Sensitive Information Leakage via Log File

NoorHomaid
Aug 13, 2023

Hey there! It’s been a while since I published on Medium…
In this article, I will introduce you to my steps in finding a “Sensitive Information leak via Log File” in one of the programs I worked on recently.

I am not allowed to disclose the program name, so for now, let’s name it example.com.

Recon

It took me 1–2 days to explore the web app and understand its functionalities: intercepting a few requests, messing with some parameters, and using Google Dorks to find any interesting endpoints.

Methodology

Step 1: I used a Google Dork query that I posted in my previous article to test if the web app allows directory listing. And yes, it did!

I explored the directories and files under the “\admin” directory and viewed their content, yet nothing was interesting.

“directories /admin”

Step 2: I used dirb to look for existing (and/or hidden) directories on the target. I found an interesting directory (https[:]//example.com/error_log), but I got a 403!

Step 3: Bypassing the 403 using the tool 403bypasser.

403bypasser command line tool

Note: It was the first time I used this tool and it gave me quite good and quick results.
It worked and successfully bypassed the restriction! Now I can browse the /error_log directory.

Then, I started with the manual work. I viewed the content of the directory and searched all the files for keywords (e.g. password, username, token, etc.), and read the content carefully. It took me almost 1 hour in this phase. And BOOM! I found a log file of the IIS server of the web app that has the usernames and passwords of users registered on the website.
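A defender-side check for the condition found above, as an added example that is not part of the original article: it audits an IIS W3C-format log for credential-like query parameters and produces a redacted copy. The sample log, the parameter list, and the assumption that the secrets reached the log through the query string are constructed for illustration; the article does not say how they got there.

```python
import re

# Parameter names treated as sensitive (assumed list; extend for your application).
SENSITIVE_KEYS = ("apikey", "passwd", "password", "pwd", "secret", "token")
PATTERN = re.compile(r"(^|&)(" + "|".join(SENSITIVE_KEYS) + r")=[^&\s]*",
                     re.IGNORECASE)

# Constructed sample in IIS W3C extended log format (not taken from the article).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status
2023-08-01 10:00:01 GET /index.aspx - - 200
2023-08-01 10:00:05 GET /login.aspx username=alice&password=S3cret! - 302
2023-08-01 10:00:09 GET /api/data id=7&token=abc123 alice 200
"""


def audit_iis_log(text):
    """Return (findings, redacted_text) for a W3C-format IIS log.

    findings is a list of (line_number, uri_stem, parameter_name).
    """
    fields, findings, redacted = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the column layout can change mid-file
        cols = line.split(" ")
        # Pass through directives and rows that do not match the declared layout.
        if (line.startswith("#") or "cs-uri-query" not in fields
                or len(cols) != len(fields)):
            redacted.append(line)
            continue
        qi = fields.index("cs-uri-query")
        stem = cols[fields.index("cs-uri-stem")] if "cs-uri-stem" in fields else "?"
        for m in PATTERN.finditer(cols[qi]):
            findings.append((lineno, stem, m.group(2).lower()))
        # Keep the parameter name so the log stays useful; drop only the value.
        cols[qi] = PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}=REDACTED", cols[qi])
        redacted.append(" ".join(cols))
    return findings, "\n".join(redacted) + "\n"


if __name__ == "__main__":
    hits, clean = audit_iis_log(SAMPLE_LOG)
    for lineno, stem, key in hits:
        print(f"line {lineno}: '{key}' value logged for {stem}")
    print(clean, end="")
```

Any finding means the value should be treated as exposed and rotated; redacting the file afterwards does not undo the disclosure, and the log directory should not be reachable from the web root in the first place.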

I’m proud of the work I have done and happy with the result.

Thank you, and hope my article was helpful to you!

NoorHomaid

BS in cybersecurity. PenTester. Web security researcher