🗂️PortSwigger Lab Writeup: Source Code Disclosure via Backup Files
🎯 Objective
The objective of this lab is to discover an information disclosure vulnerability in a web application that exposes a backup file in production; our goal is to obtain the database password from the source code contained in that backup.
- Lab URL: https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-via-backup-files
- Category: Information Disclosure
- Difficulty: Apprentice
🧪 Exploitation Steps
🕵️Step 1: Observe the Website
- First, open the lab URL in your browser and observe what the site is about and how it works.
- At first glance, the website seems to be a shopping website with very unique and unrelated products. The lab description mentions that there is a hidden backup page, and we need to find that page.
🧰Step 2: Finding Backup Page
- Backup directories are commonly named `/backup/`, so let's try opening it.
- We successfully retrieved the `backup` page, and we can see that there is a source code file in it.
- After opening the source code, we can see the database password hardcoded in the code.
- Hence, we successfully retrieved the DB password from the backup files.
🚀Step 3: Submit the password
- Copy the DB password from the backup files and paste it into `Submit solution` to complete the lab.
- Finally, the lab is solved.
🧠 Conclusion
- This lab demonstrated how an information disclosure vulnerability can occur when backup files are left accessible in production. By navigating to `/backup/`, we were able to access a source file and extract the hardcoded database password.
- Such exposures can have a severe impact: an attacker could directly connect to the database, steal or modify data, and pivot further into the internal environment.
- This highlights the importance of removing backup files from public directories, disabling directory listing, and avoiding hardcoded secrets in source code.
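As an added example for the mitigations listed above (not part of the original writeup or PortSwigger's lab code), the following pre-deploy check walks a web root and flags leftover backup directories or files and source files containing hardcoded password-like literals; the name lists, regex and sample tree are constructed assumptions.

```python
"""Pre-deploy audit for the two exposures this lab relies on: backup
artifacts left under a web root and hardcoded credentials in source.
Added example for this writeup; names, patterns and the sample tree
below are constructed assumptions, not the lab's real files."""
import os
import re
import tempfile
from pathlib import Path

# Directory names and file suffixes that commonly denote leftover backups.
BACKUP_DIR_NAMES = {"backup", "backups", "bak", "old"}
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~", ".tar.gz", ".zip", ".sql")

# Assignment of a non-empty quoted literal to a password/secret-like name.
SECRET_RE = re.compile(
    r"""(?i)\b(?:db_?pass(?:word)?|password|passwd|secret|api_?key)\b\s*[:=]\s*["'][^"']{4,}["']"""
)


def audit_webroot(root):
    """Return sorted (kind, relative_posix_path) findings, where kind is
    'backup_dir', 'backup_file' or 'hardcoded_secret'."""
    root = Path(root)
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in dirnames:
            if d.lower() in BACKUP_DIR_NAMES:
                findings.add(("backup_dir", (rel_dir / d).as_posix()))
        for f in filenames:
            rel = rel_dir / f
            if f.lower().endswith(BACKUP_SUFFIXES):
                findings.add(("backup_file", rel.as_posix()))
            try:
                text = (root / rel).read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if SECRET_RE.search(text):
                findings.add(("hardcoded_secret", rel.as_posix()))
    return sorted(findings)


def build_sample_webroot():
    """Constructed tree mirroring the lab layout: a stray backup directory
    holding a source file with a hardcoded DB password."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<h1>Shop</h1>")
    (root / "backup").mkdir()
    (root / "backup" / "source.java.bak").write_text(
        'String dbPassword = "constructed-example-password";'
    )
    return root


if __name__ == "__main__":
    for kind, path in audit_webroot(build_sample_webroot()):
        print(f"{kind:17} {path}")
```

Run it against the real deployment directory instead of the sample tree; a non-empty result should fail the deployment pipeline.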