| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Information Disclosure — Backup File in Hidden Directory |
| Difficulty | Apprentice |
| Objective | Identify and submit the database password hard-coded in the leaked source code |
## Source Code Disclosure via Backup Files
Checking `/robots.txt`:

```
Disallow: /backup
```
robots.txt is meant to tell search engine crawlers what not to index — it's not an access control mechanism, and listing a path under Disallow is essentially advertising its existence to any attacker who checks the file.
Navigating to /backup:
Directory listing enabled, showing ProductTemplate.java.bak. A backup file left in a web-accessible directory is direct source code disclosure — if credentials are hard-coded in that source, they're now fully exposed. Opening it:
Database password in plain text. Submitting it:
And lab solved o.o
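The three findings above (a `Disallow` hint pointing at real content, a `.bak` copy of a source file inside the webroot, and a credential literal in that source) are all things a pre-deploy check can catch before the directory is ever served. The following audit script is an added example written for this writeup, not part of the lab or of PortSwigger's material. It builds a constructed sample tree mirroring the lab layout (file contents, including the `example-not-real` password, are made up), then reports backup artifacts, `robots.txt` entries that map to content on disk, and quoted credential assignments in source. The credential regex is a heuristic: it deliberately matches only quoted string literals, so the hardened `System.getenv(...)` form in the sample is not flagged.

```python
import re
import tempfile
from pathlib import Path

# Editor/deploy leftovers that should never sit in a served directory.
BACKUP_NAME_RE = re.compile(r"(\.(bak|old|orig|save|swp|copy)\d*|~)$", re.IGNORECASE)

# A credential-looking identifier assigned a quoted literal, e.g.
#   private static final String DB_PASSWORD = "...";
# Heuristic by design: anything pulled from the environment or a vault has
# no literal after the '=' and therefore does not match.
SECRET_ASSIGN_RE = re.compile(
    r"""(?i)\b(\w*(?:pass(?:word|wd|phrase)?|pwd|secret|api[_-]?key|token)\w*)\s*=\s*["']([^"']{4,})["']"""
)


def find_backup_artifacts(root):
    """Relative paths under root whose file name looks like a backup or editor artifact."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and BACKUP_NAME_RE.search(p.name)
    )


def scan_file_for_secrets(path):
    """(line_no, identifier, value) for each quoted credential literal in one file."""
    hits = []
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return hits
    for n, line in enumerate(text.splitlines(), 1):
        for m in SECRET_ASSIGN_RE.finditer(line):
            hits.append((n, m.group(1), m.group(2)))
    return hits


def robots_disallow_paths(root):
    """Disallow entries from robots.txt; these are crawler hints, not access control."""
    robots = Path(root) / "robots.txt"
    if not robots.is_file():
        return []
    paths = []
    for line in robots.read_text(encoding="utf-8", errors="replace").splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def disallowed_paths_on_disk(root):
    """Disallow entries that correspond to real content in the webroot: advertised AND served."""
    root = Path(root)
    return [p for p in robots_disallow_paths(root) if (root / p.lstrip("/")).exists()]


def audit_webroot(root):
    """Run all three checks over a directory that is about to be served."""
    root = Path(root)
    secrets = {}
    for p in root.rglob("*"):
        if p.is_file():
            found = scan_file_for_secrets(p)
            if found:
                secrets[p.relative_to(root).as_posix()] = found
    return {
        "backup_artifacts": find_backup_artifacts(root),
        "robots_hints_on_disk": disallowed_paths_on_disk(root),
        "hardcoded_secrets": secrets,
    }


def build_sample_webroot():
    """Constructed sample tree shaped like the lab; every value here is made up."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /backup\n")
    (root / "backup").mkdir()
    (root / "backup" / "ProductTemplate.java.bak").write_text(
        "public class ProductTemplate {\n"
        "    // constructed placeholder, not a real credential\n"
        '    private static final String DB_PASSWORD = "example-not-real";\n'
        "}\n"
    )
    (root / "ProductTemplate.java").write_text(
        "public class ProductTemplate {\n"
        "    // hardened form: the credential is read from the environment at runtime\n"
        '    private static final String DB_PASSWORD = System.getenv("DB_PASSWORD");\n'
        "}\n"
    )
    return root


if __name__ == "__main__":
    report = audit_webroot(build_sample_webroot())
    for path in report["backup_artifacts"]:
        print(f"[backup artifact]      {path}")
    for path in report["robots_hints_on_disk"]:
        print(f"[robots.txt hint live] {path}")
    for path, hits in report["hardcoded_secrets"].items():
        for line_no, name, _ in hits:
            print(f"[hard-coded credential] {path}:{line_no} {name}")
```

Running it against the sample tree flags `backup/ProductTemplate.java.bak` twice (as an artifact and as the file holding the literal), and `/backup` once as a robots.txt entry that is actually present on disk; the live `ProductTemplate.java` is clean. Wiring `audit_webroot` into CI with a non-zero exit on any finding is the cheap fix for this whole class of leak.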