
Secrets in Source

🔍 Can you uncover what's hiding in plain sight?

Difficulty: Very Easy · Published 05 Dec 2025 · Free Access · Solution Available

Web developers sometimes leave behind valuable secrets in places they think nobody will look. While most users only see the polished surface of a website, curious minds know that the real treasures often lie just beneath. This beginner-friendly challenge will teach you a fundamental skill every security professional needs: the art of looking beyond the obvious. 🕵️ Ready to discover what's been there all along?

1 Flag · 5 Points · 53% Success Rate
Learn

Broken Access Control

Broken Access Control is the #1 category in the OWASP Top 10 (2021). It occurs when users can reach resources without the server properly authenticating who they are or authorizing what they may do.

OWASP Top 10 #1: 94% of applications tested have some form of broken access control.
Common Types

  • IDOR: accessing files by changing identifiers in URLs, with no server-side check
  • Missing Auth: protected resources reachable without logging in
  • Security Through Obscurity: relying on hidden URLs instead of access controls
  • Privilege Escalation: regular users reaching admin functions

How It's Exploited
  1. Attacker discovers file path (in source code, comments, or guessing)
  2. Navigates directly to the URL
  3. Server returns resource without checking permissions
  4. Sensitive data exposed
Security Through Obscurity Fails: Random directory names like /x7k2m9p4/ provide zero security. Once paths are discovered, nothing prevents access.
Proper Security: Implement authentication (verify identity) and authorization (check permissions) on the server. Never rely on keeping URLs secret.
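As an added example (not part of the lab), the two approaches above side by side as a small WSGI application: `insecure_app` serves the file to anyone who knows the obscure path, while `secure_app` authenticates the session cookie and then checks the role before returning anything. The path `/x7k2m9p4/flag.txt` is taken from the Learn text; the function names, the session store, the cookie name and the file contents are assumptions constructed for illustration.

```python
"""Hypothetical WSGI demo: an obscure-URL route beside a properly authorized one.

Added example, not part of the lab. Paths, users and the session store are
constructed for illustration.
"""
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# Constructed: the "secret" directory and file the insecure app relies on.
SECRET_PATH = "/x7k2m9p4/flag.txt"
FILE_CONTENT = b"FLAG{constructed-example}"

# Constructed session store: session id -> (username, role).
SESSIONS = {
    "sess-alice": ("alice", "user"),
    "sess-admin": ("root", "admin"),
}


def insecure_app(environ, start_response):
    """Security through obscurity: anyone who knows the path gets the file."""
    if environ.get("PATH_INFO") == SECRET_PATH:
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [FILE_CONTENT]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def _session_from(environ):
    """Look up the session named by the request cookie; None if absent or unknown."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get("session")
    return SESSIONS.get(morsel.value) if morsel else None


def secure_app(environ, start_response):
    """Authentication (who are you?) then authorization (may you?) on every request."""
    if environ.get("PATH_INFO") != SECRET_PATH:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    session = _session_from(environ)
    if session is None:
        # No valid session: identity unknown, so refuse before touching the resource.
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login required"]
    _, role = session
    if role != "admin":
        # Known user, but not permitted to read this resource.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"insufficient privileges"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [FILE_CONTENT]


def call(app, path, cookie=None):
    """Invoke a WSGI app in-process and return (status, body) for inspection."""
    environ = {"PATH_INFO": path}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for app in (insecure_app, secure_app):
        print(app.__name__)
        print("  anonymous:", call(app, SECRET_PATH))
        print("  alice    :", call(app, SECRET_PATH, "session=sess-alice"))
        print("  admin    :", call(app, SECRET_PATH, "session=sess-admin"))
```

The point of the contrast is where the decision is made: the insecure route decides purely on the path, so discovering the path is the whole attack, whereas the secure route makes the path irrelevant to the decision and answers 401 or 403 until identity and permission are both established.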
Step 1
Learn

Information Disclosure

Information Disclosure occurs when web applications unintentionally expose sensitive data in places users shouldn't be able to access it.

What Gets Exposed?

  • HTML Comments: TODO notes, file paths, credentials left in comments
  • JavaScript Code: API endpoints, authentication logic, internal URLs
  • Error Messages: database details, file paths, system configuration
  • Debug Code: testing credentials or development information

OWASP Classification: Information Disclosure is a critical OWASP vulnerability that often enables further attacks.
Attack Chain

Information Disclosure typically leads to:

  1. Reconnaissance: Attacker gathers system details
  2. Exploitation: Uses exposed info to craft targeted attacks
  3. Compromise: Gains unauthorized access via discovered paths or credentials
Prevention: Remove comments from production code, never hardcode credentials in client-side files, use generic error messages, and conduct regular code reviews.
Step 2
Learn

Viewing HTML Source Code

Web pages are built with HTML code. While browsers show you the rendered visual page, the underlying source code often contains additional information not visible to users.

Why It Matters in Security

When you visit a website, your browser downloads all the HTML, CSS, and JavaScript files. Developers often accidentally leave sensitive information in this code:

  • HTML comments with file paths, credentials, or TODO notes
  • API endpoints and internal URLs in JavaScript
  • Hidden form fields with tokens or IDs
  • Configuration details and version numbers
Key Point: Viewing source code is the first step in web security testing. It requires no special tools and can reveal critical vulnerabilities instantly.
How to View Source

  • Keyboard shortcut: Ctrl+U (Windows/Linux), Cmd+Option+U (macOS)
  • Right-click → "View Page Source"
  • URL prefix: add view-source: before the URL

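As an added example (not part of the lab) covering both the prevention advice in the Information Disclosure section and the source-inspection technique described here: a pre-release check that parses a page the way a reviewer reading view-source would, pulling out HTML comments, hidden form fields, endpoints referenced from inline scripts, and credential-like strings, so the leftovers can be removed before the page ships. The sample page, the regex patterns and the function names `SourceInspector` and `inspect_source` are constructed for illustration.

```python
"""Hypothetical pre-release check: scan an HTML page for the leftovers the lab
describes (comments, hidden fields, endpoints and credentials in inline scripts).

Added example, not part of the lab. The sample page and patterns are constructed.
"""
import re
from html.parser import HTMLParser

# Constructed sample page standing in for a downloaded view-source response.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Portal</title>
<!-- TODO: remove before launch, backup at /x7k2m9p4/backup.zip -->
<script>
  const API = "/api/v2/internal/users";
  var adminPass = "hunter2";
</script>
</head><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="c0ffee">
  <input type="hidden" name="role" value="user">
</form>
<!-- staging creds: deploy / Summer2025! -->
</body></html>
"""

# Constructed patterns for strings that should never ship in client-side code.
CRED_RE = re.compile(r"(pass(word)?|pwd|secret|token|api[_-]?key|creds?)\b[^\n]*", re.I)
PATH_RE = re.compile(r"/[A-Za-z0-9_./-]+")


class SourceInspector(HTMLParser):
    """Collect comments, hidden inputs and inline script text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.hidden_fields = []
        self.scripts = []
        self._in_script = False

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_fields.append((a.get("name"), a.get("value")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data)


def inspect_source(html):
    """Return findings grouped by the categories in the 'What Gets Exposed?' list."""
    p = SourceInspector()
    p.feed(html)
    p.close()
    script_text = "\n".join(p.scripts)
    findings = {
        "comments": p.comments,
        "hidden_fields": p.hidden_fields,
        "endpoints": sorted(set(PATH_RE.findall(script_text))),
        "credential_like": [m.group(0).strip() for m in CRED_RE.finditer(html)],
    }
    # Paths mentioned in comments are exactly the obscure-URL leads the Learn text warns about.
    findings["paths_in_comments"] = sorted(
        {m for c in p.comments for m in PATH_RE.findall(c)}
    )
    return findings


if __name__ == "__main__":
    for category, items in inspect_source(SAMPLE_HTML).items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

Run against your own build output, every non-empty category is a review item: comments and credential-like strings should simply be deleted, and each hidden field or endpoint should be checked to confirm the server enforces access control on it rather than trusting the client-side value.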
Step 3

Open the target and find the flag: flag.txt (+5 pts)