Write-up: Source code disclosure via backup files @ PortSwigger Academy

Frank Leitner, published in InfoSec Write-ups, Nov 30, 2022 (3 min read)


This write-up for the lab Source code disclosure via backup files is part of my walkthrough series for PortSwigger’s Web Security Academy.

Learning path: Server-side topics → Information disclosure

Python script: script.py

Lab description

Steps

When analyzing a web page, one of the first steps is always to check for the existence of a robots.txt file.

It is a plain-text file that asks search-engine crawlers to include or exclude certain parts of the site from their index. Sometimes, interesting locations are revealed that way.

It is up to each crawler whether it honours these wishes or ignores them. As the file is plain text, the same applies to any human reading it.

In this case, it points straight to the subdirectory /backup (other ways to discover it would be tools like Burp Content Discovery, gobuster, wfuzz, ...).

Checking the directory shows a backup file for some Java code:

In the code, the credentials for the database connections can be found:

After submitting the solution, the lab updates to:
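The two findings walked through above, Disallow entries in robots.txt and a leaked backup file carrying hard-coded database credentials, as an added Python example written for a pre-deployment self-check (this is not the author's script.py; the robots.txt body, the Java snippet and the credential values are constructed samples):

```python
import re
from typing import Dict, List

# Constructed sample robots.txt, not the lab's actual file.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /backup   # staging leftover
Disallow: /admin/
Allow: /public
"""

# Constructed sample of a Java backup file with placeholder credentials.
SAMPLE_JAVA_BAK = """
public class ProductTemplate {
    private static final String URL = "jdbc:postgresql://localhost/products";
    private static final String USER = "EXAMPLE_USER";
    private static final String PASS = "EXAMPLE_PASS";
}
"""

# Common suffixes editors and deploy scripts leave behind on web roots.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")

# Assumed patterns for the credential shapes seen in the lab's Java code.
CRED_PATTERNS = {
    "jdbc_url": re.compile(r'"(jdbc:[^"]+)"'),
    "user": re.compile(r'(?i)\b(?:USER|USERNAME)\s*=\s*"([^"]+)"'),
    "password": re.compile(r'(?i)\b(?:PASS|PASSWORD|PWD)\s*=\s*"([^"]+)"'),
}


def disallowed_paths(robots_txt: str) -> List[str]:
    """Return every Disallow path in a robots.txt body, in file order."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:  # an empty Disallow means "allow everything"
                paths.append(value)
    return paths


def looks_like_backup(filename: str) -> bool:
    """True if the file name ends in a suffix that should never be deployed."""
    return filename.lower().endswith(BACKUP_SUFFIXES)


def find_credentials(source: str) -> Dict[str, List[str]]:
    """Collect connection strings and user/password literals from source text."""
    return {name: pat.findall(source) for name, pat in CRED_PATTERNS.items()}
```

Paths returned by disallowed_paths are exactly the ones worth listing in the deployed tree, since hiding them from crawlers does nothing against a reader of the file itself.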
