Hey there! It’s been a while since I published on Medium…
In this article, I will introduce you to my steps in finding a “Sensitive Information leak via Log File” in one of the programs I worked on recently.
I am not allowed to disclose the program name, so for now, let’s name it example.com.
I took me 1–2 days to explore the web app and understand its functionalities. Intercepting a few requests, messing with some parameters, and using Google Dorks to find any interesting endpoints.
Step 1: I used a Google Dork query that I posted in my previous article to test if the web app allows directory listing. And yes it was!
I explored the directories and files under the “\admin” directory and viewed their content, yet nothing was interesting.
Step 2: I used dirb to look for existing (and/or hidden) directories on the target. I found an interesting directory (https[:]//example.com/error_log), but I had 403!
Step 3: Bypassing the 403 using the tool 403bypasser.
Note: It was the first time I use this tool and it gave me quite good and quick results.
It worked and successfully bypassed the restriction! Now i can browse the /error_log directory .
Then, I started with the manual work. I viewed the content of the directory and searched all the files for keywords (e.g. password, username, token etc..), and read the content carefully. It took me almost 1 hour in this phase. And BOOM! I found a log file of the IIS server of the web app that has the usernames and passwords of users registered on the website.
I’m proud of the work I have done and happy with the result.
Thank you, and hope my article was helpful to you!