July 16, 2026
From Source Code Leak to Full Session Forgery: How Hardcoded Secrets Compromised an Enterprise…
Executive Summary

By M0stafaX404
2 min read
Executive Summary
During an authorized security assessment of an enterprise web application, a critical sensitive information disclosure vulnerability was identified. By analyzing a publicly exposed backup archive format (tar.gz) discovered during reconnaissance, the core configuration infrastructure files were retrieved. A deep manual code review of the main configuration file—app-config.php—revealed hardcoded production credentials, including active MySQL database access parameters and the application's global symmetric encryption key (APP_ENC_KEY).
Possession of these cryptographic secrets bypasses standard perimeter controls, allowing unauthenticated remote actors to gain direct read/write database access or forge signed session cookies to hijack administrative accounts.
- Vulnerability Type: Use of Hard-coded Credentials (CWE-798) / Sensitive Information Disclosure (CWE-200).
- Severity: Critical (CVSS v3.1 Score: 9.8/10).
- Target File Path:
/application/config/app-config.php.
Assessment Context
- Target Type: Private Enterprise Web Infrastructure (Internal Audit).
- Engagement Type: Authorized Internal Penetration Testing (White-box Source Code Review).
- Disclosure Status: Responsibly Disclosed & Fully Remediated by the Internal Dev Team.
- Bounty/Reward: Internal Pentesting Engagement (Corporate Payroll), Non-HackerOne.
Phase 1: Code Review & Leaked Secrets Analysis
After extracting the exposed server backup file target_backup.tar.gz retrieved from the web root, I audited the configuration files responsible for establishing database state connections and session tracking protocols.
Inside /application/config/app-config.php, the database driver configuration array was populated with hardcoded production strings:
<?php
defined('BASEPATH') OR exit('No direct script access allowed');
define('APP_BASE_URL', 'https://target-app.com/');
// Encryption Key - Used for signing sessions
define('APP_ENC_KEY', 'e8018c74678b075c612a43befdc59900');
// Database credentials
define('APP_DB_HOSTNAME', 'localhost');
define('APP_DB_USERNAME', 'db_prod_user');
define('APP_DB_PASSWORD', 'Redacted_Symmetric_Password_String');
define('APP_DB_NAME', 'prod_db_system');
// Session Handler
define('SESS_DRIVER', 'database');
define('SESS_SAVE_PATH', 'ci_sessions');<?php
defined('BASEPATH') OR exit('No direct script access allowed');
define('APP_BASE_URL', 'https://target-app.com/');
// Encryption Key - Used for signing sessions
define('APP_ENC_KEY', 'e8018c74678b075c612a43befdc59900');
// Database credentials
define('APP_DB_HOSTNAME', 'localhost');
define('APP_DB_USERNAME', 'db_prod_user');
define('APP_DB_PASSWORD', 'Redacted_Symmetric_Password_String');
define('APP_DB_NAME', 'prod_db_system');
// Session Handler
define('SESS_DRIVER', 'database');
define('SESS_SAVE_PATH', 'ci_sessions');Phase 2: High-Severity Exploitation Scenarios
Exposing these specific parameters to unauthenticated external actors poses two critical structural security risks to the enterprise:
1. Direct Database Compromise
With active database credentials (host, user, database name, and password) leaked, an attacker who obtains internal network routing access (or exploits a secondary port-forwarding flaw) can connect directly to the relational database engine. This grants absolute read, write, and drop privileges over the production database schemas, leading to complete data exfiltration or total loss of data integrity.
2. Symmetric Session Forgery & Administrative Hijacking
The application framework relies heavily on the defined APP_ENC_KEY value to cryptographically sign, encrypt, and serialize active session cookies.
Because the global symmetric key is static and known, an attacker can construct a custom, serialized administrative session cookie locally, sign it with the leaked APP_ENC_KEY, and submit it to the server. The backend will process the signature as valid, immediately authenticating the attacker as a high-privileged administrator without ever prompting for credentials. Additionally, this opens a direct pathway to trigger Remote Code Execution (RCE) via PHP Object Injection flaws within the unserialization stream.
Root Cause Remediation & Security Controls
Mitigating hardcoded secret disclosure requires decoupling environment credentials from persistent codebase versions:
- Immediate Credential Rotation: Immediately revoke and regenerate all database account passwords and change production server access credentials.
- Regenerate Encryption Keys: Invalidate the compromised
APP_ENC_KEYvalue and replace it with a newly generated, random 32-character hexadecimal key. Note that this action will safely terminate all active user sessions globally. - Implement Environment Variables (.env): Transition all production keys, API tokens, and database passwords out of the code repository. Load these parameters dynamically using server environment variables or centralized secret management vaults (such as AWS Secrets Manager or HashiCorp Vault).
- Purge Public Backup Scopes: Remove compressed archives, backup formats (
.tar.gz,.zip,.bak,.sql), or exposed version control directories from public-facing web root paths. Implement server rules to drop incoming requests seeking backup extensions.
Disclaimer & Contact
This security assessment was conducted legally with prior authorization and written permission from the target organization. All sensitive details, identifiers, and company names have been strictly obfuscated for confidentiality and privacy compliance.