Information Disclosure @WebSecAcademy Lab Notes
August 14, 2020Theory is available at: https://portswigger.net/web-security/information-disclosure This learning section at the moment of writing the notes has in total 7 labs which involve the following topics:
- Developer comments
- Error messages
- Debugging data
- User account pages
- Backup files
- Insecure configuration
- Version control history
Information Disclosure Due To Insecure Configuration
In short I learned a bit more about HTTP methods and BurpSuite functionality.
About TRACE HTTP method
If enabled, the web server will respond to requests that use theTRACE
method by echoing in the response the exact request that was received. This behavior is often harmless, but occasionally leads to information disclosure, such as the name of internal authentication headers that may be appended to requests by reverse proxies.
And in the following lab you are given a website, which has an admin panel, and you are required to bypass the authentication via information disclosure.
I tried to normally access the admin panel by appending the /admin
to the end of the url in the browser first, and the server has served me a page with the following response:
The admin panel is only accessible if logged in as an administrator, or if requested from a local IP.
So I realized that I need to somehow use the localhost <127.0.0.1>
in the request to the server.
And this is how the TRACE
method comes into play.
I used Burp Repeater to send the request to the server like TRACE /admin
.
And the response revealed the custom HTTP header the X-Custom-IP-Authorization
containing my IP address, which I could now use with the 127.0.0.1
value instead, in order to satisfy the requirement quoted above, which was "unintentionally leaked" by the devs.
What I learned about Burpsuite:
- Go to "Proxy" > "Options", scroll down to the "Match and Replace" section, and click "Add".
- Leave the match condition blank, but in the "Replace" field, enter X-Custom-IP-Authorization: 127.0.0.1.
- Burp Proxy will now add this header to every request you send.
Information Disclosure In Version Control History
The lab was easy as it required minimal knowledge of git commands, such as git status
, git reset HEAD~1
, git log
.
What I learned from the security perspective is that sometimes devs might forget to add the .git
directory (which basically contains the project's version control data) to the .gitignore
and might enable the adversary to potenitially abuse it.
Also, learned a new bash command wget -r https://.../.git
, which allowed me to download .git directory directory from the terminal.