I Found A Source Code Disclosure Bug In My Own Flask App
I am a cybersecurity student practicing directory enumeration with Gobuster. Instead of using lab targets, I tested my own Flask application.
I found a real source code disclosure bug.
Here is how it happened and why it matters.
The Setup
I wanted to study a specific misconfiguration. I cloned my app's code to a local environment to keep it safe. I then moved database.py, a core server file, into the static/ directory.
In Flask, the static/ folder next to your application module is public by default: Flask(__name__) registers a route at /static/<path> that serves any file under that folder, CSS, images, or anything else you drop in it, with no extension check and no routes written by you. By moving a Python file there, I broke the security boundary between server logic and public assets.
Discovery
I ran Gobuster against the local server:
gobuster dir -u http://localhost:5000/static -w /usr/share/wordlists/dirb/common.txt -x py,js,txt
The tool found:
- script.js (Expected)
- database.py (The bug)
I confirmed the leak using curl. The command returned the full, raw source code of database.py.
What was exposed?
The file did not contain passwords or API keys. However, it leaked:
- The full database schema.
- Table names and column relationships.
- Application logic for handling user data.
- How the app hashes passwords.
Why this is dangerous
Source code disclosure helps attackers in two ways:
- Targeted attacks: an attacker who finds an injection point no longer has to guess table and column names; the schema lists them. Knowing the password hashing scheme also tells them in advance whether a dumped credential table would be cheap to crack offline.
- Easier reconnaissance: reading the logic reveals flaws in validation or authentication directly, instead of having to infer them from black-box probing.
Direction for Fixing
- Keep all server-side files out of public directories.
- Use web server rules to block sensitive file extensions as defence in depth. For example, tell Nginx to return 404 for any request for a .py file under /static/. This only helps when Nginx sits in front of the app; the Flask development server answers directly, so the file must still be removed.
- Audit your static/ folders regularly to find stray files.
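An Nginx configuration that puts the extension rule above into practice, as an added example rather than the original post's own deployment. It assumes Nginx proxies to the Flask app on 127.0.0.1:5000 and serves /static/ from /srv/app/static/; both paths are placeholders.

```nginx
# Added example, not from the original post. Paths and port are assumptions.
server {
    listen 80;
    server_name example.test;

    # Regex locations are checked before the /static/ prefix location below
    # (it is not declared with ^~), so these rules win for matching names.
    # Answer 404 rather than "deny all" (403): a 403 still confirms to an
    # enumeration tool that the file exists.
    location ~* ^/static/.*\.(py|pyc|pyo|env|bak|orig|swp|sqlite3?|db)$ {
        return 404;
    }

    # Dotfiles anywhere (.env, .git/...) get the same treatment.
    location ~ /\. {
        return 404;
    }

    # Real assets are served straight from disk.
    location /static/ {
        alias /srv/app/static/;
    }

    # Everything else goes to the Flask application.
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Test the rule with curl against the front end, not against port 5000: a request that hits the Flask dev server or a gunicorn socket bound directly bypasses Nginx entirely, which is why the stray file has to be removed regardless.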
The Lesson
Never assume a directory is safe just because of its name. Contents change over time. A simple mistake during testing or a bad build script can leave your logic open to the world.
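The audit recommended under "Direction for Fixing" can be a script that runs in CI so a bad build step or a test-time mistake fails the pipeline before it reaches a server. The following is an added example, not code from the original post; the asset allowlist, the sensitive-extension list and the sample tree it builds are assumptions chosen for illustration.

```python
"""Audit a Flask-style static/ directory for files that should never be public.

Added example, not code from the original post. The extension lists and the
constructed sample tree are assumptions for illustration.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions that are legitimately public assets (assumed allowlist).
ALLOWED_EXTENSIONS = {
    ".css", ".js", ".map", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
    ".woff", ".woff2", ".ttf", ".eot", ".webp", ".txt", ".json",
}

# Extensions and names that indicate server code, secrets or scratch copies.
SENSITIVE_EXTENSIONS = {
    ".py", ".pyc", ".pyo", ".env", ".sqlite", ".sqlite3", ".db",
    ".bak", ".orig", ".swp", ".pem", ".key", ".log",
}
SENSITIVE_NAMES = {".env", "config.py", "settings.py", "database.py"}


def classify(path) -> Optional[str]:
    """Return why this file should not be in static/, or None if it looks like an asset."""
    path = Path(path)
    name = path.name
    if name in SENSITIVE_NAMES or name.startswith(".env"):
        return f"sensitive file name: {name}"
    # Check every suffix, so app.py.bak is caught by both .py and .bak.
    hits = {s.lower() for s in path.suffixes} & SENSITIVE_EXTENSIONS
    if hits:
        return f"sensitive extension: {', '.join(sorted(hits))}"
    if path.suffix.lower() not in ALLOWED_EXTENSIONS:
        return f"extension not in asset allowlist: {path.suffix or '(none)'}"
    return None


def audit_static(static_dir) -> List[Tuple[str, str]]:
    """Walk static_dir and return (relative_path, reason) for every suspicious file."""
    root = Path(static_dir)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # A stray .git directory under static/ exposes the whole repository;
        # flag it once and do not descend into it.
        if ".git" in dirnames:
            rel = Path(dirpath, ".git").relative_to(root)
            findings.append((str(rel), "version control directory"))
            dirnames.remove(".git")
        for fn in filenames:
            p = Path(dirpath, fn)
            reason = classify(p)
            if reason:
                findings.append((str(p.relative_to(root)), reason))
    return sorted(findings)


def build_sample_static(base: Path) -> Path:
    """Create a constructed static/ tree mixing real assets with stray files."""
    static = base / "static"
    files = {
        "style.css": "body { margin: 0 }",
        "script.js": "console.log('hi')",
        "images/logo.png": "not really a png",
        "database.py": "import sqlite3\n",      # the bug from the post
        ".env": "SECRET_KEY=changeme\n",         # constructed, not a real secret
        "app.py.bak": "# editor backup copy\n",
    }
    for rel, content in files.items():
        target = static / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return static


def demo() -> List[Tuple[str, str]]:
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_static(build_sample_static(Path(tmp)))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "static"
    problems = audit_static(target)
    for rel, why in problems:
        print(f"{rel}: {why}")
    # Non-zero exit makes a CI job fail when anything stray is found.
    sys.exit(1 if problems else 0)
```

Run it as `python audit_static.py path/to/static` from a CI job; the allowlist is deliberately strict so that a file with an unexpected extension is reported rather than silently passed, and you extend ALLOWED_EXTENSIONS when a new asset type is genuinely needed.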