I Found A Source Code Disclosure Bug In My Own Flask App

I am a cybersecurity student practicing directory enumeration with Gobuster. Instead of using lab targets, I tested my own Flask application.

I found a real source code disclosure bug.

Here is how it happened and why it matters.

The Setup

I wanted to study a specific misconfiguration. I cloned my app's code to a local environment to keep it safe. I then moved database.py, a core server file, into the static/ directory.

In Flask, the static/ folder is public by default. It serves files like CSS and images without needing special routes. By moving a Python file there, I broke the security boundary between server logic and public assets.

Discovery

I ran Gobuster against the local server:

gobuster dir -u http://localhost:5000/static -w /usr/share/wordlists/dirb/common.txt -x py,js,txt

The tool found:

  • script.js (Expected)
  • database.py (The bug)

I confirmed the leak using curl. The command returned the full, raw source code of database.py.

What was exposed?

The file did not contain passwords or API keys. However, it leaked:

  • The full database schema.
  • Table names and column relationships.
  • Application logic for handling user data.
  • How the app hashes passwords.

Why this is dangerous

Source code disclosure helps attackers in two ways:

  • Targeted attacks: Attackers no longer need to guess table names for SQL injection.
  • Easier reconnaissance: Reading the logic reveals flaws in validation or authentication.

Direction for Fixing

  1. Keep all server-side files out of public directories.
  2. Use web server rules to block sensitive file extensions. For example, tell Nginx to deny all requests for .py files.
  3. Audit your static/ folders regularly to find stray files.
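The following script is an added example, not code from the original post or from the app it describes. It covers steps 1 and 3 above from the Flask side: an audit function that walks a static/ tree and flags anything that is not a front-end asset, plus a fail-closed allow-list check that a custom static route could apply before calling send_from_directory (that wiring is assumed, not Flask's default). The extension lists and the demo directory (script.js beside a stray database.py, mirroring the post) are constructed for illustration.

```python
"""Audit a Flask-style static/ directory for server-side files.

Added example (not from the original post). Assumes the usual Flask
layout in which everything under static/ is served verbatim, so any
file that is not a front-end asset is a disclosure waiting to happen.
"""
import os
import pathlib
import tempfile

# Extensions that belong in a public asset directory (constructed list).
ALLOWED_EXTENSIONS = {
    ".css", ".js", ".map", ".json", ".txt", ".webp",
    ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
    ".woff", ".woff2", ".ttf",
}

# Extensions that mean server-side code or secrets (constructed list).
FORBIDDEN_EXTENSIONS = {
    ".py", ".pyc", ".env", ".sqlite", ".db", ".sql",
    ".ini", ".cfg", ".pem", ".key", ".bak",
}


def classify(filename: str) -> str:
    """Return 'forbidden', 'allowed' or 'unknown' for a single file name.

    Dotfiles such as .env have no suffix in pathlib terms, so they are
    caught by the leading-dot check rather than by the extension set.
    """
    name = os.path.basename(filename)
    suffix = pathlib.PurePath(name).suffix.lower()
    if name.startswith(".") or suffix in FORBIDDEN_EXTENSIONS:
        return "forbidden"
    if suffix in ALLOWED_EXTENSIONS:
        return "allowed"
    return "unknown"


def audit_static_dir(static_dir: str) -> dict:
    """Walk static_dir recursively and group relative paths by class.

    'forbidden' entries are the stray server files to remove immediately;
    'unknown' entries deserve a manual look.
    """
    report = {"forbidden": [], "allowed": [], "unknown": []}
    root = pathlib.Path(static_dir)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            report[classify(path.name)].append(str(path.relative_to(root)))
    return report


def should_serve(requested: str) -> bool:
    """Allow-list check for a requested static path (fail closed).

    Rejects absolute paths, traversal segments and anything whose
    extension is not a known asset type. Intended to guard a custom
    static route in front of send_from_directory (assumed usage).
    """
    parts = pathlib.PurePosixPath(requested).parts
    if not parts or requested.startswith("/") or ".." in parts:
        return False
    return classify(parts[-1]) == "allowed"


def build_demo_static() -> str:
    """Create a temporary static/ tree reproducing the post's scenario."""
    base = tempfile.mkdtemp(prefix="static_audit_")
    os.makedirs(os.path.join(base, "css"))
    for rel in ("script.js", "css/site.css", "database.py"):
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write("# constructed placeholder content\n")
    return base


if __name__ == "__main__":
    demo = build_demo_static()
    result = audit_static_dir(demo)
    for kind in ("forbidden", "unknown", "allowed"):
        for rel in result[kind]:
            print(f"{kind:9s} {rel}")
    print("serve database.py?", should_serve("database.py"))
    print("serve css/site.css?", should_serve("css/site.css"))
```

Run it as a script to see the report for the demo tree, or call audit_static_dir("static") from a pre-deploy check so a stray database.py fails the build rather than shipping. The allow-list in should_serve deliberately treats unknown extensions as deny, which is the opposite default from a bare static/ directory.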

The Lesson

Never assume a directory is safe just because of its name. Contents change over time. A simple mistake during testing or a bad build script can leave your logic open to the world.

Source: https://dev.to/zeyrian_faris/i-found-a-source-code-disclosure-bug-in-my-own-flask-app-with-gobuster-42n8