag}heroku --app arcane-scrubland-42646
     heroku container:release web --app arcane-scrubland-42646
-    heroku container:push --recursive --arg argBasedVersion=${tag}heroku,CTF_ENABLED=true,HINTS_ENABLED=false --app wrongsecrets-ctf
-    heroku container:release web --app wrongsecrets-ctf
+    # heroku container:push --recursive --arg argBasedVersion=${tag}heroku,CTF_ENABLED=true,HINTS_ENABLED=false --app wrongsecrets-ctf
+    # heroku container:release web --app wrongsecrets-ctf
     echo "wait for contianer to come up"
     until curl --output /dev/null --silent --head --fail https://arcane-scrubland-42646.herokuapp.com/; do
         printf '.'
@@ -236,7 +237,7 @@ local_extra_info() {
     if [[ $script_mode == "local" ]] ; then
         echo ""
         echo "⚠️⚠️ This script is running in local mode, with no arguments this script will build your current code and package into a docker container for easy local testing"
-        echo "If the container gets built correctly you can run the container with the command: docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test, if there are errors the script should tell you what to do ⚠️⚠️"
+        echo "If the container gets built correctly you can run the container with the command: docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:local-test, if there are errors the script should tell you what to do ⚠️⚠️"
         echo ""
     fi
 }
@@ -447,7 +448,7 @@ test() {
     if [[ "$script_mode" == "test" ]]; then
         echo "Running the tests"
         echo "Starting the docker container"
-        docker run -d -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test
+        docker run -d -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:local-test
         until $(curl --output /dev/null --silent --head --fail http://localhost:8080); do
             printf '.'
             sleep 5

@@ -19,6 +19,6 @@ jobs:
       - uses: actions/checkout@v5
       - name: run container
         run: |
-          podman run -dt -p 8080:8080 docker.io/jeroenwillemsen/wrongsecrets:latest-no-vault && \
+          podman run -dt -p 8080:8080 -p 8090:8090 docker.io/jeroenwillemsen/wrongsecrets:latest-no-vault && \
           echo "wait 20 seconds for container to come up" && sleep 20 && \
           curl localhost:8080
@@ -116,7 +116,7 @@ jobs:
           echo "**🐳 Try the bleeding-edge version:**" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
           echo "docker pull ghcr.io/${{ github.repository }}/wrongsecrets-master:latest-master" >> $GITHUB_STEP_SUMMARY
-          echo "docker run -p 8080:8080 ghcr.io/${{ github.repository }}/wrongsecrets-master:latest-master" >> $GITHUB_STEP_SUMMARY
+          echo "docker run -p 8080:8080 -p 8090:8090 ghcr.io/${{ github.repository }}/wrongsecrets-master:latest-master" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Then visit: http://localhost:8080" >> $GITHUB_STEP_SUMMARY
@@ -62,7 +62,7 @@ jobs:
           kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
           kubectl port-forward \
               $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-              8080:8080 \
+              8080:8080 8090:8090 \
               &
           echo "Do minikube delete to stop minikube from running and cleanup to start fresh again"
           echo "wait 20 seconds so we can check if vault-k8s-container works"

@@ -178,13 +178,13 @@ jobs:
             \`\`\`bash
             # Download the artifact, extract it, then:
             docker load < wrongsecrets-preview.tar
-            docker run -p 8080:8080 wrongsecrets-preview
+            docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview
             \`\`\`
 
             **🚀 Alternative - Pull from Registry:**
             \`\`\`bash
             docker pull ${imageTag}
-            docker run -p 8080:8080 ${imageTag}
+            docker run -p 8080:8080 -p 8090:8090 ${imageTag}
             \`\`\`
 
             Then visit: http://localhost:8080
@@ -318,8 +318,8 @@ jobs:
 
       - name: Start both versions
         run: |
-          docker run -d -p 8080:8080 --name pr-version wrongsecrets-pr
-          docker run -d -p 8081:8080 --name main-version wrongsecrets-main
+          docker run -d -p 8080:8080 -p 8090:8090 --name pr-version wrongsecrets-pr
+          docker run -d -p 8081:8080 -p 8091:8090 --name main-version wrongsecrets-main
 
           # Wait for services to start
           echo "Waiting for services to start..."

@@ -79,8 +79,8 @@ jobs:
 
       - name: Start both versions
         run: |
-          docker run -d -p 8080:8080 --name pr-version wrongsecrets-pr
-          docker run -d -p 8081:8080 --name main-version wrongsecrets-main
+          docker run -d -p 8080:8080 -p 8090:8090 --name pr-version wrongsecrets-pr
+          docker run -d -p 8081:8080 -p 8091:8090 --name main-version wrongsecrets-main
 
           # Wait for containers to start
           echo "Waiting for containers to start..."

@@ -1,7 +1,7 @@
 FROM bellsoft/liberica-openjre-debian:25-cds AS builder
 WORKDIR /builder
 
-ARG argBasedVersion="1.12.11"
+ARG argBasedVersion="1.13.1-alpha5"
 
 COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar application.jar
 RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted
@@ -13,11 +13,12 @@
 ARG spring_profile=""
 ARG challenge59_webhook_url="YUhSMGNITTZMeTlvYjI5cmN5NXpiR0ZqYXk1amIyMHZjMlZ5ZG1salpYTXZWREEwVkRRd1RraFlMMEl3T1VSQlRrb3lUamRMTDJNeWFqYzFSVEUzVjFrd2NFeE5SRXRvU0RsbGQzZzBhdz09"
 ENV SPRING_PROFILES_ACTIVE=$spring_profile
 ENV ARG_BASED_PASSWORD=$argBasedPassword
 ENV APP_VERSION=$argBasedVersion
 ENV DOCKER_ENV_PASSWORD="This is it"
 ENV AZURE_KEY_VAULT_ENABLED=false
 ENV CHALLENGE59_SLACK_WEBHOOK_URL=$challenge59_webhook_url
+ENV WRONGSECRETS_MCP_SECRET=MCPStolenSecret42!
 ENV SPRINGDOC_UI=false
 ENV SPRINGDOC_DOC=false
 ENV BASTIONHOSTPATH="/home/wrongsecrets/.ssh"
@@ -70,4 +71,5 @@
 RUN adduser -u 2000 -D wrongsecrets
 USER wrongsecrets
 
-CMD java --add-modules=jdk.unsupported -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D application.jar
+CMD java -Xms128m -Xmx128m -Xss512k -jar -Dserver.port=$PORT -XX:MaxRAMPercentage=75 -XX:MinRAMPercentage=25 -Dspring.profiles.active=without-vault -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} application.jar
+# CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D application.jar
@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.12.11-no-vault
-ARG argBasedVersion="1.12.11-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.13.1-alpha5-no-vault
+ARG argBasedVersion="1.13.1-alpha5"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true
@@ -40,4 +40,4 @@ COPY .github/scripts/ /var/helpers
 COPY src/test/resources/alibabacreds.kdbx /var/helpers
 COPY src/test/resources/RSAprivatekey.pem /var/helpers
 COPY .ssh/ /home/wrongsecrets/.ssh/
-CMD java -Xms128m -Xmx128m -Xss512k -jar -Dserver.port=$PORT -XX:MaxRAMPercentage=75 -XX:MinRAMPercentage=25 -Dspring.profiles.active=without-vault -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} application.jar
+CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D  application.jar
@@ -16,7 +16,7 @@
 
 Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to _not_ store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.
 
-Can you solve all the 60 challenges?
+Can you solve all the 61 challenges?
 
 Try some of them on [our Heroku demo environment](https://wrongsecrets.herokuapp.com/).
 
@@ -29,12 +29,12 @@ Want to play the other challenges? Read the instructions on how to set them up b
 1. **Try Online First**: Visit our [Heroku demo](https://wrongsecrets.herokuapp.com/) to get familiar with the challenges
 2. **Run Locally**: Use Docker for the full experience with all challenges:
    ```bash
-   docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
+   docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:latest-no-vault
    ```
    Then open [http://localhost:8080](http://localhost:8080)
 3. **Want to see what's ahead?** Try our bleeding-edge master container with the latest features:
    ```bash
-   docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
+   docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
    ```
    ⚠️ *Note: This is a development version and may be unstable*
 4. **Advanced Setup**: For cloud challenges and Kubernetes exercises, see the detailed instructions below
@@ -128,16 +128,16 @@ Not sure which setup is right for you? Here's a quick guide:
 
 | **I want to...** | **Recommended Setup** | **Challenges Available** |
 |------------------|----------------------|--------------------------|
-| Try it quickly online | [Container running on Heroku](https://www.wrongsecrets.com/) | Basic challenges (1-4, 8, 12-32, 34-43, 49-52, 54-58) |
+| Try it quickly online | [Container running on Heroku](https://www.wrongsecrets.com/) | Basic challenges (1-4, 8, 12-32, 34-43, 49-52, 54-60) |
 | Run locally with Docker | [Basic Docker](#basic-docker-exercises) | Same as above, but on your machine |
-| Learn Kubernetes secrets | [K8s/Minikube Setup](#basic-k8s-exercise) | Kubernetes challenges (1-6, 8, 12-43, 48-58) |
+| Learn Kubernetes secrets | [K8s/Minikube Setup](#basic-k8s-exercise) | Kubernetes challenges (1-6, 8, 12-43, 48-60) |
 | Practice with cloud secrets | [Cloud Challenges](#cloud-challenges) | All challenges (1-87) |
 | Run a workshop/CTF | [CTF Setup](#ctf) | Customizable challenge sets |
 | Contribute to the project | [Development Setup](#notes-on-development) | All challenges + development tools |
 
 ## Basic docker exercises
 
-_Can be used for challenges 1-4, 8, 12-32, 34, 35-43, 49-52, 54-58_
+_Can be used for challenges 1-4, 8, 12-32, 34, 35-43, 49-52, 54-60_
 
 For the basic docker exercises you currently require:
 
@@ -147,19 +147,23 @@ For the basic docker exercises you currently require:
 You can install it by doing:
 
 ```bash
-docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
+docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:latest-no-vault
 ```
 
 **🚀 Want to try the bleeding-edge version?**
 
 If you want to see what's coming in the next release, you can use our automatically-built master container:
 
 ```bash
-docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
+docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
 ```
 
 ⚠️ **Warning**: This is a development version built from the latest master branch and may contain experimental features or instabilities.
 
+**📝 Note on Ports:**
+- Port **8080**: Main application (challenges 1-59)
+- Port **8090**: MCP server (required for Challenge 60)
+
 Now you can try to find the secrets by means of solving the challenge offered at the links below
 <details>
     <summary>all the links for docker challenges (click triangle to open the block).
@@ -210,6 +214,8 @@ Now you can try to find the secrets by means of solving the challenge offered at
 -   [localhost:8080/challenge/challenge-56](http://localhost:8080/challenge/challenge-56)
 -   [localhost:8080/challenge/challenge-57](http://localhost:8080/challenge/challenge-57)
 -   [localhost:8080/challenge/challenge-58](http://localhost:8080/challenge/challenge-58)
+-   [localhost:8080/challenge/challenge-59](http://localhost:8080/challenge/challenge-59)
+-   [localhost:8080/challenge/challenge-60](http://localhost:8080/challenge/challenge-60)
 </details>
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look
@@ -693,7 +699,7 @@ If you have made some changes to the codebase or added a new challenge and would
    - Note: Do you want to run this on your minikube? then first run `eval $(minikube docker-env)`.
 4. Follow any instructions given, you made need to install/change packages.
 5. Run the newly created container:
-  - to running locally: `docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test-no-vault`
+  - to running locally: `docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:local-test-no-vault`
   - to run it on your minikube: use the container `jeroenwillemsen/wrongsecrets:local-test-k8s-vault` in your deployment definition.
   - to run it with Vault on your minikube: use the container `jeroenwillemsen/wrongsecrets:local-test-local-vault` in your deployment definition.
 
@@ -710,7 +716,7 @@ Note: You can do a full roundtrip of cleaning, building, and testing with `./mvn
 ### Common Issues
 
 **Docker Issues:**
-- **Port already in use**: Change the port mapping: `docker run -p 8081:8080 jeroenwillemsen/wrongsecrets:latest-no-vault`
+- **Port already in use**: Change the port mapping: `docker run -p 8081:8080 -p 8091:8090 jeroenwillemsen/wrongsecrets:latest-no-vault`
 - **Docker not found**: Make sure Docker is installed and running
 - **Permission denied**: On Linux, you might need to add your user to the docker group
 

@@ -3,5 +3,5 @@
 kubectl port-forward vault-0 -n vault 8200:8200 &
 kubectl port-forward \
   $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-  8080:8080 \
+  8080:8080 8090:8090 \
   ;
@@ -58,7 +58,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.12.11-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha5-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]
@@ -79,6 +79,8 @@ spec:
           ports:
             - containerPort: 8080
               protocol: TCP
+            - containerPort: 8090
+              protocol: TCP
           readinessProbe:
             httpGet:
               path: "/actuator/health/readiness"

@@ -11,5 +11,10 @@ spec:
     - port: 80
       targetPort: 8080
       protocol: TCP
+      name: http
+    - port: 81
+      targetPort: 8090
+      protocol: TCP
+      name: MCP
   selector:
     app: secret-challenge
@@ -3,5 +3,5 @@
 kubectl port-forward vault-0 -n vault 8200:8200 &
 kubectl port-forward \
   $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-  8080:8080 \
+  8080:8080 8090:8090 \
   ;
@@ -7,5 +7,11 @@ spec:
   ports:
     - port: 80
       targetPort: 8080
+      protocol: TCP
+      name: http
+    - port: 81
+      targetPort: 8090
+      protocol: TCP
+      name: MCP
   selector:
     app: secret-challenge
@@ -61,7 +61,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "azure-wrongsecrets-vault"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.12.11-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha5-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]
@@ -78,6 +78,8 @@ spec:
           ports:
             - containerPort: 8080
               protocol: TCP
+            - containerPort: 8090
+              protocol: TCP
           readinessProbe:
             httpGet:
               path: '/actuator/health/readiness'

@@ -86,7 +86,7 @@ you run tests every time that you are adding something new.
 - Use GitHub Actions for CI container builds and tests.
 
 ### Step 3: Deploy
-- **Docker**: Run locally with `docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault`.
+- **Docker**: Run locally with `docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:latest-no-vault`.
 - **Kubernetes**: Apply manifests from `k8s/` and use challenge-specific images as needed.
 - **Heroku/Fly.io/Render/Okteto**: Use respective configuration files for cloud deployment.
 

@@ -12,9 +12,9 @@ The project maintains version consistency between:
 ## Version Schema
 
 ```
-pom.xml version:        1.12.11-SNAPSHOT
-Dockerfile version:     1.12.11
-Dockerfile.web version: 1.12.11-no-vault
+pom.xml version:        1.13.1-alpha5-SNAPSHOT
+Dockerfile version:     1.13.1-alpha5
+Dockerfile.web version: 1.13.1-alpha5-no-vault
 ```
 
 ## Automated Solutions

@@ -8,7 +8,7 @@ app = "wrongsecrets"
 primary_region = "ams"
 
 [build]
-  image = "docker.io/jeroenwillemsen/wrongsecrets:1.12.11-no-vault"
+  image = "docker.io/jeroenwillemsen/wrongsecrets:1.13.1-alpha5-no-vault"
 
 [env]
   K8S_ENV = "Fly(Docker)"

@@ -3,5 +3,5 @@
 kubectl port-forward vault-0 -n vault 8200:8200 &
 kubectl port-forward \
   $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-  8080:8080 \
+  8080:8080 8090:8090 \
   ;
@@ -11,5 +11,10 @@ spec:
     - port: 80
       targetPort: 8080
       protocol: TCP
+      name: http
+    - port: 81
+      targetPort: 8090
+      protocol: TCP
+      name: MCP
   selector:
     app: secret-challenge
@@ -58,14 +58,16 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-gcp-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.12.11-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.13.1-alpha5-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: ["/bin/sh"]
           args: ["-c", "source /vault/secrets/challenge46 && source /vault/secrets/challenge47 && java -jar -Dspring.profiles.active=kubernetes-vault -Dspringdoc.swagger-ui.enabled=true -Dspringdoc.api-docs.enabled=true -D /application/application.jar"]
           ports:
             - containerPort: 8080
               protocol: TCP
+            - containerPort: 8090
+              protocol: TCP
           readinessProbe:
             httpGet:
               path: '/actuator/health/readiness'

@@ -1,5 +1,5 @@
 
  function secret() {
- var password = "3F4QBCQ=" + 9 + "RGlS" + 6 + "W9g=" + 2 + "Hk2F" + 7;
+ var password = "t5K69iQ=" + 9 + "IoOL" + 6 + "jYE=" + 2 + "/i5I" + 7;
  return password;
  }