OWASP Top 10 | TryHackMe | Sensitive Data Exposure Task 8–11

br4ind3ad
3 min readJun 29, 2021


Task 11 challenge at the bottom.

Task 8 : [Severity 3] Sensitive Data Exposure (Introduction)

Sensitive Data Exposure vulnerabilities can occur when a web application does not adequately protect sensitive information from being disclosed to attackers. This can include information such as credit card data, medical history, session tokens, or other authentication credentials. ~ PortSwigger

Task 9: [Severity 3] Sensitive Data Exposure (Supporting Material 1)

The most common (and simplest) format of flat-file database is an SQLite database.
To check the type of a file such as example.db, use the file command:

file example.db

To query an SQLite database use the following commands:
→ To open it: sqlite3 <database-name>, e.g. sqlite3 example.db
→ To list the tables in the database, use the .tables command. Let one of the table names be Table_name.
→ To see the columns of that table: PRAGMA table_info(Table_name);
→ To dump all the data of the table: SELECT * FROM Table_name;
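The same four steps (open the file, list tables, inspect columns, dump rows) can be scripted so that a whole database is checked in one pass for columns that look like they hold credentials or other sensitive data. The following is an added example and not part of the original post or of the TryHackMe room; it builds an in-memory database with constructed rows (the hashes are md5("password") and md5("123456"), chosen here, not taken from the room) and uses a constructed, heuristic list of column-name keywords. Python's standard sqlite3 module is used instead of the sqlite3 shell, and sqlite_master, PRAGMA table_info and SELECT * are the exact equivalents of .tables, PRAGMA table_info and SELECT * above.

```python
import re
import sqlite3

# Column names that commonly hold data worth protecting.
# Constructed heuristic list for this example; extend it for your own schemas.
SENSITIVE_COLUMN_PATTERN = re.compile(
    r"(pass|pwd|hash|secret|token|ssn|card|credit|api_key|session)", re.IGNORECASE
)


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with constructed sample data.

    Stands in for a file such as example.db found on a web server.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (
            userID   TEXT PRIMARY KEY,
            username TEXT NOT NULL,
            password TEXT NOT NULL
        );
        CREATE TABLE products (
            id    INTEGER PRIMARY KEY,
            name  TEXT,
            price REAL
        );
        -- constructed rows: unsalted md5('password') and md5('123456')
        INSERT INTO users VALUES ('1', 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES ('2', 'guest', 'e10adc3949ba59abbe56e057f20f883e');
        INSERT INTO products VALUES (1, 'widget', 9.99);
        """
    )
    return conn


def quote_ident(name: str) -> str:
    """Quote an identifier so table names from the file cannot alter the SQL."""
    return '"' + name.replace('"', '""') + '"'


def list_tables(conn: sqlite3.Connection) -> list:
    """Equivalent of the sqlite3 shell's .tables command."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()
    return [r[0] for r in rows]


def table_columns(conn: sqlite3.Connection, table: str) -> list:
    """Equivalent of PRAGMA table_info(table); returns column names in order."""
    rows = conn.execute(f"PRAGMA table_info({quote_ident(table)})").fetchall()
    return [r[1] for r in rows]


def dump_table(conn: sqlite3.Connection, table: str) -> list:
    """Equivalent of SELECT * FROM table;"""
    return conn.execute(f"SELECT * FROM {quote_ident(table)}").fetchall()


def find_sensitive_columns(conn: sqlite3.Connection) -> list:
    """Walk every table and flag columns whose names suggest sensitive data."""
    findings = []
    for table in list_tables(conn):
        for col in table_columns(conn, table):
            if SENSITIVE_COLUMN_PATTERN.search(col):
                findings.append((table, col))
    return findings


def audit_file(path: str) -> list:
    """Run the same audit against an on-disk database, opened read-only."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return find_sensitive_columns(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    db = build_sample_db()
    print("tables:", list_tables(db))
    for table, col in find_sensitive_columns(db):
        print(f"sensitive column: {table}.{col}")
        for row in dump_table(db, table):
            print("  ", row)
```

Pointing audit_file at a database that was found under the web root is a quick way to confirm, during a review, whether the exposed file actually contains credentials; a 32-character hex string in a column named password is the pattern the later tasks rely on.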

Task 10: [Severity 3] Sensitive Data Exposure (Supporting Material 2)

Use the online tool: Crackstation (https://crackstation.net/) to break Joy Paulson’s weak password hash.
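CrackStation works because an unsalted MD5 of a common password is the same for every site that uses it, so a single precomputed table answers the query instantly. The following added example, not from the original post or the TryHackMe room, shows that mechanism on a constructed five-word wordlist beside the storage format that defeats it: a per-user random salt with PBKDF2-HMAC-SHA256 and constant-time comparison. The md5 values, the wordlist, the 600000 iteration count and the stored-string layout are all choices made for this example.

```python
import hashlib
import hmac
import os
import re

# Constructed toy wordlist. A lookup-table service uses the same idea with
# billions of entries, which is why any unsalted fast hash of a common
# password is recovered immediately.
TOY_WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome"]

HEX_MD5 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


def build_lookup_table(wordlist: list) -> dict:
    """Precompute md5(word) -> word for every wordlist entry."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def lookup_unsalted_md5(stored_hash: str, table: dict):
    """Return the plaintext if stored_hash is the unsalted MD5 of a wordlist
    entry, otherwise None. Anything that is not 32 hex characters is skipped."""
    if not HEX_MD5.match(stored_hash):
        return None
    return table.get(stored_hash.lower())


# Hardened storage: random per-user salt plus a slow KDF. No table built in
# advance matches, and each guess costs hundreds of thousands of iterations.
PBKDF2_ITERATIONS = 600_000  # chosen for this example


def hash_password(password: str, salt: bytes = None) -> str:
    """Produce a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    table = build_lookup_table(TOY_WORDLIST)
    weak = hashlib.md5(b"password").hexdigest()  # what the exposed db stores
    print("unsalted md5 recovered as:", lookup_unsalted_md5(weak, table))
    strong = hash_password("password")
    print("pbkdf2 record in table:", lookup_unsalted_md5(strong, table))
    print("verify correct password:", verify_password("password", strong))
```

The point for a code review is the format of what is stored, not the tool used to crack it: a column of bare 32-hex-character strings is recoverable with an online lookup, while a salted, iterated record makes the same wordlist useless against a database dump.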

Task 11: [Severity 3] Sensitive Data Exposure (Challenge)

Have a look around the webapp. The developer has left themselves a note indicating that there is sensitive data in a specific directory.

Navigate to the Machine IP in the browser

a) What is the name of the mentioned directory?
Let's do directory busting using dirbuster: type dirbuster& in the terminal and fill in the details (Machine IP, port number, wordlist (/usr/share/wordlist/dirbuster/small.txt)) accordingly.
You can use any other tool that you are familiar with like gobuster, dirb, etc.

b) Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
web***.db

c) Use the supporting material to access the sensitive data. What is the password hash of the admin user?

First, download the web***.db from MACHINEIP/****ts, then query it as shown in Task 9.
6eea9b7ef19179a06954edd0f6c*****

d) Crack the hash.
What is the admin’s plaintext password?

Use crackstation.net or any other tool like hashcat.

e) Login as the admin. What is the flag?

Navigate to MachineIP/login

Enter the credentials
Username: admin
Password: as cracked above
and log in.
