# NodeJS - Information Leakage in Metadata

## Running the app on Docker

```
$ sudo docker pull blabla1337/owasp-skf-lab:js-info-leakage-metadata
```

```
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:js-info-leakage-metadata
```

{% hint style="success" %}
Now that the app is running, let's go hacking!
{% endhint %}

## Reconnaissance

It is very common, and even recommended, for programmers to include detailed comments and metadata in their source code. However, comments and metadata that end up in the HTML served to the browser may reveal internal information that should never reach a potential attacker. Reviewing the comments and metadata of every delivered page is therefore necessary to determine whether any such information is being leaked.
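As an added example (not the lab's own code), the review described above can be scripted: the functions below pull `<meta>` tags and HTML comments out of a page and flag those whose name or content matches keywords that commonly indicate internal information. The sample HTML and the keyword list are constructed for illustration and are not taken from the lab.

```javascript
// Added example: a small reviewer for leaked metadata, not part of the SKF lab.
// Keyword list is illustrative; tune it to the application under review.
const SENSITIVE = /\b(user(name)?|pass(word|wd)?|secret|token|api[-_ ]?key|todo|fixme|debug|internal|admin|staging)\b/i;

// Return every <meta> tag as an object of lower-cased attribute names.
function extractMetaTags(html) {
  const tags = [];
  const metaRe = /<meta\b([^>]*)>/gi;
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = metaRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    tags.push(attrs);
  }
  return tags;
}

// Return the trimmed body of every HTML comment.
function extractComments(html) {
  return [...html.matchAll(/<!--([\s\S]*?)-->/g)].map((c) => c[1].trim());
}

// Flag meta tags and comments that look like they carry internal information.
function reviewMetadata(html) {
  const findings = [];
  for (const t of extractMetaTags(html)) {
    const name = t.name ?? t.property ?? t["http-equiv"] ?? "(unnamed)";
    if (SENSITIVE.test(`${name} ${t.content ?? ""}`)) {
      findings.push({ kind: "meta", name, content: t.content ?? "" });
    }
  }
  for (const c of extractComments(html)) {
    if (SENSITIVE.test(c)) findings.push({ kind: "comment", content: c });
  }
  return findings;
}

// Constructed sample page (placeholder values), not the lab's actual HTML.
const SAMPLE_HTML = `<html><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<meta name="author" content="dev team">
<meta name="username" content="placeholder-user">
<meta name="password" content="placeholder-pass">
<!-- TODO: remove test credentials before release -->
<!-- Copyright 2020 -->
</head><body><form></form></body></html>`;

console.log(reviewMetadata(SAMPLE_HTML));
```

Run against a saved copy of each page; the `username` and `password` meta tags and the `TODO` comment are reported, while `charset`, `viewport`, `author` and the copyright comment are not.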

When we start the application we can see that there is a login form.

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Info-Leakage-Metadata/1.png)

## Exploitation

We are going to explore the source code of the website, looking for useful information the programmer may have forgotten or hidden in the HTML source and in the metadata tags and their fields.

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Info-Leakage-Metadata/2.png)

We found something promising inside two of the metadata tags! Now, we try these words as the credentials in the login form:

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Info-Leakage-Metadata/3.png)

And goal achieved!

![](https://raw.githubusercontent.com/blabla1337/skf-labs/master/.gitbook/assets/python/Info-Leakage-Metadata/4.png)

## Additional sources

{% embed url="https://www.owasp.org/index.php/Review_webpage_comments_and_metadata_for_information_leakage_(OTG-INFO-005)" %}
