Source code disclosure via backup files
In this post we will walk step by step through how to solve Source code disclosure via backup files on PortSwigger Academy. This lab’s difficulty is Apprentice and it is the third lab on Information disclosure on PortSwigger.
Link to lab: https://portswigger.net/web-security/information-disclosure/exploiting/lab-infoleak-via-backup-files
To solve the lab we need to identify and submit the database password, which is hard-coded in the leaked source code.
To start the lab click the ‘Access the Lab’ button.
As we begin the lab we encounter a shop page showcasing several products. It’s worth noting that the products may differ from the screenshot as PortSwigger Labs can vary the content with each lab session.
Our first step will be identifying whether a robots.txt file exists, as this can lead to discovering new endpoints. robots.txt is a plain text file that provides instructions to web robots, like search engine crawlers, about which parts of a website they are allowed or disallowed to access. Those instructions are advisory only: a Disallow entry hides nothing from a human reader, so any path listed there is effectively published.
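To show what a robots.txt file actually exposes, here is a small added example (not part of the original post or the lab) that parses a constructed robots.txt and flags Disallow entries whose paths suggest the file is being used as access control rather than crawler guidance. The sample file contents and the SENSITIVE_HINTS list are assumptions for illustration, not values taken from the lab.

```python
from typing import Dict, List

# Constructed sample robots.txt for this example; not the lab's real file.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /backup
Disallow: /admin-panel
Allow: /
Sitemap: https://example.invalid/sitemap.xml
"""

# Path fragments that suggest a Disallow entry is hiding something sensitive
# rather than merely steering crawlers (assumed list, not from the lab).
SENSITIVE_HINTS = ("backup", "bak", "old", "admin", "private", "config", "dump")


def parse_robots(text: str) -> Dict[str, List[str]]:
    """Return {'disallow': [...], 'allow': [...], 'sitemap': [...]} parsed from robots.txt text."""
    result: Dict[str, List[str]] = {"disallow": [], "allow": [], "sitemap": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        key = field.lower()
        if key in result and value:
            result[key].append(value)
    return result


def flag_sensitive_disallows(text: str) -> List[str]:
    """Disallow paths that look like they point at backups, admin areas or configuration.

    Used defensively: anything returned here is public knowledge to anyone who
    fetches robots.txt, so it must be protected by real access control or removed.
    """
    flagged = []
    for path in parse_robots(text)["disallow"]:
        lowered = path.lower()
        if any(hint in lowered for hint in SENSITIVE_HINTS):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in flag_sensitive_disallows(SAMPLE_ROBOTS):
        print(f"robots.txt advertises a sensitive-looking path: {path}")
```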
Let’s head back to the home page and click the Submit Solution button and provide the database password to complete the lab.
That completes the lab! Well done! If you found this helpful, please send me a tweet and tell me what you thought! Feedback is always appreciated!
Jarrod