lolcreds

Public credential defaults and exposure patterns for authorized security testing.

WSO2 Identity Server

WSO2identity4 credentials

Credentials4 documented
01

Administrator Password

wso2-identity-server / admin-password

WSO2 Identity Server has an administrator account used to access the Management Console and administrative APIs. WSO2 documents changing the default administrator password during secure deployment.

generated on installuser definedsecretusername/password

Location

config file

deployment.toml, user-mgt.xml, carbon.xml, and provisioning files

public interface
/carbon, management APIs

WSO2 Management Console and administrative endpoints

database

WSO2 user store and registry databases containing user and credential verifier data

environment
WSO2_ADMIN_USERNAME, WSO2_ADMIN_PASSWORD
secret store

Secure Vault, Kubernetes Secrets, cloud secret managers, and CI/CD variables

source code

deployment manifests, Helm values, Docker Compose files, and committed config

logs

startup logs, installer output, and authentication traces

Notes

Do not rely on example admin credentials as a universal default. Treat the administrator credential as deployment-specific and rotate it after setup.

02

OIDC Application Client Secret

wso2-identity-server / oidc-client-secret

WSO2 Identity Server service providers and OIDC applications use OAuth client credentials, including a client secret, to authenticate token requests and relying-party integrations.

generated on installsecretsecret value

Location

database

WSO2 registry/user-store database records for service provider and OAuth application configuration

config file

service provider exports, application config, .env files, and deployment manifests

environment
WSO2_CLIENT_ID, WSO2_CLIENT_SECRET
secret store

Secure Vault, application secret stores, CI/CD variables, and cloud secret managers

source code

OAuth examples, tests, and committed relying-party config

logs

OAuth token exchange and OIDC troubleshooting logs

Notes

Client secret exposure can allow impersonation of the WSO2 OIDC/OAuth application in supported token flows.

03

Database / User Store Credentials

wso2-identity-server / database-credentials

WSO2 Identity Server stores identity, registry, and user-management data in configured databases and user stores. Deployment configuration can include database usernames, passwords, and LDAP bind credentials.

user definedsecretusername/password

Location

config file

deployment.toml, master-datasources.xml, user-mgt.xml, and LDAP user store config

environment
WSO2_DB_USERNAME, WSO2_DB_PASSWORD, WSO2_LDAP_BIND_PASSWORD
secret store

WSO2 Secure Vault, Kubernetes Secrets, database vault entries, and cloud secret managers

source code

committed deployment configs, Helm values, and Docker Compose files

logs

datasource connection logs and LDAP troubleshooting output

Notes

These credentials can expose identity data, service provider secrets, user accounts, and token/session stores.

04

Keystore / Truststore Password

wso2-identity-server / keystore-password

WSO2 deployments use Java keystores and truststores for TLS, signing, and encryption. Keystore passwords protect private keys used by the Identity Server.

user definedsecretpassword

Looks like

pattern
pattern

WSO2 deployment configuration containing keystore or truststore password

(?:keystore|truststore|keyStore|trustStore).*password\s*=\s*[^\r\n]+

Location

config file

deployment.toml, carbon.xml, axis2.xml, and Java keystore configuration

secret store

WSO2 Secure Vault, Java keystores, Kubernetes Secrets, and cloud secret managers

source code

committed deployment configs and container build contexts

image

images containing keystores and deployment configuration

Notes

Keystore credentials may unlock SAML/OIDC signing keys and TLS private keys trusted by identity clients.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.