Sensitive Data Exposure Lab – Full Walkthrough - TryHackMe Pre-Security

Durre Shaffa
2 min read

Introduction

In web security, Sensitive Data Exposure is a common yet critical vulnerability. It occurs when sensitive information, like passwords, API keys, or hidden links, is unintentionally left accessible in a website’s front-end source code.

This lab in the TryHackMe Pre-Security course introduces learners to the real-world risk of sensitive data being left visible in the browser through careless development practices. Let’s walk through what this vulnerability is and how it was discovered in this task.


What is Sensitive Data Exposure?

Sensitive Data Exposure refers to any instance where confidential or restricted data is made publicly accessible, usually unintentionally. This often includes:

  • Login credentials

  • Hidden URLs

  • API keys or tokens

  • Internal comments with useful context for attackers

Since modern websites rely heavily on front-end code (HTML, CSS, JavaScript), careless developers might accidentally leave behind such data in the source code during development or testing.


How Can This Happen?

Web browsers allow any user to inspect the structure of a website using View Page Source or Developer Tools (F12). If a developer has hardcoded sensitive information, such as:

<!-- Temporary login: user=test | password=testpasswd -->

…it becomes easily visible to anyone curious enough to look.

Even a simple HTML comment can expose passwords, admin links, or outdated endpoints. Although not visible on the live webpage, they remain accessible in the source code.


Why It’s a Security Risk

Sensitive information in front-end code can be exploited in many ways:

  • Unauthorized logins using exposed credentials

  • Discovery of admin panels or internal tools

  • Access to hidden API endpoints

  • Further privilege escalation if reused credentials are found

Such information can also be used in social engineering, brute-force attacks, or even as part of a larger penetration test.


Lab Task Summary

In this lab, we were asked to:

"View the website and find the password hidden in the source code."

Steps Taken:

  1. Clicked “View Site” to open the target webpage.

  2. Right-clicked on the page and selected "View Page Source".

  3. Searched for keywords like <!--, password, or login.

  4. Found a comment in the HTML source revealing the following:

<!-- password: testpasswd -->

Answer: testpasswd

This simple task demonstrates how easy it is to accidentally leave sensitive data behind—and how easy it is for an attacker to find it.
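The manual steps above (open the source, search for <!--, password or login) can be turned into an automated check that a code review or CI pipeline runs over front-end files before they ship. The following scanner is an added example and is not part of the TryHackMe lab or the original post: it parses HTML comments and JavaScript line comments out of a page and flags those that look like leftover credentials, keys or internal paths. The sample page, the keyword patterns and the category names are constructed for this example; the only line taken from the lab is the temporary-login comment quoted earlier in this post.

```python
import re
import sys
from html.parser import HTMLParser

# Constructed sample page for the example. The "Temporary login" comment is the
# one quoted in this post; the rest is made-up markup to show true and false hits.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head><title>Demo</title>
<!-- TODO: tidy up the header layout -->
</head>
<body>
<!-- Temporary login: user=test | password=testpasswd -->
<!-- admin panel moved to /internal/admin-v2 -->
<p>Welcome!</p>
<script>
  // const apiKey = "sk_test_PLACEHOLDER_VALUE";  (left over from testing)
</script>
</body>
</html>
"""

# Heuristic patterns (constructed). Order matters: the first match decides the category.
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"\b(password|passwd|pwd|secret)\b\s*[:=]", re.I),
    "api_key": re.compile(r"\b(api[_-]?key|token)\b\s*[:=]", re.I),
    "internal_path": re.compile(r"\b(admin|internal|staging|debug)\b", re.I),
}


class CommentCollector(HTMLParser):
    """Collects HTML comments and the raw text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.script_chunks = []
        self._in_script = False

    def handle_comment(self, data):
        # Called for every <!-- ... --> in the document, hidden or not.
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline JavaScript arrives as plain data while inside <script>.
        if self._in_script:
            self.script_chunks.append(data)


def find_sensitive_comments(html):
    """Return a list of findings: {'kind', 'category', 'text'} for each suspicious comment."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()

    candidates = [("html-comment", c) for c in parser.comments]
    for chunk in parser.script_chunks:
        # Naive JS line-comment extraction; "//" inside URLs will also be picked up,
        # which is acceptable for a review aid that a human triages.
        for m in re.finditer(r"//(.*)", chunk):
            candidates.append(("js-comment", m.group(1).strip()))

    findings = []
    for kind, text in candidates:
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(text):
                findings.append({"kind": kind, "category": category, "text": text})
                break  # one category per comment is enough for triage
    return findings


def scan_file(path):
    """Scan an HTML file on disk; returns the same finding list as find_sensitive_comments."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_sensitive_comments(fh.read())


if __name__ == "__main__":
    # With no arguments, scan the embedded sample; otherwise scan each file given.
    sources = sys.argv[1:] or ["<sample>"]
    for src in sources:
        results = scan_file(src) if src != "<sample>" else find_sensitive_comments(SAMPLE_HTML)
        for f in results:
            print(f"{src}: [{f['category']}] ({f['kind']}) {f['text']}")
```

Running it with no arguments reports the temporary-login comment as a credential, the admin-panel comment as an internal path, and the commented-out API key inside the script block, while the harmless TODO comment is ignored. The patterns are deliberately simple keyword heuristics, so treat hits as review prompts rather than proof of a leak, and extend the table with whatever naming your own codebase uses.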


Conclusion

This lab is a great reminder of why code reviews, secure coding practices, and security testing are essential steps in the development lifecycle. Exposing passwords or internal links, even in comments, can lead to serious vulnerabilities if left unchecked.
