OWASP · Copilot · Feb 23, 2026 · Feb 23, 2026 · Feb 24, 2026 · Feb 24, 2026
@@ -202,7 +202,7 @@ class Challenge[Number]Test {
 docker build -t wrongsecrets .
 
 # Run locally
-docker run -p 8080:8080 wrongsecrets
+docker run -p 8080:8080 -p 8090:8090 wrongsecrets
 ```
 
 ## Testing Guidelines

@@ -236,7 +236,7 @@ local_extra_info() {
     if [[ $script_mode == "local" ]] ; then
         echo ""
         echo "⚠️⚠️ This script is running in local mode, with no arguments this script will build your current code and package into a docker container for easy local testing"
-        echo "If the container gets built correctly you can run the container with the command: docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test, if there are errors the script should tell you what to do ⚠️⚠️"
+        echo "If the container gets built correctly you can run the container with the command: docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:local-test, if there are errors the script should tell you what to do ⚠️⚠️"
         echo ""
     fi
 }
@@ -447,7 +447,7 @@ test() {
     if [[ "$script_mode" == "test" ]]; then
         echo "Running the tests"
         echo "Starting the docker container"
-        docker run -d -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test
+        docker run -d -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:local-test
         until $(curl --output /dev/null --silent --head --fail http://localhost:8080); do
             printf '.'
             sleep 5

@@ -19,6 +19,6 @@ jobs:
       - uses: actions/checkout@v5
       - name: run container
         run: |
-          podman run -dt -p 8080:8080 docker.io/jeroenwillemsen/wrongsecrets:latest-no-vault && \
+          podman run -dt -p 8080:8080 -p 8090:8090 docker.io/jeroenwillemsen/wrongsecrets:latest-no-vault && \
           echo "wait 20 seconds for container to come up" && sleep 20 && \
           curl localhost:8080
@@ -116,7 +116,7 @@ jobs:
           echo "**🐳 Try the bleeding-edge version:**" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
           echo "docker pull ghcr.io/${{ github.repository }}/wrongsecrets-master:latest-master" >> $GITHUB_STEP_SUMMARY
-          echo "docker run -p 8080:8080 ghcr.io/${{ github.repository }}/wrongsecrets-master:latest-master" >> $GITHUB_STEP_SUMMARY
+          echo "docker run -p 8080:8080 -p 8090:8090 ghcr.io/${{ github.repository }}/wrongsecrets-master:latest-master" >> $GITHUB_STEP_SUMMARY
           echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "Then visit: http://localhost:8080" >> $GITHUB_STEP_SUMMARY
@@ -62,7 +62,7 @@ jobs:
           kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
           kubectl port-forward \
               $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-              8080:8080 \
+              8080:8080 8090:8090 \
               &
           echo "Do minikube delete to stop minikube from running and cleanup to start fresh again"
           echo "wait 20 seconds so we can check if vault-k8s-container works"

@@ -178,13 +178,13 @@ jobs:
             \`\`\`bash
             # Download the artifact, extract it, then:
             docker load < wrongsecrets-preview.tar
-            docker run -p 8080:8080 wrongsecrets-preview
+            docker run -p 8080:8080 -p 8090:8090 wrongsecrets-preview
             \`\`\`
 
             **🚀 Alternative - Pull from Registry:**
             \`\`\`bash
             docker pull ${imageTag}
-            docker run -p 8080:8080 ${imageTag}
+            docker run -p 8080:8080 -p 8090:8090 ${imageTag}
             \`\`\`
 
             Then visit: http://localhost:8080
@@ -318,8 +318,8 @@ jobs:
 
       - name: Start both versions
         run: |
-          docker run -d -p 8080:8080 --name pr-version wrongsecrets-pr
-          docker run -d -p 8081:8080 --name main-version wrongsecrets-main
+          docker run -d -p 8080:8080 -p 8090:8090 --name pr-version wrongsecrets-pr
+          docker run -d -p 8081:8080 -p 8091:8090 --name main-version wrongsecrets-main
 
           # Wait for services to start
           echo "Waiting for services to start..."

@@ -79,8 +79,8 @@ jobs:
 
       - name: Start both versions
         run: |
-          docker run -d -p 8080:8080 --name pr-version wrongsecrets-pr
-          docker run -d -p 8081:8080 --name main-version wrongsecrets-main
+          docker run -d -p 8080:8080 -p 8090:8090 --name pr-version wrongsecrets-pr
+          docker run -d -p 8081:8080 -p 8091:8090 --name main-version wrongsecrets-main
 
           # Wait for containers to start
           echo "Waiting for containers to start..."

@@ -13,11 +13,12 @@
 ARG spring_profile=""
 ARG challenge59_webhook_url="YUhSMGNITTZMeTlvYjI5cmN5NXpiR0ZqYXk1amIyMHZjMlZ5ZG1salpYTXZWREEwVkRRd1RraFlMMEl3T1VSQlRrb3lUamRMTDJNeWFqYzFSVEUzVjFrd2NFeE5SRXRvU0RsbGQzZzBhdz09"
 ENV SPRING_PROFILES_ACTIVE=$spring_profile
 ENV ARG_BASED_PASSWORD=$argBasedPassword
 ENV APP_VERSION=$argBasedVersion
 ENV DOCKER_ENV_PASSWORD="This is it"
 ENV AZURE_KEY_VAULT_ENABLED=false
 ENV CHALLENGE59_SLACK_WEBHOOK_URL=$challenge59_webhook_url
+ENV WRONGSECRETS_MCP_SECRET=MCPStolenSecret42!
 ENV SPRINGDOC_UI=false
 ENV SPRINGDOC_DOC=false
 ENV BASTIONHOSTPATH="/home/wrongsecrets/.ssh"
@@ -70,4 +71,4 @@
 RUN adduser -u 2000 -D wrongsecrets
 USER wrongsecrets

 CMD java --add-modules=jdk.unsupported -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D application.jar
@@ -16,7 +16,7 @@
 
 Welcome to the OWASP WrongSecrets game! The game is packed with real life examples of how to _not_ store secrets in your software. Each of these examples is captured in a challenge, which you need to solve using various tools and techniques. Solving these challenges will help you recognize common mistakes & can help you to reflect on your own secrets management strategy.
 
-Can you solve all the 60 challenges?
+Can you solve all the 61 challenges?
 
 Try some of them on [our Heroku demo environment](https://wrongsecrets.herokuapp.com/).
 
@@ -29,12 +29,12 @@ Want to play the other challenges? Read the instructions on how to set them up b
 1. **Try Online First**: Visit our [Heroku demo](https://wrongsecrets.herokuapp.com/) to get familiar with the challenges
 2. **Run Locally**: Use Docker for the full experience with all challenges:
    ```bash
-   docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
+   docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:latest-no-vault
    ```
    Then open [http://localhost:8080](http://localhost:8080)
 3. **Want to see what's ahead?** Try our bleeding-edge master container with the latest features:
    ```bash
-   docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
+   docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
    ```
    ⚠️ *Note: This is a development version and may be unstable*
 4. **Advanced Setup**: For cloud challenges and Kubernetes exercises, see the detailed instructions below
@@ -128,16 +128,16 @@ Not sure which setup is right for you? Here's a quick guide:
 
 | **I want to...** | **Recommended Setup** | **Challenges Available** |
 |------------------|----------------------|--------------------------|
-| Try it quickly online | [Container running on Heroku](https://www.wrongsecrets.com/) | Basic challenges (1-4, 8, 12-32, 34-43, 49-52, 54-58) |
+| Try it quickly online | [Container running on Heroku](https://www.wrongsecrets.com/) | Basic challenges (1-4, 8, 12-32, 34-43, 49-52, 54-60) |
 | Run locally with Docker | [Basic Docker](#basic-docker-exercises) | Same as above, but on your machine |
-| Learn Kubernetes secrets | [K8s/Minikube Setup](#basic-k8s-exercise) | Kubernetes challenges (1-6, 8, 12-43, 48-58) |
+| Learn Kubernetes secrets | [K8s/Minikube Setup](#basic-k8s-exercise) | Kubernetes challenges (1-6, 8, 12-43, 48-60) |
 | Practice with cloud secrets | [Cloud Challenges](#cloud-challenges) | All challenges (1-87) |
 | Run a workshop/CTF | [CTF Setup](#ctf) | Customizable challenge sets |
 | Contribute to the project | [Development Setup](#notes-on-development) | All challenges + development tools |
 
 ## Basic docker exercises
 
-_Can be used for challenges 1-4, 8, 12-32, 34, 35-43, 49-52, 54-58_
+_Can be used for challenges 1-4, 8, 12-32, 34, 35-43, 49-52, 54-60_
 
 For the basic docker exercises you currently require:
 
@@ -147,19 +147,23 @@ For the basic docker exercises you currently require:
 You can install it by doing:
 
 ```bash
-docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault
+docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:latest-no-vault
 ```
 
 **🚀 Want to try the bleeding-edge version?**
 
 If you want to see what's coming in the next release, you can use our automatically-built master container:
 
 ```bash
-docker run -p 8080:8080 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
+docker run -p 8080:8080 -p 8090:8090 ghcr.io/owasp/wrongsecrets/wrongsecrets-master:latest-master
 ```
 
 ⚠️ **Warning**: This is a development version built from the latest master branch and may contain experimental features or instabilities.
 
+**📝 Note on Ports:**
+- Port **8080**: Main application (challenges 1-59)
+- Port **8090**: MCP server (required for Challenge 60)
+
 Now you can try to find the secrets by means of solving the challenge offered at the links below
 <details>
     <summary>all the links for docker challenges (click triangle to open the block).
@@ -210,6 +214,8 @@ Now you can try to find the secrets by means of solving the challenge offered at
 -   [localhost:8080/challenge/challenge-56](http://localhost:8080/challenge/challenge-56)
 -   [localhost:8080/challenge/challenge-57](http://localhost:8080/challenge/challenge-57)
 -   [localhost:8080/challenge/challenge-58](http://localhost:8080/challenge/challenge-58)
+-   [localhost:8080/challenge/challenge-59](http://localhost:8080/challenge/challenge-59)
+-   [localhost:8080/challenge/challenge-60](http://localhost:8080/challenge/challenge-60)
 </details>
 
 Note that these challenges are still very basic, and so are their explanations. Feel free to file a PR to make them look
@@ -693,7 +699,7 @@ If you have made some changes to the codebase or added a new challenge and would
    - Note: Do you want to run this on your minikube? then first run `eval $(minikube docker-env)`.
 4. Follow any instructions given, you made need to install/change packages.
 5. Run the newly created container:
-  - to running locally: `docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:local-test-no-vault`
+  - to running locally: `docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:local-test-no-vault`
   - to run it on your minikube: use the container `jeroenwillemsen/wrongsecrets:local-test-k8s-vault` in your deployment definition.
   - to run it with Vault on your minikube: use the container `jeroenwillemsen/wrongsecrets:local-test-local-vault` in your deployment definition.
 
@@ -710,7 +716,7 @@ Note: You can do a full roundtrip of cleaning, building, and testing with `./mvn
 ### Common Issues
 
 **Docker Issues:**
-- **Port already in use**: Change the port mapping: `docker run -p 8081:8080 jeroenwillemsen/wrongsecrets:latest-no-vault`
+- **Port already in use**: Change the port mapping: `docker run -p 8081:8080 -p 8091:8090 jeroenwillemsen/wrongsecrets:latest-no-vault`
 - **Docker not found**: Make sure Docker is installed and running
 - **Permission denied**: On Linux, you might need to add your user to the docker group
 

@@ -3,5 +3,5 @@
 kubectl port-forward vault-0 -n vault 8200:8200 &
 kubectl port-forward \
   $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-  8080:8080 \
+  8080:8080 8090:8090 \
   ;
@@ -79,6 +79,8 @@ spec:
           ports:
             - containerPort: 8080
               protocol: TCP
+            - containerPort: 8090
+              protocol: TCP
           readinessProbe:
             httpGet:
               path: "/actuator/health/readiness"

@@ -11,5 +11,10 @@ spec:
     - port: 80
       targetPort: 8080
       protocol: TCP
+      name: http
+    - port: 81
+      targetPort: 8090
+      protocol: TCP
+      name: MCP
   selector:
     app: secret-challenge
@@ -3,5 +3,5 @@
 kubectl port-forward vault-0 -n vault 8200:8200 &
 kubectl port-forward \
   $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-  8080:8080 \
+  8080:8080 8090:8090 \
   ;
@@ -7,5 +7,11 @@ spec:
   ports:
     - port: 80
       targetPort: 8080
+      protocol: TCP
+      name: http
+    - port: 81
+      targetPort: 8090
+      protocol: TCP
+      name: MCP
   selector:
     app: secret-challenge
@@ -78,6 +78,8 @@ spec:
           ports:
             - containerPort: 8080
               protocol: TCP
+            - containerPort: 8090
+              protocol: TCP
           readinessProbe:
             httpGet:
               path: '/actuator/health/readiness'

@@ -86,7 +86,7 @@ you run tests every time that you are adding something new.
 - Use GitHub Actions for CI container builds and tests.
 
 ### Step 3: Deploy
-- **Docker**: Run locally with `docker run -p 8080:8080 jeroenwillemsen/wrongsecrets:latest-no-vault`.
+- **Docker**: Run locally with `docker run -p 8080:8080 -p 8090:8090 jeroenwillemsen/wrongsecrets:latest-no-vault`.
 - **Kubernetes**: Apply manifests from `k8s/` and use challenge-specific images as needed.
 - **Heroku/Fly.io/Render/Okteto**: Use respective configuration files for cloud deployment.
 

@@ -3,5 +3,5 @@
 kubectl port-forward vault-0 -n vault 8200:8200 &
 kubectl port-forward \
   $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-  8080:8080 \
+  8080:8080 8090:8090 \
   ;
@@ -11,5 +11,10 @@ spec:
     - port: 80
       targetPort: 8080
       protocol: TCP
+      name: http
+    - port: 81
+      targetPort: 8090
+      protocol: TCP
+      name: MCP
   selector:
     app: secret-challenge
@@ -66,6 +66,8 @@ spec:
           ports:
             - containerPort: 8080
               protocol: TCP
+            - containerPort: 8090
+              protocol: TCP
           readinessProbe:
             httpGet:
               path: '/actuator/health/readiness'

@@ -3,5 +3,5 @@
 kubectl port-forward vault-0 -n vault 8200:8200 &
 kubectl port-forward \
   $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-  8080:8080 \
+  8080:8080 8090:8090\
   ;
@@ -193,7 +193,7 @@ kubectl logs -l app=secret-challenge -f >> pod.log &
 kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
 kubectl port-forward \
     $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-    8080:8080 \
+    8080:8080 8090:8090 \
     &
 echo "Do minikube delete to stop minikube from running and cleanup to start fresh again"
 echo "wait 20 seconds so we can check if vault-k8s-container works"

@@ -34,6 +34,8 @@ spec:
           ports:
             - containerPort: 8080
               protocol: TCP
+            - containerPort: 8090
+              protocol: TCP
           readinessProbe:
             httpGet:
               path: '/actuator/health/readiness'

@@ -43,6 +43,8 @@ spec:
           ports:
             - containerPort: 8080
               protocol: TCP
+            - containerPort: 8090
+              protocol: TCP
           readinessProbe:
             httpGet:
               path: "/actuator/health/readiness"

@@ -43,6 +43,8 @@ spec:
           ports:
             - containerPort: 8080
               protocol: TCP
+            - containerPort: 8090
+              protocol: TCP
           readinessProbe:
             httpGet:
               path: "/actuator/health/readiness"

@@ -7,5 +7,7 @@ spec:
   ports:
     - name: http
       port: 8080
+    - name: mcp
+      port: 8090
   selector:
     app: secret-challenge-ctf
@@ -7,5 +7,7 @@ spec:
   ports:
     - name: http
       port: 8080
+    - name: mcp
+      port: 8090
   selector:
     app: secret-challenge
@@ -4,6 +4,6 @@ while [[ $(kubectl get pods -l app=secret-challenge -o 'jsonpath={..status.condi
 #kubectl expose deployment secret-challenge --type=LoadBalancer --port=8080
 kubectl port-forward \
   $(kubectl get pod -l app=secret-challenge -o jsonpath="{.items[0].metadata.name}") \
-  8080:8080 \
+  8080:8080 8090:8090 \
   &
 echo "Run terraform destroy to clean everything up."
@@ -0,0 +1,32 @@
+package org.owasp.wrongsecrets;
+
+import org.apache.catalina.connector.Connector;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.tomcat.TomcatWebServerFactory;
+import org.springframework.boot.web.server.WebServerFactoryCustomizer;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * Configures an additional HTTP connector so the MCP server endpoint is also available on a
+ * dedicated port (default 8090). This simulates the realistic scenario where MCP servers run
+ * alongside a main application on a separate port.
+ */
+@Configuration
+public class McpServerConfig {
+
+  @Value("${mcp.server.port:8090}")
+  private int mcpPort;
+
+  /** Adds a secondary Tomcat connector on the MCP port when the port value is positive. */
+  @Bean
+  public WebServerFactoryCustomizer<TomcatWebServerFactory> mcpConnectorCustomizer() {
+    return factory -> {
+      if (mcpPort > 0) {
+        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
+        connector.setPort(mcpPort);
+        factory.addAdditionalConnectors(connector);
+      }
+    };
+  }
+}
@@ -51,7 +51,7 @@ private void configureCsrf(HttpSecurity http) throws Exception {
     http.csrf(
         csrf ->
             csrf.ignoringRequestMatchers(
-                "/canaries/tokencallback", "/canaries/tokencallbackdebug", "/token"));
+                "/canaries/tokencallback", "/canaries/tokencallbackdebug", "/token", "/mcp"));
   }
 
   private void configureBasicAuthentication(HttpSecurity http, List<BasicAuthentication> auths)