🧪 Lab Write-up: Source Code Disclosure via Backup Files

🎯 Goal

Identify and submit the database password, which is hard-coded in leaked source code.

🔍 Approach

1. Check for hidden backup directory

   • Go to:

     /backup
     

     Example:

     <https://0a90003303d4d2a7802d674f00fb0028.web-security-academy.net/backup>
     

2. Locate backup file

   • File discovered:

     productTemplate.java.bak
     

3. Review the source code

   • Open the .bak file.
   • Inside, the database password is hard-coded.

   

✅ Solution

• Copy the database password from the code.

• 🎉 Congratulations, lab solved!