Introduction
Hello everyone, in this post I am going to share write-ups for all the PortSwigger information disclosure labs. Sensitive information disclosure (also known as sensitive data exposure) happens when an application does not adequately protect sensitive information, which may then be disclosed to parties that are not supposed to have access to it. The dangers of leaking sensitive user or business data are fairly obvious, but disclosing technical information can sometimes be just as serious.
Lab — 1 : Information disclosure in error messages
Objective
This lab’s verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.
Detection
Every product here has a productID. Intercept that request and add ' at the end of the productID.
This causes an error, and the error message leaks the version of the Apache Struts framework. Submit this version to solve the lab.
Lab-2 : Information disclosure on debug page
Objective
This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.
Detection
In Burp Suite we can see there is a cgi-bin folder which contains a phpinfo.php file. We know that phpinfo is commonly used to check configuration settings. Open the page, press CTRL+F and search for secret_key.
Submit the key to complete the lab.
Lab — 3: Source code disclosure via backup files
Objective
This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the database password, which is hard-coded in the leaked source code.
Detection
There is a /robots.txt file on this website.
In the /backup folder the Java code is leaked, and it contains the Postgres username and password.
Submit the password to complete the lab.
Lab — 4: Authentication bypass via information disclosure
Objective
This lab’s administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end.
To solve the lab, obtain the header name then use it to bypass the lab’s authentication. Access the admin interface and delete Carlos’s account.
You can log in to your own account using the following credentials: wiener:peter
Detection
We already know /admin is the admin panel.
As we can see, /admin is only accessible to local users. The TRACE method is used to invoke a remote, application-layer loopback of the request message. Let's use the TRACE method.
We can see it is using x-custom-ip-authorization, which we can use to access this website as a local user.
Now we can access the /admin panel of the website. Delete the user Carlos to solve the lab.
Lab — 5: Information disclosure in version control history
Objective
This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user then log in and delete Carlos's account.
Detection
After directory listing we find that there is a /.git directory.
I am using a tool called githack.
As we can see, there is an env which has the actual password.
Use wget -r http://url/.git to recursively download all the files from this directory.
We can see the admin password was removed from the code and moved to ENV.
Log in as administrator with the above password.
Go to the admin panel and delete the user carlos.
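Lab 5 works because moving a password from the code to an environment variable still leaves the old literal in the commit history. The following is an added example (not part of the original write-up or the lab) of a check a repository owner could run over git log -p output to flag such removed literals; the sample log, the key-name pattern and the function name are assumptions made for illustration.

```python
import re

# Constructed sample of `git log -p` output (not taken from the lab).
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.test>

    Remove admin password from config

diff --git a/admin.conf b/admin.conf
--- a/admin.conf
+++ b/admin.conf
@@ -1 +1 @@
-ADMIN_PASSWORD=constructed-example-value
+ADMIN_PASSWORD=env('ADMIN_PASSWORD')
"""

# Assumed naming convention for secret-bearing keys.
KEY = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*)\s*[:=]\s*(\S+)"
)
# Values that only point at the environment are not literal secrets.
INDIRECT = re.compile(r"(?i)^(env\(|os\.environ|getenv\(|\$\{?[A-Z_]+\}?$)")


def removed_secrets(log_text):
    """Return (commit, file, key) for each literal secret deleted by a commit.

    The value itself is deliberately left out of the report.
    """
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("--- a/"):
            path = line[6:]
        elif line.startswith("-") and not line.startswith("---"):
            m = KEY.search(line[1:])
            if m and not INDIRECT.match(m.group(2)):
                findings.append(((commit or "?")[:7], path, m.group(1)))
    return findings


if __name__ == "__main__":
    for commit, path, key in removed_secrets(SAMPLE_LOG):
        print(f"{commit} {path}: literal {key} still present in history")
```

Any finding means the credential has to be rotated, since deleting the line in a later commit does not remove it from the history that a reachable /.git directory serves.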