The Pentesting Guide

Information disclosure

Last updated 2 years ago

Introduction

An information disclosure vulnerability occurs when a website unintentionally reveals sensitive information to its users; that information can then be used to plan further attacks.

Examples of sensitive information are:

  • Business data or personal information about a user.

  • Debugging data, error messages or stack traces that reveal source code.

  • Information about the infrastructure:

    • Software used and its version.

    • Hidden directories

    • API keys or credentials

  • Backup files.

This data is usually found during the enumeration phase, while fuzzing and analysing the web application. Nonetheless, this section collects several techniques you can use to obtain such information.

Sensitive directories and files

In the enumeration phase, several important files and directories, such as .git, robots.txt, sitemap.xml and .well-known, can point to other files containing sensitive information or to directories with directory listing enabled. Both can also be discovered by performing directory or file enumeration.
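As an added example (not code from The Pentesting Guide), the following Python audits responses already collected from one's own site for exactly the artifacts listed above: robots.txt Disallow entries, sitemap locations, an exposed .git/HEAD, and auto-generated directory listings. The responses map is constructed sample data; the title text used to recognise index pages ("Index of /" for Apache and nginx, "Directory listing for" for Python's http.server) is an assumption about those servers' defaults.

```python
import re

# Added example, not from The Pentesting Guide. Input is a constructed
# {path: (status, body)} map standing in for responses fetched from one's own site.

GIT_HEAD_RE = re.compile(r"^(?:ref: refs/heads/\S+|[0-9a-f]{40})\s*$")
DIR_LISTING_RE = re.compile(r"<title>\s*(?:Index of /|Directory listing for)", re.I)
SITEMAP_LOC_RE = re.compile(r"<loc>\s*([^<\s]+)\s*</loc>")


def parse_robots_disallow(robots_txt):
    """Return the paths a robots.txt asks crawlers to avoid.
    'Disallow: /' (block everything) carries no path information and is skipped."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value and value != "/":
                paths.append(value)
    return paths


def is_exposed_git_head(body):
    """True when a body looks like the content of .git/HEAD (a ref line or a commit hash)."""
    return bool(GIT_HEAD_RE.match(body.strip()))


def is_directory_listing(body):
    """True for the auto-index pages produced by Apache/nginx ('Index of /')
    and Python's http.server ('Directory listing for'); assumed default titles."""
    return bool(DIR_LISTING_RE.search(body))


def audit(responses):
    """Return (path, finding) tuples for every 200 response that discloses something."""
    findings = []
    for path, (status, body) in responses.items():
        if status != 200:
            continue
        if path == "/.git/HEAD" and is_exposed_git_head(body):
            findings.append((path, "git repository exposed"))
        elif path == "/robots.txt":
            for hidden in parse_robots_disallow(body):
                findings.append((path, f"robots.txt reveals {hidden}"))
        elif path == "/sitemap.xml":
            for loc in SITEMAP_LOC_RE.findall(body):
                findings.append((path, f"sitemap lists {loc}"))
        if is_directory_listing(body):
            findings.append((path, "directory listing enabled"))
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "/robots.txt": (200, "User-agent: *\nDisallow: /admin/\nDisallow: /backup/   # old dumps\nAllow: /\n"),
    "/sitemap.xml": (200, "<?xml version='1.0'?><urlset><url><loc>https://example.test/staging/</loc></url></urlset>"),
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/backup/": (200, "<html><head><title>Index of /backup</title></head><body>db.sql.gz</body></html>"),
    "/.well-known/": (403, "Forbidden"),
}

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_RESPONSES):
        print(f"{path}: {finding}")
```

Running the block on the sample data reports the two hidden paths from robots.txt, the staging URL from the sitemap, the exposed repository and the open listing under /backup/; the 403 on /.well-known/ is ignored. The same audit run against a staging deployment before go-live catches these before an external tester does.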

Developer comments

During development, programmers may have left comments in the HTML of the site or inside its JavaScript files.

These comments can be extracted easily with Burp Suite: in Target / Site map, right-click the domain and choose Engagement tools / Find comments.
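The same extraction can be done without Burp Suite. The following Python is an added example (not the guide's own code or a Burp feature) that pulls HTML comments out of a page with the standard-library HTMLParser and then scans every inline script block for // and /* */ comments, skipping string literals so that a "https://..." URL inside a string is not reported as a comment. The page it runs on is a constructed sample.

```python
from html.parser import HTMLParser


class CommentCollector(HTMLParser):
    """Collect HTML comments and the raw text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.html_comments = []
        self.scripts = []
        self._script_buf = None        # a list while inside <script>...</script>

    def handle_comment(self, data):
        self.html_comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.scripts.append("".join(self._script_buf))
            self._script_buf = None


def extract_js_comments(src):
    """Return the text of // and /* */ comments in JavaScript source.
    String and template literals are skipped so a URL inside a string is not
    mistaken for a line comment. Regex literals are not handled, so a quote
    inside /.../ could confuse the scanner (known limitation)."""
    comments, i, n = [], 0, len(src)
    while i < n:
        c = src[i]
        if c in "'\"`":                                 # skip a string literal
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1        # honour escapes such as \"
            i = j + 1
        elif src.startswith("//", i):
            j = src.find("\n", i)
            j = n if j == -1 else j
            comments.append(src[i + 2:j].strip())
            i = j
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            j = n if j == -1 else j
            comments.append(src[i + 2:j].strip())
            i = j + 2
        else:
            i += 1
    return comments


def find_comments(html):
    """Return {'html': [...], 'js': [...]} for one page's source."""
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    js = []
    for script in collector.scripts:
        js.extend(extract_js_comments(script))
    return {"html": collector.html_comments, "js": js}


# Constructed sample page (not taken from any real site).
SAMPLE_PAGE = """<html><head>
<!-- TODO: remove test account before go-live -->
<script>
  var api = "https://api.example.test/v1"; // staging key lives in config.js
  /* legacy auth: token is base64 of user:pass */
  fetch(api + "/login");
</script>
</head><body><p>Welcome</p><!-- build 1.2.3 --></body></html>"""

if __name__ == "__main__":
    for kind, items in find_comments(SAMPLE_PAGE).items():
        for text in items:
            print(f"[{kind}] {text}")
```

External JavaScript files fetched separately can be passed straight to extract_js_comments. Running this over a production build as a pre-release check is the defensive counterpart: minifiers strip most comments, but build notes, TODOs and "legacy auth" remarks in unminified files are exactly what a tester will read first.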

Error, debug messages or stack traces

Verbose error messages can expose a lot of sensitive information about the application, such as the number and data types of the expected arguments, the functions executed, and the technology used and its version.

This information is valuable because it lets you search for documented exploits for that specific version, or for known misconfigurations.

To trigger these messages you usually need to send unexpected input: a string where a number is expected, negative values, random symbols, and so on, or no data at all, leaving the parameter empty.

Also check the web browser console, since many developers leave log messages that are printed while the application runs.
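To make the review of such responses systematic, the following Python is an added example (not code from the guide) that classifies a response body by the stack-trace and error signatures of common technologies and lists any server-side file paths it exposes; alongside it, safe_error_response shows the shape of the fix, logging the full exception server-side and returning only a generic message with a correlation id. The signature regexes are my own approximations of each technology's default error text, and all sample bodies are constructed.

```python
import logging
import re
import uuid

log = logging.getLogger("app")

# Signatures of verbose error output, keyed by the technology they reveal
# (approximations of each platform's default error text, assumed here).
SIGNATURES = {
    "python": re.compile(r"Traceback \(most recent call last\):"),
    "java": re.compile(r"^\s*at [\w$./]+\([\w$]+\.java:\d+\)", re.M),
    "php": re.compile(r"(?:Warning|Fatal error|Notice|Parse error)(?:</b>)?:.*? on line (?:<b>)?\d+", re.S),
    "asp.net": re.compile(r"Server Error in '[^']*' Application"),
    "mysql": re.compile(r"You have an error in your SQL syntax"),
    "oracle": re.compile(r"\bORA-\d{5}\b"),
}

# Absolute source paths (Unix or Windows) ending in a code file extension.
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)[\w.\\/-]+\.(?:py|php|java|rb|js|cs|aspx?)\b")


def find_error_leaks(body):
    """Report which technologies a response body's error text reveals and which
    server-side file paths it exposes; both lists are empty for a clean page."""
    technologies = [name for name, rx in SIGNATURES.items() if rx.search(body)]
    paths = sorted(set(PATH_RE.findall(body)))
    return {"technologies": technologies, "paths": paths}


def safe_error_response(exc):
    """What the application should return instead of a stack trace: the full
    exception goes to the server log under a short reference id, and the client
    only sees a generic message carrying that id so support can correlate it."""
    ref = uuid.uuid4().hex[:8]
    log.error("unhandled error ref=%s", ref, exc_info=exc)   # full trace stays server-side
    return 500, f"Something went wrong. Reference: {ref}"


# Constructed sample bodies (not captured from any real application).
PYTHON_LEAK = ("Traceback (most recent call last):\n"
               "  File \"/srv/app/views.py\", line 42, in get_user\n"
               "    uid = int(request.args['id'])\n"
               "ValueError: invalid literal for int() with base 10: 'abc'\n")
JAVA_LEAK = ("java.lang.NumberFormatException: For input string: \"abc\"\n"
             "\tat java.base/java.lang.Integer.parseInt(Integer.java:652)\n"
             "\tat com.example.shop.UserController.get(UserController.java:88)\n")
PHP_LEAK = ("<b>Warning</b>:  mysqli_query(): Unknown column 'abc' in "
            "<b>/var/www/html/user.php</b> on line <b>17</b>")
ASPNET_LEAK = ("Server Error in '/' Application.\n"
               "[FormatException: Input string was not in a correct format.]\n"
               "   Shop.Controllers.UserController.Get(String id) in "
               "C:\\inetpub\\wwwroot\\Shop\\Controllers\\UserController.cs:31\n")
CLEAN = "<html><body><h1>Something went wrong</h1><p>Reference: 4f2a9c1d</p></body></html>"

if __name__ == "__main__":
    for name, body in [("python", PYTHON_LEAK), ("java", JAVA_LEAK), ("php", PHP_LEAK),
                       ("asp.net", ASPNET_LEAK), ("clean", CLEAN)]:
        print(name, find_error_leaks(body))
```

Each constructed body reveals more than the technology: the Python and PHP traces give away the absolute path of the source file and the parameter being parsed, and the ASP.NET one gives the controller's path on disk. The safe_error_response pattern removes all of that from the client-facing output while keeping it available to the operators who need it.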

Sensitive data on headers

Most web servers reveal information about their infrastructure through response headers. Examples of headers that disclose information about the server are Server, X-Powered-By, X-CMS and X-Php-Version.
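As an added example (not code from the guide), the following Python parses the header block of a raw HTTP response, flags every header on a disclosure list (the four named above plus X-AspNet-Version, X-AspNetMvc-Version and X-Generator, which I have added as further well-known cases), notes whether the value carries a version number, and produces the header set a hardened reverse proxy would forward instead. The raw response is a constructed sample.

```python
import re

# Added example, not from The Pentesting Guide. Headers that reveal the stack:
# the first four are named on the page, the rest are further well-known ones.
DISCLOSING_HEADERS = {
    "server": "web server product",
    "x-powered-by": "application language or framework",
    "x-cms": "CMS product",
    "x-php-version": "PHP version",
    "x-aspnet-version": "ASP.NET version",
    "x-aspnetmvc-version": "ASP.NET MVC version",
    "x-generator": "site generator or CMS",
}
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")


def parse_raw_headers(raw):
    """Parse the header block of a raw HTTP response into {name: value}."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:           # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def audit_headers(headers):
    """One finding per disclosing header:
    (name, value, what it reveals, whether the value carries a version number)."""
    findings = []
    for name, value in headers.items():
        reveals = DISCLOSING_HEADERS.get(name.lower())
        if reveals:
            findings.append((name, value, reveals, bool(VERSION_RE.search(value))))
    return findings


def strip_disclosing_headers(headers):
    """Copy of the headers as a hardened reverse proxy would forward them."""
    return {n: v for n, v in headers.items() if n.lower() not in DISCLOSING_HEADERS}


# Constructed sample response (not captured from any real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "X-Generator: Drupal 9 (https://www.drupal.org)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for name, value, reveals, versioned in audit_headers(parse_raw_headers(SAMPLE_RESPONSE)):
        flag = " (exact version)" if versioned else ""
        print(f"{name}: {value}  -> {reveals}{flag}")
```

On the server side the same headers are silenced at the source rather than at the proxy: Apache with ServerTokens Prod and ServerSignature Off, nginx with server_tokens off;, and PHP with expose_php = Off in php.ini, which removes the X-Powered-By header. A header that names a product without a version (for example Server: nginx) still tells a tester which documentation to read, which is why the audit reports it even when the version flag is false.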

References

  • Web Application Security Testing
  • OWASP Secure Headers Project
  • Information disclosure