An information disclosure vulnerability is a security weakness that allows a user to access sensitive data that should be kept private. This can include personal information, passwords, internal system details, source code, or configuration files. Although some of this information may be of limited use, it can potentially serve as a starting point for uncovering an additional attack surface that may contain other interesting vulnerabilities.

1. Information disclosure in error messages

Lab Objective:

This lab's verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.

Solution:

The initial step is to understand how the vulnerable application works and gather information about the target system. The application showcases an image catalog with a title, price, star rating, and a "View details" button for each product. The "View details" button redirects to the product page, which takes a productId parameter with an integer as its value.

Third party framework

If you attempt to fetch a product with a non-existent integer value, the application displays a 404 error. However, with a non-numeric value (such as null) as the parameter, the application's safeguard fails and it displays sensitive information, such as the version of the third-party framework used in this application (Apache Struts 2 2.3.31).

Lab Information disclosure in error messages solved
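
As an added example (not part of the original lab or write-up), the sketch below contrasts a handler that renders exceptions into the response with one that validates productId first and keeps the detail in the server log. The catalog, the `ExampleFramework 0.0.0` banner and all function names are constructed for illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("shop")
FRAMEWORK_BANNER = "ExampleFramework 0.0.0"  # constructed stand-in for a version string
CATALOG = {1: "Constructed product A", 2: "Constructed product B"}


def load_product(raw_id):
    """Hypothetical lookup that raises on non-numeric input."""
    try:
        return CATALOG.get(int(raw_id))
    except ValueError as exc:
        # Frameworks commonly append their name and version to stack traces.
        raise RuntimeError(f"{exc} ({FRAMEWORK_BANNER})") from exc


def verbose_handler(raw_id):
    """'Before': any unhandled exception is rendered straight into the response."""
    try:
        product = load_product(raw_id)
    except Exception:
        return 500, traceback.format_exc()
    return (200, product) if product else (404, "Not Found")


def hardened_handler(raw_id):
    """'After': validate first, and keep exception detail in the server log only."""
    if not (isinstance(raw_id, str) and raw_id.isascii() and raw_id.isdigit()):
        return 400, "Invalid product ID"
    try:
        product = load_product(raw_id)
    except Exception:
        incident = uuid.uuid4().hex[:12]
        log.exception("productId lookup failed, incident=%s", incident)
        return 500, f"Internal error (reference {incident})"
    return (200, product) if product else (404, "Not Found")
```

The reference ID lets support staff find the full trace in the log without the response revealing the stack or the framework version.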

2. Information disclosure on debug page

Lab Objective:

This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable.

Solution:

The source code of the home page discloses the URL of the debug page (in this case, a phpinfo page). You can find more information about the phpinfo page here.

php info debug page link

Extract the SECRET_KEY from the phpinfo page (which is located at /cgi-bin/phpinfo.php) and submit it to solve the lab.

php info secret key
Information disclosure on debug page solved

3. Source code disclosure via backup files

Lab Objective:

This lab leaks its source code via backup files in a hidden directory. To solve the lab, identify and submit the database password, which is hard-coded in the leaked source code.

Solution:

The application contains a robots.txt file that discloses the files and directories this application may contain. You can learn more about the robots.txt file here.

Robots.txt page

The robots.txt file explicitly disallows indexing of the /backup directory. After visiting the backup page, I found a link to ProductTemplate.java.bak, a file name that typically represents a backup copy of a Java source code file.

Backup page

Here, you can find the password of the PostgreSQL database hardcoded in the source code file. To solve the lab, submit the password.

PostgreSQL database password
Source code disclosure via backup files Lab solved
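
A pre-deployment check for the artefacts found in labs 2 and 3, as an added example that is not from the original write-up: it walks a document root for backup copies, debug pages and version-control directories, and lists robots.txt entries that point at real paths. The name patterns and the sample tree are assumptions built from the paths mentioned above.

```python
import os
import re
import tempfile

VCS_DIR = re.compile(r"^\.(git|svn|hg)$")
# Illustrative name patterns for artefacts that should never ship in a document root.
RISKY = [
    (re.compile(r"\.(bak|old|orig|swp|save)$|~$", re.I), "backup copy of a source/config file"),
    (re.compile(r"^(phpinfo|info|debug)\.php$", re.I), "diagnostic/debug page"),
    (VCS_DIR, "version-control metadata"),
]


def audit_webroot(root):
    """Return sorted (url_path, reason) findings for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            for pattern, reason in RISKY:
                if pattern.search(name):
                    rel = os.path.relpath(os.path.join(dirpath, name), root)
                    findings.append(("/" + rel.replace(os.sep, "/"), reason))
        # Report a VCS directory once; do not descend into its objects.
        dirnames[:] = [d for d in dirnames if not VCS_DIR.search(d)]
    return sorted(findings)


def robots_advertised(root):
    """Disallow entries in robots.txt that exist on disk: hidden by convention only."""
    path = os.path.join(root, "robots.txt")
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        entries = re.findall(r"(?im)^\s*disallow:\s*(/\S+)", fh.read())
    return [e for e in entries if os.path.exists(os.path.join(root, e.strip("/")))]


def build_sample_webroot():
    """Constructed tree mirroring the paths named in the write-up."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("index.html", "backup/ProductTemplate.java.bak",
                "cgi-bin/phpinfo.php", ".git/HEAD"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    with open(os.path.join(root, "robots.txt"), "w") as fh:
        fh.write("User-agent: *\nDisallow: /backup\n")
    return root
```

Run as a build or release gate, a non-empty result from either function should fail the deployment; a Disallow line is a hint to crawlers, not an access control.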

4. Authentication bypass via information disclosure

Lab Objective:

This lab's administration interface has an authentication bypass vulnerability, but it is impractical to exploit without knowledge of a custom HTTP header used by the front-end.

To solve the lab, obtain the header name, then use it to bypass the lab's authentication. Access the admin interface and delete the user carlos.

Solution:

The login page of the application supports the HTTP GET, POST, and TRACE methods. The GET and POST methods are used to request data from the server and send credentials back to the server, but the TRACE method performs a message loop-back test along the path to the target resource. You can find more about the HTTP TRACE method here.

trace login page

The TRACE response contains an interesting header, X-Custom-IP-Authorization. This is a non-standard HTTP header that some web applications or APIs use for IP-based authorization. It typically allows access to specific resources based on the IP address provided in the header.

The lab description states that this application contains an admin interface. However, if you try to access the /admin page, you will receive a 401 status code.


We can use the header X-Custom-IP-Authorization to bypass authentication and access the admin page by setting its value to 127.0.0.1. We should be able to successfully access the admin page. Now, to solve the lab, delete the user carlos.
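
The trust decision behind this bypass, as an added example (not the lab's actual code): a back end that believes the header from any client, next to a front end that overwrites it and a back end that honours it only from a known proxy. The proxy address 10.0.0.5, the client address 203.0.113.9 used in testing and all function names are assumptions.

```python
import ipaddress

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # constructed front-end address
AUTH_HEADER = "X-Custom-IP-Authorization"


def vulnerable_is_admin(peer_ip, headers):
    """'Before': believes whatever IP the request claims in the header."""
    return headers.get(AUTH_HEADER) == "127.0.0.1"


def frontend_forward(client_ip, client_headers):
    """Front end: drop any client-supplied copy, then set the header itself."""
    headers = {k: v for k, v in client_headers.items()
               if k.lower() != AUTH_HEADER.lower()}
    headers[AUTH_HEADER] = client_ip
    return headers


def hardened_is_admin(peer_ip, headers):
    """'After': honour the header only on connections from a known proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # Direct connection: the header is client-controlled, so use the socket peer.
        return peer.is_loopback
    try:
        return ipaddress.ip_address(headers.get(AUTH_HEADER, "")).is_loopback
    except ValueError:
        return False


def allowed_method(method):
    """TRACE echoes the forwarded request, internal headers included; refuse it."""
    return method.upper() in {"GET", "POST", "HEAD"}
```

Even with both fixes, a source IP is a weak basis for admin access; the admin interface should still require an authenticated session.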


5. Information disclosure in version control history

Lab Objective:

This lab discloses sensitive information via its version control history. To solve the lab, obtain the password for the administrator user, then log in and delete the user carlos.

Solution:

The solution for this lab is straightforward. As mentioned in the lab description, the lab discloses sensitive information via its version control history.

This application uses Git as its version control system, which can be confirmed by visiting the .git directory of the application. We can download the entire contents of the /.git directory recursively, then rename the folder with the downloaded contents to .git.

wget -r -np -nH --cut-dirs=1 https://YOUR-LAB-ID.web-security-academy.net/.git

Now, move outside of the .git folder and issue the git log --oneline command to view all commits.

git commits

Now use the command git diff <commit> to find the admin password (make sure to use the commit ID with the label "Add skeleton admin panel").

admin password

Log in as admin and delete the user carlos to solve the lab.
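
An added example (not from the original write-up) of auditing your own repository for this problem: it scans `git log -p` output for literal credentials in added or removed lines. The sample log, hashes, file name, key name and value are constructed.

```python
import re

SECRET = re.compile(
    r"(?i)\b(\w*(?:password|passwd|secret|api_?key|token)\w*)\s*[=:]\s*(\S+)")
REFERENCE = re.compile(r"env\(|\$\{|os\.environ|getenv\(")  # lookups, not literals

# Constructed `git log -p` output; hashes, file, key and value are placeholders.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111

    Remove hard-coded password

diff --git a/admin.conf b/admin.conf
--- a/admin.conf
+++ b/admin.conf
@@ -1 +1 @@
-ADMIN_PASSWORD=constructed-example-value
+ADMIN_PASSWORD=env('ADMIN_PASSWORD')

commit 2222222222222222222222222222222222222222

    Add skeleton admin panel

diff --git a/admin.conf b/admin.conf
new file mode 100644
--- /dev/null
+++ b/admin.conf
@@ -0,0 +1 @@
+ADMIN_PASSWORD=constructed-example-value
"""


def scan_history(log_text):
    """Return (commit, file, change, key) for each literal secret in the patch text."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:7]
        elif line.startswith(("+++ ", "--- ")):
            if not line.endswith("/dev/null"):
                path = line[4:].split("/", 1)[-1]
        elif line[:1] in ("+", "-"):
            m = SECRET.search(line[1:])
            if m and not REFERENCE.match(m.group(2)):
                change = "added" if line[0] == "+" else "removed"
                findings.append((commit, path, change, m.group(1)))
    return findings
```

A "removed" finding means the value was deleted from the current tree but is still recoverable from history, so the credential has to be rotated; the .git directory itself should not be served from the web root.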
