Portswigger - Information Disclosure - Lab #3 Source code disclosure via backup files


Hello Hackers, in this video on Source code disclosure via backup files you will see how to discover, exploit and extract the sensitive information that leaks for potential attacks, using Burp Suite in a lab from the Web Security Academy powered by PortSwigger.

⚠️ Subscribe to my channel ➡️ @popo_hack ⚠️

0:00 - About the Lab
0:41 - About the robots.txt file
0:57 - Google's robots.txt file
2:40 - Find hidden directory
3:06 - Discover /backup
3:28 - Find database credentials

🔍 About the Lab
Lab: Source code disclosure via backup files
Level: Apprentice
This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the database password, which is hard-coded in the leaked source code.

✅ What to do?
1. Browse to /robots.txt and notice that it reveals the existence of a /backup directory. Browse to /backup to find the file ProductTemplate.java.bak. Alternatively, right-click on the lab in the site map and go to "Engagement tools" then "Discover content". Then, launch a content discovery session to discover the /backup directory and its contents.

2. Browse to /backup/ProductTemplate.java.bak to access the source code.

3. In the source code, notice that the connection builder contains the hard-coded password for a Postgres database.

4. Go back to the lab, click "Submit solution", and enter the database password to solve the lab.
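The steps above show the attacker's view; the same mistake is easy to catch before deployment. The following is an added example (not part of the lab or PortSwigger's code) that audits a web root for backup artifacts such as `ProductTemplate.java.bak` and flags hard-coded credentials inside them. It assumes a local directory as the web root and constructs a placeholder copy of the leaked file; the regexes, `audit_webroot` and `demo` are this example's own names.

```python
import re
import tempfile
from pathlib import Path

# File suffixes that commonly mark editor or deployment backup artifacts.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")
# Credential assignments as they appear in connection/builder code.
SECRET_PATTERNS = [
    re.compile(r'password\s*[=:]\s*["\']([^"\']+)["\']', re.IGNORECASE),
    re.compile(r'\.withPassword\(\s*["\']([^"\']+)["\']\s*\)'),
]

def is_backup_artifact(path):
    return path.name.endswith(BACKUP_SUFFIXES)

def find_hardcoded_secrets(text):
    """Return (line number, secret) pairs for credential literals in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in SECRET_PATTERNS:
            hits.extend((lineno, m.group(1)) for m in pat.finditer(line))
    return hits

def audit_webroot(root):
    """List backup artifacts under root (a web root) and any secrets they hold."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and is_backup_artifact(path):
            text = path.read_text(errors="replace")
            findings.append({"path": path.relative_to(root).as_posix(),
                             "secrets": find_hardcoded_secrets(text)})
    return findings

# Constructed stand-in for the leaked file; the password is a placeholder.
SAMPLE_JAVA = """package data.productcatalog;
public class ProductTemplate {
    static void connect() {
        String user = "postgres";
        String password = "placeholder-db-password";  // hard-coded credential
    }
}
"""

def demo():
    """Build a throwaway web root with a stray /backup file and audit it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text("<html></html>")
        Path(root, "backup").mkdir()
        Path(root, "backup", "ProductTemplate.java.bak").write_text(SAMPLE_JAVA)
        return audit_webroot(root)
```

Running `demo()` reports the single `.bak` file with the credential on line 5 of the constructed source; in a real pipeline, any finding would fail the build and the credential would move to a secret store.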

Thank you for watching my video. If you have any questions or topic recommendations, feel free to write them in the comments below 🙋

#WebSecurityAcademy #portswigger #leakinfo #vulnerability
