bWAPP - Text Files (Accounts)

bWAPP – Text Files (Accounts)

In this walk through, we will be going through the Text Files (Accounts) vulnerability section from bWAPP Labs. We will be exploring and exploiting Text Account Files and learn how application are affected because of it. So, let’s get started with the Hacking without any delay.

Text Files (Accounts)

Security: Low

  • Setting the security level to Low.

Security level Low

  • The application has a functionality to add a new account. It issues a POST request to insecure_crypt_storage_2.php file with our username and password parameter. Once account is created, it displays a download and delete file button.

Text Files

Burpsuite intercept

  • Upon clicking the download file button, we are able to see the added username and password in plain text.


Security: Medium

  • Setting the security level to Medium.

Security level Medium

  • I added another user again and had a look in the accounts.txt file. This time we got an encrypted password value.

Text Files


  • It was a SHA1 hash and on decrypting it we got our password value.

SHA-1 Reverse

Security: High

  • Setting the security level to High.

Security level High

  • Adding another account.

Account was added!

  • This time it is more difficult to crack the password as it is using a salt with it but it is still possible.


Also Read: bWAPP – SQL Injection Stored (User-Agent)



So, we finally completed all the security levels for the bWAPP Text Files (Accounts) Vulnerability. We looked into the various ways how application has been set up in various levels and how we can bypass the security controls implemented. Next, we can mitigate this by storing sensitive file properly and avoiding leakage issues. On that note, i will take your leave and will meet you in next one with another bWAPP vulnerability writeup, till then “Keep Hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top