Source Code Disclosure
Hello Techies,
This is my 23rd blog on web application security penetration testing. In this blog I will explain the Source Code Disclosure vulnerability in web applications.
In my last blog, I explained Session Hijacking. I hope everyone liked it. If you haven't read it yet, please follow along.
Although source code disclosure is quite rare in web applications nowadays, it still exists on many public-facing hosts, either because of developer oversight or because folder/file downloads are not restricted.
I came across one application, let's call it redacted.com, where I was able to download some files and folders just by navigating to the file path in the web browser. Below is the step-by-step POC:
Step 1: Navigate to the URL below, which is used to download the xtc5.zip file. Downloading xtc5.zip does not require any authentication.
https://www.redacted.com/templates/xtc5.zip
Step 2: Extract the xtc5.zip file; the following folders are listed, as shown in the screenshot below.
Step 3: Navigate to the source folder, which has all the PHP files, whereas the JavaScript folder has all the JS files.
Step 4: Navigate to the modules folder, which has all the HTML files.
Guys! Although it looks very simple to find, trust me, you need to be good at finding internal file paths and directories. There are plenty of open source tools on GitHub that you can use to find them:
- DIRB.
- Dirbuster.
- Wfuzz.
- Metasploit.
- Dirsearch.
This is a Critical bug which I found with little effort, and I received high appreciation from the vendor.
Impact:
Depending on the source code, database connection strings, usernames and passwords, as well as the internal workings and business logic of the application, might be revealed. With such information, an attacker can mount the following types of attacks:
- Access the database or other data resources. Depending on the privileges of the account obtained from the source code, it may be possible to read, update or delete arbitrary data in the database.
- Gain access to password-protected administrative mechanisms such as dashboards, management consoles and admin panels, hence gaining full control of the application.
Recommendation:
Following are the recommendations to prevent source code disclosure:
- Confirm exactly which parts of the source code are actually disclosed; due to the limitations of this type of vulnerability, it might not be possible to confirm this in all instances. Confirm that the exposure is not intended functionality.
- If the file is required by the application, change its permissions so that public users cannot access it. If it is not required, remove it from the web server.
- Ensure that the server has all current security patches applied.
- Remove all temporary and backup files from the web server.
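As an added example (not from the original post), here is a small Python audit script that covers the last two recommendations from the defender's side: it walks a document root and lists archives, backup copies, dumps and VCS directories that a web server would hand to anyone, mirroring the templates/xtc5.zip case above. The sample document root it builds is constructed for this example, and the name patterns are an assumed starting list, not a complete one.

```python
import os
import re
import tempfile
from pathlib import Path

# Name patterns that usually mean a file was never meant to be served.
# Assumed starting list for this example; extend it for your own stack.
RISKY_PATTERNS = [
    r"\.(zip|tar|tgz|tar\.gz|rar|7z)$",   # archives, e.g. templates/xtc5.zip
    r"\.(bak|old|orig|save|swp|tmp)$",    # editor and backup copies
    r"~$",                                # vim/emacs backup suffix
    r"\.(sql|sqlite|env|ini|log)$",       # dumps, secrets, config, logs
]
RISKY_RE = re.compile("|".join(RISKY_PATTERNS), re.IGNORECASE)
RISKY_DIRS = {".git", ".svn", "backup", "backups"}


def find_exposed_artifacts(webroot):
    """Return sorted (relative path, reason) pairs for entries under webroot
    that should be moved outside the document root or deleted."""
    root = Path(webroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in list(dirnames):
            if d in RISKY_DIRS:
                findings.append((str(rel_dir / d), "risky directory"))
                dirnames.remove(d)  # the whole tree is one finding; don't descend
        for name in filenames:
            if RISKY_RE.search(name):
                findings.append((str(rel_dir / name), "backup/archive/dump name"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample document root shaped like the write-up (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    files = {
        "index.php": "<?php echo 'hello'; ?>",
        "templates/xtc5.zip": "PK placeholder archive",
        "source/login.php": "<?php // application code ?>",
        "source/config.php.bak": "<?php $db_pass = 'placeholder'; ?>",
        "modules/menu.html": "<html></html>",
        "dump.sql": "-- constructed dump",
        ".git/HEAD": "ref: refs/heads/main",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    for rel_path, reason in find_exposed_artifacts(build_sample_webroot()):
        print(f"{reason:26s} {rel_path}")
```

Run it against the real document root (for example `find_exposed_artifacts("/var/www/html")`) as part of a deployment check; anything it reports should live outside the web root or be deleted.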
References:
Source Code Disclosure in PHP Applications
I hope you are enjoying reading my blogs. Please like and follow me on Medium and LinkedIn for more reads.
Thanks!