Information Disclosure
What is information disclosure?
Depending on the context, websites may leak all kinds of information to a potential attacker, including:
- Data about other users, such as usernames or financial information
- Sensitive commercial or business data
- Technical details about the website and its infrastructure
Information leaks can be a starting point for exposing an additional attack surface, which may contain other interesting vulnerabilities.
Examples
- Hard-coding API keys, IP addresses or database credentials in the application or in a public GitHub repository
- Revealing the names of hidden directories, their structure and their contents via a robots.txt file or directory listing
- Hinting at the existence or absence of resources, usernames, and so on via subtle differences in application behavior
- Default configurations, i.e. you didn't change the default password, or the default configuration displays verbose error messages.
Information leaks can lead to other vulnerabilities; for example, username enumeration is possible if the web service returns distinct responses depending on whether a username is registered or not.
Severity of information vulnerability
If you can exploit the information leak to do something harmful with it, for example an attack, then it's severe. In my opinion, if it violates the privacy legislation it is also severe and worth notifying the web service provider.
Preventing disclosure vulnerabilities
This is meant from the POV of the development team:
- Make sure everyone in the organization knows what data is sensitive and what is not.
- Audit code, change default configurations, include security in DevOps pipelines
- Use generic error messages as much as possible. Don’t provide attackers with clues about application behavior unnecessarily.
- Understand the configuration settings and security implications.
- Disable any features and settings that you don’t need
How to test for information disclosure vulnerabilities
📖 PortSwigger - How to test for information leaks
Fuzzing
- Submit unexpected data types and specially crafted fuzz strings and notice any effect this has
- Look at response time, HTTP status code, response length, and occurrences of keywords like error, invalid and so on
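The username enumeration case above is the classic example of a leak that shows up in exactly these signals. Added example, not from the original notes: a login handler whose responses differ for known and unknown users, next to a hardened version that returns the same status, the same message and does the same hashing work in both cases, plus a small checker that compares the status code, response length and keyword hits a fuzzer would look at. The user store and salt are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, sha256(salt + password)).
# Sample values for this example only, not real credentials.
def _hash(salt, password):
    return hashlib.sha256(salt + password.encode()).digest()

_SALT = b"example-salt"
USERS = {"alice": (_SALT, _hash(_SALT, "correct horse"))}
# Dummy record so unknown users cost the same hashing work as known ones.
DUMMY = (_SALT, _hash(_SALT, "dummy-never-matches"))

def login_verbose(username, password):
    """Leaky version: status and message reveal whether the account exists."""
    rec = USERS.get(username)
    if rec is None:
        return 404, "Unknown username"
    salt, digest = rec
    if _hash(salt, password) != digest:
        return 401, "Wrong password for user " + username
    return 200, "OK"

def login_generic(username, password):
    """Hardened version: identical status, message and work for both failure cases."""
    rec = USERS.get(username)
    salt, digest = rec if rec is not None else DUMMY  # always hash, even for unknown users
    valid = hmac.compare_digest(_hash(salt, password), digest)
    if rec is None or not valid:
        return 401, "Invalid username or password"
    return 200, "OK"

def response_differs(handler, known, unknown, password="not-the-password"):
    """Compare the signals a fuzzer watches: status code, body length, keyword hits.
    Returns a dict of signal -> True if the two responses are distinguishable."""
    a = handler(known, password)
    b = handler(unknown, password)
    keywords = ("unknown", "invalid", "wrong")
    hits = lambda body: {k for k in keywords if k in body.lower()}
    return {
        "status": a[0] != b[0],
        "length": len(a[1]) != len(b[1]),
        "keywords": hits(a[1]) != hits(b[1]),
    }
```

Run `response_differs(login_verbose, "alice", "mallory")` to see every signal flagged, and the same call with `login_generic` to see none.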
Engineering informative responses
By studying the way errors occur in an application, in some cases you can manipulate the website in order to extract arbitrary data via an error message.
There are numerous methods for doing this, depending on the particular scenario you encounter.
Common source of leaks
- Files for web crawlers -> /robots.txt or /sitemap.xml
- Directory listing
- Developer comments in HTML, CSS or JavaScript
- Error messages -> verbose messages that reveal the exact version of software such as the database or web server.
- Debug messages -> many websites generate custom error messages and logs that contain large amounts of data
- User account pages
- Source code disclosure via backup files -> e.g. trick a website into returning .php code instead of executing it by requesting the ~ temporary file
- Insecure configuration, e.g. the HTTP TRACE method left enabled
- Version control history -> e.g. access to the .git directory