← vuln-lab catalog

Hard-coded Secrets in Client Source

This page ships live-looking API keys and credentials directly in its HTML/JS, plus a DB URL hidden in an HTML comment and a JS sourcemap that re-exposes original source. Every value is fabricated and scoped to vuln-lab.test — safe to leak.

(reading inline config…)

Trigger: view-source:/secrets/ or scan the inline JS / /assets/app.js.map.

Detected by: browser_cdp_js_secrets_scan