Lab Icon

Secrets in Source

🔍 Can you uncover what's hiding in plain sight?

Very Easy 05 Dec 2025 Free Access Solution Available

Web developers sometimes leave behind valuable secrets in places they think nobody will look. While most users only see the polished surface of a website, curious minds know that the real treasures often lie just beneath. This beginner-friendly challenge will teach you a fundamental skill every security professional needs: the art of looking beyond the obvious. 🕵️ Ready to discover what's been there all along?

1
Flags
5
Points
53%
Success Rate
Start Your Challenge

Launch your dedicated machine to begin hacking

~1-2 min setup
Dedicated server
Private instance
Industry standard
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Very Easy

Secrets in Source - Complete Solution

Challenge Overview: This beginner-friendly challenge teaches fundamental web security concepts including broken access control and information disclosure. You'll learn how examining HTML source code can reveal sensitive information and how to exploit files that lack proper authentication controls.
Understanding the Vulnerability

This challenge demonstrates two critical OWASP Top 10 vulnerabilities working together:

Broken Access Control

Files are accessible without authentication simply by knowing their URL path - the #1 vulnerability in OWASP Top 10 (2021)

Information Disclosure

Sensitive file paths are exposed in HTML source code comments that developers accidentally left behind

Knowledge Check: What OWASP Top 10 vulnerability occurs when users can access files or resources directly without proper authentication by simply knowing or guessing the URL?
Answer: Broken Access Control
Phase 1: Accessing the Challenge

Navigate to the challenge URL in your web browser:

https://lab.hdna.me/4-secrets-in-source

You'll see a professional corporate website for "TechNova Solutions" with information about their services and team. The visible page appears completely normal with no obvious security issues.

Phase 2: Understanding Information Disclosure

The key insight is that web pages contain more than what's visible. When you visit a website, your browser downloads HTML, CSS, and JavaScript files. While these render into the visual page, the underlying source code often contains additional information.

Information Disclosure vulnerabilities occur when applications unintentionally expose sensitive data through:

  • HTML Comments: Developer notes, TODO items, file paths, credentials
  • JavaScript Code: API endpoints, authentication logic, internal URLs
  • Error Messages: Database details, system paths, configuration info
  • Debug Code: Testing credentials or development information left in production
Knowledge Check: What vulnerability classification describes when sensitive data like file paths, credentials, or internal URLs are exposed in client-side code?
Answer: Information Disclosure
Phase 3: Viewing the HTML Source Code

To examine the underlying HTML source code, you have several options:

Method 1: Keyboard Shortcut (Fastest)

Windows/Linux: Ctrl + U
macOS: Cmd + Option + U

Method 2: Right-Click Menu

  • Right-click anywhere on the page
  • Select "View Page Source" or "View Source"

Method 3: URL Prefix

view-source:https://lab.hdna.me/4-secrets-in-source
Knowledge Check: What keyboard shortcut (on Windows/Linux) opens the HTML source code of a webpage in most browsers?
Answer: Ctrl+U
Phase 4: Finding the Hidden Information

Once you have the source code open, examine it carefully. Look specifically for HTML comments, which are enclosed in <!-- --> tags.

Near the bottom of the source code (around line 63), you'll find a developer comment:

<!-- TODO: move the flag "/anwvdzqtcucr/flag.txt" in a more secure location -->

This is a classic example of Information Disclosure - a developer left a TODO note revealing:

  • The exact path to a sensitive file: /anwvdzqtcucr/flag.txt
  • That this file contains "the flag"
  • That the developer knows it's not in a secure location
Important: Developers often leave comments thinking they're harmless notes for themselves or their team. However, these comments are downloaded by every user's browser and can be viewed by anyone examining the source code.
Phase 5: Exploiting Broken Access Control

Now that we have the file path, we can test if the file has proper access controls. The developer's comment suggests it doesn't - they want to "move it to a more secure location" but haven't done so yet.

This is where Broken Access Control comes into play. The file can be accessed directly without any authentication simply by constructing the full URL.

Method 1: Using a web browser, navigate to:

https://lab.hdna.me/4-secrets-in-source/anwvdzqtcucr/flag.txt

Method 2: Using curl from the command line:

curl https://lab.hdna.me/4-secrets-in-source/anwvdzqtcucr/flag.txt

Method 3: Using wget:

wget -qO- https://lab.hdna.me/4-secrets-in-source/anwvdzqtcucr/flag.txt

The file loads without any authentication prompt or access denied error. This confirms the Broken Access Control vulnerability - the file lacks proper authentication and authorization checks.

Phase 6: Capturing the Flag

The file displays the flag in UUID format. Copy it exactly as shown and submit it to complete the challenge.

Why Security Through Obscurity Fails

This challenge demonstrates a critical security principle: security through obscurity does not work.

The developer attempted to "secure" the flag by:

  • Placing it in a directory with a random name (anwvdzqtcucr)
  • Assuming nobody would guess or discover this path

However, this approach failed because:

  • The path was exposed in an HTML comment (Information Disclosure)
  • Once discovered, there were no access controls to prevent access (Broken Access Control)
  • The file could be accessed by anyone who knew the URL
Security Principle: Obscure file paths, random directory names, and "hidden" URLs are not security controls. Real security requires authentication (verifying who you are) and authorization (checking what you can access).
Key Takeaways
  • Broken Access Control is #1: OWASP ranks this as the most critical web application vulnerability - always implement proper authentication and authorization
  • Information Disclosure Enables Attacks: Exposed file paths, even in comments, provide attackers with the information they need to exploit other vulnerabilities
  • Always Check Source Code: Web page source examination is fundamental in security testing - it requires no special tools and often reveals critical information
  • HTML Comments Are Public: Anything in HTML comments can be viewed by anyone - never include sensitive information, credentials, or file paths
  • Security Through Obscurity Fails: Random directory names and obscure paths don't provide real security - implement proper access controls instead
  • Defense in Depth: Multiple security layers are needed - even if paths are discovered, access controls should prevent unauthorized access
  • Code Review Matters: Regular code reviews and security scans can catch information disclosure issues before they reach production
  • Real-World Relevance: These vulnerability patterns are common in production applications and are frequently discovered during security assessments