Are there any answers to such web server behavior?

[precious]

I frequently use tools like ffuf to illustrate fuzzing to my students.

Using the following command, for instance:

bash
┌──(kali㉿localhost)-[~]└─$ffuf -w wordlist.txt -u http://mydomaintarget.org/FUZZ

Files like backup.sql, graphql.txt, config.json, and other possibly sensitive files may be discovered in this way.

To confirm their presence, we employ:
┌──(kali㉿localhost)-[~]└─$curl -I http://mydomaintarget.org/backup.sql on mydomaintarget.org

The server replies with an HTTP 200 status if the file is present. When we try to download the file, though: backup.sql using

bash
┌──(kali㉿localhost)-[~]└─$curl -o http://mydomaintarget.org/backup.sql on mydomaintarget.org

The output is a JavaScript obfuscated code rather than the anticipated content.
Are there any explainations to such behavior?

 

[RyanKonecky]

I don't have any answers, but I was curious whether or not you figured this out.

 

[precious]

I don't have any answers, but I was curious whether or not you figured this out.

Not yet, am also looking forward to learn

 

[Trevor Chandler]

Not yet, am also looking forward to learn

I'm looking forward to learning as well, but you didn't explain what fuzzing is

 

[precious]

I'm looking forward to learning as well, but you didn't explain what fuzzing is

I appreciate you bringing that up! I'd be pleased to describe fuzzing. Fuzzing is a security testing method that involves inserting/inputting unexpected or random data (referred to as "fuzz") into a computer program in order to find software flaws. The goal is to observe how the program responds, including whether it crashes, exhibits strange behavior, or reveals exploitable flaws.

When testing a web application, for instance, a fuzzer may insert distorted data into form fields to test the application's ability to handle odd data, possibly revealing faults or security holes. It is an essential component of security assessments and penetration testing.

 

[Trevor Chandler]

I appreciate you bringing that up! I'd be pleased to describe fuzzing. Fuzzing is a security testing method that involves inserting/inputting unexpected or random data (referred to as "fuzz") into a computer program in order to find software flaws. The goal is to observe how the program responds, including whether it crashes, exhibits strange behavior, or reveals exploitable flaws.

When testing a web application, for instance, a fuzzer may insert distorted data into form fields to test the application's ability to handle odd data, possibly revealing faults or security holes. It is an essential component of security assessments and penetration testing.

Thank you for that explanation. Now I can say that I'm smarter! Prior to your explanation, I was a little fuzzy about fuzzing!!!

 

[precious]

Thank you for that explanation. Now I can say that I'm smarter! Prior to your explanation, I was a little fuzzy about fuzzing!!!

You’re in the elite club of bug-busting geniuses!

 

[Trevor Chandler]

You’re in the elite club of bug-busting geniuses!

Feels dang good to be considered among the elite!!!!

 

[precious]

Feels dang good to be considered among the elite!!!!

To be honest you must be a cyber guru-you must be modest

 

[Alexander petree]

what exactly are you trying to find out with the issue

 

[precious]

what exactly are you trying to find out with the issue

The server returns an HTTP 200 status(it has the file), but I'm attempting to figure out why the expected file content (such as backup.sql) isn't being served directly.

Expectation : I expect to see the raw file content (such as the SQL dump for backup.sql) when I use curl -o to retrieve the file.

Reqlity: The content is not being returned by the server; instead, JavaScript-obfuscated code is.

Am curious about such behavior.