Information disclosure

Introduction

The information disclosure vulnerability occurs when a website unintentionally reveals sensitive information to the user, information that can be useful for planning further attacks.

Examples of sensitive information are:

  • Business data or personal information about a user.

  • Debugging data, error messages or stack traces that reveal source code.

  • Information about the infrastructure:

    • Software used and its version.

    • Hidden directories.

    • API keys or credentials.

  • Backup files.

This data is usually found during the enumeration phase, while fuzzing and analysing the web application. Nonetheless, this section presents several techniques that you can use to obtain such information.

Sensitive directories and files

In the enumeration phase there are several important files and directories, such as .git, robots.txt, sitemap.xml and .well-known, that point to other files containing sensitive information or to directories with directory listing enabled. Both can also be discovered by performing directory or file enumeration.

Developer comments

During development, the programmers may have left comments in the HTML code of the website or inside the JavaScript libraries.

The comments can be easily extracted with Burp Suite under Target/Site map/<Right_Click_on_domain>/Engagement tools/Find comments.

Error, debug messages or stack traces

Verbose error messages can expose a lot of sensitive information about the application, such as the number of arguments and the data types expected, the functions executed, the technology used and its version, etc.

This information is helpful because it lets you easily search for any documented exploits that may exist for that version, or for known misconfiguration errors.

Usually, to trigger this kind of message, you need to send unexpected input: a string where a number is expected, negative values, random symbols, etc., or no data at all, leaving the parameter empty.

Also check the web browser console, because many developers leave log messages that are printed during the execution of the application.

Sensitive data on headers

Most web servers reveal information about their infrastructure through response headers. Some examples of headers that disclose information about the server are Server, X-Powered-By, X-CMS, X-Php-Version, etc.
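As an added example (not part of the original notes), a small Python audit that parses a raw HTTP response and flags the headers listed above, noting whether each one also leaks an explicit version number. The sample response is constructed, and X-AspNet-Version and X-Generator are added to the page's list as two further well-known disclosing headers.

```python
import re

# Headers that commonly reveal server-side technology: the ones named in
# the section above, plus X-AspNet-Version and X-Generator (added here).
DISCLOSING_HEADERS = {
    "server", "x-powered-by", "x-cms", "x-php-version",
    "x-aspnet-version", "x-generator",
}
# Matches dotted version numbers such as 2.4.29 or 7.2
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_response_headers(raw: str) -> dict:
    """Split a raw HTTP response into a lower-cased header dict (body ignored)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> list:
    """Return one finding per disclosing header present in the response."""
    findings = []
    for name, value in parse_response_headers(raw).items():
        if name in DISCLOSING_HEADERS:
            findings.append({
                "header": name,
                "value": value,
                "has_version": bool(VERSION_RE.search(value)),
            })
    return findings


# Constructed sample response; not captured from any real host.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for f in audit_headers(SAMPLE):
        print(f"{f['header']}: {f['value']} (version exposed: {f['has_version']})")
```

Running it against your own server's responses shows exactly which headers should be removed or reduced to a bare product name in the server configuration.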
