Information disclosure - gachikuku/portswigger GitHub Wiki

Apprentice lab: Source code disclosure via backup files

This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the database password, which is hard-coded in the leaked source code.

  • Solution

    1. Check /robots.txt.
    2. Check /backup.
    3. Look through the source code for anything interisting.

Apprentice lab: Information disclosure in error messages

This lab's verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.

  • Solution

    1. Check a product.
    2. Observe the endpoint with productId parameter expecting an integer. Try different types, perhaps a char.
    3. Observe the error messege.

Apprentice lab: Information disclosure on debug page

This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.

  • Solution

    1. View-source. Notice in the commends there is an interisting endpoint.
    2. Search and find (⌘ F) for SECRET_KEY.

Apprentice lab: Authentication bypass via information disclosure

This lab's administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end.
To solve the lab, obtain the header name then use it to bypass the lab's authentication. Access the admin interface and delete the user carlos.
You can log in to your own account using the following credentials: wiener:peter

  • Solution (Explaination)

    1. /admin panel is accessible to local users only.
    2. Reload the page this time with Intercept on using mitmproxy (set intercept 'admin').
    3. Use TRACE method to inspect further the Response.
    4. Notice there is a strange Header X-Custom-IP-Authorization: <IP-Address> in the Response.
    5. set modify_headers /X-Custom-IP-Authorization/127.0.0.1 is same as "Match and Replace" in Burp.
    6. Delete poor carlos.

NOTE:
In this lab localhost did not work!

Practitioner lab: Information disclosure in version control history

This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete the user carlos.

  • Solution

    1. Use the dsstorewordlist.txt wordlist, to discover endpoints.
    ffuf -u "https://uuid.web-security-academy.net/FUZZ" -w SecLists/Discovery/Web-Content/dsstorewordlist.txt -c
...
admin                   [Status: 401, Size: 2617, Words: 1049, Lines: 54, Duration: 162ms]
.git                    [Status: 200, Size: 1201, Words: 256, Lines: 27, Duration: 253ms]
login                   [Status: 200, Size: 3192, Words: 1315, Lines: 64, Duration: 75ms]
analytics               [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 71ms]
logout                  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 108ms]
    1. Download the version control history of the website.
    wget -r "https://uuid.web-security-academy.net/.git"
    1. Change into the downloaded directory and do a git log.
    commit b3c75939ffb61480adac0253742b29af73bb9492 (HEAD -> master)
Author: Carlos Montoya <[email protected]>
Date:   Tue Jun 23 14:05:07 2020 +0000

    Remove admin password from config

commit 9ef3a538bab5e38d702bab0a8fa411a34fc60b0a
Author: Carlos Montoya <[email protected]>
Date:   Mon Jun 22 16:23:42 2020 +0000

Add skeleton admin panel
    1. Notice, there is an admin password in the config. git status reveals the files.
    On branch master
Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        deleted:    admin.conf
        deleted:    admin_panel.php

no changes added to commit (use "git add" and/or "git commit -a")
    1. Do a git checkout 9ef3a538bab5e38d702bab0a8fa411a34fc60b0a and a git status again.
    HEAD detached at 9ef3a53
Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        deleted:    admin_panel.php

no changes added to commit (use "git add" and/or "git commit -a")

    1. Do a git restore admin_panel.php and then cat *.

    2. go to /login and login as administrator and delete poor carlos.

  • Solution (Better)

    1. Repeat steps one, two and three.
    2. Do a git diff 9ef3a53.
    3. Repeat last step.

Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite

⚠️ **GitHub.com Fallback** ⚠️