# Python - Information Leakeage in Comments ## Running the app on Docker ``` $ sudo docker pull blabla1337/owasp-skf-lab:info-leakeage-comments ``` ``` $ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:info-leakeage-comments ``` {% hint style="success" %} Now that the app is running let's go hacking! {% endhint %} ## Reconnaissance It is very common, and even recommended, for programmers to include detailed comments and metadata on their source code. However, comments and metadata included into the HTML code might reveal internal information that should not be available to potential attackers. Comments and metadata review should be done in order to determine if any information is being leaked. When we start the application we can see that there is a login form. ![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Info-Leakage-Comments/1.png) ## Exploitation What we are going to do is explore and check the source code of the website in order to find some useful information that the programmer may have forgotten in the source code. ![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Info-Leakage-Comments/2.png) We found something promising! Now, we try these words as the credentials in the login form: ![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Info-Leakage-Comments/3.png) And goal achieved! ![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Info-Leakage-Comments/4.png) ## Additional sources [https://www.owasp.org/index.php/Review\_webpage\_comments\_and\_metadata\_for\_information\_leakage\_(OTG-INFO-005](https://www.owasp.org/index.php/Review_webpage_comments_and_metadata_for_information_leakage_\(OTG-INFO-005\)) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://skf.gitbook.io/asvs-write-ups/information-leakeage-in-comments/information-leakeage-comments.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.