Information disclosure is a vulnerability in which a website unintentionally reveals sensitive information to its users, which can be useful for future attacks.
Examples of sensitive information are:
- Business data or personal information about a user.
- Debugging data, error messages or stack traces that reveal source code.
- Information about the infrastructure:
- Software used and its version.
- Hidden directories
- API keys or credentials
- Backup files.
This data is usually found during the enumeration phase while fuzzing and analysing the web application. Nonetheless, this section describes several techniques that you can use to obtain such information.
In the enumeration phase, there are several important files/directories, such as .well-known, that point to other files with sensitive information or to directories with directory listing enabled. Both can also be discovered by performing directory or file enumeration.
The comments can be easily obtained with the Burp Suite tool under
Target/Site map/<Right_Click_on_domain>/Engagement tools/Find comments
Verbose error messages can expose a lot of sensitive information about the application, such as the number of arguments and the data types expected, the functions executed, the technology used and its version, etc.
This information can be helpful because you can easily search for any documented exploits that may exist for this version or for misconfiguration errors.
Usually, to obtain this kind of information, you might need to send unexpected data, such as a string instead of the expected number, negative values or random symbols, or send no data at all, leaving the parameter empty.
Also, try looking at the web browser console, because many developers log messages there during the execution of the application.
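A defender-side check for the verbose error messages and comments described above, added here as an example (not code from the original page): it scans a response body for stack traces, error strings, file paths, version banners and HTML comments, so it can run in regression tests against your own error pages. The pattern set and both sample responses are constructed for illustration.

```python
import re

# Signatures of verbose error output. Constructed starter set, not exhaustive.
LEAK_PATTERNS = {
    "python_traceback": re.compile(r"Traceback \(most recent call last\):"),
    "java_stack_frame": re.compile(r"^\s*at [\w.$]+\([\w$]+\.java:\d+\)", re.M),
    "php_error": re.compile(r"(?:Fatal error|Warning|Notice): .+ in \S+ on line \d+"),
    "sql_error": re.compile(r"SQL syntax|SQLSTATE\[\w+\]|ORA-\d{5}", re.I),
    "filesystem_path": re.compile(r"/(?:var|home|usr|opt|srv)/[\w./-]+|[A-Za-z]:\\[\w\\.-]+"),
    "software_version": re.compile(r"\b(?:Apache|nginx|PHP|Tomcat|IIS)[/ ]\d+(?:\.\d+)+", re.I),
}
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)

# Constructed sample: what a page might return when a string is sent
# where a number is expected and debug output is left enabled.
VERBOSE_RESPONSE = """<html><body>
<!-- TODO: remove debug mode before release -->
Warning: A non-numeric value encountered in /var/www/app/product.php on line 42
<address>Apache/2.4.0 Server at shop.example Port 80</address>
</body></html>"""

# Constructed sample: the same failure handled with a generic error page.
GENERIC_RESPONSE = (
    "<html><body><h1>Something went wrong</h1>"
    "<p>Reference: 7f3a9c</p></body></html>"
)


def find_leaks(body):
    """Return a sorted list of (category, evidence) pairs found in a response body."""
    findings = set()
    for name, pattern in LEAK_PATTERNS.items():
        for match in pattern.finditer(body):
            findings.add((name, match.group(0).strip()))
    for match in HTML_COMMENT.finditer(body):
        text = match.group(1).strip()
        if text:  # ignore empty comments
            findings.add(("html_comment", text))
    return sorted(findings)


if __name__ == "__main__":
    for category, evidence in find_leaks(VERBOSE_RESPONSE):
        print(f"{category}: {evidence}")
```

The generic response keeps only an opaque reference that support staff can correlate with server-side logs, which is where the detailed error belongs.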
Most web servers provide information about their infrastructure through headers in the response. Some examples of headers that disclose information about the server are